yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refactor: add server side validation schema for fileOperations (#4989)

Browse Source 
* refactor: move files to subfolder

* refactor: schema for fileOperations.info

* refactor: schema for fileOperations.list

* refactor: schema for fileOperations.delete

* refactor: schema for fileOperations.redirect
This commit is contained in:
Mohamed ELIDRISSI
2023-03-09 04:01:51 +01:00
committed by GitHub
parent c039501035
commit e2429f6d85
4 changed files with 90 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

309
server/routes/api/fileOperations/fileOperations.test.ts Normal file
View File

@@ -0,0 +1,309 @@
import { FileOperationState, FileOperationType } from "@shared/types";
import { Collection, User, Event, FileOperation } from "@server/models";
import {
buildAdmin,
buildCollection,
buildFileOperation,
buildTeam,
buildUser,
} from "@server/test/factories";
import { getTestServer } from "@server/test/support";
const server = getTestServer();
jest.mock("@server/utils/s3");
describe("#fileOperations.info", () => {
it("should return fileOperation", async () => {
const team = await buildTeam();
const admin = await buildAdmin({
teamId: team.id,
});
const exportData = await buildFileOperation({
type: FileOperationType.Export,
teamId: team.id,
userId: admin.id,
});
const res = await server.post("/api/fileOperations.info", {
body: {
id: exportData.id,
token: admin.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).toBe(exportData.id);
expect(body.data.state).toBe(exportData.state);
});
it("should require user to be an admin", async () => {
const team = await buildTeam();
const admin = await buildAdmin({
teamId: team.id,
});
const user = await buildUser({
teamId: team.id,
});
const exportData = await buildFileOperation({
type: FileOperationType.Export,
teamId: team.id,
userId: admin.id,
});
const res = await server.post("/api/fileOperations.info", {
body: {
id: exportData.id,
token: user.getJwtToken(),
},
});
expect(res.status).toEqual(403);
});
it("should require authorization", async () => {
const team = await buildTeam();
const admin = await buildAdmin();
await buildUser({
teamId: team.id,
});
const exportData = await buildFileOperation({
type: FileOperationType.Export,
teamId: team.id,
userId: admin.id,
});
const res = await server.post("/api/fileOperations.info", {
body: {
id: exportData.id,
token: admin.getJwtToken(),
},
});
expect(res.status).toEqual(403);
});
});
describe("#fileOperations.list", () => {
it("should return fileOperations list", async () => {
const team = await buildTeam();
const admin = await buildAdmin({
teamId: team.id,
});
const exportData = await buildFileOperation({
type: FileOperationType.Export,
teamId: team.id,
userId: admin.id,
});
const res = await server.post("/api/fileOperations.list", {
body: {
token: admin.getJwtToken(),
type: FileOperationType.Export,
},
});
const body = await res.json();
const data = body.data[0];
expect(res.status).toEqual(200);
expect(body.data.length).toBe(1);
expect(data.id).toBe(exportData.id);
expect(data.key).toBe(undefined);
expect(data.state).toBe(exportData.state);
});
it("should return exports with collection data", async () => {
const team = await buildTeam();
const admin = await buildAdmin({
teamId: team.id,
});
const collection = await buildCollection({
userId: admin.id,
teamId: team.id,
});
const exportData = await buildFileOperation({
type: FileOperationType.Export,
teamId: team.id,
userId: admin.id,
collectionId: collection.id,
});
const res = await server.post("/api/fileOperations.list", {
body: {
token: admin.getJwtToken(),
type: FileOperationType.Export,
},
});
const body = await res.json();
const data = body.data[0];
expect(res.status).toEqual(200);
expect(body.data.length).toBe(1);
expect(data.id).toBe(exportData.id);
expect(data.key).toBe(undefined);
expect(data.state).toBe(exportData.state);
expect(data.collectionId).toBe(collection.id);
});
it("should return exports with collection data even if collection is deleted", async () => {
const team = await buildTeam();
const admin = await buildAdmin({
teamId: team.id,
});
const collection = await buildCollection({
userId: admin.id,
teamId: team.id,
});
const exportData = await buildFileOperation({
type: FileOperationType.Export,
teamId: team.id,
userId: admin.id,
collectionId: collection.id,
});
await collection.destroy();
const isCollectionPresent = await Collection.findByPk(collection.id);
expect(isCollectionPresent).toBe(null);
const res = await server.post("/api/fileOperations.list", {
body: {
token: admin.getJwtToken(),
type: FileOperationType.Export,
},
});
const body = await res.json();
const data = body.data[0];
expect(res.status).toEqual(200);
expect(body.data.length).toBe(1);
expect(data.id).toBe(exportData.id);
expect(data.key).toBe(undefined);
expect(data.state).toBe(exportData.state);
expect(data.collectionId).toBe(collection.id);
});
it("should return exports with user data even if user is deleted", async () => {
const team = await buildTeam();
const admin2 = await buildAdmin({
teamId: team.id,
});
const admin = await buildAdmin({
teamId: team.id,
});
const collection = await buildCollection({
userId: admin.id,
teamId: team.id,
});
const exportData = await buildFileOperation({
type: FileOperationType.Export,
teamId: team.id,
userId: admin.id,
collectionId: collection.id,
});
await admin.destroy();
const isAdminPresent = await User.findByPk(admin.id);
expect(isAdminPresent).toBe(null);
const res = await server.post("/api/fileOperations.list", {
body: {
token: admin2.getJwtToken(),
type: FileOperationType.Export,
},
});
const body = await res.json();
const data = body.data[0];
expect(res.status).toEqual(200);
expect(body.data.length).toBe(1);
expect(data.id).toBe(exportData.id);
expect(data.key).toBe(undefined);
expect(data.state).toBe(exportData.state);
expect(data.user.id).toBe(admin.id);
});
it("should require admin", async () => {
const user = await buildUser();
const res = await server.post("/api/fileOperations.list", {
body: {
token: user.getJwtToken(),
type: FileOperationType.Export,
},
});
expect(res.status).toEqual(403);
});
});
describe("#fileOperations.redirect", () => {
it("should not redirect when file operation is not complete", async () => {
const team = await buildTeam();
const admin = await buildAdmin({
teamId: team.id,
});
const exportData = await buildFileOperation({
type: FileOperationType.Export,
teamId: team.id,
userId: admin.id,
});
const res = await server.post("/api/fileOperations.redirect", {
body: {
token: admin.getJwtToken(),
id: exportData.id,
},
});
const body = await res.json();
expect(res.status).toEqual(400);
expect(body.message).toEqual("export is not complete yet");
});
it("should require authorization", async () => {
const team = await buildTeam();
const user = await buildUser({
teamId: team.id,
});
const admin = await buildAdmin();
const exportData = await buildFileOperation({
state: FileOperationState.Complete,
type: FileOperationType.Export,
teamId: team.id,
userId: user.id,
});
const res = await server.post("/api/fileOperations.redirect", {
body: {
token: admin.getJwtToken(),
id: exportData.id,
},
});
expect(res.status).toEqual(403);
});
});
describe("#fileOperations.delete", () => {
it("should delete file operation", async () => {
const team = await buildTeam();
const admin = await buildAdmin({
teamId: team.id,
});
const exportData = await buildFileOperation({
type: FileOperationType.Export,
teamId: team.id,
userId: admin.id,
state: FileOperationState.Complete,
});
const deleteResponse = await server.post("/api/fileOperations.delete", {
body: {
token: admin.getJwtToken(),
id: exportData.id,
},
});
expect(deleteResponse.status).toBe(200);
expect(await Event.count()).toBe(1);
expect(await FileOperation.count()).toBe(0);
});
it("should require authorization", async () => {
const team = await buildTeam();
const user = await buildUser({
teamId: team.id,
});
const admin = await buildAdmin();
const exportData = await buildFileOperation({
type: FileOperationType.Export,
teamId: team.id,
userId: user.id,
});
const res = await server.post("/api/fileOperations.delete", {
body: {
token: admin.getJwtToken(),
id: exportData.id,
},
});
expect(res.status).toEqual(403);
});
});

125
server/routes/api/fileOperations/fileOperations.ts Normal file
View File

@@ -0,0 +1,125 @@
import Router from "koa-router";
import { WhereOptions } from "sequelize";
import fileOperationDeleter from "@server/commands/fileOperationDeleter";
import { ValidationError } from "@server/errors";
import auth from "@server/middlewares/authentication";
import validate from "@server/middlewares/validate";
import { FileOperation, Team } from "@server/models";
import { authorize } from "@server/policies";
import { presentFileOperation } from "@server/presenters";
import { APIContext } from "@server/types";
import { getSignedUrl } from "@server/utils/s3";
import pagination from "../middlewares/pagination";
import * as T from "./schema";
const router = new Router();
router.post(
"fileOperations.info",
auth({ admin: true }),
validate(T.FileOperationsInfoSchema),
async (ctx: APIContext<T.FileOperationsInfoReq>) => {
const { id } = ctx.input.body;
const { user } = ctx.state.auth;
const fileOperation = await FileOperation.findByPk(id, {
rejectOnEmpty: true,
});
authorize(user, "read", fileOperation);
ctx.body = {
data: presentFileOperation(fileOperation),
};
}
);
router.post(
"fileOperations.list",
auth({ admin: true }),
pagination(),
validate(T.FileOperationsListSchema),
async (ctx: APIContext<T.FileOperationsListReq>) => {
const { direction, sort, type } = ctx.input.body;
const { user } = ctx.state.auth;
const where: WhereOptions<FileOperation> = {
teamId: user.teamId,
type,
};
const team = await Team.findByPk(user.teamId);
authorize(user, "manage", team);
const [exports, total] = await Promise.all([
FileOperation.findAll({
where,
order: [[sort, direction]],
offset: ctx.state.pagination.offset,
limit: ctx.state.pagination.limit,
}),
FileOperation.count({
where,
}),
]);
ctx.body = {
pagination: { ...ctx.state.pagination, total },
data: exports.map(presentFileOperation),
};
}
);
const handleFileOperationsRedirect = async (
ctx: APIContext<T.FileOperationsRedirectReq>
) => {
const id = (ctx.input.body.id ?? ctx.input.query.id) as string;
const { user } = ctx.state.auth;
const fileOperation = await FileOperation.unscoped().findByPk(id, {
rejectOnEmpty: true,
});
authorize(user, "read", fileOperation);
if (fileOperation.state !== "complete") {
throw ValidationError(`${fileOperation.type} is not complete yet`);
}
const accessUrl = await getSignedUrl(fileOperation.key);
ctx.redirect(accessUrl);
};
router.get(
"fileOperations.redirect",
auth({ admin: true }),
validate(T.FileOperationsRedirectSchema),
handleFileOperationsRedirect
);
router.post(
"fileOperations.redirect",
auth({ admin: true }),
validate(T.FileOperationsRedirectSchema),
handleFileOperationsRedirect
);
router.post(
"fileOperations.delete",
auth({ admin: true }),
validate(T.FileOperationsDeleteSchema),
async (ctx: APIContext<T.FileOperationsDeleteReq>) => {
const { id } = ctx.input.body;
const { user } = ctx.state.auth;
const fileOperation = await FileOperation.unscoped().findByPk(id, {
rejectOnEmpty: true,
});
authorize(user, "delete", fileOperation);
await fileOperationDeleter(fileOperation, user, ctx.request.ip);
ctx.body = {
success: true,
};
}
);
export default router;

1
server/routes/api/fileOperations/index.ts Normal file
View File

@@ -0,0 +1 @@
export { default } from "./fileOperations";

67
server/routes/api/fileOperations/schema.ts Normal file
View File

@@ -0,0 +1,67 @@
import { isEmpty } from "lodash";
import z from "zod";
import { FileOperationType } from "@shared/types";
import { FileOperation } from "@server/models";
import BaseSchema from "../BaseSchema";
const CollectionsSortParamsSchema = z.object({
/** The attribute to sort by */
sort: z
.string()
.refine((val) => Object.keys(FileOperation.getAttributes()).includes(val), {
message: "Invalid sort parameter",
})
.default("createdAt"),
/** The direction of the sorting */
direction: z
.string()
.optional()
.transform((val) => (val !== "ASC" ? "DESC" : val)),
});
export const FileOperationsInfoSchema = BaseSchema.extend({
body: z.object({
/** Id of the file operation to be retrieved */
id: z.string().uuid(),
}),
});
export type FileOperationsInfoReq = z.infer<typeof FileOperationsInfoSchema>;
export const FileOperationsListSchema = BaseSchema.extend({
body: CollectionsSortParamsSchema.extend({
/** File Operation Type */
type: z.nativeEnum(FileOperationType),
}),
});
export type FileOperationsListReq = z.infer<typeof FileOperationsListSchema>;
export const FileOperationsRedirectSchema = BaseSchema.extend({
body: z.object({
/** Id of the file operation to access */
id: z.string().uuid().optional(),
}),
query: z.object({
/** Id of the file operation to access */
id: z.string().uuid().optional(),
}),
}).refine((req) => !(isEmpty(req.body.id) && isEmpty(req.query.id)), {
message: "id is required",
});
export type FileOperationsRedirectReq = z.infer<
typeof FileOperationsRedirectSchema
>;
export const FileOperationsDeleteSchema = BaseSchema.extend({
body: z.object({
/** Id of the file operation to delete */
id: z.string().uuid(),
}),
});
export type FileOperationsDeleteReq = z.infer<
typeof FileOperationsDeleteSchema
>;