Skip to content

Expose ibis team billing endpoint for web e2e tests#5340

Open
thisisamir98 wants to merge 2 commits into
developfrom
allow-ibis-endpoints
Open

Expose ibis team billing endpoint for web e2e tests#5340
thisisamir98 wants to merge 2 commits into
developfrom
allow-ibis-endpoints

Conversation

@thisisamir98

@thisisamir98 thisisamir98 commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add a staging-only nginz route for /i/team/{id}/billing (ibis internal upstream)
  • Uses the established test endpoint pattern: envs: staging, disable_zauth, basic_auth, versioned: false
  • Allows web e2e tests to upgrade teams to premium via ibis without a logged-in Wire user
  • Leaves the public /teams/{id}/billing route unchanged for normal authenticated users

Test plan

  • Deploy to a staging environment and verify /i/team/{teamId}/billing routes to ibis with basic auth
  • Confirm the public /teams/{teamId}/billing route still requires zauth
  • Confirm web e2e tests can upgrade a team to premium via the internal endpoint
  • Verify calling feature e2e tests pass with the premium team setup

Enable basic auth on the nginz route for /teams/{id}/billing so web e2e
tests can upgrade teams to premium via ibis and exercise calling features.
@thisisamir98
thisisamir98 requested review from a team as code owners July 15, 2026 12:27
@zebot zebot added the ok-to-test Approved for running tests in CI, overrides not-ok-to-test if both labels exist label Jul 15, 2026

@jschaul jschaul left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hm, the current PR has its problems. The auth thing isn't documented in the best way.

But basically in the "normal" user case, a user is authenticated with wire (eg using team settings) then does a request here, and there is a Bearer token sent along (that is meant by "zauth"). Nginx+ibis should currently validate that users can only change things for their team and not someone else's team. It's important to keep that in place. So no you don't want to disable it.

But at the same time the basic auth flow we can only add on non-production systems.
So you'd need another block in the yaml which has all of what I said: envs: - staging (that mean everything but not production), disable_zauth: true, basic_auth: true for a specific URL in ibis that expect to get no logged in user but where you can essentially bypass normal user/team authentication to do something. Ideally you should have a special handler for this in ibis and not mix this with the normal auth flow, and then a extra entry in the list in nginz. You can't easily mix both concerns on exactly the same handler. If zauth is enabled, then nginx will refuse the request if you're not logged into Wire and don't send a token along. But in the tests you want to bypass that.

So the pattern you can follow which is in place for all the other basic auth requests that aid testing is:

  1. new endpoint (in wire-server by convention it has a /i/ prefix for "internal") but can be anything
  2. new entry in nginx that is separate from current ones that expects no token/user, but basic auth credentials instead

Could you rework this PR and ensure it also has a matching endpoint inside ibis?

Add a separate nginz entry for /i/team/{id}/billing with staging-only
basic auth and disabled zauth, following the established internal test
endpoint pattern. Revert the incorrect basic_auth change on the public
/teams/{id}/billing route used by authenticated users.
@thisisamir98

Copy link
Copy Markdown
Contributor Author

@jschaul Thanks for the detailed explanation, that makes sense.

I've reworked the PR to follow the established pattern:

  • Reverted the basic_auth change on the public /teams/{id}/billing route, so normal user auth via zauth stays intact.
  • Added a separate staging-only nginz entry for the existing ibis internal endpoint /i/team/{id}/billing with:
    envs: - staging
    disable_zauth: true
    basic_auth: true
    versioned: false

This should let web e2e tests upgrade a team to premium via basic auth on staging, without affecting the production user billing flow. Let me know if anything else looks off.

@bsinou

bsinou commented Jul 15, 2026

Copy link
Copy Markdown

Please, pause (a.k.a do not merge) this PR for the time being.
We will come back to you soon.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ok-to-test Approved for running tests in CI, overrides not-ok-to-test if both labels exist

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants