@axinom/mosaic-graphql-common 0.28.0-rc.15 → 0.28.0-rc.16

package/src/plugins/bulk-edit/bulk-edit-item-change-handler-helpers.spec.ts

@@ -0,0 +1,360 @@
+import { PerformItemChangeCommand } from '@axinom/mosaic-messages';
+import { ClientBase, QueryResult } from 'pg';
+import { handlePerformItemChangeCommand } from './bulk-edit-item-change-handler-helpers';
+
+describe('bulk-edit-item-change-handler-helpers', () => {
+  let mockClient: ClientBase;
+  let mockQuery: jest.MockedFunction<
+    (queryText: string, values?: any[]) => Promise<QueryResult>
+  >;
+
+  // Helper to create a proper QueryResult object
+  const createQueryResult = (rows: any[] = []): QueryResult => ({
+    rows,
+    command: 'SELECT',
+    rowCount: rows.length,
+    oid: 0,
+    fields: [],
+  });
+
+  beforeEach(() => {
+    mockQuery = jest.fn().mockResolvedValue(createQueryResult([]));
+    mockClient = {
+      query: mockQuery,
+    } as unknown as ClientBase;
+  });
+
+  afterEach(() => {
+    jest.restoreAllMocks();
+  });
+
+  describe('handlePerformItemChangeCommand', () => {
+    describe('SET_FIELD_VALUES action', () => {
+      it('should update main entity fields', async () => {
+        // Arrange
+        const payload: PerformItemChangeCommand = {
+          table_name: 'images',
+          action: 'SET_FIELD_VALUES',
+          stringified_condition: JSON.stringify({ id: 'test-id-123' }),
+          stringified_payload: JSON.stringify({
+            title: 'Updated Title',
+            description: 'Updated Description',
+          }),
+        };
+
+        // Act
+        await handlePerformItemChangeCommand(payload, mockClient);
+
+        // Assert
+        expect(mockQuery).toHaveBeenCalledTimes(1);
+        expect(mockQuery).toHaveBeenCalledWith(
+          'UPDATE "images" SET "title" = $1, "description" = $2 WHERE "id" = $3 RETURNING *',
+          ['Updated Title', 'Updated Description', 'test-id-123'],
+        );
+      });
+
+      it('should handle single field update', async () => {
+        // Arrange
+        const payload: PerformItemChangeCommand = {
+          table_name: 'users',
+          action: 'SET_FIELD_VALUES',
+          stringified_condition: JSON.stringify({ id: 'user-123' }),
+          stringified_payload: JSON.stringify({ email: 'new@example.com' }),
+        };
+
+        // Act
+        await handlePerformItemChangeCommand(payload, mockClient);
+
+        // Assert
+        expect(mockQuery).toHaveBeenCalledWith(
+          'UPDATE "users" SET "email" = $1 WHERE "id" = $2 RETURNING *',
+          ['new@example.com', 'user-123'],
+        );
+      });
+    });
+
+    describe('CLEAR_RELATED_ENTITIES action', () => {
+      it('should delete all related entities matching condition', async () => {
+        // Arrange
+        const payload: PerformItemChangeCommand = {
+          table_name: 'images_tags',
+          action: 'CLEAR_RELATED_ENTITIES',
+          stringified_condition: JSON.stringify({ image_id: 'image-123' }),
+          stringified_payload: JSON.stringify({}),
+        };
+
+        // Act
+        await handlePerformItemChangeCommand(payload, mockClient);
+
+        // Assert
+        expect(mockQuery).toHaveBeenCalledTimes(1);
+        expect(mockQuery).toHaveBeenCalledWith(
+          'DELETE FROM "images_tags" WHERE "image_id" = $1 RETURNING *',
+          ['image-123'],
+        );
+      });
+
+      it('should handle multiple condition fields', async () => {
+        // Arrange
+        const payload: PerformItemChangeCommand = {
+          table_name: 'junction_table',
+          action: 'CLEAR_RELATED_ENTITIES',
+          stringified_condition: JSON.stringify({
+            parent_id: 'parent-123',
+            tenant_id: 'tenant-456',
+          }),
+          stringified_payload: JSON.stringify({}),
+        };
+
+        // Act
+        await handlePerformItemChangeCommand(payload, mockClient);
+
+        // Assert
+        expect(mockQuery).toHaveBeenCalledWith(
+          'DELETE FROM "junction_table" WHERE "parent_id" = $1 AND "tenant_id" = $2 RETURNING *',
+          ['parent-123', 'tenant-456'],
+        );
+      });
+    });
+
+    describe('REMOVE_RELATED_ENTITY action', () => {
+      it('should delete specific related entity', async () => {
+        // Arrange
+        const payload: PerformItemChangeCommand = {
+          table_name: 'images_tags',
+          action: 'REMOVE_RELATED_ENTITY',
+          stringified_condition: '',
+          stringified_payload: JSON.stringify({
+            image_id: 'image-123',
+            name: 'tag-to-remove',
+          }),
+        };
+
+        // Act
+        await handlePerformItemChangeCommand(payload, mockClient);
+
+        // Assert
+        expect(mockQuery).toHaveBeenCalledWith(
+          'DELETE FROM "images_tags" WHERE "image_id" = $1 AND "name" = $2 RETURNING *',
+          ['image-123', 'tag-to-remove'],
+        );
+      });
+
+      it('should handle composite key deletion', async () => {
+        // Arrange
+        const payload: PerformItemChangeCommand = {
+          table_name: 'user_role_assignments',
+          action: 'REMOVE_RELATED_ENTITY',
+          stringified_condition: '',
+          stringified_payload: JSON.stringify({
+            user_id: 'user-123',
+            user_role_id: 'role-456',
+          }),
+        };
+
+        // Act
+        await handlePerformItemChangeCommand(payload, mockClient);
+
+        // Assert
+        expect(mockQuery).toHaveBeenCalledWith(
+          'DELETE FROM "user_role_assignments" WHERE "user_id" = $1 AND "user_role_id" = $2 RETURNING *',
+          ['user-123', 'role-456'],
+        );
+      });
+    });
+
+    describe('ADD_RELATED_ENTITY action', () => {
+      it('should upsert new related entity', async () => {
+        // Arrange
+        const payload: PerformItemChangeCommand = {
+          table_name: 'images_tags',
+          action: 'ADD_RELATED_ENTITY',
+          stringified_condition: '',
+          stringified_payload: JSON.stringify({
+            image_id: 'image-123',
+            name: 'new-tag',
+          }),
+        };
+
+        // Act
+        await handlePerformItemChangeCommand(payload, mockClient);
+
+        // Assert
+        expect(mockQuery).toHaveBeenCalledWith(
+          'INSERT INTO "images_tags" ("image_id", "name") VALUES ($1, $2) ON CONFLICT DO NOTHING RETURNING *',
+          ['image-123', 'new-tag'],
+        );
+      });
+
+      it('should handle multiple fields upsert', async () => {
+        // Arrange
+        const payload: PerformItemChangeCommand = {
+          table_name: 'user_role_assignments',
+          action: 'ADD_RELATED_ENTITY',
+          stringified_condition: '',
+          stringified_payload: JSON.stringify({
+            user_id: 'user-123',
+            user_role_id: 'role-456',
+            created_at: '2024-01-01T00:00:00Z',
+          }),
+        };
+
+        // Act
+        await handlePerformItemChangeCommand(payload, mockClient);
+
+        // Assert
+        expect(mockQuery).toHaveBeenCalledWith(
+          'INSERT INTO "user_role_assignments" ("user_id", "user_role_id", "created_at") VALUES ($1, $2, $3) ON CONFLICT DO NOTHING RETURNING *',
+          ['user-123', 'role-456', '2024-01-01T00:00:00Z'],
+        );
+      });
+    });
+
+    describe('Error handling', () => {
+      it('should throw foreign key constraint errors', async () => {
+        // Arrange
+        const payload: PerformItemChangeCommand = {
+          table_name: 'images_tags',
+          action: 'ADD_RELATED_ENTITY',
+          stringified_condition: '',
+          stringified_payload: JSON.stringify({
+            image_id: 'image-123',
+            name: 'tag',
+          }),
+        };
+
+        const foreignKeyError = new Error(
+          'insert or update on table "images_tags" violates foreign key constraint',
+        );
+        mockQuery.mockRejectedValueOnce(foreignKeyError);
+
+        // Act & Assert
+        await expect(
+          handlePerformItemChangeCommand(payload, mockClient),
+        ).rejects.toThrow(
+          'insert or update on table "images_tags" violates foreign key constraint',
+        );
+      });
+
+      it('should throw database connection errors', async () => {
+        // Arrange
+        const payload: PerformItemChangeCommand = {
+          table_name: 'images',
+          action: 'SET_FIELD_VALUES',
+          stringified_condition: JSON.stringify({ id: 'test-id' }),
+          stringified_payload: JSON.stringify({ title: 'Test' }),
+        };
+
+        const connectionError = new Error('ECONNREFUSED');
+        mockQuery.mockRejectedValueOnce(connectionError);
+
+        // Act & Assert
+        await expect(
+          handlePerformItemChangeCommand(payload, mockClient),
+        ).rejects.toThrow('ECONNREFUSED');
+      });
+    });
+
+    describe('Edge cases', () => {
+      it('should handle empty payload for CLEAR_RELATED_ENTITIES', async () => {
+        // Arrange
+        const payload: PerformItemChangeCommand = {
+          table_name: 'images_tags',
+          action: 'CLEAR_RELATED_ENTITIES',
+          stringified_condition: JSON.stringify({ image_id: 'empty-image' }),
+          stringified_payload: JSON.stringify({}),
+        };
+
+        // Act
+        await handlePerformItemChangeCommand(payload, mockClient);
+
+        // Assert
+        expect(mockQuery).toHaveBeenCalledTimes(1);
+      });
+
+      it('should handle special characters in table names', async () => {
+        // Arrange
+        const payload: PerformItemChangeCommand = {
+          table_name: 'app_public.images_tags',
+          action: 'CLEAR_RELATED_ENTITIES',
+          stringified_condition: JSON.stringify({ image_id: 'test' }),
+          stringified_payload: JSON.stringify({}),
+        };
+
+        // Act
+        await handlePerformItemChangeCommand(payload, mockClient);
+
+        // Assert
+        expect(mockQuery).toHaveBeenCalledWith(
+          'DELETE FROM "app_public.images_tags" WHERE "image_id" = $1 RETURNING *',
+          ['test'],
+        );
+      });
+
+      it('should handle NULL values in payload', async () => {
+        // Arrange
+        const payload: PerformItemChangeCommand = {
+          table_name: 'images',
+          action: 'SET_FIELD_VALUES',
+          stringified_condition: JSON.stringify({ id: 'test-id' }),
+          stringified_payload: JSON.stringify({
+            description: null,
+            tags: null,
+          }),
+        };
+
+        // Act
+        await handlePerformItemChangeCommand(payload, mockClient);
+
+        // Assert
+        expect(mockQuery).toHaveBeenCalledWith(
+          'UPDATE "images" SET "description" = $1, "tags" = $2 WHERE "id" = $3 RETURNING *',
+          [null, null, 'test-id'],
+        );
+      });
+    });
+  });
+
+  describe('SQL injection protection', () => {
+    it('should properly escape column names with quotes', async () => {
+      // Arrange
+      const payload: PerformItemChangeCommand = {
+        table_name: 'images',
+        action: 'SET_FIELD_VALUES',
+        stringified_condition: JSON.stringify({ id: 'test-id' }),
+        stringified_payload: JSON.stringify({
+          'column; DROP TABLE images;': 'malicious',
+        }),
+      };
+
+      // Act
+      await handlePerformItemChangeCommand(payload, mockClient);
+
+      // Assert - Column names should be quoted, preventing SQL injection
+      expect(mockQuery).toHaveBeenCalledWith(
+        'UPDATE "images" SET "column; DROP TABLE images;" = $1 WHERE "id" = $2 RETURNING *',
+        ['malicious', 'test-id'],
+      );
+    });
+
+    it('should use parameterized queries for values', async () => {
+      // Arrange
+      const maliciousValue = "'; DROP TABLE images; --";
+      const payload: PerformItemChangeCommand = {
+        table_name: 'images',
+        action: 'SET_FIELD_VALUES',
+        stringified_condition: JSON.stringify({ id: 'test-id' }),
+        stringified_payload: JSON.stringify({ title: maliciousValue }),
+      };
+
+      // Act
+      await handlePerformItemChangeCommand(payload, mockClient);
+
+      // Assert - Value should be parameterized, not interpolated
+      expect(mockQuery).toHaveBeenCalledWith(
+        'UPDATE "images" SET "title" = $1 WHERE "id" = $2 RETURNING *',
+        [maliciousValue, 'test-id'],
+      );
+    });
+  });
+});

package/src/plugins/bulk-edit/bulk-edit-item-change-handler-helpers.ts

@@ -7,16 +7,18 @@ import {
 import { ClientBase, QueryResult } from 'pg';
 import { DatabaseClient } from 'pg-transactional-outbox';
 
-async function insert(
+async function upsert(
   client: ClientBase,
   tableName: string,
   jsonObject: Record<string, unknown>,
 ): Promise<QueryResult> {
-  const columns = Object.keys(jsonObject).join(', ');
+  const columns = Object.keys(jsonObject)
+    .map((col) => `"${col}"`)
+    .join(', ');
   const values = Object.values(jsonObject);
   const placeholders = values.map((_, index) => `$${index + 1}`).join(', ');
 
-  const query = `INSERT INTO ${tableName} (${columns}) VALUES (${placeholders}) RETURNING *`;
+  const query = `INSERT INTO "${tableName}" (${columns}) VALUES (${placeholders}) ON CONFLICT DO NOTHING RETURNING *`;
 
   return client.query(query, values);
 }
@@ -28,86 +30,104 @@ async function update(
   condition: Record<string, unknown>,
 ): Promise<QueryResult> {
   const setClause = Object.keys(jsonObject)
-    .map((key, index) => `${key} = $${index + 1}`)
+    .map((key, index) => `"${key}" = $${index + 1}`)
     .join(', ');
   const values = Object.values(jsonObject);
 
-  const conditionClause = Object.keys(condition)
-    .map((key, index) => `${key} = $${index + 1 + values.length}`)
-    .join(' AND ');
-  const conditionValues = Object.values(condition);
+  const { clause: conditionClause, values: conditionValues } = buildWhereClause(
+    condition,
+    values.length,
+  );
 
-  const query = `UPDATE ${tableName} SET ${setClause} WHERE ${conditionClause} RETURNING *`;
+  const query = `UPDATE "${tableName}" SET ${setClause} WHERE ${conditionClause} RETURNING *`;
 
   return client.query(query, [...values, ...conditionValues]);
 }
 
-async function deletes(
+/**
+ * Helper to build WHERE clause from a condition object
+ */
+function buildWhereClause(
+  condition: Record<string, unknown>,
+  parameterOffset = 0,
+): { clause: string; values: unknown[] } {
+  const values = Object.values(condition);
+  const clause = Object.keys(condition)
+    .map((key, index) => `"${key}" = $${index + 1 + parameterOffset}`)
+    .join(' AND ');
+
+  return { clause, values };
+}
+
+/**
+ * Deletes records from a table matching the given condition
+ */
+async function deleteWhere(
   client: ClientBase,
   tableName: string,
-  jsonObject: Record<string, unknown>,
+  condition: Record<string, unknown>,
 ): Promise<QueryResult> {
-  const conditionClause = Object.keys(jsonObject)
-    .map((key, index) => `${key} = $${index + 1}`)
-    .join(' AND ');
-  const conditionValues = Object.values(jsonObject);
+  const { clause, values } = buildWhereClause(condition);
+  const query = `DELETE FROM "${tableName}" WHERE ${clause} RETURNING *`;
 
-  const query = `DELETE FROM ${tableName} WHERE ${conditionClause} RETURNING *`;
-
-  return client.query(query, conditionValues);
+  return client.query(query, values);
 }
 
 export async function handlePerformItemChangeCommand(
   payload: PerformItemChangeCommand,
   client: ClientBase,
 ): Promise<void> {
-  try {
-    if (payload.action === 'SET_FIELD_VALUES') {
+  switch (payload.action) {
+    case 'SET_FIELD_VALUES':
       await update(
         client,
         payload.table_name,
         JSON.parse(payload.stringified_payload),
         { id: JSON.parse(payload.stringified_condition).id },
       );
-    } else if (payload.action === 'REMOVE_RELATED_ENTITY') {
-      await deletes(
+      break;
+
+    case 'CLEAR_RELATED_ENTITIES':
+      await deleteWhere(
+        client,
+        payload.table_name,
+        JSON.parse(payload.stringified_condition),
+      );
+      break;
+
+    case 'REMOVE_RELATED_ENTITY':
+      await deleteWhere(
         client,
         payload.table_name,
         JSON.parse(payload.stringified_payload),
       );
-    } else if (payload.action === 'ADD_RELATED_ENTITY') {
-      await insert(
+      break;
+
+    case 'ADD_RELATED_ENTITY':
+      await upsert(
         client,
         payload.table_name,
         JSON.parse(payload.stringified_payload),
       );
-    }
-
-    // TODO: Publish success event or implement a JOB tracking/monitoring mechanism
-  } catch (error) {
-    // TODO: If error is a known/expected one like `duplicate key value violates unique constraint` we ignore it, else we throw it and bubble up.
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    const errorAsAny = error as any;
-    if (
-      errorAsAny.message &&
-      typeof errorAsAny.message === 'string' &&
-      errorAsAny.message.startsWith(
-        'duplicate key value violates unique constraint',
-      )
-    ) {
-      // Skipping duplicate key error
-    } else {
-      throw error;
-    }
+      break;
   }
+
+  // TODO: Publish success event or implement a JOB tracking/monitoring mechanism
 }
 
+/**
+ * !NOTE!
+ *
+ * This is a temporary stub implementation that needs to be properly implemented later.
+ * The idea is to have a way to track failed item change commands and notify the users
+ * or systems about the failures.
+ */
 export async function handlePerformItemChangeCommandError(
-  config: BasicConfig,
-  error: Error,
-  message: TypedTransactionalMessage<PerformItemChangeCommand>,
-  storeOutboxMessage: StoreOutboxMessage,
-  client: DatabaseClient,
+  _config: BasicConfig,
+  _error: Error,
+  _message: TypedTransactionalMessage<PerformItemChangeCommand>,
+  _storeOutboxMessage: StoreOutboxMessage,
+  _client: DatabaseClient,
 ): Promise<void> {
   // TODO: Publish failed event or implement a JOB tracking/monitoring mechanism
   //