@openneuro/server 4.38.3 → 4.39.0-alpha.1

package/Dockerfile

@@ -4,7 +4,7 @@ FROM openneuro/node AS build
 WORKDIR /srv/packages/openneuro-server
 RUN yarn build
 
-FROM node:20.12.2-alpine
+FROM node:22.20-alpine
 
 WORKDIR /srv
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openneuro/server",
-  "version": "4.38.3",
+  "version": "4.39.0-alpha.1",
   "description": "Core service for the OpenNeuro platform.",
   "license": "MIT",
   "main": "src/server.js",
@@ -21,7 +21,7 @@
     "@elastic/elasticsearch": "8.13.1",
     "@graphql-tools/schema": "^10.0.0",
     "@keyv/redis": "^4.5.0",
-    "@openneuro/search": "^4.38.3",
+    "@openneuro/search": "^4.39.0-alpha.1",
     "@sentry/node": "^8.25.0",
     "@sentry/profiling-node": "^8.25.0",
     "base64url": "^3.0.0",
@@ -38,6 +38,7 @@
     "graphql-tools": "9.0.0",
     "immutable": "^3.8.2",
     "ioredis": "^5.6.1",
+    "js-yaml": "^4.1.0",
     "jsdom": "24.0.0",
     "jsonwebtoken": "^9.0.0",
     "keyv": "^5.3.4",
@@ -75,6 +76,7 @@
     "@types/express-serve-static-core": "^4.17.35",
     "@types/ioredis": "^4.17.1",
     "@types/ioredis-mock": "^8.2.2",
+    "@types/js-yaml": "^4",
     "@types/node-mailjet": "^3",
     "@types/semver": "^5",
     "core-js": "^3.10.1",
@@ -82,11 +84,10 @@
     "nodemon": "3.1.0",
     "ts-node-dev": "1.1.6",
     "tsc-watch": "^4.2.9",
-    "vitest": "2.1.2",
-    "vitest-fetch-mock": "0.3.0"
+    "vitest": "3.2.4"
   },
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "a5808939dc6c528d0647a9bd2b70fee21531479f"
+  "gitHead": "ba2f9a56450fcab27f02c27a05f7309f8d37affd"
 }

package/src/cache/types.ts

@@ -15,4 +15,5 @@ export enum CacheType {
   draftRevision = "revision",
   brainInitiative = "brainInitiative",
   validation = "validation",
+  dataciteYml = "dataciteYml",
 }

package/src/datalad/__tests__/contributors.spec.ts

@@ -0,0 +1,177 @@
+import { beforeEach, describe, expect, it, vi } from "vitest"
+import yaml from "js-yaml"
+import * as Sentry from "@sentry/node"
+import CacheItem from "../../cache/item"
+import { fileUrl } from "../files"
+import { datasetOrSnapshot } from "../../utils/datasetOrSnapshot"
+import { contributors } from "../contributors"
+
+vi.mock("../../libs/authentication/jwt", () => ({
+  sign: vi.fn(() => "mock_jwt_token"),
+  verify: vi.fn(() => ({ userId: "mock_user_id" })),
+}))
+
+vi.mock("js-yaml", () => ({
+  default: {
+    load: vi.fn(),
+  },
+}))
+
+vi.mock("@sentry/node", () => ({
+  captureMessage: vi.fn(),
+  captureException: vi.fn(),
+}))
+
+vi.mock("../../cache/item")
+vi.mock("../files")
+vi.mock("../../utils/datasetOrSnapshot")
+vi.mock("../libs/redis", () => ({
+  redis: vi.fn(),
+}))
+
+const mockYamlLoad = vi.mocked(yaml.load)
+const mockSentryCaptureMessage = vi.mocked(Sentry.captureMessage)
+const mockSentryCaptureException = vi.mocked(Sentry.captureException)
+const mockFileUrl = vi.mocked(fileUrl)
+const mockDatasetOrSnapshot = vi.mocked(datasetOrSnapshot)
+
+const mockFetch = vi.fn()
+global.fetch = mockFetch
+
+const mockCacheItemGet = vi.fn()
+vi.mocked(CacheItem).mockImplementation((_redis, _type, _key) => {
+  return {
+    get: mockCacheItemGet,
+  } as unknown as CacheItem
+})
+
+describe("contributors (core functionality)", () => {
+  const MOCK_DATASET_ID = "ds000001"
+  const MOCK_REVISION = "dce4b7b6653bcde9bdb7226a7c2b9499e77f2724"
+  const MOCK_REV_SHORT = MOCK_REVISION.substring(0, 7)
+
+  beforeEach(() => {
+    vi.clearAllMocks()
+
+    mockDatasetOrSnapshot.mockReturnValue({
+      datasetId: MOCK_DATASET_ID,
+      revision: MOCK_REVISION,
+    })
+    mockFileUrl.mockImplementation(
+      (datasetId, path, filename, revision) =>
+        `http://example.com/${datasetId}/${revision}/${filename}`,
+    )
+
+    mockCacheItemGet.mockImplementation((fetcher) => fetcher())
+  })
+
+  it("should return empty array if both datacite file and dataset_description.json fail", async () => {
+    mockFetch.mockResolvedValueOnce({
+      status: 500,
+      headers: new Headers(),
+      text: () => Promise.resolve("Server Error"),
+    })
+    mockCacheItemGet.mockImplementationOnce((fetcher) =>
+      fetcher().catch(() => null)
+    )
+    const result = await contributors({
+      id: MOCK_DATASET_ID,
+      revision: MOCK_REVISION,
+    })
+    expect(result).toEqual([])
+    expect(mockSentryCaptureException).toHaveBeenCalledTimes(1)
+  })
+
+  it("should return default empty array if no contributors array in datacite file or dataset_description.json (or wrong resourceTypeGeneral in datacite file)", async () => {
+    const dataciteYamlContent =
+      `data:\n  attributes:\n    types:\n      resourceTypeGeneral: Software\n    contributors: []`
+    const parsedDatacite = {
+      data: {
+        attributes: {
+          types: { resourceTypeGeneral: "Software" },
+          contributors: [],
+        },
+      },
+    }
+
+    mockFetch.mockResolvedValueOnce({
+      status: 200,
+      headers: new Headers({ "Content-Type": "application/yaml" }),
+      text: () => Promise.resolve(dataciteYamlContent),
+    })
+    mockYamlLoad.mockReturnValueOnce(parsedDatacite)
+    const result = await contributors({
+      id: MOCK_DATASET_ID,
+      revision: MOCK_REVISION,
+    })
+    expect(result).toEqual([])
+    expect(mockSentryCaptureMessage).toHaveBeenCalledWith(
+      `Datacite file for ${MOCK_DATASET_ID}:${MOCK_REV_SHORT} found but resourceTypeGeneral is 'Software', not 'Dataset'.`,
+    )
+    expect(mockSentryCaptureException).not.toHaveBeenCalled()
+  })
+
+  it("should return default empty array if datacite file is Dataset type but provides no contributors", async () => {
+    const dataciteYamlContent =
+      `data:\n  attributes:\n    types:\n      resourceTypeGeneral: Dataset\n    contributors: []`
+    const parsedDatacite = {
+      data: {
+        attributes: {
+          types: { resourceTypeGeneral: "Dataset" },
+          contributors: [],
+        },
+      },
+    }
+
+    mockFetch.mockResolvedValueOnce({
+      status: 200,
+      headers: new Headers({ "Content-Type": "application/yaml" }),
+      text: () => Promise.resolve(dataciteYamlContent),
+    })
+    mockYamlLoad.mockReturnValueOnce(parsedDatacite)
+    const result = await contributors({
+      id: MOCK_DATASET_ID,
+      revision: MOCK_REVISION,
+    })
+
+    expect(result).toEqual([])
+    expect(mockSentryCaptureMessage).toHaveBeenCalledWith(
+      `Datacite file for ${MOCK_DATASET_ID}:${MOCK_REV_SHORT} is Dataset type but provided no contributors.`,
+    )
+    expect(mockSentryCaptureException).not.toHaveBeenCalled()
+  })
+
+  it("should capture message if datacite file has unexpected content type but still parses", async () => {
+    const dataciteYamlContent =
+      `data:\n  attributes:\n    types:\n      resourceTypeGeneral: Dataset\n    contributors: []`
+    const parsedDatacite = {
+      data: {
+        attributes: {
+          types: { resourceTypeGeneral: "Dataset" },
+          contributors: [],
+        },
+      },
+      contentType: "text/plain", // simulate unexpected content type
+    }
+
+    mockFetch.mockResolvedValueOnce({
+      status: 200,
+      headers: new Headers({ "Content-Type": "text/plain" }),
+      text: () => Promise.resolve(dataciteYamlContent),
+    })
+    mockYamlLoad.mockReturnValueOnce(parsedDatacite)
+    const result = await contributors({
+      id: MOCK_DATASET_ID,
+      revision: MOCK_REVISION,
+    })
+
+    expect(mockSentryCaptureMessage).toHaveBeenCalledWith(
+      `Datacite file for ${MOCK_DATASET_ID}:${MOCK_REV_SHORT} served with unexpected Content-Type: text/plain. Attempting YAML parse anyway.`,
+    )
+    expect(mockSentryCaptureMessage).toHaveBeenCalledWith(
+      `Datacite file for ${MOCK_DATASET_ID}:${MOCK_REV_SHORT} is Dataset type but provided no contributors.`,
+    )
+    expect(mockSentryCaptureException).not.toHaveBeenCalled()
+    expect(result).toEqual([])
+  })
+})

package/src/datalad/contributors.ts

@@ -0,0 +1,153 @@
+import * as Sentry from "@sentry/node"
+import CacheItem, { CacheType } from "../cache/item"
+import { redis } from "../libs/redis"
+import {
+  type DatasetOrSnapshot,
+  datasetOrSnapshot,
+} from "../utils/datasetOrSnapshot"
+import {
+  getDataciteYml,
+  normalizeRawContributors,
+  updateContributorsUtil,
+} from "../utils/datacite-utils"
+import type { Contributor, RawDataciteYml } from "../types/datacite"
+import { description } from "./description"
+
+/**
+ * GraphQL resolver: fetch contributors for a dataset or snapshot
+ * Pure function: reads Datacite.yml or dataset_description.json and returns the list
+ */
+export const contributors = async (
+  obj: DatasetOrSnapshot,
+): Promise<Contributor[]> => {
+  if (!obj) return []
+
+  const { datasetId, revision } = datasetOrSnapshot(obj)
+  if (!datasetId) return []
+
+  const revisionShort = revision ? revision.substring(0, 7) : "HEAD"
+  const dataciteCache = new CacheItem(redis, CacheType.dataciteYml, [
+    datasetId,
+    revisionShort,
+  ])
+
+  try {
+    const dataciteData: RawDataciteYml & { contentType?: string } | null =
+      await dataciteCache.get(() => getDataciteYml(datasetId, revision))
+
+    if (!dataciteData) return []
+
+    // --- Capture unexpected content type ---
+    if (
+      dataciteData.contentType &&
+      dataciteData.contentType !== "application/yaml"
+    ) {
+      Sentry.captureMessage(
+        `Datacite file for ${datasetId}:${revisionShort} served with unexpected Content-Type: ${dataciteData.contentType}. Attempting YAML parse anyway.`,
+      )
+    }
+
+    const attributes = dataciteData.data?.attributes
+    const resourceType = attributes?.types?.resourceTypeGeneral
+
+    // --- Wrong resourceTypeGeneral ---
+    if (resourceType && resourceType !== "Dataset") {
+      Sentry.captureMessage(
+        `Datacite file for ${datasetId}:${revisionShort} found but resourceTypeGeneral is '${resourceType}', not 'Dataset'.`,
+      )
+      return []
+    }
+
+    // --- Contributors from Datacite.yml ---
+    if (attributes?.contributors?.length) {
+      const normalized = await normalizeRawContributors(attributes.contributors)
+      return normalized
+        .map((c, index) => ({ ...c, order: c.order ?? index + 1 }))
+        .sort((a, b) => (a.order ?? 0) - (b.order ?? 0))
+    }
+
+    // --- Dataset type but no contributors ---
+    if (resourceType === "Dataset") {
+      Sentry.captureMessage(
+        `Datacite file for ${datasetId}:${revisionShort} is Dataset type but provided no contributors.`,
+      )
+    }
+
+    // --- Fallback: dataset_description.json authors ---
+    const datasetDescription = await description(obj)
+    if (datasetDescription?.Authors?.length) {
+      return datasetDescription.Authors.map((
+        author: string,
+        index: number,
+      ) => ({
+        name: author.trim(),
+        givenName: undefined,
+        familyName: undefined,
+        orcid: undefined,
+        contributorType: "Researcher",
+        order: index + 1,
+        userId: undefined,
+      }))
+    }
+
+    return []
+  } catch (err) {
+    Sentry.captureException(err)
+    return []
+  }
+}
+
+/**
+ * GraphQL mutation resolver
+ */
+export interface UserInfo {
+  id?: string
+  _id?: string
+}
+
+export interface GraphQLContext {
+  userInfo: UserInfo | null
+}
+
+export const updateContributors = async (
+  _parent: DatasetOrSnapshot,
+  args: { datasetId: string; newContributors: Contributor[] },
+  context: GraphQLContext,
+) => {
+  const userId = context?.userInfo?.id || context?.userInfo?._id
+  if (!userId) {
+    return { success: false, dataset: null }
+  }
+
+  try {
+    const contributorsToSave = args.newContributors.map((c, index) => ({
+      ...c,
+      contributorType: c.contributorType || "Researcher",
+      order: c.order ?? index + 1,
+    }))
+
+    const result = await updateContributorsUtil(
+      args.datasetId,
+      contributorsToSave,
+      userId,
+    )
+
+    return {
+      success: true,
+      dataset: {
+        id: args.datasetId,
+        draft: {
+          id: args.datasetId,
+          contributors: contributorsToSave.sort((a, b) =>
+            (a.order ?? 0) - (b.order ?? 0)
+          ),
+          files: result.draft.files || [],
+          modified: new Date().toISOString(),
+        },
+      },
+    }
+  } catch (err) {
+    Sentry.captureException(err)
+    return { success: false, dataset: null }
+  }
+}

package/src/datalad/dataset.ts

@@ -124,7 +124,7 @@ export const deleteDataset = async (datasetId, user) => {
   )
   await request
     .del(`${getDatasetWorker(datasetId)}/datasets/${datasetId}`)
-  await Dataset.deleteOne({ datasetId }).exec()
+  await Dataset.deleteOne({ id: datasetId }).exec()
   await updateEvent(event)
   return true
 }

package/src/graphql/resolvers/__tests__/importRemoteDataset.spec.ts

@@ -1,17 +1,13 @@
 import { vi } from "vitest"
 import { allowedImportUrl, importRemoteDataset } from "../importRemoteDataset"
-import createFetchMock from "vitest-fetch-mock"
 
 vi.mock("ioredis")
 vi.mock("../../../config")
 vi.mock("../../permissions")
 
 describe("importRemoteDataset mutation", () => {
-  it("given a user with access, it creates an import record for later processing", () => {
-    const fetchMock = createFetchMock(vi)
-    fetchMock.doMock()
-    fetchMock.mockOnce(JSON.stringify(true))
-    importRemoteDataset(
+  it("given a user with access, it creates an import record for later processing", async () => {
+    await importRemoteDataset(
       {},
       { datasetId: "ds000000", url: "" },
       { user: "1234", userInfo: { admin: true } },

package/src/graphql/resolvers/__tests__/user.spec.ts

@@ -133,9 +133,24 @@ describe("user resolvers", () => {
   })
 
   describe("users()", () => {
-    it("rejects data for non-admin context", async () => {
-      await expect(users(null, {}, nonAdminContext)).rejects.toThrow(
-        "You must be a site admin to retrieve users",
+    it("returns sanitized data for non-admin context", async () => {
+      const result = await users(null, {}, nonAdminContext)
+
+      // Should return all non-migrated users (same as admin)
+      expect(result.users.length).toBe(6)
+      expect(result.totalCount).toBe(6)
+
+      // Sensitive fields should be hidden
+      result.users.forEach((u) => {
+        expect(u.email).toBeNull()
+        expect(u.blocked).toBeNull()
+        expect(u.admin).toBeNull()
+      })
+
+      // Non-sensitive fields should still be populated
+      const userIds = result.users.map((u) => u.id)
+      expect(userIds).toEqual(
+        expect.arrayContaining(["u1", "u2", "u3", "u4", "u6", "u7"]),
       )
     })
 

package/src/graphql/resolvers/cache.ts

@@ -1,23 +1,27 @@
 import { redis } from "../../libs/redis.js"
-import CacheItem from "../../cache/item"
-import { CacheType } from "../../cache/types"
 
 /**
- * Clear the snapshotDownload cache after exports
+ * Clear all cache entries for a given datasetId
  */
 export async function cacheClear(
   obj: Record<string, unknown>,
-  { datasetId, tag }: { datasetId: string; tag: string },
+  { datasetId }: { datasetId: string },
   { userInfo }: { userInfo: { admin: boolean } },
 ): Promise<boolean> {
   // Check for admin and validate datasetId argument
   if (userInfo?.admin && datasetId.length == 8 && datasetId.startsWith("ds")) {
-    const downloadCache = new CacheItem(redis, CacheType.snapshotDownload, [
-      datasetId,
-      tag,
-    ])
     try {
-      await downloadCache.drop()
+      const stream = redis.scanStream({
+        // Scan for any keys that include the datasetId
+        match: `*${datasetId}*`,
+      })
+      const pipeline = redis.pipeline()
+      for await (const keys of stream) {
+        for (const key of keys) {
+          pipeline.del(key)
+        }
+      }
+      await pipeline.exec()
       return true
     } catch (_err) {
       return false