@fishka/express 0.9.5

package/dist/cjs/route-table.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RouteTable = void 0;
+exports.createRouteTable = createRouteTable;
+const router_1 = require("./router");
+/**
+ * Helper utility for organizing and mounting routes.
+ * Provides a fluent interface for registering multiple handlers.
+ */
+class RouteTable {
+    constructor(app) {
+        this.app = app;
+    }
+    get(path, endpointOrRun) {
+        const endpoint = typeof endpointOrRun === 'function' ? { run: endpointOrRun } : endpointOrRun;
+        (0, router_1.mountGet)(this.app, path, endpoint);
+        return this;
+    }
+    post(path, endpoint) {
+        (0, router_1.mountPost)(this.app, path, endpoint);
+        return this;
+    }
+    patch(path, endpoint) {
+        (0, router_1.mountPatch)(this.app, path, endpoint);
+        return this;
+    }
+    put(path, endpoint) {
+        (0, router_1.mountPut)(this.app, path, endpoint);
+        return this;
+    }
+    delete(path, endpointOrRun) {
+        const endpoint = typeof endpointOrRun === 'function' ? { run: endpointOrRun } : endpointOrRun;
+        (0, router_1.mountDelete)(this.app, path, endpoint);
+        return this;
+    }
+}
+exports.RouteTable = RouteTable;
+/**
+ * Factory function to create a new route table.
+ * @param app Express application instance
+ * @returns RouteTable instance with fluent API
+ */
+function createRouteTable(app) {
+    return new RouteTable(app);
+}

package/dist/cjs/router.js

@@ -0,0 +1,245 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.mountDelete = exports.mountPut = exports.mountPatch = exports.mountPost = exports.mountGet = void 0;
+exports.mount = mount;
+const assertions_1 = require("@fishka/assertions");
+const url = __importStar(require("url"));
+const api_types_1 = require("./api.types");
+const http_types_1 = require("./http.types");
+const error_handling_1 = require("./error-handling");
+const thread_local_storage_1 = require("./thread-local/thread-local-storage");
+const conversion_utils_1 = require("./utils/conversion.utils");
+// ============================================================================
+// Internal implementation details
+// ============================================================================
+/**
+ * Registers a GET route.
+ */
+const mountGet = (app, path, endpoint) => mount(app, { method: 'get', route: endpoint, path });
+exports.mountGet = mountGet;
+/**
+ * Registers a POST route.
+ */
+const mountPost = (app, path, endpoint) => mount(app, { method: 'post', route: endpoint, path });
+exports.mountPost = mountPost;
+/**
+ * Registers a PATCH route.
+ */
+const mountPatch = (app, path, endpoint) => mount(app, { method: 'patch', route: endpoint, path });
+exports.mountPatch = mountPatch;
+/**
+ * Registers a PUT route.
+ */
+const mountPut = (app, path, endpoint) => mount(app, { method: 'put', route: endpoint, path });
+exports.mountPut = mountPut;
+/**
+ * Registers a DELETE route.
+ */
+const mountDelete = (app, path, endpoint) => mount(app, { method: 'delete', route: endpoint, path });
+exports.mountDelete = mountDelete;
+/**
+ * Mounts a route with the given method, endpoint, and path.
+ */
+function mount(app, { method, route, path }) {
+    const fullPath = `/${path}`;
+    const handler = createRouteHandler(method, route);
+    app[method](fullPath, (0, error_handling_1.catchRouteErrors)(handler));
+}
+/**
+ * @Internal
+ * Creates a route handler from an endpoint definition.
+ */
+function createRouteHandler(method, endpoint) {
+    return async (req, res, _next) => {
+        let result;
+        switch (method) {
+            case 'post':
+            case 'put':
+            case 'patch':
+                result = await executeBodyEndpoint(endpoint, req, res);
+                break;
+            case 'delete':
+                result = await executeDeleteEndpoint(endpoint, req, res);
+                break;
+            case 'get':
+                result = await executeGetEndpoint(endpoint, req, res);
+                break;
+        }
+        const response = (0, conversion_utils_1.wrapAsApiResponse)(result);
+        const tls = (0, thread_local_storage_1.getRequestLocalStorage)();
+        if (tls?.requestId) {
+            response.requestId = tls.requestId;
+        }
+        response.status = response.status || http_types_1.OK_STATUS;
+        res.status(response.status);
+        res.send(response);
+    };
+}
+/**
+ * @Internal
+ * Validates request parameters using custom validators.
+ */
+function validateUrlParameters(req, { $path, $query, }) {
+    try {
+        for (const key in req.params) {
+            const value = req.params[key];
+            // Run Global Validation if registered.
+            const globalValidator = api_types_1.URL_PARAMETER_INFO[key]?.validator;
+            if (globalValidator) {
+                (0, assertions_1.callValueAssertion)(value, globalValidator, `${http_types_1.BAD_REQUEST_STATUS}`);
+            }
+            // Run Local Validation.
+            const validator = $path?.[key];
+            if (validator) {
+                (0, assertions_1.callValueAssertion)(value, validator, `${http_types_1.BAD_REQUEST_STATUS}`);
+            }
+        }
+        const parsedUrl = url.parse(req.url, true);
+        for (const key in parsedUrl.query) {
+            const value = parsedUrl.query[key];
+            //  Global Validation if registered (also applies to query params if names match).
+            const globalValidator = api_types_1.URL_PARAMETER_INFO[key]?.validator;
+            if (globalValidator) {
+                // Query params can be string | string[] | undefined. Global validators usually expect string.
+                // We only validate if it's a single value or handle array in validator.
+                // For simplicity, we pass value as is (unknown) to assertion.
+                (0, assertions_1.callValueAssertion)(value, globalValidator, `${http_types_1.BAD_REQUEST_STATUS}`);
+            }
+            const validator = $query?.[key];
+            if (validator) {
+                (0, assertions_1.callValueAssertion)(value, validator, `${http_types_1.BAD_REQUEST_STATUS}`);
+            }
+        }
+    }
+    catch (error) {
+        throw new api_types_1.HttpError(http_types_1.BAD_REQUEST_STATUS, (0, assertions_1.getMessageFromError)(error));
+    }
+}
+/**
+ * @Internal
+ * Runs GET handler with optional middleware.
+ */
+async function executeGetEndpoint(route, req, res) {
+    const requestContext = newRequestContext(undefined, req, res);
+    validateUrlParameters(req, { $path: route.$path, $query: route.$query });
+    return await executeWithMiddleware(() => route.run(requestContext), route.middlewares || [], requestContext);
+}
+/**
+ * @Internal
+ * Runs DELETE handler with optional middleware.
+ */
+async function executeDeleteEndpoint(route, req, res) {
+    const requestContext = newRequestContext(undefined, req, res);
+    validateUrlParameters(req, { $path: route.$path, $query: route.$query });
+    await executeWithMiddleware(() => route.run(requestContext), route.middlewares || [], requestContext);
+    return undefined;
+}
+/**
+ * @Internal
+ * Runs POST/PUT/PATCH handler with optional middleware.
+ */
+async function executeBodyEndpoint(route, req, res) {
+    const validator = route.$body;
+    const apiRequest = req.body;
+    try {
+        // Handle validation based on whether validator is an object or function
+        if (typeof validator === 'function') {
+            // It's a ValueAssertion (function)
+            (0, assertions_1.callValueAssertion)(apiRequest, validator, `${http_types_1.BAD_REQUEST_STATUS}: request body`);
+        }
+        else {
+            // It's an ObjectAssertion - use validateObject
+            // We strictly assume it is an object because of the type definition (function | object)
+            const objectValidator = validator;
+            const isEmptyValidator = Object.keys(objectValidator).length === 0;
+            const error = (0, assertions_1.validateObject)(apiRequest, objectValidator, `${http_types_1.BAD_REQUEST_STATUS}: request body`, {
+                failOnUnknownFields: !isEmptyValidator,
+            });
+            (0, assertions_1.assertTruthy)(!error, error);
+        }
+    }
+    catch (error) {
+        if (error instanceof api_types_1.HttpError)
+            throw error;
+        throw new api_types_1.HttpError(http_types_1.BAD_REQUEST_STATUS, (0, assertions_1.getMessageFromError)(error));
+    }
+    const requestContext = newRequestContext(apiRequest, req, res);
+    validateUrlParameters(req, { $path: route.$path, $query: route.$query });
+    requestContext.body = req.body;
+    return await executeWithMiddleware(() => route.run(requestContext), (route.middlewares || []), requestContext);
+}
+/**
+ * @Internal
+ * Executes handler with middleware chain.
+ */
+async function executeWithMiddleware(run, middlewares, context) {
+    const current = async (index) => {
+        if (index >= middlewares.length) {
+            const result = await run();
+            return (0, conversion_utils_1.wrapAsApiResponse)(result);
+        }
+        const middleware = middlewares[index];
+        return (await middleware(() => current(index + 1), context));
+    };
+    return await current(0);
+}
+/**
+ * @Internal
+ * Creates a new RequestContext instance.
+ */
+function newRequestContext(requestBody, req, res) {
+    return {
+        body: requestBody,
+        req,
+        res,
+        params: {
+            get: (key) => {
+                const value = req.params[key];
+                (0, assertions_1.assertTruthy)(value, `Path parameter '${key}' not found`);
+                return value;
+            },
+            tryGet: (key) => req.params[key],
+        },
+        query: {
+            get: (key) => {
+                const parsedUrl = url.parse(req.url, true);
+                const value = parsedUrl.query[key];
+                return Array.isArray(value) ? value[0] : value;
+            },
+        },
+        state: new Map(),
+    };
+}

package/dist/cjs/thread-local/thread-local-storage-middleware.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createTlsMiddleware = createTlsMiddleware;
+const crypto_1 = require("crypto");
+const config_1 = require("../config");
+const thread_local_storage_1 = require("./thread-local-storage");
+/**
+ * Creates middleware that initializes thread-local storage for each request.
+ * Automatically generates a unique request ID and makes it available throughout
+ * the request lifecycle.
+ *
+ * @returns Express middleware function
+ */
+function createTlsMiddleware() {
+    return async (req, _res, next) => {
+        const config = (0, config_1.getExpressApiConfig)();
+        const headerId = config.trustRequestIdHeader ? req.headers['x-request-id'] : undefined;
+        const existingId = req.requestId || headerId;
+        const requestId = typeof existingId === 'string' ? existingId : (0, crypto_1.randomUUID)();
+        // Run the next handler within the TLS context
+        await (0, thread_local_storage_1.runWithRequestTlsData)({
+            requestId,
+        }, async () => {
+            next();
+        });
+    };
+}

package/dist/cjs/thread-local/thread-local-storage.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getRequestLocalStorage = getRequestLocalStorage;
+exports.runWithRequestTlsData = runWithRequestTlsData;
+const async_hooks_1 = require("async_hooks");
+/**
+ * AsyncLocalStorage instance for managing per-request context.
+ * This ensures that each async operation associated with a request
+ * can access the request-specific data even across async boundaries.
+ * @Internal
+ */
+const asyncLocalStorage = new async_hooks_1.AsyncLocalStorage();
+/**
+ * Gets all thread-local data for the current request context.
+ * Returns undefined if called outside an async context managed by API.
+ * @Internal
+ */
+function getRequestLocalStorage() {
+    return asyncLocalStorage.getStore();
+}
+/**
+ * Executes a callback within a request context with the given thread-local data.
+ * Used by middleware to set up the context for handlers.
+ * @Internal
+ * @param data - Thread-local data to establish
+ * @param callback - Function to execute within the context
+ * @returns Result of the callback
+ */
+async function runWithRequestTlsData(data, callback) {
+    return asyncLocalStorage.run(data, callback);
+}

package/dist/cjs/utils/conversion.utils.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.toApiDateString = toApiDateString;
+exports.wrapAsApiResponse = wrapAsApiResponse;
+/**
+ * Converts JS timestamp or date to ISO 8601 format (without milliseconds).
+ * Example: "2012-07-20T01:19:13Z".
+ * @Internal
+ */
+function toApiDateString(value) {
+    const resultWithMillis = (typeof value === 'number' ? new Date(value) : value).toISOString();
+    return `${resultWithMillis.substring(0, resultWithMillis.length - 5)}Z`;
+}
+/**
+ * Wraps the response into the correct API form.
+ * Add necessary fields, like 'requestId'.
+ * If the response is already in the correct form, returns it as-is.
+ * @Internal
+ */
+function wrapAsApiResponse(apiResponseOrResultValue) {
+    let apiResponse = apiResponseOrResultValue;
+    apiResponse = apiResponse?.result
+        ? apiResponse // The value is in the correct 'ApiResponse' form: just return it.
+        : { result: apiResponseOrResultValue }; // Wrap the raw value into the correct ApiResponse form.
+    return apiResponse;
+}

package/dist/cjs/utils/express.utils.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/esm/api.types.js

@@ -0,0 +1,31 @@
+import { assertString, assertTruthy } from '@fishka/assertions';
+export class HttpError extends Error {
+    constructor(status, message, details) {
+        super(message);
+        this.status = status;
+        this.details = details;
+        // Restore prototype chain for instanceof checks
+        Object.setPrototypeOf(this, HttpError.prototype);
+    }
+}
+/** Converts an API response value into a standardized ApiResponse structure. */
+export function response(result) {
+    return { result };
+}
+/**
+ * Default documentation and validation for URL parameters.
+ * @Internal
+ */
+export const URL_PARAMETER_INFO = {};
+/** Registers a new URL parameter. */
+export function registerUrlParameter(name, info) {
+    URL_PARAMETER_INFO[name] = info;
+}
+/**
+ * Asserts that the value is a registered URL parameter name.
+ * @Internal
+ */
+export function assertUrlParameter(name) {
+    assertString(name, 'Url parameter name must be a string');
+    assertTruthy(URL_PARAMETER_INFO[name], `Invalid URL parameter: '${name}'. Please register it using 'registerUrlParameter('${name}', ...)'`);
+}

package/dist/esm/auth/auth-strategy.js

@@ -0,0 +1,58 @@
+import { HttpError } from '../api.types';
+import { UNAUTHORIZED_STATUS } from '../http.types';
+/**
+ * Basic authentication strategy using username/password validation.
+ * Parses HTTP Basic Authorization header and validates credentials.
+ *
+ * Example usage:
+ * ```
+ * const strategy = new BasicAuthStrategy(
+ *   async (username, password) => {
+ *     const user = await db.users.findByUsername(username);
+ *     if (user && await bcrypt.compare(password, user.hash)) {
+ *       return user;
+ *     }
+ *     return null;
+ *   }
+ * );
+ * ```
+ */
+export class BasicAuthStrategy {
+    constructor(verifyFn) {
+        this.verifyFn = verifyFn;
+    }
+    /**
+     * Extracts username and password from Basic auth header.
+     * Expected format: "Basic base64(username:password)"
+     * Returns undefined if header is missing or not Basic.
+     */
+    extractCredentials(req) {
+        const authHeaderValue = req.header('Authorization');
+        if (!authHeaderValue || !authHeaderValue.startsWith('Basic ')) {
+            return undefined;
+        }
+        try {
+            const decoded = Buffer.from(authHeaderValue.substring(6), 'base64').toString('utf-8');
+            const [username, password] = decoded.split(':');
+            // If format is "Basic base64(:)", it might mean empty username/password which is technically valid syntax but usually useless.
+            // However, split might return undefined for password if ":" is missing.
+            if (!username || password === undefined) {
+                return undefined;
+            }
+            return { username, password };
+        }
+        catch {
+            return undefined;
+        }
+    }
+    /**
+     * Validates the extracted credentials using the provided validation function.
+     */
+    async validateCredentials({ username, password }) {
+        const user = await this.verifyFn(username, password);
+        if (!user) {
+            throw new HttpError(UNAUTHORIZED_STATUS, 'Invalid username or password');
+        }
+        return user;
+    }
+}

package/dist/esm/auth/auth.types.js

@@ -0,0 +1 @@
+export {};

package/dist/esm/auth/auth.utils.js

@@ -0,0 +1,59 @@
+import { HttpError } from '../api.types';
+import { UNAUTHORIZED_STATUS } from '../http.types';
+/**
+ * Creates a middleware that enforces authentication using the provided strategy.
+ * The authenticated user is stored in the context under the 'authUser' key.
+ *
+ * @template User - Type of the authenticated user
+ * @param strategy - Authentication strategy to use
+ * @param onSuccess - Optional callback to process authenticated user
+ * @returns a middleware that enforces authentication
+ */
+export function createAuthMiddleware(strategy, onSuccess) {
+    return async (handler, context) => {
+        // Extract credentials from request
+        const credentials = strategy.extractCredentials(context.req);
+        // If no credentials found (and strategy returned undefined), we must deny access here.
+        // In a composite strategy scenario, we might want to try the next strategy, but this helper is for a single strategy enforcement.
+        if (!credentials) {
+            throw new HttpError(UNAUTHORIZED_STATUS, 'No credentials provided or invalid format');
+        }
+        // Validate credentials and get authenticated user
+        const user = await strategy.validateCredentials(credentials);
+        // Store authenticated user in state for the handler to access
+        context.authUser = user;
+        // Optional: Call success callback
+        if (onSuccess) {
+            onSuccess(user, context);
+        }
+        // Execute the actual handler
+        return handler();
+    };
+}
+/**
+ * Extracts the authenticated user from the request context.
+ * Throws if the user is not present (i.e., authentication was not performed).
+ *
+ * @template User - Type of the authenticated user
+ * @param context - Request context
+ * @returns The authenticated user
+ * @throws Error if user is not found in context
+ */
+export function getAuthUser(context) {
+    const user = context.authUser;
+    if (!user) {
+        throw new HttpError(UNAUTHORIZED_STATUS, 'User not found in context. Did you add auth middleware?');
+    }
+    return user;
+}
+/**
+ * Safely extracts the authenticated user from the request context.
+ * Returns undefined if the user is not present.
+ *
+ * @template User - Type of the authenticated user
+ * @param context - Request context
+ * @returns The authenticated user, or undefined if not found
+ */
+export function tryGetAuthUser(context) {
+    return context.authUser;
+}

package/dist/esm/auth/bearer-auth-strategy.js

@@ -0,0 +1,55 @@
+import { HttpError } from '../api.types';
+import { UNAUTHORIZED_STATUS } from '../http.types';
+/**
+ * Bearer authentication strategy (commonly used for JWTs).
+ * Extracts the token from the 'Authorization: Bearer <token>' header.
+ *
+ * The validation logic is delegated to the `verifyFn`, which can:
+ * - Validate a JWT signature locally.
+ * - Call an external API/website to verify the token (Introspection/UserInfo).
+ *
+ * Example usage:
+ * ```ts
+ * const strategy = new BearerAuthStrategy(async (token) => {
+ *   // Call external website to validate
+ *   const response = await fetch('https://auth.example.com/verify', {
+ *     headers: { Authorization: `Bearer ${token}` }
+ *   });
+ *   if (!response.ok) return null;
+ *   return await response.json();
+ * });
+ * ```
+ */
+export class BearerAuthStrategy {
+    /**
+     * @param verifyFn Function to validate the token. Returns the user if valid, or null if invalid.
+     */
+    constructor(verifyFn) {
+        this.verifyFn = verifyFn;
+    }
+    /**
+     * Extracts the Bearer token from the Authorization header.
+     * Returns undefined if the header is missing or not a Bearer token.
+     */
+    extractCredentials(req) {
+        const authHeader = req.header('Authorization');
+        if (!authHeader || !authHeader.startsWith('Bearer ')) {
+            return undefined;
+        }
+        const token = authHeader.substring(7).trim();
+        if (!token) {
+            return undefined;
+        }
+        return token;
+    }
+    /**
+     * Validates the extracted token using the provided verification function.
+     */
+    async validateCredentials(token) {
+        const user = await this.verifyFn(token);
+        if (!user) {
+            throw new HttpError(UNAUTHORIZED_STATUS, 'Invalid token');
+        }
+        return user;
+    }
+}

package/dist/esm/config.js

@@ -0,0 +1,24 @@
+const defaultConfig = {
+    trustRequestIdHeader: true,
+};
+let currentConfig = { ...defaultConfig };
+/**
+ * Configure global @fishka/express settings.
+ * @param config Partial configuration to merge with current settings
+ */
+export function configureExpressApi(config) {
+    currentConfig = { ...currentConfig, ...config };
+}
+/**
+ * Get current Express API configuration.
+ */
+export function getExpressApiConfig() {
+    return currentConfig;
+}
+/**
+ * Reset API configuration to defaults.
+ * Useful for testing.
+ */
+export function resetExpressApiConfig() {
+    currentConfig = { ...defaultConfig };
+}

package/dist/esm/error-handling.js

@@ -0,0 +1,66 @@
+import { getMessageFromError } from '@fishka/assertions';
+import { HttpError } from './api.types';
+import { BAD_REQUEST_STATUS, INTERNAL_ERROR_STATUS } from './http.types';
+import { getRequestLocalStorage } from './thread-local/thread-local-storage';
+import { wrapAsApiResponse } from './utils/conversion.utils';
+function buildApiResponse(error) {
+    const tls = getRequestLocalStorage();
+    const requestId = tls?.requestId;
+    let response;
+    if (error instanceof HttpError) {
+        response = {
+            ...wrapAsApiResponse(undefined),
+            error: error.message,
+            status: error.status,
+            details: error.details,
+        };
+    }
+    else {
+        const errorMessage = getMessageFromError(error, '');
+        response = {
+            ...wrapAsApiResponse(undefined),
+            error: errorMessage && errorMessage.length > 0 ? errorMessage : 'Internal error',
+            status: INTERNAL_ERROR_STATUS,
+        };
+    }
+    if (requestId) {
+        response.requestId = requestId;
+    }
+    return response;
+}
+/** Catches all kinds of unprocessed exceptions thrown from a single route. */
+export function catchRouteErrors(fn) {
+    return async (req, res, next) => {
+        try {
+            await fn(req, res, next);
+        }
+        catch (error) {
+            const apiResponse = buildApiResponse(error);
+            if (apiResponse.status >= INTERNAL_ERROR_STATUS) {
+                console.error(`catchRouteErrors: ${req.path}`, error);
+            }
+            else {
+                console.log(`catchRouteErrors: ${req.path}`, error);
+            }
+            res.status(apiResponse.status);
+            res.send(apiResponse);
+        }
+    };
+}
+/**
+ * Catches all errors in Express.js and is installed as global middleware.
+ * Note that individual routes are wrapped with 'catchRouteErrors' middleware.
+ */
+export async function catchAllMiddleware(error, _, res, next) {
+    if (!error) {
+        next();
+        return;
+    }
+    // Report as critical. This kind of error should never happen.
+    console.error('catchAllMiddleware:', getMessageFromError(error));
+    const apiResponse = error instanceof SyntaxError // JSON body parsing error.
+        ? buildApiResponse(`${BAD_REQUEST_STATUS}: Failed to parse request: ${error.message}`)
+        : buildApiResponse(error);
+    res.status(apiResponse.status);
+    res.send(apiResponse);
+}