@terreno/api 0.9.2 → 0.10.0

package/src/openApi.ts

@@ -1,9 +1,10 @@
+import type express from "express";
 import flatten from "lodash/flatten";
 import merge from "lodash/merge";
 import type {Model} from "mongoose";
 import m2s from "mongoose-to-swagger";
 
-import type {ModelRouterOptions} from "./api";
+import type {ModelRouterOptions, OpenApiMiddleware} from "./api";
 import {logger} from "./logger";
 import {getOpenApiSpecForModel} from "./populate";
 
@@ -43,7 +44,7 @@ export const defaultOpenApiErrorResponses = {
 };
 
 // We repeat this constantly, so we make it a component so we only have to define it once.
-function createAPIErrorComponent(openApi: any) {
+function createAPIErrorComponent(openApi?: OpenApiMiddleware) {
   // Create a schema component called APIError
   openApi?.component("schemas", "APIError", {
     properties: {
@@ -112,7 +113,10 @@ function createAPIErrorComponent(openApi: any) {
   });
 }
 
-export function getOpenApiMiddleware<T>(model: Model<T>, options: Partial<ModelRouterOptions<T>>) {
+export function getOpenApiMiddleware<T>(
+  model: Model<T>,
+  options: Partial<ModelRouterOptions<T>>
+): express.RequestHandler {
   createAPIErrorComponent(options.openApi);
   if (!options.openApi?.path) {
     // Just log this once rather than for each middleware.
@@ -154,7 +158,10 @@ export function getOpenApiMiddleware<T>(model: Model<T>, options: Partial<ModelR
   );
 }
 
-export function listOpenApiMiddleware<T>(model: Model<T>, options: Partial<ModelRouterOptions<T>>) {
+export function listOpenApiMiddleware<T>(
+  model: Model<T>,
+  options: Partial<ModelRouterOptions<T>>
+): express.RequestHandler {
   if (!options.openApi?.path) {
     return noop;
   }
@@ -320,7 +327,7 @@ export function listOpenApiMiddleware<T>(model: Model<T>, options: Partial<Model
 export function createOpenApiMiddleware<T>(
   model: Model<T>,
   options: Partial<ModelRouterOptions<T>>
-) {
+): express.RequestHandler {
   if (!options.openApi?.path) {
     return noop;
   }
@@ -372,7 +379,7 @@ export function createOpenApiMiddleware<T>(
 export function patchOpenApiMiddleware<T>(
   model: Model<T>,
   options: Partial<ModelRouterOptions<T>>
-) {
+): express.RequestHandler {
   if (!options.openApi?.path) {
     return noop;
   }
@@ -424,7 +431,7 @@ export function patchOpenApiMiddleware<T>(
 export function deleteOpenApiMiddleware<T>(
   model: Model<T>,
   options: Partial<ModelRouterOptions<T>>
-) {
+): express.RequestHandler {
   if (!options.openApi?.path) {
     return noop;
   }

package/src/openApiBuilder.ts

@@ -283,7 +283,7 @@ export interface OpenApiBuildResult {
  */
 export class OpenApiMiddlewareBuilder {
   /** Router options containing OpenAPI configuration */
-  private options: Partial<ModelRouterOptions<any>>;
+  private options: Partial<ModelRouterOptions<unknown>>;
 
   /** Accumulated OpenAPI configuration from builder methods */
   private config: OpenApiConfig;
@@ -302,7 +302,7 @@ export class OpenApiMiddlewareBuilder {
    *
    * @param options - Router options containing the OpenAPI path configuration
    */
-  constructor(options: Partial<ModelRouterOptions<any>>) {
+  constructor(options: Partial<ModelRouterOptions<unknown>>) {
     this.options = options;
     this.config = {
       responses: {},
@@ -803,7 +803,7 @@ export class OpenApiMiddlewareBuilder {
  * ```
  */
 export function createOpenApiBuilder(
-  options: Partial<ModelRouterOptions<any>>
+  options: Partial<ModelRouterOptions<unknown>>
 ): OpenApiMiddlewareBuilder {
   return new OpenApiMiddlewareBuilder(options);
 }

package/src/openApiEtag.test.ts

@@ -0,0 +1,112 @@
+import {describe, expect, it, mock} from "bun:test";
+import crypto from "node:crypto";
+import type {NextFunction, Request, Response} from "express";
+
+import {openApiEtagMiddleware} from "./openApiEtag";
+
+interface BuildRequestOptions {
+  ifNoneMatch?: string;
+  method?: string;
+  path?: string;
+}
+
+const buildRequest = (options: BuildRequestOptions = {}): Request => {
+  const {ifNoneMatch, method = "GET", path = "/openapi.json"} = options;
+  return {
+    get: (header: string) => {
+      return header === "If-None-Match" ? ifNoneMatch : undefined;
+    },
+    method,
+    path,
+  } as Request;
+};
+
+const buildResponse = (): {
+  originalJson: ReturnType<typeof mock>;
+  res: Response;
+  set: ReturnType<typeof mock>;
+  status: ReturnType<typeof mock>;
+  end: ReturnType<typeof mock>;
+} => {
+  const originalJson = mock((body: unknown) => ({body}));
+  const resObject = {
+    json: originalJson,
+  } as unknown as Response & Record<string, unknown>;
+  const set = mock(() => resObject);
+  const status = mock(() => resObject);
+  const end = mock(() => resObject);
+
+  resObject.set = set;
+  resObject.status = status;
+  resObject.end = end;
+
+  return {
+    end,
+    originalJson,
+    res: resObject,
+    set,
+    status,
+  };
+};
+
+describe("openApiEtagMiddleware", () => {
+  it("skips non-openapi requests", () => {
+    const req = buildRequest({method: "POST", path: "/health"});
+    const {res, originalJson} = buildResponse();
+    const next = mock(() => {}) as NextFunction;
+
+    openApiEtagMiddleware(req, res, next);
+
+    expect(next).toHaveBeenCalledTimes(1);
+    expect(res.json).toBe(originalJson);
+  });
+
+  it("skips GET requests for non-openapi.json paths", () => {
+    const req = buildRequest({method: "GET", path: "/health"});
+    const {res, originalJson} = buildResponse();
+    const next = mock(() => {}) as NextFunction;
+
+    openApiEtagMiddleware(req, res, next);
+
+    expect(next).toHaveBeenCalledTimes(1);
+    expect(res.json).toBe(originalJson);
+  });
+
+  it("sets ETag and returns json body when no matching If-None-Match header is provided", () => {
+    const req = buildRequest();
+    const {res, originalJson, set, status, end} = buildResponse();
+    const next = mock(() => {}) as NextFunction;
+    const body = {openapi: "3.0.0", paths: {"/todos": {get: {}}}};
+
+    openApiEtagMiddleware(req, res, next);
+
+    const result = res.json(body) as unknown as {body: typeof body};
+    const expectedEtag = `"${crypto.createHash("sha256").update(JSON.stringify(body)).digest("hex").substring(0, 16)}"`;
+
+    expect(next).toHaveBeenCalledTimes(1);
+    expect(set).toHaveBeenCalledWith("ETag", expectedEtag);
+    expect(originalJson).toHaveBeenCalledWith(body);
+    expect(status).toHaveBeenCalledTimes(0);
+    expect(end).toHaveBeenCalledTimes(0);
+    expect(result).toEqual({body});
+  });
+
+  it("returns 304 when If-None-Match matches generated ETag", () => {
+    const body = {openapi: "3.0.0", paths: {"/users": {post: {}}}};
+    const etag = `"${crypto.createHash("sha256").update(JSON.stringify(body)).digest("hex").substring(0, 16)}"`;
+    const req = buildRequest({ifNoneMatch: etag});
+    const {res, originalJson, set, status, end} = buildResponse();
+    const next = mock(() => {}) as NextFunction;
+
+    openApiEtagMiddleware(req, res, next);
+
+    const result = res.json(body);
+
+    expect(next).toHaveBeenCalledTimes(1);
+    expect(set).toHaveBeenCalledWith("ETag", etag);
+    expect(status).toHaveBeenCalledWith(304);
+    expect(end).toHaveBeenCalledTimes(1);
+    expect(originalJson).toHaveBeenCalledTimes(0);
+    expect(result).toBe(res);
+  });
+});

package/src/permissions.middleware.test.ts

@@ -0,0 +1,197 @@
+import {describe, expect, it, mock, spyOn} from "bun:test";
+import * as Sentry from "@sentry/bun";
+import type express from "express";
+
+import {APIError} from "./errors";
+import {Permissions, permissionMiddleware} from "./permissions";
+
+describe("permissionMiddleware", () => {
+  const allPermissions = {
+    create: [Permissions.IsAny],
+    delete: [Permissions.IsAny],
+    list: [Permissions.IsAny],
+    read: [Permissions.IsAny],
+    update: [Permissions.IsAny],
+  };
+
+  const buildReq = (overrides: Record<string, unknown> = {}): express.Request => {
+    return {
+      method: "GET",
+      params: {},
+      user: {id: "user-1"},
+      ...overrides,
+    } as unknown as express.Request;
+  };
+
+  it("calls next immediately for OPTIONS requests", async () => {
+    const model = {
+      collection: {findOne: mock(async () => null)},
+      findById: mock(() => ({exec: mock(async () => null)})),
+      modelName: "MockModel",
+    } as any;
+    const middleware = permissionMiddleware(model, {permissions: allPermissions});
+    const next = mock(() => {});
+
+    await middleware(buildReq({method: "OPTIONS"}), {} as express.Response, next as any);
+
+    expect(next).toHaveBeenCalledTimes(1);
+    expect((next as any).mock.calls[0]).toEqual([]);
+    expect(model.findById).toHaveBeenCalledTimes(0);
+  });
+
+  it("returns APIError for unsupported HTTP methods", async () => {
+    const model = {
+      collection: {findOne: mock(async () => null)},
+      findById: mock(() => ({exec: mock(async () => null)})),
+      modelName: "MockModel",
+    } as any;
+    const middleware = permissionMiddleware(model, {permissions: allPermissions});
+    const next = mock(() => {});
+
+    await middleware(buildReq({method: "TRACE"}), {} as express.Response, next as any);
+
+    expect(next).toHaveBeenCalledTimes(1);
+    const [error] = (next as any).mock.calls[0];
+    expect(error).toBeInstanceOf(APIError);
+    expect(error.status).toBe(405);
+    expect(error.title).toContain("Method TRACE not allowed");
+  });
+
+  it("wraps query execution failures in a 500 APIError", async () => {
+    const exec = mock(async () => {
+      throw new Error("query failed");
+    });
+    const model = {
+      collection: {findOne: mock(async () => null)},
+      findById: mock(() => ({exec})),
+      modelName: "MockModel",
+    } as any;
+    const middleware = permissionMiddleware(model, {permissions: allPermissions});
+    const next = mock(() => {});
+
+    await middleware(
+      buildReq({method: "GET", params: {id: "507f1f77bcf86cd799439011"}}),
+      {} as express.Response,
+      next as any
+    );
+
+    expect(exec).toHaveBeenCalledTimes(1);
+    const [error] = (next as any).mock.calls[0];
+    expect(error).toBeInstanceOf(APIError);
+    expect(error.status).toBe(500);
+    expect(error.title).toContain("GET failed on 507f1f77bcf86cd799439011");
+  });
+
+  it("captures sentry message when document does not exist", async () => {
+    const captureMessageSpy = spyOn(Sentry, "captureMessage");
+    const model = {
+      collection: {findOne: mock(async () => null)},
+      findById: mock(() => ({exec: mock(async () => null)})),
+      modelName: "MockModel",
+    } as any;
+    const middleware = permissionMiddleware(model, {permissions: allPermissions});
+    const next = mock(() => {});
+
+    await middleware(
+      buildReq({method: "GET", params: {id: "507f1f77bcf86cd799439011"}}),
+      {} as express.Response,
+      next as any
+    );
+
+    expect(captureMessageSpy).toHaveBeenCalledWith(
+      "Document 507f1f77bcf86cd799439011 not found for model MockModel"
+    );
+    const [error] = (next as any).mock.calls[0];
+    expect(error).toBeInstanceOf(APIError);
+    expect(error.status).toBe(404);
+    expect(error.meta).toBeUndefined();
+    captureMessageSpy.mockRestore();
+  });
+
+  it("returns hidden reason metadata when document is deleted", async () => {
+    const model = {
+      collection: {findOne: mock(async () => ({deleted: true}))},
+      findById: mock(() => ({exec: mock(async () => null)})),
+      modelName: "MockModel",
+    } as any;
+    const middleware = permissionMiddleware(model, {permissions: allPermissions});
+    const next = mock(() => {});
+
+    await middleware(
+      buildReq({method: "GET", params: {id: "507f1f77bcf86cd799439011"}}),
+      {} as express.Response,
+      next as any
+    );
+
+    const [error] = (next as any).mock.calls[0];
+    expect(error).toBeInstanceOf(APIError);
+    expect(error.status).toBe(404);
+    expect(error.meta).toEqual({deleted: "true"});
+    expect(error.disableExternalErrorTracking).toBe(true);
+  });
+
+  it("returns hidden reason metadata when document is disabled", async () => {
+    const model = {
+      collection: {findOne: mock(async () => ({disabled: true}))},
+      findById: mock(() => ({exec: mock(async () => null)})),
+      modelName: "MockModel",
+    } as any;
+    const middleware = permissionMiddleware(model, {permissions: allPermissions});
+    const next = mock(() => {});
+
+    await middleware(
+      buildReq({method: "GET", params: {id: "507f1f77bcf86cd799439011"}}),
+      {} as express.Response,
+      next as any
+    );
+
+    const [error] = (next as any).mock.calls[0];
+    expect(error).toBeInstanceOf(APIError);
+    expect(error.status).toBe(404);
+    expect(error.meta).toEqual({disabled: "true"});
+    expect(error.disableExternalErrorTracking).toBe(true);
+  });
+
+  it("returns hidden reason metadata when document is archived", async () => {
+    const model = {
+      collection: {findOne: mock(async () => ({archived: true}))},
+      findById: mock(() => ({exec: mock(async () => null)})),
+      modelName: "MockModel",
+    } as any;
+    const middleware = permissionMiddleware(model, {permissions: allPermissions});
+    const next = mock(() => {});
+
+    await middleware(
+      buildReq({method: "GET", params: {id: "507f1f77bcf86cd799439011"}}),
+      {} as express.Response,
+      next as any
+    );
+
+    const [error] = (next as any).mock.calls[0];
+    expect(error).toBeInstanceOf(APIError);
+    expect(error.status).toBe(404);
+    expect(error.meta).toEqual({archived: "true"});
+    expect(error.disableExternalErrorTracking).toBe(true);
+  });
+
+  it("returns plain not found when hidden document has no reason", async () => {
+    const model = {
+      collection: {findOne: mock(async () => ({foo: "bar"}))},
+      findById: mock(() => ({exec: mock(async () => null)})),
+      modelName: "MockModel",
+    } as any;
+    const middleware = permissionMiddleware(model, {permissions: allPermissions});
+    const next = mock(() => {});
+
+    await middleware(
+      buildReq({method: "GET", params: {id: "507f1f77bcf86cd799439011"}}),
+      {} as express.Response,
+      next as any
+    );
+
+    const [error] = (next as any).mock.calls[0];
+    expect(error).toBeInstanceOf(APIError);
+    expect(error.status).toBe(404);
+    expect(error.meta).toBeUndefined();
+  });
+});

package/src/populate.ts

@@ -138,8 +138,8 @@ export function getOpenApiSpecForModel(
   {
     populatePaths,
     extraModelProperties,
-  }: {populatePaths?: PopulatePath[]; extraModelProperties?: any} = {}
-): {properties: any; required: string[]} {
+  }: {populatePaths?: PopulatePath[]; extraModelProperties?: Record<string, unknown>} = {}
+): {properties: Record<string, unknown>; required: string[]} {
   const modelSwagger = m2s(model, {
     props: ["required", "enum"],
   });

package/src/syncConsents.ts

@@ -237,7 +237,7 @@ export const syncConsents = async (
 
   // Deactivate forms that are no longer in definitions
   if (deactivateRemoved) {
-    for (const [slug, form] of activeBySlug) {
+    for (const [slug] of activeBySlug) {
       if (!definitions[slug]) {
         logger.info(`syncConsents: deactivating "${slug}"`, {dryRun});
         if (!dryRun) {

package/src/tests/bunSetup.ts

@@ -6,17 +6,23 @@ import winston from "winston";
 import {setupEnvironment} from "../expressServer";
 import {logger, winstonLogger} from "../logger";
 
+const shouldConnectToTestDb = process.env.BUN_TEST_DISABLE_DB !== "true";
+
 // Connect to MongoDB once for all tests
-beforeAll(async () => {
-  await mongoose
-    .connect("mongodb://127.0.0.1/terreno?&connectTimeoutMS=360000")
-    .catch(logger.catch);
-});
+if (shouldConnectToTestDb) {
+  beforeAll(async () => {
+    await mongoose
+      .connect("mongodb://127.0.0.1/terreno?&connectTimeoutMS=360000")
+      .catch(logger.catch);
+  });
+}
 
 // Close MongoDB connection after all tests
-afterAll(async () => {
-  await mongoose.connection.close();
-});
+if (shouldConnectToTestDb) {
+  afterAll(async () => {
+    await mongoose.connection.close();
+  });
+}
 
 let logs: string[] = [];