#!/usr/bin/env bash
#
# Negative authentication/authorization smoke test for the API at API_URL.
#
# Every endpoint in the table below is requested with GET:
#   * without an API key      -> expects 401 and "Missing API key" in the body
#   * with INVALID_API_KEY    -> expects 403 and "Invalid API key" in the body
# Admin endpoints are additionally requested:
#   * with VIEWER_API_KEY     -> expects 403 and "Admin role required"
#
# Optional environment overrides:
#   INVALID_API_KEY  a key the server is expected not to recognise
#   VIEWER_API_KEY   a key expected to authenticate but to lack the admin role
#
# API_URL, SCHEME_ID and the request/assert helpers are not defined in this
# file; presumably they are provided by smoke_common.sh (confirm there).
#
# Coverage note: only GET is exercised, so a passing run makes no statement
# about other HTTP methods on the same routes.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Private scratch directory, removed on every exit path by the trap.
# NOTE(review): the helpers appear to write response bodies to
# ${TMP_DIR}/<name>.body, so TMP_DIR is set before smoke_common.sh is sourced.
TMP_DIR="$(mktemp -d)"
trap 'rm -rf "${TMP_DIR}"' EXIT

# shellcheck source=backend/scripts/smoke_common.sh
source "${SCRIPT_DIR}/smoke_common.sh"

# Defaults are only used when the caller's environment leaves these unset or
# empty.
INVALID_API_KEY="${INVALID_API_KEY:-definitely-invalid-api-key}"
VIEWER_API_KEY="${VIEWER_API_KEY:-viewer-local-dev-key}"

wait_for_health
create_fresh_scheme_from_upload "smoke-auth-negative"

# Positive control: the freshly created scheme must be readable (200) before
# the rejection cases are checked.
request "scheme_current" "GET" "${API_URL}/api/v1/schemes/${SCHEME_ID}/current" "200"
CURRENT_VERSION_ID="$(json_get "${TMP_DIR}/scheme_current.body" "scheme_version_id")"
printf '%s\n' "CURRENT_VERSION_ID=${CURRENT_VERSION_ID}"

# Endpoint table as parallel arrays: label (prefix of the response file name),
# URL, and whether the route is expected to require the admin role.
authneg_labels=(
  "manifest"
  "editor_context"
  "pricing_bundle"
  "admin_audit"
  "admin_cleanup_preview"
)
authneg_urls=(
  "${API_URL}/api/v1/manifest"
  "${API_URL}/api/v1/schemes/${SCHEME_ID}/editor/context"
  "${API_URL}/api/v1/schemes/${SCHEME_ID}/pricing"
  "${API_URL}/api/v1/admin/artifacts/publish-preview/audit"
  "${API_URL}/api/v1/admin/schemes/${SCHEME_ID}/pricing/categories/cleanup-preview"
)
authneg_admin_only=(0 0 0 1 1)

for authneg_idx in "${!authneg_labels[@]}"; do
  authneg_label="${authneg_labels[${authneg_idx}]}"
  authneg_url="${authneg_urls[${authneg_idx}]}"

  # All requests for an endpoint are sent first, then the bodies are checked.
  request_without_api_key "${authneg_label}_missing_key" "GET" "${authneg_url}" "401"
  request_with_api_key "${INVALID_API_KEY}" "${authneg_label}_invalid_key" "GET" "${authneg_url}" "403"
  if [[ "${authneg_admin_only[${authneg_idx}]}" == "1" ]]; then
    request_with_api_key "${VIEWER_API_KEY}" "${authneg_label}_wrong_role" "GET" "${authneg_url}" "403"
  fi

  assert_file_contains "${TMP_DIR}/${authneg_label}_missing_key.body" "Missing API key"
  assert_file_contains "${TMP_DIR}/${authneg_label}_invalid_key.body" "Invalid API key"
  if [[ "${authneg_admin_only[${authneg_idx}]}" == "1" ]]; then
    # The invalid-key and wrong-role cases both expect status 403, so this
    # body check is the only thing that separates "key rejected" from
    # "key accepted, role insufficient". It only proves role enforcement when
    # VIEWER_API_KEY is a key the target environment actually accepts.
    assert_file_contains "${TMP_DIR}/${authneg_label}_wrong_role.body" "Admin role required"
  fi
done

printf '\n%s\n%s\n%s\n' \
  "===== done =====" \
  "[OK] smoke auth negative completed successfully" \
  "FRESH_SCHEME_ID=${SCHEME_ID}"