feat(feedback): in-app user feedback with admin review and account roles
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 9s
CI / integration (pull_request) Successful in 12s
CI / ui (pull_request) Successful in 47s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m12s

User-facing Feedback screen (Settings -> Info, registered accounts only): a
message (<=1024 runes) plus one optional attachment, an anti-spam gate (one
unreviewed message at a time), and the operator's inline reply with a
Settings/Info badge. Server-rendered admin console section (/_gm/feedback):
unread/read/archived queue with per-user search, detail with read/reply/
archive/delete/delete-all, safe attachment serving (nosniff, images inline via
<img>, others download-only). Introduces account_roles, the first per-account
role table; feedback_banned blocks only feedback submission, granted/revoked
from /users and the delete-with-block action.

- migration 00004_feedback (feedback_messages + account_roles) + jetgen
- backend internal/feedback (store+service), internal/account/roles.go
- wire: FlatBuffers feedback.submit/get/unread; gateway guest gate (Op.NonGuest,
  is_guest via session resolve) -> guest_forbidden before any backend call
- reply push reuses NotificationEvent with a new admin_reply sub-kind
- UI: /feedback route + screen, attachment picker, badge, channel detection, i18n
- tests: feedback unit (Go+UI), gateway guest-gate, inttest lifecycle, e2e
- docs: PLAN stage 19, ARCHITECTURE s15, FUNCTIONAL(+ru), TESTING, READMEs
This commit is contained in:
Ilia Denisov
2026-06-15 12:23:10 +02:00
parent fc848157d6
commit 419ea11b14
75 changed files with 3638 additions and 55 deletions
+227
View File
@@ -0,0 +1,227 @@
//go:build integration
package inttest
import (
"context"
"errors"
"strings"
"testing"
"github.com/google/uuid"
"scrabble/backend/internal/account"
"scrabble/backend/internal/feedback"
)
func newFeedbackService() *feedback.Service {
return feedback.NewService(feedback.NewStore(testDB), account.NewStore(testDB))
}
// latestFeedbackID returns the id of the account's single message (across states).
func latestFeedbackID(t *testing.T, svc *feedback.Service, acc uuid.UUID) uuid.UUID {
t.Helper()
ctx := context.Background()
for _, status := range []string{"unread", "read", "archived"} {
rows, err := svc.AdminList(ctx, feedback.AdminFilter{AccountID: acc, Status: status}, 50, 0)
if err != nil {
t.Fatalf("admin list %s: %v", status, err)
}
if len(rows) > 0 {
return rows[0].ID
}
}
t.Fatal("no feedback message for account")
return uuid.Nil
}
func TestFeedbackGuestRejected(t *testing.T) {
svc := newFeedbackService()
guest := provisionGuest(t)
if err := svc.Submit(context.Background(), guest, "hi", nil, "", "web", "1.2.3.4"); !errors.Is(err, feedback.ErrGuestForbidden) {
t.Fatalf("guest submit err = %v, want ErrGuestForbidden", err)
}
}
func TestFeedbackSubmitGateAndReplyLifecycle(t *testing.T) {
ctx := context.Background()
svc := newFeedbackService()
acc := provisionAccount(t)
if err := svc.Submit(ctx, acc, " please fix the board ", []byte("PNGDATA"), "shot.png", "ios", "9.9.9.9"); err != nil {
t.Fatalf("submit: %v", err)
}
// Anti-spam gate: a second message is refused while the first is unreviewed.
if err := svc.Submit(ctx, acc, "again", nil, "", "web", ""); !errors.Is(err, feedback.ErrPendingReview) {
t.Fatalf("second submit err = %v, want ErrPendingReview", err)
}
if st, err := svc.State(ctx, acc); err != nil {
t.Fatal(err)
} else if st.CanSend || st.BlockedReason != "pending" || st.Reply != nil {
t.Fatalf("state = %+v, want pending / no reply", st)
}
id := latestFeedbackID(t, svc, acc)
m, err := svc.AdminGet(ctx, id)
if err != nil {
t.Fatalf("admin get: %v", err)
}
if m.Body != "please fix the board" { // trimmed
t.Fatalf("body = %q, want trimmed", m.Body)
}
if !m.HasAttachment || m.AttachmentName != "shot.png" || m.Channel != "ios" || m.SenderIP != "9.9.9.9" {
t.Fatalf("admin message = %+v", m)
}
if name, data, ok, err := svc.Attachment(ctx, id); err != nil || !ok || name != "shot.png" || string(data) != "PNGDATA" {
t.Fatalf("attachment = (%q, %q, %v, %v)", name, data, ok, err)
}
// Reply: marks the message read (so the player can send again) and is undelivered.
if err := svc.Reply(ctx, id, "We are on it."); err != nil {
t.Fatalf("reply: %v", err)
}
if unread, err := svc.ReplyUnread(ctx, acc); err != nil || !unread {
t.Fatalf("reply unread = %v (err %v), want true", unread, err)
}
st, err := svc.State(ctx, acc)
if err != nil {
t.Fatal(err)
}
if !st.CanSend {
t.Fatal("want canSend true after the message was read via reply")
}
if st.Reply == nil || st.Reply.Body != "We are on it." {
t.Fatalf("reply not shown: %+v", st.Reply)
}
// Fetching the state delivered the reply: the badge clears.
if unread, err := svc.ReplyUnread(ctx, acc); err != nil || unread {
t.Fatalf("reply unread = %v (err %v), want false after State", unread, err)
}
// The reply is hidden one week after it was delivered.
if _, err := testDB.ExecContext(ctx,
`UPDATE backend.feedback_messages SET reply_read_at = now() - interval '8 days' WHERE message_id = $1`, id); err != nil {
t.Fatalf("age reply: %v", err)
}
if st, err := svc.State(ctx, acc); err != nil {
t.Fatal(err)
} else if st.Reply != nil {
t.Fatalf("reply should be hidden after a week, got %+v", st.Reply)
}
}
func TestFeedbackBanRole(t *testing.T) {
ctx := context.Background()
svc := newFeedbackService()
accounts := account.NewStore(testDB)
acc := provisionAccount(t)
if err := accounts.GrantRole(ctx, acc, account.RoleFeedbackBanned); err != nil {
t.Fatalf("grant role: %v", err)
}
if err := svc.Submit(ctx, acc, "hi", nil, "", "web", ""); !errors.Is(err, feedback.ErrBanned) {
t.Fatalf("banned submit err = %v, want ErrBanned", err)
}
if st, err := svc.State(ctx, acc); err != nil {
t.Fatal(err)
} else if st.CanSend || st.BlockedReason != "banned" {
t.Fatalf("state = %+v, want banned", st)
}
// Revoke restores submission (the /users unblock path).
if err := accounts.RevokeRole(ctx, acc, account.RoleFeedbackBanned); err != nil {
t.Fatalf("revoke role: %v", err)
}
if err := svc.Submit(ctx, acc, "hi again", nil, "", "web", ""); err != nil {
t.Fatalf("submit after unban: %v", err)
}
}
func TestFeedbackValidation(t *testing.T) {
ctx := context.Background()
svc := newFeedbackService()
tests := []struct {
name string
body string
attachment []byte
attachmentName string
want error
}{
{"empty body", " ", nil, "", feedback.ErrEmptyMessage},
{"too long", strings.Repeat("a", 1025), nil, "", feedback.ErrMessageTooLong},
{"bad type", "ok", []byte("x"), "evil.exe", feedback.ErrAttachmentType},
{"too large", "ok", make([]byte, 1_000_001), "a.png", feedback.ErrAttachmentTooLarge},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
acc := provisionAccount(t) // fresh account so the pending gate never fires first
if err := svc.Submit(ctx, acc, tt.body, tt.attachment, tt.attachmentName, "web", ""); !errors.Is(err, tt.want) {
t.Fatalf("submit err = %v, want %v", err, tt.want)
}
})
}
}
func TestFeedbackAdminLifecycle(t *testing.T) {
ctx := context.Background()
svc := newFeedbackService()
acc := provisionAccount(t)
if err := svc.Submit(ctx, acc, "first report", nil, "", "web", ""); err != nil {
t.Fatalf("submit: %v", err)
}
id := latestFeedbackID(t, svc, acc)
inCount := func(status string) int {
t.Helper()
n, err := svc.AdminCount(ctx, feedback.AdminFilter{AccountID: acc, Status: status})
if err != nil {
t.Fatalf("count %s: %v", status, err)
}
return n
}
if inCount("unread") != 1 || inCount("read") != 0 || inCount("archived") != 0 {
t.Fatalf("after submit: unread=%d read=%d archived=%d", inCount("unread"), inCount("read"), inCount("archived"))
}
// Marking read moves it from the unread queue to the read list.
if err := svc.MarkRead(ctx, id); err != nil {
t.Fatalf("mark read: %v", err)
}
if inCount("unread") != 0 || inCount("read") != 1 {
t.Fatalf("after read: unread=%d read=%d", inCount("unread"), inCount("read"))
}
// Archiving moves it to the archive.
if err := svc.Archive(ctx, id); err != nil {
t.Fatalf("archive: %v", err)
}
if inCount("read") != 0 || inCount("archived") != 1 {
t.Fatalf("after archive: read=%d archived=%d", inCount("read"), inCount("archived"))
}
// Deleting removes it entirely.
if err := svc.Delete(ctx, id); err != nil {
t.Fatalf("delete: %v", err)
}
if inCount("archived") != 0 {
t.Fatalf("after delete: archived=%d, want 0", inCount("archived"))
}
}
func TestFeedbackDeleteAllByAccount(t *testing.T) {
ctx := context.Background()
svc := newFeedbackService()
acc := provisionAccount(t)
if err := svc.Submit(ctx, acc, "one", nil, "", "web", ""); err != nil {
t.Fatalf("submit: %v", err)
}
if err := svc.DeleteAllByAccount(ctx, acc); err != nil {
t.Fatalf("delete all: %v", err)
}
// The pending gate is clear again (no messages left), so the account can submit.
if has, err := svc.ReplyUnread(ctx, acc); err != nil || has {
t.Fatalf("reply unread after delete-all = %v (err %v)", has, err)
}
if err := svc.Submit(ctx, acc, "fresh", nil, "", "web", ""); err != nil {
t.Fatalf("submit after delete-all: %v", err)
}
}