AppQuality · Kariamos · Jan 23, 2026 · Jan 27, 2026 · Jan 27, 2026 · Jan 28, 2026
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -21,7 +21,7 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
-    "@appquality/tryber-database": "^0.46.11",
+    "@appquality/tryber-database": "^0.46.17",
     "@appquality/wp-auth": "^1.0.7",
     "@aws-crypto/sha256-js": "^5.2.0",
     "@aws-sdk/hash-node": "^3.374.0",

diff --git a/src/reference/openapi.yml b/src/reference/openapi.yml
@@ -3981,6 +3981,82 @@ paths:
         required: true
         schema:
           type: string
+  '/campaigns/{campaign}/finance/attachments':
+    parameters:
+      - schema:
+          type: string
+        name: campaign
+        in: path
+        required: true
+    post:
+      summary: Your POST endpoint
+      tags: []
+      responses:
+        '200':
+          description: OK
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  attachments:
+                    type: array
+                    items:
+                      type: object
+                      required:
+                        - url
+                        - name
+                        - mime_type
+                      properties:
+                        url:
+                          type: string
+                        name:
+                          type: string
+                        mime_type:
+                          type: string
+                  failed:
+                    type: array
+                    items:
+                      type: object
+                      required:
+                        - name
+                        - path
+                      properties:
+                        name:
+                          type: string
+                        path:
+                          type: string
+        '403':
+          $ref: '#/components/responses/NotAuthorized'
+        '500':
+          description: Internal Server Error
+      operationId: post-campaigns-campaign-finance-attachments
+      x-stoplight:
+        id: 0ucra88nj3skb
+      security:
+        - JWT: []
+      requestBody:
+        content:
+          multipart/form-data:
+            schema:
+              type: object
+              properties:
+                attachment:
+                  x-stoplight:
+                    id: loo9qp15yg7er
+                  oneOf:
+                    - type: string
+                      x-stoplight:
+                        id: 1y0da4vjut50n
+                      format: binary
+                    - type: array
+                      x-stoplight:
+                        id: 567eldf6sv5mh
+                      items:
+                        x-stoplight:
+                          id: ykrxebcilk657
+                        type: string
+                        format: binary
   '/campaigns/{campaign}/forms':
     get:
       description: ''
@@ -13199,6 +13275,150 @@ paths:
                 - jotformId
                 - testerQuestionId
       description: ''
+  '/campaigns/{campaign}/finance/supplier':
+    get:
+      description: Get all finance suppliers
+      operationId: get-campaigns-campaign-finance-supplier
+      responses:
+        '200':
+          description: OK
+          content:
+            application/json:
+              schema:
+                type: object
+                required:
+                  - items
+                properties:
+                  items:
+                    type: array
+                    x-stoplight:
+                      id: hhr19m5dfxjtt
+                    items:
+                      x-stoplight:
+                        id: ihcfe7bywmrjs
+                      type: object
+                      required:
+                        - name
+                      properties:
+                        name:
+                          type: string
+                          x-stoplight:
+                            id: 08yzm5eu8tl1h
+                        created_at:
+                          type: string
+                          x-stoplight:
+                            id: w0fmflgc090ff
+                        created_by:
+                          type: integer
+                          x-stoplight:
+                            id: gcs2p8mvl32gc
+              examples:
+                Example 2:
+                  value:
+                    items:
+                      - name: Respondent
+                        created_at: '2026-01-01'
+                        created_by: 10
+        '400':
+          description: Bad Request
+        '403':
+          description: Forbidden
+        '500':
+          description: Internal Server Error
+      security:
+        - JWT: []
+      summary: Get finance supplier
+      x-stoplight:
+        id: tlziygldrfder
+    parameters:
+      - schema:
+          type: string
+        name: campaign
+        in: path
+        required: true
+    post:
+      summary: POST a new supplier
+      operationId: post-campaigns-campaign-finance-supplier
+      tags:
+        - Campaign
+      responses:
+        '201':
+          description: Created
+          content: {}
+        '400':
+          description: Bad Request
+        '403':
+          description: Forbidden
+        '500':
+          description: Internal Server Error
+      security:
+        - JWT: []
+      requestBody:
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - name
+              properties:
+                name:
+                  type: string
+            examples:
+              Example 1:
+                value:
+                  name: Respondent
+      x-stoplight:
+        id: j17dlfvjwluu7
+  '/campaigns/{campaign}/finance/type':
+    parameters:
+      - schema:
+          type: string
+        name: campaign
+        in: path
+        required: true
+    get:
+      summary: GET types
+      tags: []
+      responses:
+        '200':
+          description: OK
+          content:
+            application/json:
+              schema:
+                type: object
+                required:
+                  - items
+                properties:
+                  items:
+                    type: array
+                    x-stoplight:
+                      id: d7f0e5l5qrx6o
+                    items:
+                      x-stoplight:
+                        id: r1p9rcymebjpu
+                      type: object
+                      properties:
+                        name:
+                          type: string
+                          x-stoplight:
+                            id: y0keeoutvijjh
+              examples:
+                Example 1:
+                  value:
+                    items:
+                      - name: Recruiting
+                      - name: Survey
+        '403':
+          $ref: '#/components/responses/NotAuthorized'
+        '404':
+          $ref: '#/components/responses/NotFound'
+        '500':
+          description: Internal Server Error
+      operationId: get-campaigns-campaign-finance-type
+      x-stoplight:
+        id: 02e8ns5xdhecm
+      security:
+        - JWT: []
 servers:
   - url: 'https://api.app-quality.com'
 tags:

diff --git a/src/routes/campaigns/campaignId/finance/attachment/_post/index.spec.ts b/src/routes/campaigns/campaignId/finance/attachment/_post/index.spec.ts
@@ -0,0 +1,98 @@
+import app from "@src/app";
+import { tryber } from "@src/features/database";
+import upload from "@src/features/upload";
+import request from "supertest";
+
+jest.mock("@src/features/upload");
+
+const profile = {
+  id: 1,
+  wp_user_id: 1,
+  email: "tester@example.com",
+  employment_id: 1,
+  education_id: 1,
+};
+const wpUser = {
+  ID: 1,
+  user_login: "tester",
+  user_email: "tester@example.com",
+  user_pass: "pass",
+};
+const campaign = {
+  id: 1,
+  title: "Test Campaign",
+  customer_title: "Test Campaign",
+  start_date: "2020-01-01",
+  end_date: "2020-01-01",
+  pm_id: 1,
+  page_manual_id: 0,
+  page_preview_id: 0,
+  platform_id: 1,
+  customer_id: 1,
+  project_id: 1,
+};
+
+const campaign2 = {
+  ...campaign,
+  id: 2,
+};
+
+describe("Route POST /campaigns/{campaignId}/finance/attachments", () => {
+  beforeAll(async () => {
+    (upload as jest.Mock).mockImplementation(
+      ({ key, bucket }: { bucket: string; key: string }) => {
+        return `https://s3.amazonaws.com/${bucket}/${key}`;
+      }
+    );
+    await tryber.tables.WpUsers.do().insert(wpUser);
+    await tryber.tables.WpAppqEvdProfile.do().insert(profile);
+    await tryber.tables.WpAppqEvdCampaign.do().insert([campaign, campaign2]);
+  });
+
+  afterAll(async () => {
+    await tryber.tables.WpUsers.do().delete();
+    await tryber.tables.WpAppqEvdProfile.do().delete();
+    await tryber.tables.WpAppqEvdCampaign.do().delete();
+  });
+
+  it("Should answer 403 if not logged in", async () => {
+    const response = await request(app).post(
+      "/campaigns/1/finance/attachments"
+    );
+    expect(response.status).toBe(403);
+  });
+
+  it("Should answer 200 and mark as failed if try to send file as .bat, .sh and .exe", async () => {
+    const mockFileBuffer = Buffer.from("some data");
+
+    const response = await request(app)
+      .post("/campaigns/1/finance/attachments")
+      .attach("media", mockFileBuffer, "void.bat")
+      .attach("media", mockFileBuffer, "image.png")
+      .attach("media", mockFileBuffer, "void.sh")
+      .attach("media", mockFileBuffer, "void.exe")
+      .set("authorization", 'Bearer tester olp {"appq_campaign":[1]}');
+
+    expect(response.status).toBe(200);
+    expect(response.body).toHaveProperty("failed", [
+      { path: "INVALID_FILE_EXTENSION", name: "void.bat" },
+      { path: "INVALID_FILE_EXTENSION", name: "void.sh" },
+      { path: "INVALID_FILE_EXTENSION", name: "void.exe" },
+    ]);
+  });
+
+  it("Should answer 200 and mark as failed if try to send an oversized file", async () => {
+    process.env.MAX_FILE_SIZE = "100";
+    const mockFileBuffer = Buffer.alloc(101);
+
+    const response = await request(app)
+      .post("/campaigns/1/finance/attachments")
+      .attach("media", mockFileBuffer, "oversized.png")
+      .set("authorization", 'Bearer tester olp {"appq_campaign":[1]}');
+
+    expect(response.status).toBe(200);
+    expect(response.body).toHaveProperty("failed", [
+      { path: "FILE_TOO_BIG", name: "oversized.png" },
+    ]);
+  });
+});