fix(backend): reject unknown fields in source config (#88)
Add "+": "reject" to all arktype schemas so undeclared keys return 400. Sources without a configSchema now reject the config field entirely at the HTTP layer. Co-authored-by: Ona <no-reply@ona.com>
@@ -287,6 +287,31 @@ describe("PATCH /api/sources/:sourceId", () => {
|
||||
expect(body.error).toContain("Invalid JSON")
|
||||
})
|
||||
|
||||
test("returns 400 when request body contains unknown fields", async () => {
|
||||
activeStore = createInMemoryStore()
|
||||
activeStore.seed(MOCK_USER_ID, "aelis.weather")
|
||||
const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
|
||||
|
||||
const res = await patch(app, "aelis.weather", {
|
||||
enabled: true,
|
||||
unknownField: "hello",
|
||||
})
|
||||
|
||||
expect(res.status).toBe(400)
|
||||
})
|
||||
|
||||
test("returns 400 when weather config contains unknown fields", async () => {
|
||||
activeStore = createInMemoryStore()
|
||||
activeStore.seed(MOCK_USER_ID, "aelis.weather")
|
||||
const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
|
||||
|
||||
const res = await patch(app, "aelis.weather", {
|
||||
config: { units: "metric", unknownField: "hello" },
|
||||
})
|
||||
|
||||
expect(res.status).toBe(400)
|
||||
})
|
||||
|
||||
test("returns 400 when weather config fails validation", async () => {
|
||||
activeStore = createInMemoryStore()
|
||||
activeStore.seed(MOCK_USER_ID, "aelis.weather")
|
||||
@@ -410,7 +435,7 @@ describe("PATCH /api/sources/:sourceId", () => {
|
||||
removeSpy.mockRestore()
|
||||
})
|
||||
|
||||
test("accepts location source with arbitrary config (no schema)", async () => {
|
||||
test("returns 400 when config is provided for source without schema", async () => {
|
||||
activeStore = createInMemoryStore()
|
||||
activeStore.seed(MOCK_USER_ID, "aelis.location")
|
||||
const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
|
||||
@@ -419,7 +444,19 @@ describe("PATCH /api/sources/:sourceId", () => {
|
||||
config: { something: "value" },
|
||||
})
|
||||
|
||||
expect(res.status).toBe(204)
|
||||
expect(res.status).toBe(400)
|
||||
})
|
||||
|
||||
test("returns 400 when empty config is provided for source without schema", async () => {
|
||||
activeStore = createInMemoryStore()
|
||||
activeStore.seed(MOCK_USER_ID, "aelis.location")
|
||||
const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
|
||||
|
||||
const res = await patch(app, "aelis.location", {
|
||||
config: {},
|
||||
})
|
||||
|
||||
expect(res.status).toBe(400)
|
||||
})
|
||||
|
||||
test("updates enabled on location source", async () => {
|
||||
@@ -493,6 +530,31 @@ describe("PUT /api/sources/:sourceId", () => {
|
||||
expect(res.status).toBe(400)
|
||||
})
|
||||
|
||||
test("returns 400 when request body contains unknown fields", async () => {
|
||||
activeStore = createInMemoryStore()
|
||||
const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
|
||||
|
||||
const res = await put(app, "aelis.weather", {
|
||||
enabled: true,
|
||||
config: { units: "metric" },
|
||||
unknownField: "hello",
|
||||
})
|
||||
|
||||
expect(res.status).toBe(400)
|
||||
})
|
||||
|
||||
test("returns 400 when weather config contains unknown fields", async () => {
|
||||
activeStore = createInMemoryStore()
|
||||
const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
|
||||
|
||||
const res = await put(app, "aelis.weather", {
|
||||
enabled: true,
|
||||
config: { units: "metric", unknownField: "hello" },
|
||||
})
|
||||
|
||||
expect(res.status).toBe(400)
|
||||
})
|
||||
|
||||
test("returns 400 when config fails schema validation", async () => {
|
||||
activeStore = createInMemoryStore()
|
||||
const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
|
||||
@@ -611,7 +673,7 @@ describe("PUT /api/sources/:sourceId", () => {
|
||||
expect(session.hasSource("aelis.weather")).toBe(true)
|
||||
})
|
||||
|
||||
test("accepts location source with arbitrary config (no schema)", async () => {
|
||||
test("returns 400 when config is provided for source without schema", async () => {
|
||||
activeStore = createInMemoryStore()
|
||||
const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
|
||||
|
||||
@@ -620,9 +682,29 @@ describe("PUT /api/sources/:sourceId", () => {
|
||||
config: { something: "value" },
|
||||
})
|
||||
|
||||
expect(res.status).toBe(400)
|
||||
})
|
||||
|
||||
test("returns 400 when empty config is provided for source without schema", async () => {
|
||||
activeStore = createInMemoryStore()
|
||||
const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
|
||||
|
||||
const res = await put(app, "aelis.location", {
|
||||
enabled: true,
|
||||
config: {},
|
||||
})
|
||||
|
||||
expect(res.status).toBe(400)
|
||||
})
|
||||
|
||||
test("returns 204 without config field for source without schema", async () => {
|
||||
activeStore = createInMemoryStore()
|
||||
const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
|
||||
|
||||
const res = await put(app, "aelis.location", {
|
||||
enabled: true,
|
||||
})
|
||||
|
||||
expect(res.status).toBe(204)
|
||||
const row = activeStore.rows.get(`${MOCK_USER_ID}:aelis.location`)
|
||||
expect(row).toBeDefined()
|
||||
expect(row!.config).toEqual({ something: "value" })
|
||||
})
|
||||
})
|
||||
|
||||
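Review bot: The new rejection tests (the "unknown fields" and "source without schema" cases under both PATCH and PUT) assert only `expect(res.status).toBe(400)`, so they would still pass if the handler persisted part of the body before returning the error. In the PATCH cases the store is seeded, so reading the row with `activeStore.rows.get(...)` before and after the request and comparing the two would pin that a rejected body leaves stored state untouched. In the PUT cases, which start from an empty store, an `expect(activeStore.rows.get(...)).toBeUndefined()` after the request would do the same. The last PUT test, "returns 204 without config field for source without schema", appears to stop at the status check (the +/- markers are lost on this page, so this is inferred from the hunk counts); an assertion on the persisted row would document what a schema-less source stores when `config` is omitted.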
@@ -20,15 +20,22 @@ interface SourcesHttpHandlersDeps {
|
||||
}
|
||||
|
||||
const UpdateSourceConfigRequestBody = type({
|
||||
"+": "reject",
|
||||
"enabled?": "boolean",
|
||||
"config?": "unknown",
|
||||
})
|
||||
|
||||
const ReplaceSourceConfigRequestBody = type({
|
||||
"+": "reject",
|
||||
enabled: "boolean",
|
||||
config: "unknown",
|
||||
})
|
||||
|
||||
const ReplaceSourceConfigNoConfigRequestBody = type({
|
||||
"+": "reject",
|
||||
enabled: "boolean",
|
||||
})
|
||||
|
||||
export function registerSourcesHttpHandlers(
|
||||
app: Hono,
|
||||
{ sessionManager, authSessionMiddleware }: SourcesHttpHandlersDeps,
|
||||
@@ -90,6 +97,10 @@ async function handleUpdateSource(c: Context<Env>) {
|
||||
return c.json({ error: parsed.summary }, 400)
|
||||
}
|
||||
|
||||
if (!provider.configSchema && "config" in parsed) {
|
||||
return c.json({ error: `Source "${sourceId}" does not accept config` }, 400)
|
||||
}
|
||||
|
||||
const { enabled, config: newConfig } = parsed
|
||||
const user = c.get("user")!
|
||||
|
||||
@@ -131,12 +142,16 @@ async function handleReplaceSource(c: Context<Env>) {
|
||||
return c.json({ error: "Invalid JSON" }, 400)
|
||||
}
|
||||
|
||||
const parsed = ReplaceSourceConfigRequestBody(body)
|
||||
const schema = provider.configSchema
|
||||
? ReplaceSourceConfigRequestBody
|
||||
: ReplaceSourceConfigNoConfigRequestBody
|
||||
const parsed = schema(body)
|
||||
if (parsed instanceof type.errors) {
|
||||
return c.json({ error: parsed.summary }, 400)
|
||||
}
|
||||
|
||||
const { enabled, config } = parsed
|
||||
const { enabled } = parsed
|
||||
const config = "config" in parsed ? parsed.config : undefined
|
||||
const user = c.get("user")!
|
||||
|
||||
try {
|
||||
|
||||
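Review bot: All three request-body schemas reject undeclared top-level keys, but `config` is still typed `"unknown"` in `UpdateSourceConfigRequestBody` and `ReplaceSourceConfigRequestBody`, so strictness inside `config` depends on each provider's `configSchema` declaring `"+": "reject"` itself. arktype ignores undeclared keys by default, so a provider schema added later without the flag would silently accept them. The code that applies `provider.configSchema` is outside these hunks, so this should be confirmed there; if the schemas are arktype types, validating through `provider.configSchema.onUndeclaredKey("reject")` in the handler would enforce it centrally. Separately, rows saved for schema-less sources before this change may still hold arbitrary config, and from `const config = "config" in parsed ? parsed.config : undefined` in handleReplaceSource it is not visible whether a PUT clears or keeps that stored value. A comment on that line stating the intended outcome, such as `// schema-less sources never carry config; undefined here means <clear | keep> the stored value`, would settle it.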