@terreno/api 0.9.3 → 0.11.0

package/src/openApiValidator.test.ts

@@ -1,13 +1,21 @@
 import {afterEach, beforeEach, describe, expect, it} from "bun:test";
+import type {ErrorObject} from "ajv";
 
 import {modelRouter} from "./api";
 import {addAuthRoutes, setupAuth} from "./auth";
 import {
   buildQuerySchemaFromFields,
   configureOpenApiValidator,
+  createModelValidators,
+  createValidator,
+  getOpenApiValidatorConfig,
+  getSchemaFromModel,
   isOpenApiValidatorConfigured,
   resetOpenApiValidatorConfig,
+  validateModelRequestBody,
+  validateQueryParams,
   validateRequestBody,
+  validateResponseData,
 } from "./openApiValidator";
 import {Permissions} from "./permissions";
 import {authAsUser, FoodModel, getBaseServer, RequiredModel, setupDb, UserModel} from "./tests";
@@ -237,5 +245,407 @@ describe("openApiValidator", () => {
         middleware(req, res, () => {});
       }).toThrow();
     });
+
+    it("calls onError callback instead of throwing when provided at option level", () => {
+      configureOpenApiValidator();
+
+      let capturedErrors: ErrorObject[] = [];
+      const middleware = validateRequestBody(
+        {name: {required: true, type: "string"}},
+        {
+          onError: (errors) => {
+            capturedErrors = errors;
+          },
+        }
+      );
+
+      let nextCalled = false;
+      const req = {body: {}, method: "POST", path: "/test"} as any;
+      const res = {} as any;
+      middleware(req, res, () => {
+        nextCalled = true;
+      });
+
+      expect(nextCalled).toBe(true);
+      expect(capturedErrors.length).toBeGreaterThan(0);
+    });
+
+    it("calls global onValidationError when no per-route handler", () => {
+      let capturedErrors: ErrorObject[] = [];
+      configureOpenApiValidator({
+        onValidationError: (errors) => {
+          capturedErrors = errors;
+        },
+      });
+
+      const middleware = validateRequestBody({name: {required: true, type: "string"}});
+
+      let nextCalled = false;
+      const req = {body: {}, method: "POST", path: "/test"} as any;
+      const res = {} as any;
+      middleware(req, res, () => {
+        nextCalled = true;
+      });
+
+      expect(nextCalled).toBe(true);
+      expect(capturedErrors.length).toBeGreaterThan(0);
+    });
+
+    it("skips validation when enabled=false on options", () => {
+      configureOpenApiValidator();
+
+      const middleware = validateRequestBody(
+        {name: {required: true, type: "string"}},
+        {enabled: false}
+      );
+
+      let nextCalled = false;
+      const req = {body: {}, method: "POST", path: "/test"} as any;
+      const res = {} as any;
+      middleware(req, res, () => {
+        nextCalled = true;
+      });
+
+      expect(nextCalled).toBe(true);
+    });
+
+    it("respects validateRequests=false in global config", () => {
+      configureOpenApiValidator({validateRequests: false});
+
+      const middleware = validateRequestBody({name: {required: true, type: "string"}});
+
+      let nextCalled = false;
+      const req = {body: {}, method: "POST", path: "/test"} as any;
+      const res = {} as any;
+      middleware(req, res, () => {
+        nextCalled = true;
+      });
+
+      expect(nextCalled).toBe(true);
+    });
+  });
+
+  describe("validateQueryParams middleware", () => {
+    it("is a no-op when not configured", () => {
+      resetOpenApiValidatorConfig();
+
+      const middleware = validateQueryParams({
+        page: {type: "number"},
+      });
+
+      let nextCalled = false;
+      const req = {method: "GET", path: "/test", query: {}} as any;
+      const res = {} as any;
+      middleware(req, res, () => {
+        nextCalled = true;
+      });
+
+      expect(nextCalled).toBe(true);
+    });
+
+    it("coerces types when configured", () => {
+      configureOpenApiValidator({coerceTypes: true});
+
+      const middleware = validateQueryParams({
+        page: {type: "number"},
+      });
+
+      const req = {method: "GET", path: "/test", query: {page: "3"}} as any;
+      const res = {} as any;
+      middleware(req, res, () => {});
+
+      expect(req.query.page).toBe(3);
+    });
+
+    it("throws validation error when query does not match", () => {
+      configureOpenApiValidator({coerceTypes: false});
+
+      const middleware = validateQueryParams({
+        page: {required: true, type: "number"},
+      });
+
+      const req = {method: "GET", path: "/test", query: {}} as any;
+      const res = {} as any;
+      // Required top-level property missing triggers an error
+      // We need required: [] at schema level via required: true on property. Confirm via calling.
+      expect(() => {
+        middleware(req, res, () => {});
+      }).toThrow();
+    });
+
+    it("uses onError callback for query validation", () => {
+      let captured: any[] = [];
+      configureOpenApiValidator({coerceTypes: false});
+
+      const middleware = validateQueryParams(
+        {page: {required: true, type: "number"}},
+        {
+          onError: (errors) => {
+            captured = errors;
+          },
+        }
+      );
+
+      let nextCalled = false;
+      const req = {method: "GET", path: "/test", query: {}} as any;
+      const res = {} as any;
+      middleware(req, res, () => {
+        nextCalled = true;
+      });
+
+      expect(nextCalled).toBe(true);
+      expect(captured.length).toBeGreaterThan(0);
+    });
+
+    it("skips query validation when enabled=false", () => {
+      configureOpenApiValidator();
+
+      const middleware = validateQueryParams(
+        {page: {required: true, type: "number"}},
+        {enabled: false}
+      );
+
+      let nextCalled = false;
+      const req = {method: "GET", path: "/test", query: {}} as any;
+      const res = {} as any;
+      middleware(req, res, () => {
+        nextCalled = true;
+      });
+
+      expect(nextCalled).toBe(true);
+    });
+  });
+
+  describe("validateResponseData", () => {
+    it("returns valid when validateResponses is disabled", () => {
+      configureOpenApiValidator({validateResponses: false});
+      const result = validateResponseData({foo: "bar"}, {name: {type: "string"}});
+      expect(result.valid).toBe(true);
+    });
+
+    it("validates response shape when validateResponses is enabled", () => {
+      configureOpenApiValidator({validateResponses: true});
+      const result = validateResponseData(
+        {name: "Apple"},
+        {name: {required: true, type: "string"}}
+      );
+      expect(result.valid).toBe(true);
+    });
+
+    it("returns errors for invalid response shape", () => {
+      configureOpenApiValidator({coerceTypes: false, validateResponses: true});
+      const result = validateResponseData(
+        {name: 42 as any},
+        {name: {required: true, type: "string"}}
+      );
+      expect(result.valid).toBe(false);
+      expect(result.errors).toBeDefined();
+    });
+  });
+
+  describe("createValidator", () => {
+    it("runs body then query validation and calls next once both pass", () => {
+      configureOpenApiValidator({coerceTypes: true});
+
+      const middleware = createValidator({
+        body: {name: {required: true, type: "string"}},
+        query: {page: {type: "number"}},
+      });
+
+      let nextCalled = false;
+      const req = {
+        body: {name: "ok"},
+        method: "POST",
+        path: "/test",
+        query: {page: "2"},
+      } as any;
+      const res = {} as any;
+      middleware(req, res, () => {
+        nextCalled = true;
+      });
+
+      expect(nextCalled).toBe(true);
+      expect(req.query.page).toBe(2);
+    });
+
+    it("skips when neither body nor query schemas are provided", () => {
+      configureOpenApiValidator();
+
+      const middleware = createValidator({});
+
+      let nextCalled = false;
+      const req = {body: {}, method: "POST", path: "/test", query: {}} as any;
+      const res = {} as any;
+      middleware(req, res, () => {
+        nextCalled = true;
+      });
+
+      expect(nextCalled).toBe(true);
+    });
+
+    it("runs only query validation when only query provided", () => {
+      configureOpenApiValidator({coerceTypes: true});
+
+      const middleware = createValidator({
+        query: {page: {type: "number"}},
+      });
+
+      let nextCalled = false;
+      const req = {method: "GET", path: "/test", query: {page: "5"}} as any;
+      const res = {} as any;
+      middleware(req, res, () => {
+        nextCalled = true;
+      });
+
+      expect(nextCalled).toBe(true);
+      expect(req.query.page).toBe(5);
+    });
+
+    it("propagates body validation error via next", () => {
+      let capturedErrors: ErrorObject[] = [];
+      configureOpenApiValidator({
+        onValidationError: (errors) => {
+          capturedErrors = errors;
+        },
+      });
+
+      const middleware = createValidator({
+        body: {name: {required: true, type: "string"}},
+        query: {page: {type: "number"}},
+      });
+
+      const req = {body: {}, method: "POST", path: "/test", query: {}} as any;
+      const res = {} as any;
+
+      let nextCalled = false;
+      middleware(req, res, () => {
+        nextCalled = true;
+      });
+
+      expect(capturedErrors.length).toBeGreaterThan(0);
+      expect(nextCalled).toBe(true);
+    });
+  });
+
+  describe("createModelValidators", () => {
+    beforeEach(() => {
+      configureOpenApiValidator();
+    });
+
+    it("returns create and update middleware", () => {
+      const validators = createModelValidators(RequiredModel);
+      expect(typeof validators.create).toBe("function");
+      expect(typeof validators.update).toBe("function");
+    });
+
+    it("create validator rejects body with wrong type", () => {
+      configureOpenApiValidator({coerceTypes: false});
+      const {create} = createModelValidators(RequiredModel);
+
+      const req = {body: {name: 123}, method: "POST", path: "/required"} as any;
+      const res = {} as any;
+      expect(() => {
+        create(req, res, () => {});
+      }).toThrow();
+    });
+
+    it("update validator allows a partial body", () => {
+      const {update} = createModelValidators(RequiredModel);
+
+      let nextCalled = false;
+      const req = {body: {about: "info"}, method: "PATCH", path: "/required"} as any;
+      const res = {} as any;
+      update(req, res, () => {
+        nextCalled = true;
+      });
+
+      expect(nextCalled).toBe(true);
+    });
+
+    it("supports onAdditionalPropertiesRemoved option", () => {
+      configureOpenApiValidator({removeAdditional: true});
+      const removedProps: string[] = [];
+      const {create} = createModelValidators(RequiredModel, {
+        onAdditionalPropertiesRemoved: (props) => {
+          removedProps.push(...props);
+        },
+      });
+
+      // Extra property gets stripped and hook is called
+      const req = {
+        body: {extra: "strip me", name: "Apple"},
+        method: "POST",
+        path: "/required",
+      } as any;
+      create(req, {} as any, () => {});
+      expect(removedProps).toContain("extra");
+    });
+
+    it("supports onError option", () => {
+      configureOpenApiValidator({coerceTypes: false});
+      let errorHandled: any[] = [];
+      const {create} = createModelValidators(RequiredModel, {
+        onError: (errors) => {
+          errorHandled = errors;
+        },
+      });
+
+      // Wrong type triggers error handler
+      const req = {body: {name: 42}, method: "POST", path: "/required"} as any;
+      create(req, {} as any, () => {});
+      expect(errorHandled.length).toBeGreaterThan(0);
+    });
+  });
+
+  describe("validateModelRequestBody", () => {
+    beforeEach(() => {
+      configureOpenApiValidator();
+    });
+
+    it("creates a validator from a Mongoose model", () => {
+      const middleware = validateModelRequestBody(RequiredModel);
+
+      const req = {body: {}, method: "POST", path: "/required"} as any;
+      const res = {} as any;
+      expect(() => {
+        middleware(req, res, () => {});
+      }).toThrow();
+    });
+
+    it("respects excludeFields option", () => {
+      const middleware = validateModelRequestBody(RequiredModel, {
+        excludeFields: ["name"],
+      });
+
+      // Without 'name' required, empty body passes
+      let nextCalled = false;
+      const req = {body: {}, method: "POST", path: "/required"} as any;
+      const res = {} as any;
+      middleware(req, res, () => {
+        nextCalled = true;
+      });
+
+      expect(nextCalled).toBe(true);
+    });
+  });
+
+  describe("getSchemaFromModel", () => {
+    it("returns properties for a Mongoose model", () => {
+      const schema = getSchemaFromModel(RequiredModel);
+      expect(schema.name).toBeDefined();
+      expect(schema.about).toBeDefined();
+    });
+  });
+
+  describe("getOpenApiValidatorConfig", () => {
+    it("returns a shallow copy of the config", () => {
+      configureOpenApiValidator({removeAdditional: false});
+      const config = getOpenApiValidatorConfig();
+      expect(config.removeAdditional).toBe(false);
+
+      // Mutating the returned copy should not affect internal state
+      (config as any).removeAdditional = true;
+      expect(getOpenApiValidatorConfig().removeAdditional).toBe(false);
+    });
   });
 });

package/src/permissions.middleware.test.ts

@@ -0,0 +1,197 @@
+import {describe, expect, it, mock, spyOn} from "bun:test";
+import * as Sentry from "@sentry/bun";
+import type express from "express";
+
+import {APIError} from "./errors";
+import {Permissions, permissionMiddleware} from "./permissions";
+
+describe("permissionMiddleware", () => {
+  const allPermissions = {
+    create: [Permissions.IsAny],
+    delete: [Permissions.IsAny],
+    list: [Permissions.IsAny],
+    read: [Permissions.IsAny],
+    update: [Permissions.IsAny],
+  };
+
+  const buildReq = (overrides: Record<string, unknown> = {}): express.Request => {
+    return {
+      method: "GET",
+      params: {},
+      user: {id: "user-1"},
+      ...overrides,
+    } as unknown as express.Request;
+  };
+
+  it("calls next immediately for OPTIONS requests", async () => {
+    const model = {
+      collection: {findOne: mock(async () => null)},
+      findById: mock(() => ({exec: mock(async () => null)})),
+      modelName: "MockModel",
+    } as any;
+    const middleware = permissionMiddleware(model, {permissions: allPermissions});
+    const next = mock(() => {});
+
+    await middleware(buildReq({method: "OPTIONS"}), {} as express.Response, next as any);
+
+    expect(next).toHaveBeenCalledTimes(1);
+    expect((next as any).mock.calls[0]).toEqual([]);
+    expect(model.findById).toHaveBeenCalledTimes(0);
+  });
+
+  it("returns APIError for unsupported HTTP methods", async () => {
+    const model = {
+      collection: {findOne: mock(async () => null)},
+      findById: mock(() => ({exec: mock(async () => null)})),
+      modelName: "MockModel",
+    } as any;
+    const middleware = permissionMiddleware(model, {permissions: allPermissions});
+    const next = mock(() => {});
+
+    await middleware(buildReq({method: "TRACE"}), {} as express.Response, next as any);
+
+    expect(next).toHaveBeenCalledTimes(1);
+    const [error] = (next as any).mock.calls[0];
+    expect(error).toBeInstanceOf(APIError);
+    expect(error.status).toBe(405);
+    expect(error.title).toContain("Method TRACE not allowed");
+  });
+
+  it("wraps query execution failures in a 500 APIError", async () => {
+    const exec = mock(async () => {
+      throw new Error("query failed");
+    });
+    const model = {
+      collection: {findOne: mock(async () => null)},
+      findById: mock(() => ({exec})),
+      modelName: "MockModel",
+    } as any;
+    const middleware = permissionMiddleware(model, {permissions: allPermissions});
+    const next = mock(() => {});
+
+    await middleware(
+      buildReq({method: "GET", params: {id: "507f1f77bcf86cd799439011"}}),
+      {} as express.Response,
+      next as any
+    );
+
+    expect(exec).toHaveBeenCalledTimes(1);
+    const [error] = (next as any).mock.calls[0];
+    expect(error).toBeInstanceOf(APIError);
+    expect(error.status).toBe(500);
+    expect(error.title).toContain("GET failed on 507f1f77bcf86cd799439011");
+  });
+
+  it("captures sentry message when document does not exist", async () => {
+    const captureMessageSpy = spyOn(Sentry, "captureMessage");
+    const model = {
+      collection: {findOne: mock(async () => null)},
+      findById: mock(() => ({exec: mock(async () => null)})),
+      modelName: "MockModel",
+    } as any;
+    const middleware = permissionMiddleware(model, {permissions: allPermissions});
+    const next = mock(() => {});
+
+    await middleware(
+      buildReq({method: "GET", params: {id: "507f1f77bcf86cd799439011"}}),
+      {} as express.Response,
+      next as any
+    );
+
+    expect(captureMessageSpy).toHaveBeenCalledWith(
+      "Document 507f1f77bcf86cd799439011 not found for model MockModel"
+    );
+    const [error] = (next as any).mock.calls[0];
+    expect(error).toBeInstanceOf(APIError);
+    expect(error.status).toBe(404);
+    expect(error.meta).toBeUndefined();
+    captureMessageSpy.mockRestore();
+  });
+
+  it("returns hidden reason metadata when document is deleted", async () => {
+    const model = {
+      collection: {findOne: mock(async () => ({deleted: true}))},
+      findById: mock(() => ({exec: mock(async () => null)})),
+      modelName: "MockModel",
+    } as any;
+    const middleware = permissionMiddleware(model, {permissions: allPermissions});
+    const next = mock(() => {});
+
+    await middleware(
+      buildReq({method: "GET", params: {id: "507f1f77bcf86cd799439011"}}),
+      {} as express.Response,
+      next as any
+    );
+
+    const [error] = (next as any).mock.calls[0];
+    expect(error).toBeInstanceOf(APIError);
+    expect(error.status).toBe(404);
+    expect(error.meta).toEqual({deleted: "true"});
+    expect(error.disableExternalErrorTracking).toBe(true);
+  });
+
+  it("returns hidden reason metadata when document is disabled", async () => {
+    const model = {
+      collection: {findOne: mock(async () => ({disabled: true}))},
+      findById: mock(() => ({exec: mock(async () => null)})),
+      modelName: "MockModel",
+    } as any;
+    const middleware = permissionMiddleware(model, {permissions: allPermissions});
+    const next = mock(() => {});
+
+    await middleware(
+      buildReq({method: "GET", params: {id: "507f1f77bcf86cd799439011"}}),
+      {} as express.Response,
+      next as any
+    );
+
+    const [error] = (next as any).mock.calls[0];
+    expect(error).toBeInstanceOf(APIError);
+    expect(error.status).toBe(404);
+    expect(error.meta).toEqual({disabled: "true"});
+    expect(error.disableExternalErrorTracking).toBe(true);
+  });
+
+  it("returns hidden reason metadata when document is archived", async () => {
+    const model = {
+      collection: {findOne: mock(async () => ({archived: true}))},
+      findById: mock(() => ({exec: mock(async () => null)})),
+      modelName: "MockModel",
+    } as any;
+    const middleware = permissionMiddleware(model, {permissions: allPermissions});
+    const next = mock(() => {});
+
+    await middleware(
+      buildReq({method: "GET", params: {id: "507f1f77bcf86cd799439011"}}),
+      {} as express.Response,
+      next as any
+    );
+
+    const [error] = (next as any).mock.calls[0];
+    expect(error).toBeInstanceOf(APIError);
+    expect(error.status).toBe(404);
+    expect(error.meta).toEqual({archived: "true"});
+    expect(error.disableExternalErrorTracking).toBe(true);
+  });
+
+  it("returns plain not found when hidden document has no reason", async () => {
+    const model = {
+      collection: {findOne: mock(async () => ({foo: "bar"}))},
+      findById: mock(() => ({exec: mock(async () => null)})),
+      modelName: "MockModel",
+    } as any;
+    const middleware = permissionMiddleware(model, {permissions: allPermissions});
+    const next = mock(() => {});
+
+    await middleware(
+      buildReq({method: "GET", params: {id: "507f1f77bcf86cd799439011"}}),
+      {} as express.Response,
+      next as any
+    );
+
+    const [error] = (next as any).mock.calls[0];
+    expect(error).toBeInstanceOf(APIError);
+    expect(error.status).toBe(404);
+    expect(error.meta).toBeUndefined();
+  });
+});