fix(pack): /tutorial/pack_open restricted to starter pack + pre-END viewer

The tutorial alias bypassed the currency / type_detail / open-count guards unconditionally. Combined with the unconditional TutorialState=100 write, any authenticated viewer could send /tutorial/pack_open with any parent_gacha_id to draw a pack for free and clobber their state down to 100. Two gates: parent_gacha_id MUST be 99047 (the legendary starter), and the viewer's TutorialState MUST be below 100. The state write is also max-preserved as a belt-and-braces backstop. Mirrors the 31→41 guard in GiftController. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-28 20:31:23 -04:00
parent 6fd8705990
commit 82d9668c9b
2 changed files with 90 additions and 2 deletions
--- a/SVSim.UnitTests/Controllers/PackControllerTests.cs
+++ b/SVSim.UnitTests/Controllers/PackControllerTests.cs
@@ -128,4 +128,70 @@ public class PackControllerTests
        Assert.That(body.Contains("\"tutorial_step\""), Is.False,
            "Regular /pack/open must never emit tutorial_step.");
    }
+
+    [Test]
+    public async Task TutorialPackOpen_rejects_non_starter_parent_gacha_id()
+    {
+        using var factory = new SVSimTestFactory();
+        await factory.SeedGlobalsAsync();
+        long viewerId = await factory.SeedViewerAsync(tutorialState: 41);
+        using var client = factory.CreateAuthenticatedClient(viewerId);
+
+        // Pick any non-99047 parent_gacha_id seeded by SeedGlobalsAsync (10032 is the most
+        // recent crystal-multi pack in the catalog). The alias must reject it BadRequest.
+        var requestJson = """{"parent_gacha_id":10032,"gacha_id":100320,"gacha_type":1,"pack_number":1,"exclude_card_ids":[],"viewer_id":"0","steam_id":0,"steam_session_ticket":""}""";
+        var response = await client.PostAsync("/tutorial/pack_open",
+            new StringContent(requestJson, Encoding.UTF8, "application/json"));
+
+        Assert.That(response.StatusCode, Is.EqualTo(HttpStatusCode.BadRequest),
+            "Tutorial alias must only accept the starter pack (99047); otherwise any authenticated " +
+            "viewer can draw any pack for free via the currency-bypass tutorial path.");
+
+        // State must NOT have advanced.
+        Assert.That(await factory.GetViewerTutorialStateAsync(viewerId), Is.EqualTo(41),
+            "Rejected requests leave TutorialState untouched.");
+    }
+
+    [Test]
+    public async Task TutorialPackOpen_rejects_completed_viewer()
+    {
+        using var factory = new SVSimTestFactory();
+        await factory.SeedGlobalsAsync();
+        long viewerId = await factory.SeedViewerAsync(tutorialState: 100);
+        await factory.SeedOwnedItemAsync(viewerId, itemId: 90001, count: 1, itemName: "Starter Legendary Ticket");
+        using var client = factory.CreateAuthenticatedClient(viewerId);
+
+        var requestJson = """{"parent_gacha_id":99047,"gacha_id":990047,"gacha_type":1,"pack_number":1,"exclude_card_ids":[],"viewer_id":"0","steam_id":0,"steam_session_ticket":""}""";
+        var response = await client.PostAsync("/tutorial/pack_open",
+            new StringContent(requestJson, Encoding.UTF8, "application/json"));
+
+        Assert.That(response.StatusCode, Is.EqualTo(HttpStatusCode.BadRequest),
+            "Tutorial alias must reject viewers past the tutorial-end gate (state>=100); the path " +
+            "would otherwise re-clobber state and consume a ticket the viewer kept post-tutorial.");
+
+        Assert.That(await factory.GetOwnedItemCountAsync(viewerId, 90001), Is.EqualTo(1),
+            "Rejected requests do not consume tickets.");
+    }
+
+    [Test]
+    public async Task TutorialPackOpen_does_not_downgrade_state_past_100()
+    {
+        // This is the max-preserve check. A future state > 100 (e.g., a post-tutorial training
+        // sentinel) must not be clobbered down to 100. Today nothing in prod sets state above 100,
+        // so synthesize the case directly.
+        using var factory = new SVSimTestFactory();
+        await factory.SeedGlobalsAsync();
+        long viewerId = await factory.SeedViewerAsync(tutorialState: 200);
+        using var client = factory.CreateAuthenticatedClient(viewerId);
+
+        var requestJson = """{"parent_gacha_id":99047,"gacha_id":990047,"gacha_type":1,"pack_number":1,"exclude_card_ids":[],"viewer_id":"0","steam_id":0,"steam_session_ticket":""}""";
+        var response = await client.PostAsync("/tutorial/pack_open",
+            new StringContent(requestJson, Encoding.UTF8, "application/json"));
+
+        // Either the request is rejected (because state>=100, see Gate B above), OR — if the
+        // implementation reads the gate differently — at minimum the persisted state must not
+        // regress. Encode the load-bearing invariant: state never goes backwards.
+        Assert.That(await factory.GetViewerTutorialStateAsync(viewerId), Is.GreaterThanOrEqualTo(200),
+            "TutorialState must not regress regardless of the alias's accept/reject decision.");
+    }
 }