Product Catalog Testing Runbook (Manual)
1. Overviewβ
This document outlines the sequential testing flow for the Reshma-Core Product Module. These tests verify the polymorphic Zod validation, Cloudinary image uploads, and Admin Role-Based Access Control (RBAC).
Recommended Tools: Thunder Client (VS Code) or Postman.
2. Prerequisites & Environment Setupβ
Before testing the write operations, you must have an Admin account.
- Register a new user via
POST /api/v1/auth/register(or use an existing one). - Open MongoDB Compass (or Atlas), find that user document, and manually change
"role": "USER"to"role": "ADMIN". - Hit
POST /api/v1/auth/loginto get a freshaccessToken. - The Base URL is
http://localhost:5000/api/v1/products.
3. The "Happy Path" (Sequential Test Suite)β
Test 1: Create a Bangle Product (Admin)β
Because this endpoint handles file uploads, we cannot use the raw JSON body tab. We must use the Form Data tab.
- Action: Send
POST / - Headers:
Authorization: Bearer <YOUR_ADMIN_ACCESS_TOKEN> - Body Configuration:
- In Thunder Client, go to the Body tab.
- Select Form (or
multipart/form-data). - Add the following Text key-value pairs:
itemType:BANGLEsku:TEST-BAN-001name:Bridal Glass Bangle SetmainCategory:BanglessubCategory:Glass Banglesmaterial:GLASSsellingUnit:DozenbasePrice:450currentStock:50weightGrams:350isFragile:truebangleSizes[0]:2.4(Note how arrays are passed in forms)bangleSizes[1]:2.6packSize:12
- Add the File field:
- Key:
images - Type: Change this from "Text" to "File".
- Value: Select any test image (e.g.,
reshma_bangles.jpgfrom your assets).
- Key:
- Expected Result:
201 Created. - Side-Effect Verification: 1. The JSON response should show the generated MongoDB
_id. Copy this ID for the next tests. 2. Theimagesarray in the response should contain a livehttps://res.cloudinary.com/...URL.
Test 2: Fetch the Catalog (Public)β
- Action: Send
GET /?page=1&limit=5&itemType=BANGLE - Auth: None required.
- Expected Result:
200 OK. The response should contain your newly created Bangle inside thedata.productsarray, and themetaobject should showtotal: 1.
Test 3: Fetch a Single Product (Public)β
- Action: Send
GET /<PASTE_PRODUCT_ID_HERE> - Auth: None required.
- Expected Result:
200 OK. Returns the single Bangle document.
Test 4: Update Inventory Stock (Admin)β
Unlike creation, updates can be sent as standard JSON.
-
Action: Send
PATCH /<PASTE_PRODUCT_ID_HERE> -
Headers:
Authorization: Bearer <YOUR_ADMIN_ACCESS_TOKEN> -
Body (JSON):
{"currentStock": 45,"basePrice": 499} -
Expected Result:
200 OK. The product's stock and price should instantly reflect the changes.
Test 5: Soft Delete Product (Admin)β
- Action: Send
DELETE /<PASTE_PRODUCT_ID_HERE> - Headers:
Authorization: Bearer <YOUR_ADMIN_ACCESS_TOKEN> - Expected Result:
200 OKwith message "Product successfully removed...". - Side-Effect Verification: Hit the
GET /<PASTE_PRODUCT_ID_HERE>(Test 3) again. It should now return a 404Not Foundbecause theisActiveflag was set to false, hiding it from the public.
4. Security & Edge Case Testing (Negative Tests)β
Edge Case 1: RBAC Firewall (Unauthorized Role)β
- Action: Login with a standard
USERaccount (not an ADMIN). Use that access token to hitDELETE /<PRODUCT_ID>. - Expected Result:
403 Forbidden. Message should indicate insufficient permissions.
Edge Case 2: Zod Polymorphic Firewall (Wrong Category Fields)β
-
Action: Try to create an Apparel item, but pass Bangle properties.
itemType:APPARELbangleSizes[0]:2.4(Invalid for Apparel)
-
Expected Result:
400 Bad Request. Zod should strip out the bangle size, realizesizes(required for Apparel) is missing, and throw an error stating:"Validation Failed: sizes: Required".
Edge Case 3: Cloudinary File Limitβ
- Action: Try to
POST /with a file larger than 5MB. - Expected Result:
400 Bad Requestor500caught by Multer's file size limit, preventing server memory exhaustion.