fix tests and add permission check

web/api/v2/minikit/send-notification/graphql/fetch-metadata.generated.ts

@@ -15,6 +15,8 @@ export type GetAppMetadataQuery = {
     name: string;
     app_id: string;
     is_reviewer_app_store_approved: boolean;
+    is_allowed_unlimited_notifications?: boolean | null;
+    max_notifications_per_day?: number | null;
     app: { __typename?: "app"; team: { __typename?: "team"; id: string } };
   }>;
 };
@@ -31,6 +33,8 @@ export const GetAppMetadataDocument = gql`
       name
       app_id
       is_reviewer_app_store_approved
+      is_allowed_unlimited_notifications
+      max_notifications_per_day
       app {
         team {
           id

web/api/v2/minikit/send-notification/graphql/fetch-metadata.graphql

@@ -9,6 +9,8 @@ query GetAppMetadata($app_id: String!) {
     name
     app_id
     is_reviewer_app_store_approved
+    is_allowed_unlimited_notifications
+    max_notifications_per_day
     app {
       team {
         id

web/api/v2/minikit/send-notification/index.ts

@@ -204,6 +204,18 @@ export const POST = async (req: NextRequest) => {
   const appMetadata = app_metadata?.[0];
   const teamId = appMetadata.app.team.id;
 
+  if (
+    !appMetadata.is_allowed_unlimited_notifications &&
+    appMetadata.max_notifications_per_day === 0
+  ) {
+    return errorResponse({
+      statusCode: 400,
+      code: "not_allowed",
+      detail: "Notifications not enabled for this app",
+      req,
+    });
+  }
+
   // Anchor: Send notification
 
   const signedFetch = createSignedFetcher({

web/tests/api/v2/minikit-app-metadata.test.ts

@@ -84,6 +84,7 @@ const validAppMetadataResponse = [
     supported_countries: ["us"],
     supported_languages: ["en"],
     associated_domains: ["https://worldcoin.org"],
+    is_allowed_unlimited_notifications: false,
     app: { team: { name: "test" }, rating_sum: 10, rating_count: 3 },
   },
 ];
@@ -181,6 +182,7 @@ describe("/api/v2/minikit/app-metadata/[app_id] [success cases]", () => {
           supported_countries: ["us"],
           supported_languages: ["en"],
           app: { team: { name: "test" }, rating_sum: 10, rating_count: 3 },
+          is_allowed_unlimited_notifications: false,
         },
       ],
     });

web/tests/api/v2/send-notification.test.ts

@@ -32,7 +32,17 @@ jest.mock("aws-sigv4-fetch", () => ({
   createSignedFetcher: () =>
     jest.fn(() =>
       Promise.resolve({
-        json: () => ({}),
+        json: () => ({
+          result: {
+            results: [
+              {
+                walletAddress: "0x1234567890abcdef1234567890abcdef12345678",
+                sent: true,
+                reason: "User has disabled notifications",
+              },
+            ],
+          },
+        }),
         ok: true,
         status: 201,
       }),
@@ -234,7 +244,7 @@ describe("/api/v2/minikit/send-notification [error cases]", () => {
     expect((await res.json()).detail).toBe("API key is inactive.");
   });
 
-  it("returns 403 if app team is invalid", async () => {
+  it("returns 400 if not allowed to send notifications", async () => {
     const mockReq = createMockRequest({
       url: "http://localhost:3000/api/v2/minikit/send-notification",
       api_key: validApiKey,
@@ -247,15 +257,17 @@ describe("/api/v2/minikit/send-notification [error cases]", () => {
           name: "Example App",
           app_id: "app_staging_9cdd0a714aec9ed17dca660bc9ffe72a",
           is_reviewer_app_store_approved: true,
+          is_allowed_unlimited_notifications: false,
+          max_notifications_per_day: 0,
           app: { team: { id: "random" } },
         },
       ],
     });
 
     const res = await POST(mockReq);
-    expect(res.status).toBe(403);
+    expect(res.status).toBe(400);
     expect((await res.json()).detail).toBe(
-      "You are not allowed to send notifications.",
+      "Notifications not enabled for this app",
     );
   });
 });