Request validation for /api/subscriptions.* (#5476)

* chore: req validation for subscriptions.list

* chore: req validation for subscriptions.info

* chore: req validation for subscriptions.create

* chore: req validation for subscriptions.delete

* fix: reuse validations

server/routes/api/subscriptions/index.ts

@@ -0,0 +1 @@
+export { default } from "./subscriptions";

server/routes/api/subscriptions/schema.ts

@@ -0,0 +1,44 @@
+import { z } from "zod";
+import { ValidateDocumentId } from "@server/validation";
+import BaseSchema from "../BaseSchema";
+
+export const SubscriptionsListSchema = BaseSchema.extend({
+  body: z.object({
+    documentId: z.string().refine(ValidateDocumentId.isValid, {
+      message: ValidateDocumentId.message,
+    }),
+    event: z.literal("documents.update"),
+  }),
+});
+
+export type SubscriptionsListReq = z.infer<typeof SubscriptionsListSchema>;
+
+export const SubscriptionsInfoSchema = BaseSchema.extend({
+  body: z.object({
+    documentId: z.string().refine(ValidateDocumentId.isValid, {
+      message: ValidateDocumentId.message,
+    }),
+    event: z.literal("documents.update"),
+  }),
+});
+
+export type SubscriptionsInfoReq = z.infer<typeof SubscriptionsInfoSchema>;
+
+export const SubscriptionsCreateSchema = BaseSchema.extend({
+  body: z.object({
+    documentId: z.string().refine(ValidateDocumentId.isValid, {
+      message: ValidateDocumentId.message,
+    }),
+    event: z.literal("documents.update"),
+  }),
+});
+
+export type SubscriptionsCreateReq = z.infer<typeof SubscriptionsCreateSchema>;
+
+export const SubscriptionsDeleteSchema = BaseSchema.extend({
+  body: z.object({
+    id: z.string().uuid(),
+  }),
+});
+
+export type SubscriptionsDeleteReq = z.infer<typeof SubscriptionsDeleteSchema>;

server/routes/api/subscriptions/subscriptions.test.ts

@@ -140,7 +140,7 @@ describe("#subscriptions.create", () => {
     expect(body.ok).toEqual(false);
     expect(body.error).toEqual("validation_error");
     expect(body.message).toEqual(
-      "Not a valid subscription event for documents"
+      `event: Invalid literal value, expected "documents.update"`
     );
   });
 });
@@ -323,7 +323,7 @@ describe("#subscriptions.info", () => {
     expect(response0.ok).toEqual(false);
     expect(response0.error).toEqual("validation_error");
     expect(response0.message).toEqual(
-      "Not a valid subscription event for documents"
+      `event: Invalid literal value, expected "documents.update"`
     );
 
     // `viewer` wants info about `subscriber`'s
@@ -343,7 +343,7 @@ describe("#subscriptions.info", () => {
     expect(response1.ok).toEqual(false);
     expect(response1.error).toEqual("validation_error");
     expect(response1.message).toEqual(
-      "Not a valid subscription event for documents"
+      `event: Invalid literal value, expected "documents.update"`
     );
   });
 });
@@ -515,7 +515,7 @@ describe("#subscriptions.list", () => {
     expect(body.ok).toEqual(false);
     expect(body.error).toEqual("validation_error");
     expect(body.message).toEqual(
-      "Not a valid subscription event for documents"
+      `event: Invalid literal value, expected "documents.update"`
     );
   });
 

server/routes/api/subscriptions/subscriptions.ts

@@ -3,12 +3,13 @@ import subscriptionCreator from "@server/commands/subscriptionCreator";
 import subscriptionDestroyer from "@server/commands/subscriptionDestroyer";
 import auth from "@server/middlewares/authentication";
 import { transaction } from "@server/middlewares/transaction";
+import validate from "@server/middlewares/validate";
 import { Subscription, Document } from "@server/models";
 import { authorize } from "@server/policies";
 import { presentSubscription } from "@server/presenters";
 import { APIContext } from "@server/types";
-import { assertIn, assertUuid } from "@server/validation";
-import pagination from "./middlewares/pagination";
+import pagination from "../middlewares/pagination";
+import * as T from "./schema";
 
 const router = new Router();
 
@@ -16,17 +17,10 @@ router.post(
   "subscriptions.list",
   auth(),
   pagination(),
-  async (ctx: APIContext) => {
+  validate(T.SubscriptionsListSchema),
+  async (ctx: APIContext<T.SubscriptionsListReq>) => {
     const { user } = ctx.state.auth;
-    const { documentId, event } = ctx.request.body;
-
-    assertUuid(documentId, "documentId is required");
-
-    assertIn(
-      event,
-      ["documents.update"],
-      `Not a valid subscription event for documents`
-    );
+    const { documentId, event } = ctx.input.body;
 
     const document = await Document.findByPk(documentId, { userId: user.id });
 
@@ -50,53 +44,43 @@ router.post(
   }
 );
 
-router.post("subscriptions.info", auth(), async (ctx: APIContext) => {
-  const { user } = ctx.state.auth;
-  const { documentId, event } = ctx.request.body;
+router.post(
+  "subscriptions.info",
+  auth(),
+  validate(T.SubscriptionsInfoSchema),
+  async (ctx: APIContext<T.SubscriptionsInfoReq>) => {
+    const { user } = ctx.state.auth;
+    const { documentId, event } = ctx.input.body;
 
-  assertUuid(documentId, "documentId is required");
+    const document = await Document.findByPk(documentId, { userId: user.id });
 
-  assertIn(
-    event,
-    ["documents.update"],
-    "Not a valid subscription event for documents"
-  );
+    authorize(user, "read", document);
 
-  const document = await Document.findByPk(documentId, { userId: user.id });
+    // There can be only one subscription with these props.
+    const subscription = await Subscription.findOne({
+      where: {
+        userId: user.id,
+        documentId: document.id,
+        event,
+      },
+      rejectOnEmpty: true,
+    });
 
-  authorize(user, "read", document);
-
-  // There can be only one subscription with these props.
-  const subscription = await Subscription.findOne({
-    where: {
-      userId: user.id,
-      documentId: document.id,
-      event,
-    },
-    rejectOnEmpty: true,
-  });
-
-  ctx.body = {
-    data: presentSubscription(subscription),
-  };
-});
+    ctx.body = {
+      data: presentSubscription(subscription),
+    };
+  }
+);
 
 router.post(
   "subscriptions.create",
   auth(),
+  validate(T.SubscriptionsCreateSchema),
   transaction(),
-  async (ctx: APIContext) => {
+  async (ctx: APIContext<T.SubscriptionsCreateReq>) => {
     const { auth, transaction } = ctx.state;
     const { user } = auth;
-    const { documentId, event } = ctx.request.body;
-
-    assertUuid(documentId, "documentId is required");
-
-    assertIn(
-      event,
-      ["documents.update"],
-      "Not a valid subscription event for documents"
-    );
+    const { documentId, event } = ctx.input.body;
 
     const document = await Document.findByPk(documentId, {
       userId: user.id,
@@ -122,13 +106,12 @@ router.post(
 router.post(
   "subscriptions.delete",
   auth(),
+  validate(T.SubscriptionsDeleteSchema),
   transaction(),
-  async (ctx: APIContext) => {
+  async (ctx: APIContext<T.SubscriptionsDeleteReq>) => {
     const { auth, transaction } = ctx.state;
     const { user } = auth;
-    const { id } = ctx.request.body;
-
-    assertUuid(id, "id is required");
+    const { id } = ctx.input.body;
 
     const subscription = await Subscription.findByPk(id, {
       rejectOnEmpty: true,