Ensure Orders are securely partitioned by Booking Partner #231

@lukehesluke

As pointed out in Test Suite issue openactive/openactive-test-suite#441:

Orders from two different bookings partners must not be visible to each other, and UUID must be unique within each booking partner

However, when attempting to write a test for that in this PR: https://github.com/openactive/openactive-test-suite/pull/450/files#diff-05437e97561976a2f6835f0af9daa84b5e8ac9c84f994915b789fb23e01ffffd, it was found that OpenActive.Server.NET does not satisfy this requirement. Here is how to reproduce this bug (it comes from the steps in the packages/openactive-integration-tests/test/features/authentication/booking-partner-authentication/implemented/booking-partner-partitioning-for-orders-test.js file from that PR):

  1. Start OpenActive.Server.NET with at least two booking partners supported (this is the default configuration with which OpenActive.Server.NET starts when running against Test Suite)
  2. Generate a (v4) UUID
  3. With the 1st booking partner, book any opportunity and then cancel it, using the UUID.
    • This Order will now be visible in the 1st booking partner's Orders feed
  4. With the 2nd booking partner, book any opportunity and then cancel it, still using the same UUID as before
    • Observe that this 2nd Order never surfaces in the 2nd booking partner's Orders feed. This is the bug ❌

If this bug is resolved, the next step is to update these Test Suite tests:

  • packages/openactive-integration-tests/test/features/authentication/booking-partner-authentication/implemented/booking-partner-partitioning-for-orders-test.js; and
  • packages/openactive-integration-tests/test/features/authentication/booking-partner-authentication/implemented/booking-partner-partitioning-for-order-proposals-test.js

to un-comment out the bits that are commented out due to the existence of this bug.
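
A small model of the reproduction steps above, added here as an illustration; it is not part of the original issue and is not OpenActive.Server.NET code. The `OrderStore` class, the partner ids and the UUID are constructed, and keying Orders by UUID alone is an assumed cause used only to show what the partitioning check detects; the issue does not state the actual cause.

```javascript
// Constructed in-memory model of an order store; NOT OpenActive.Server.NET code.
// keyFn decides how an Order is identified in storage.
class OrderStore {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.orders = new Map();
  }

  // Book: insert only if no Order with this key exists yet.
  book(partnerId, uuid) {
    const key = this.keyFn(partnerId, uuid);
    if (this.orders.has(key)) return false; // treated as a duplicate
    this.orders.set(key, { partnerId, uuid, status: 'booked' });
    return true;
  }

  // Cancel: only the owning partner may change the Order.
  cancel(partnerId, uuid) {
    const order = this.orders.get(this.keyFn(partnerId, uuid));
    if (!order || order.partnerId !== partnerId) return false;
    order.status = 'cancelled';
    return true;
  }

  // Orders feed: a partner sees only its own Orders.
  feed(partnerId) {
    return [...this.orders.values()].filter((o) => o.partnerId === partnerId);
  }
}

// Assumed cause (hypothetical): identity is the UUID alone.
const uuidOnlyKey = (_partnerId, uuid) => uuid;
// Partitioned: identity is the (booking partner, UUID) pair.
const partitionedKey = (partnerId, uuid) => JSON.stringify([partnerId, uuid]);

// Steps 2-4 of the reproduction; returns how many Orders each feed shows.
function runPartitioningCheck(keyFn) {
  const store = new OrderStore(keyFn);
  const uuid = '6f1d2c3a-4b5e-4f60-8a7b-9c0d1e2f3a4b'; // constructed v4 UUID
  for (const partner of ['partner-1', 'partner-2']) {
    store.book(partner, uuid);
    store.cancel(partner, uuid);
  }
  return {
    partner1: store.feed('partner-1').length,
    partner2: store.feed('partner-2').length,
  };
}
```

With `uuidOnlyKey` the second partner's feed stays empty, matching the symptom in step 4; with `partitionedKey` each partner sees exactly its own Order and neither sees the other's.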
