@dbos-inc/koa-serve 3.5.44-preview.gc094fdab44 → 3.6.3-preview

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dbos-inc/koa-serve",
-  "version": "3.5.44-preview.gc094fdab44",
+  "version": "3.6.3-preview",
   "description": "DBOS HTTP Package for serving workflows with Koa",
   "license": "MIT",
   "repository": {

package/src/dboshttp.ts

@@ -2,7 +2,20 @@ import { IncomingHttpHeaders } from 'http';
 import { ParsedUrlQuery } from 'querystring';
 import { randomUUID } from 'node:crypto';
 
-import { DBOS, DBOSLifecycleCallback, Error as DBOSErrors, MethodParameter } from '@dbos-inc/dbos-sdk';
+import {
+  DBOS,
+  DBOSLifecycleCallback,
+  Error as DBOSErrors,
+  MethodParameter,
+  requestArgValidation,
+  ArgRequired,
+  ArgOptional,
+  DefaultArgRequired,
+  DefaultArgValidate,
+  DefaultArgOptional,
+  ArgDate,
+  ArgVarchar,
+} from '@dbos-inc/dbos-sdk';
 
 export enum APITypes {
   GET = 'GET',
@@ -94,7 +107,7 @@ export class DBOSHTTPBase implements DBOSLifecycleCallback {
       propertyKey: string,
       descriptor: TypedPropertyDescriptor<(this: This, ...args: Args) => Promise<Return>>,
     ) {
-      const { regInfo } = DBOS.associateFunctionWithInfo(er, descriptor.value!, {
+      const { registration, regInfo } = DBOS.associateFunctionWithInfo(er, descriptor.value!, {
         ctorOrProto: target,
         name: propertyKey,
       });
@@ -104,6 +117,7 @@ export class DBOSHTTPBase implements DBOSLifecycleCallback {
         apiURL: url,
         apiType: verb,
       });
+      requestArgValidation(registration);
 
       return descriptor;
     };
@@ -134,9 +148,27 @@ export class DBOSHTTPBase implements DBOSLifecycleCallback {
     return this.httpApiDec(APITypes.DELETE, url);
   }
 
+  /** Parameter decorator indicating which source to use (URL, BODY, etc) for arg data */
+  static argSource(source: ArgSources) {
+    return function (target: object, propertyKey: PropertyKey, parameterIndex: number) {
+      const curParam = DBOS.associateParamWithInfo(
+        DBOSHTTP,
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+        Object.getOwnPropertyDescriptor(target, propertyKey)!.value,
+        {
+          ctorOrProto: target,
+          name: propertyKey.toString(),
+          param: parameterIndex,
+        },
+      ) as DBOSHTTPArgInfo;
+
+      curParam.argSource = source;
+    };
+  }
+
   protected getArgSource(arg: MethodParameter) {
-    void arg;
-    return ArgSources.AUTO;
+    const arginfo = arg.getRegisteredInfo(DBOSHTTP) as DBOSHTTPArgInfo;
+    return arginfo?.argSource ?? ArgSources.AUTO;
   }
 
   logRegisteredEndpoints(): void {
@@ -157,4 +189,29 @@ export class DBOSHTTPBase implements DBOSLifecycleCallback {
       }
     }
   }
+
+  static argRequired(target: object, propertyKey: PropertyKey, parameterIndex: number) {
+    ArgRequired(target, propertyKey, parameterIndex);
+  }
+
+  static argOptional(target: object, propertyKey: PropertyKey, parameterIndex: number) {
+    ArgOptional(target, propertyKey, parameterIndex);
+  }
+
+  static argDate() {
+    return ArgDate();
+  }
+  static argVarchar(n: number) {
+    return ArgVarchar(n);
+  }
+
+  static defaultArgRequired<T extends { new (...args: unknown[]): object }>(ctor: T) {
+    return DefaultArgRequired(ctor);
+  }
+  static defaultArgOptional<T extends { new (...args: unknown[]): object }>(ctor: T) {
+    return DefaultArgOptional(ctor);
+  }
+  static defaultArgValidate<T extends { new (...args: unknown[]): object }>(ctor: T) {
+    return DefaultArgValidate(ctor);
+  }
 }

package/src/dboskoa.ts

@@ -344,7 +344,7 @@ export class DBOSKoa extends DBOSHTTPBase {
           } catch (e) {
             if (e instanceof Error) {
               span?.setStatus({ code: SpanStatusCode.ERROR, message: e.message });
-              let st = 500;
+              let st = (e as DBOSErrors.DBOSResponseError)?.status || 500;
               if (isClientRequestError(e)) {
                 st = 400; // Set to 400: client-side error.
               }

package/src/index.ts

@@ -1,3 +1,5 @@
+import { DBOSKoa } from './dboskoa';
+
 export {
   ArgSources,
   DBOSHTTP,
@@ -12,3 +14,17 @@ export {
 } from './dboshttp';
 
 export { DBOSKoa, DBOSKoaAuthContext, DBOSKoaClassReg, DBOSKoaAuthMiddleware, DBOSKoaConfig } from './dboskoa';
+
+// Export these as unbound functions.  We know this is safe,
+//  and it more closely matches the existing library syntax.
+// (Using the static function as a decorator, for some reason,
+//  is erroneously getting considered as unbound by some lint versions,
+//  as there are no parens following it?)
+export const DefaultArgOptional = DBOSKoa.defaultArgOptional;
+export const DefaultArgRequired = DBOSKoa.defaultArgRequired;
+export const DefaultArgValidate = DBOSKoa.defaultArgValidate;
+export const ArgDate = DBOSKoa.argDate;
+export const ArgOptional = DBOSKoa.argOptional;
+export const ArgRequired = DBOSKoa.argRequired;
+export const ArgSource = DBOSKoa.argSource;
+export const ArgVarchar = DBOSKoa.argVarchar;

package/tests/argsource.test.ts

@@ -0,0 +1,151 @@
+import Koa from 'koa';
+import Router from '@koa/router';
+
+import { DBOS } from '@dbos-inc/dbos-sdk';
+
+import { ArgSources, DBOSKoa } from '../src';
+
+import request from 'supertest';
+import bodyParser from '@koa/bodyparser';
+
+const dhttp = new DBOSKoa();
+
+describe('httpserver-argsource-tests', () => {
+  let app: Koa;
+  let appRouter: Router;
+
+  beforeAll(async () => {
+    DBOS.setConfig({
+      name: 'dbos-koa-test',
+      userDatabaseClient: 'pg-node',
+    });
+    return Promise.resolve();
+  });
+
+  beforeEach(async () => {
+    const _classes = [ArgTestEndpoints];
+    await DBOS.launch();
+    app = new Koa();
+    appRouter = new Router();
+    dhttp.registerWithApp(app, appRouter);
+  });
+
+  afterEach(async () => {
+    await DBOS.shutdown();
+  });
+
+  test('get-query', async () => {
+    const response1 = await request(app.callback()).get('/getquery?name=alice');
+    expect(response1.statusCode).toBe(200);
+    expect(response1.text).toBe('hello alice');
+    const response2 = await request(app.callback()).get('/getquery').send({ name: 'alice' });
+    expect(response2.statusCode).toBe(400);
+  });
+
+  test('get-body', async () => {
+    const response1 = await request(app.callback()).get('/getbody?name=alice');
+    expect(response1.statusCode).toBe(400);
+    const response2 = await request(app.callback()).get('/getbody').send({ name: 'alice' });
+    expect(response2.statusCode).toBe(200);
+    expect(response2.text).toBe('hello alice');
+  });
+
+  test('get-default', async () => {
+    const response1 = await request(app.callback()).get('/getdefault?name=alice');
+    expect(response1.statusCode).toBe(200);
+    expect(response1.text).toBe('hello alice');
+    const response2 = await request(app.callback()).get('/getdefault').send({ name: 'alice' });
+    expect(response2.statusCode).toBe(400);
+  });
+
+  test('get-auto', async () => {
+    const response1 = await request(app.callback()).get('/getauto?name=alice');
+    expect(response1.statusCode).toBe(200);
+    expect(response1.text).toBe('hello alice');
+    const response2 = await request(app.callback()).get('/getauto').send({ name: 'alice' });
+    expect(response2.statusCode).toBe(200);
+    expect(response2.text).toBe('hello alice');
+  });
+
+  test('post-query', async () => {
+    const response1 = await request(app.callback()).post('/postquery?name=alice');
+    expect(response1.statusCode).toBe(200);
+    expect(response1.text).toBe('hello alice');
+    const response2 = await request(app.callback()).post('/postquery').send({ name: 'alice' });
+    expect(response2.statusCode).toBe(400);
+  });
+
+  test('post-body', async () => {
+    const response1 = await request(app.callback()).post('/postbody?name=alice');
+    expect(response1.statusCode).toBe(400);
+    const response2 = await request(app.callback()).post('/postbody').send({ name: 'alice' });
+    expect(response2.statusCode).toBe(200);
+    expect(response2.text).toBe('hello alice');
+  });
+
+  test('post-default', async () => {
+    const response1 = await request(app.callback()).post('/postdefault?name=alice');
+    expect(response1.statusCode).toBe(400);
+    const response2 = await request(app.callback()).post('/postdefault').send({ name: 'alice' });
+    expect(response2.statusCode).toBe(200);
+    expect(response2.text).toBe('hello alice');
+  });
+
+  test('post-auto', async () => {
+    const response1 = await request(app.callback()).post('/postauto?name=alice');
+    expect(response1.statusCode).toBe(200);
+    expect(response1.text).toBe('hello alice');
+    const response2 = await request(app.callback()).post('/postauto').send({ name: 'alice' });
+    expect(response2.statusCode).toBe(200);
+    expect(response2.text).toBe('hello alice');
+  });
+
+  @dhttp.koaBodyParser(
+    bodyParser({
+      enableTypes: ['json'],
+      parsedMethods: ['GET', 'POST'],
+    }),
+  )
+  @DBOSKoa.defaultArgRequired
+  class ArgTestEndpoints {
+    @dhttp.getApi('/getquery')
+    static async getQuery(@DBOSKoa.argSource(ArgSources.QUERY) name: string) {
+      return Promise.resolve(`hello ${name}`);
+    }
+
+    @dhttp.getApi('/getbody')
+    static async getBody(@DBOSKoa.argSource(ArgSources.BODY) name: string) {
+      return Promise.resolve(`hello ${name}`);
+    }
+
+    @dhttp.getApi('/getdefault')
+    static async getDefault(@DBOSKoa.argSource(ArgSources.DEFAULT) name: string) {
+      return Promise.resolve(`hello ${name}`);
+    }
+
+    @dhttp.getApi('/getauto')
+    static async getAuto(@DBOSKoa.argSource(ArgSources.AUTO) name: string) {
+      return Promise.resolve(`hello ${name}`);
+    }
+
+    @dhttp.postApi('/postquery')
+    static async postQuery(@DBOSKoa.argSource(ArgSources.QUERY) name: string) {
+      return Promise.resolve(`hello ${name}`);
+    }
+
+    @dhttp.postApi('/postbody')
+    static async postBody(@DBOSKoa.argSource(ArgSources.BODY) name: string) {
+      return Promise.resolve(`hello ${name}`);
+    }
+
+    @dhttp.postApi('/postdefault')
+    static async postDefault(@DBOSKoa.argSource(ArgSources.DEFAULT) name: string) {
+      return Promise.resolve(`hello ${name}`);
+    }
+
+    @dhttp.postApi('/postauto')
+    static async postAuto(@DBOSKoa.argSource(ArgSources.AUTO) name: string) {
+      return Promise.resolve(`hello ${name}`);
+    }
+  }
+});

package/tests/auth.test.ts

@@ -9,13 +9,21 @@ import request from 'supertest';
 
 const dhttp = new DBOSKoa();
 
+interface TestKvTable {
+  id?: number;
+  value?: string;
+}
+
 describe('httpserver-defsec-tests', () => {
   let app: Koa;
   let appRouter: Router;
 
+  const testTableName = 'dbos_test_kv';
+
   beforeAll(async () => {
     DBOS.setConfig({
       name: 'dbos-koa-test',
+      userDatabaseClient: 'pg-node',
     });
     return Promise.resolve();
   });
@@ -23,6 +31,8 @@ describe('httpserver-defsec-tests', () => {
   beforeEach(async () => {
     const _classes = [TestEndpointDefSec, SecondClass];
     await DBOS.launch();
+    await DBOS.queryUserDB(`DROP TABLE IF EXISTS ${testTableName};`);
+    await DBOS.queryUserDB(`CREATE TABLE IF NOT EXISTS ${testTableName} (id SERIAL PRIMARY KEY, value TEXT);`);
     middlewareCounter = 0;
     middlewareCounter2 = 0;
     middlewareCounterG = 0;
@@ -61,17 +71,17 @@ describe('httpserver-defsec-tests', () => {
 
   test('not-authenticated', async () => {
     const response = await request(app.callback()).get('/requireduser?name=alice');
-    expect(response.statusCode).toBe(500);
+    expect(response.statusCode).toBe(401);
   });
 
   test('not-you', async () => {
     const response = await request(app.callback()).get('/requireduser?name=alice&userid=go_away');
-    expect(response.statusCode).toBe(500);
+    expect(response.statusCode).toBe(401);
   });
 
   test('not-authorized', async () => {
     const response = await request(app.callback()).get('/requireduser?name=alice&userid=bob');
-    expect(response.statusCode).toBe(500);
+    expect(response.statusCode).toBe(403);
   });
 
   test('authorized', async () => {
@@ -83,6 +93,22 @@ describe('httpserver-defsec-tests', () => {
   test('cascade-authorized', async () => {
     const response = await request(app.callback()).get('/workflow?name=alice&userid=a_real_user');
     expect(response.statusCode).toBe(200);
+
+    const txnResponse = await request(app.callback()).get('/transaction?name=alice&userid=a_real_user');
+    expect(txnResponse.statusCode).toBe(200);
+  });
+
+  // We can directly test a transaction with passed in authorizedRoles.
+  test('direct-transaction-test', async () => {
+    await DBOS.withAuthedContext('user', ['user'], async () => {
+      const res = await TestEndpointDefSec.testTranscation('alice');
+      expect(res).toBe('hello 1');
+    });
+
+    // Unauthorized.
+    await expect(TestEndpointDefSec.testTranscation('alice')).rejects.toThrow(
+      new DBOSError.DBOSNotAuthorizedError('User does not have a role with permission to call testTranscation', 403),
+    );
   });
 
   async function authTestMiddleware(ctx: DBOSKoaAuthContext) {
@@ -145,14 +171,18 @@ describe('httpserver-defsec-tests', () => {
       return Promise.resolve(`Please say hello to ${name}`);
     }
 
-    @DBOS.step()
-    static async testStep(name: string) {
-      return Promise.resolve(`hello ${name}`);
+    @DBOS.transaction()
+    static async testTranscation(name: string) {
+      const { rows } = await DBOS.pgClient.query<TestKvTable>(
+        `INSERT INTO ${testTableName}(value) VALUES ($1) RETURNING id`,
+        [name],
+      );
+      return `hello ${rows[0].id}`;
     }
 
     @DBOS.workflow()
     static async testWorkflow(name: string) {
-      const res = await TestEndpointDefSec.testStep(name);
+      const res = await TestEndpointDefSec.testTranscation(name);
       return res;
     }
 
@@ -160,6 +190,11 @@ describe('httpserver-defsec-tests', () => {
     static async testWfEndpoint(name: string) {
       return await TestEndpointDefSec.testWorkflow(name);
     }
+
+    @dhttp.getApi('/transaction')
+    static async testTxnEndpoint(name: string) {
+      return await TestEndpointDefSec.testTranscation(name);
+    }
   }
 
   class SecondClass {