Testing Strategy
Test Pyramid
| Layer | Tool | Coverage target | Runs in |
|---|---|---|---|
| Unit tests | Jest | 80% minimum | CI — every push |
| Integration — backend | Jest + Supertest | All 12 custom endpoints | CI — every push |
| API contract | Newman (Postman collections) | Full collection against staging DB | Staging deploy |
| Component | Storybook + Chromatic | All ui/ components | On PR |
| E2E | Playwright | All 6 critical journeys | Staging deploy |
| Smoke | Playwright (subset) | 5–10 paths | Post-prod deploy |
Critical E2E Journeys (Playwright)
- Happy path: invite → register → browse → add to cart → checkout → download
- Auth guards: protected routes redirect unauthenticated users to `/login`
- Download validation: valid token → file; expired token → 410; wrong customer → 403
- Stripe payment failure: order stays failed, no download links created
- Invite expiry: expired token shows correct error, no account created
- Rate limiting: 6 failed logins → account locked message shown
Newman — API Contract Testing
Postman collection covers all 12 custom endpoints. Newman runs it against a seeded staging database on every staging deploy.
```bash
# Install Newman
npm install -g newman
# Run collection
newman run ./tests/api/vespertene-shop.postman_collection.json \
  --environment ./tests/api/staging.postman_environment.json \
  --reporters cli,junit \
  --reporter-junit-export ./test-results/newman.xml
```
Test Data Management
- Backend: seed script at `src/scripts/seed.ts` — creates test products, a test customer, promo codes
- Playwright: `beforeAll` hooks create test data via API, `afterAll` cleans up
- Never hard-code UUIDs in tests — fetch them from seed output
- Staging DB reset: `npm run db:reset:staging` before Newman runs
Download System — Required Test Cases
| Scenario | Expected | Test type |
|---|---|---|
| Valid token, within limit | 302 → presigned URL, count incremented | Integration + E2E |
| Expired token | 410 DOWNLOAD_EXPIRED | Integration |
| Exhausted token (3/3) | 410 DOWNLOAD_LIMIT_REACHED | Integration |
| Wrong customer's token | 403 FORBIDDEN | Integration (IDOR test) |
| Tampered UUID | 404 NOT_FOUND | Integration |
| Duplicate Stripe webhook | Idempotent — no second link set | Integration |
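
The first five rows of the table above, as a table-driven check against an in-memory model of the endpoint. This is an added example, not the project's code: `resolveDownload`, `makeStore`, `runCases`, the field names, the sample tokens and the order of the checks are assumptions, and the real integration tests would issue the same requests through Jest + Supertest.

```javascript
// Added example: in-memory model of the download decision table.
// resolveDownload, makeStore, runCases and all field names are hypothetical.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
const MAX_DOWNLOADS = 3; // "Exhausted token (3/3)" in the table

// Constructed sample tokens, not real seed output.
const VALID = "11111111-1111-4111-8111-111111111111";
const EXPIRED = "22222222-2222-4222-8222-222222222222";
const EXHAUSTED = "33333333-3333-4333-8333-333333333333";

function makeStore(now) {
  return new Map([
    [VALID, { customerId: "cust_a", expiresAt: now + 60000, count: 0 }],
    [EXPIRED, { customerId: "cust_a", expiresAt: now - 1, count: 0 }],
    [EXHAUSTED, { customerId: "cust_a", expiresAt: now + 60000, count: 3 }],
  ]);
}

// Assumed check order: existence, ownership, expiry, limit. Ownership is
// checked before expiry so another customer's token always yields 403 and
// never reveals whether it is expired or exhausted.
function resolveDownload(store, token, customerId, now) {
  const link = UUID_RE.test(token) ? store.get(token.toLowerCase()) : undefined;
  if (!link) return { status: 404, code: "NOT_FOUND" };
  if (link.customerId !== customerId) return { status: 403, code: "FORBIDDEN" };
  if (link.expiresAt <= now) return { status: 410, code: "DOWNLOAD_EXPIRED" };
  if (link.count >= MAX_DOWNLOADS) return { status: 410, code: "DOWNLOAD_LIMIT_REACHED" };
  link.count += 1; // incremented only when the redirect is issued
  return { status: 302, location: "https://storage.example.invalid/presigned-placeholder" };
}

// Runs the five scenarios against one store and returns every result,
// plus the store so the test can inspect the download counters.
function runCases(now = 1700000000000) {
  const store = makeStore(now);
  const cases = {
    valid: [VALID, "cust_a"],
    expired: [EXPIRED, "cust_a"],
    exhausted: [EXHAUSTED, "cust_a"],
    wrongCustomer: [VALID, "cust_b"], // IDOR: real token, different session
    tampered: [VALID.slice(0, -1) + "2", "cust_a"], // well-formed, unknown UUID
  };
  const results = {};
  for (const [name, [token, cust]] of Object.entries(cases)) {
    results[name] = resolveDownload(store, token, cust, now);
  }
  return { results, store };
}
```

The counter assertion matters as much as the status codes: a rejected request (403, 404, 410) must leave `count` untouched, otherwise another customer could burn through someone's download allowance.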