Validate API request query (#4642)

* fix: refactor to accommodate authentication, transaction and pagination together into ctx.state

* feat: allow passing response type to APIContext

* feat: preliminary work for initial review

* fix: use unknown for base types

* fix: api/attachments

* fix: api/documents

* fix: jsdoc comment for input

* fix: replace at() with index access for compatibility

* fix: validation err message

* fix: error handling

* fix: remove unnecessary extend

server/routes/api/attachments/attachments.test.ts

@@ -307,6 +307,24 @@ describe("#attachments.redirect", () => {
     expect(res.status).toEqual(302);
   });
 
+  it("should return a redirect for the attachment if id supplied via query params", async () => {
+    const user = await buildUser();
+    const attachment = await buildAttachment({
+      teamId: user.teamId,
+      userId: user.id,
+    });
+    const res = await server.post(
+      `/api/attachments.redirect?id=${attachment.id}`,
+      {
+        body: {
+          token: user.getJwtToken(),
+        },
+        redirect: "manual",
+      }
+    );
+    expect(res.status).toEqual(302);
+  });
+
   it("should return a redirect for an attachment belonging to a trashed document user has access to", async () => {
     const user = await buildUser();
     const collection = await buildCollection({
@@ -385,4 +403,16 @@ describe("#attachments.redirect", () => {
     });
     expect(res.status).toEqual(403);
   });
+
+  it("should fail in absence of id", async () => {
+    const user = await buildUser();
+    const res = await server.post("/api/attachments.redirect", {
+      body: {
+        token: user.getJwtToken(),
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(400);
+    expect(body.message).toEqual("id is required");
+  });
 });

server/routes/api/attachments/attachments.ts

@@ -13,7 +13,7 @@ import { authorize } from "@server/policies";
 import { presentAttachment } from "@server/presenters";
 import { APIContext } from "@server/types";
 import { getPresignedPost, publicS3Endpoint } from "@server/utils/s3";
-import { assertIn, assertUuid } from "@server/validation";
+import { assertIn } from "@server/validation";
 import * as T from "./schema";
 
 const router = new Router();
@@ -24,7 +24,7 @@ router.post(
   validate(T.AttachmentsCreateSchema),
   transaction(),
   async (ctx: APIContext<T.AttachmentCreateReq>) => {
-    const { name, documentId, contentType, size, preset } = ctx.input;
+    const { name, documentId, contentType, size, preset } = ctx.input.body;
     const { auth, transaction } = ctx.state;
     const { user } = auth;
 
@@ -113,7 +113,7 @@ router.post(
   auth(),
   validate(T.AttachmentDeleteSchema),
   async (ctx: APIContext<T.AttachmentDeleteReq>) => {
-    const { id } = ctx.input;
+    const { id } = ctx.input.body;
     const { user } = ctx.state.auth;
     const attachment = await Attachment.findByPk(id, {
       rejectOnEmpty: true,
@@ -141,9 +141,10 @@ router.post(
   }
 );
 
-const handleAttachmentsRedirect = async (ctx: APIContext) => {
-  const id = ctx.request.body?.id ?? ctx.request.query?.id;
-  assertUuid(id, "id is required");
+const handleAttachmentsRedirect = async (
+  ctx: APIContext<T.AttachmentsRedirectReq>
+) => {
+  const id = (ctx.input.body.id ?? ctx.input.query.id) as string;
 
   const { user } = ctx.state.auth;
   const attachment = await Attachment.findByPk(id, {
@@ -165,7 +166,17 @@ const handleAttachmentsRedirect = async (ctx: APIContext) => {
   }
 };
 
-router.get("attachments.redirect", auth(), handleAttachmentsRedirect);
-router.post("attachments.redirect", auth(), handleAttachmentsRedirect);
+router.get(
+  "attachments.redirect",
+  auth(),
+  validate(T.AttachmentsRedirectSchema),
+  handleAttachmentsRedirect
+);
+router.post(
+  "attachments.redirect",
+  auth(),
+  validate(T.AttachmentsRedirectSchema),
+  handleAttachmentsRedirect
+);
 
 export default router;

server/routes/api/attachments/schema.ts

@@ -1,28 +1,49 @@
+import { isEmpty } from "lodash";
 import { z } from "zod";
 import { AttachmentPreset } from "@shared/types";
+import BaseSchema from "@server/routes/api/BaseSchema";
 
-export const AttachmentsCreateSchema = z.object({
-  /** Attachment name */
-  name: z.string(),
+export const AttachmentsCreateSchema = BaseSchema.extend({
+  body: z.object({
+    /** Attachment name */
+    name: z.string(),
 
-  /** Id of the document to which the Attachment belongs */
-  documentId: z.string().uuid().optional(),
+    /** Id of the document to which the Attachment belongs */
+    documentId: z.string().uuid().optional(),
 
-  /** File size of the Attachment */
-  size: z.number(),
+    /** File size of the Attachment */
+    size: z.number(),
 
-  /** Content-Type of the Attachment */
-  contentType: z.string().optional().default("application/octet-stream"),
+    /** Content-Type of the Attachment */
+    contentType: z.string().optional().default("application/octet-stream"),
 
-  /** Attachment type */
-  preset: z.nativeEnum(AttachmentPreset),
+    /** Attachment type */
+    preset: z.nativeEnum(AttachmentPreset),
+  }),
 });
 
 export type AttachmentCreateReq = z.infer<typeof AttachmentsCreateSchema>;
 
-export const AttachmentDeleteSchema = z.object({
-  /** Id of the attachment to be deleted */
-  id: z.string().uuid(),
+export const AttachmentDeleteSchema = BaseSchema.extend({
+  body: z.object({
+    /** Id of the attachment to be deleted */
+    id: z.string().uuid(),
+  }),
 });
 
 export type AttachmentDeleteReq = z.infer<typeof AttachmentDeleteSchema>;
+
+export const AttachmentsRedirectSchema = BaseSchema.extend({
+  body: z.object({
+    /** Id of the attachment to be deleted */
+    id: z.string().uuid().optional(),
+  }),
+  query: z.object({
+    /** Id of the attachment to be deleted */
+    id: z.string().uuid().optional(),
+  }),
+}).refine((req) => !(isEmpty(req.body.id) && isEmpty(req.query.id)), {
+  message: "id is required",
+});
+
+export type AttachmentsRedirectReq = z.infer<typeof AttachmentsRedirectSchema>;