fix(backend): reject unknown fields in source config

Add "+": "reject" to all arktype schemas so undeclared
keys return 400. Sources without a configSchema now
reject the config field entirely at the HTTP layer.

Co-authored-by: Ona <no-reply@ona.com>

apps/aelis-backend/src/enhancement/llm-client.ts

@@ -50,13 +50,11 @@ export function createLlmClient(config: LlmClientConfig): LlmClient {
 							schema: enhancementResultJsonSchema,
 						},
 					},
-					reasoning: { effort: "none" },
 					stream: false,
 				},
 			})
 
-			const message = response.choices?.[0]?.message
-			const content = message?.content ?? message?.reasoning
+			const content = response.choices?.[0]?.message?.content
 			if (typeof content !== "string") {
 				console.warn("[enhancement] LLM returned no content in response")
 				return null

apps/aelis-backend/src/session/user-session-manager.ts

@@ -5,10 +5,10 @@ import merge from "lodash.merge"
 
 import type { Database } from "../db/index.ts"
 import type { FeedEnhancer } from "../enhancement/enhance-feed.ts"
-import { InvalidSourceConfigError, SourceNotFoundError } from "../sources/errors.ts"
-import { sources } from "../sources/user-sources.ts"
 import type { FeedSourceProvider } from "./feed-source-provider.ts"
 
+import { InvalidSourceConfigError, SourceNotFoundError } from "../sources/errors.ts"
+import { sources } from "../sources/user-sources.ts"
 import { UserSession } from "./user-session.ts"
 
 export interface UserSessionManagerConfig {
@@ -38,27 +38,6 @@ export class UserSessionManager {
 		return this.providers.get(sourceId)
 	}
 
-	/**
-	 * Returns the user's config for a source, or defaults if no row exists.
-	 *
-	 * @throws {SourceNotFoundError} if the sourceId has no registered provider
-	 */
-	async fetchSourceConfig(
-		userId: string,
-		sourceId: string,
-	): Promise<{ enabled: boolean; config: unknown }> {
-		const provider = this.providers.get(sourceId)
-		if (!provider) {
-			throw new SourceNotFoundError(sourceId, userId)
-		}
-
-		const row = await sources(this.db, userId).find(sourceId)
-		return {
-			enabled: row?.enabled ?? false,
-			config: row?.config ?? {},
-		}
-	}
-
 	async getOrCreate(userId: string): Promise<UserSession> {
 		const existing = this.sessions.get(userId)
 		if (existing) return existing
@@ -125,16 +104,14 @@ export class UserSessionManager {
 		// read stale config. Use SELECT FOR UPDATE or atomic jsonb merge if
 		// this becomes a problem.
 		let mergedConfig: Record<string, unknown> | undefined
-		if (update.config !== undefined) {
+		if (update.config !== undefined && provider.configSchema) {
 			const existing = await sources(this.db, userId).find(sourceId)
 			const existingConfig = (existing?.config ?? {}) as Record<string, unknown>
 			mergedConfig = merge({}, existingConfig, update.config)
 
-			if (provider.configSchema) {
-				const validated = provider.configSchema(mergedConfig)
-				if (validated instanceof type.errors) {
-					throw new InvalidSourceConfigError(sourceId, validated.summary)
-				}
+			const validated = provider.configSchema(mergedConfig)
+			if (validated instanceof type.errors) {
+				throw new InvalidSourceConfigError(sourceId, validated.summary)
 			}
 		}
 
@@ -169,23 +146,24 @@ export class UserSessionManager {
 	async upsertSourceConfig(
 		userId: string,
 		sourceId: string,
-		data: { enabled: boolean; config: unknown },
+		data: { enabled: boolean; config?: unknown },
 	): Promise<void> {
 		const provider = this.providers.get(sourceId)
 		if (!provider) {
 			throw new SourceNotFoundError(sourceId, userId)
 		}
 
-		if (provider.configSchema) {
+		if (provider.configSchema && data.config !== undefined) {
 			const validated = provider.configSchema(data.config)
 			if (validated instanceof type.errors) {
 				throw new InvalidSourceConfigError(sourceId, validated.summary)
 			}
 		}
 
+		const config = data.config ?? {}
 		await sources(this.db, userId).upsertConfig(sourceId, {
 			enabled: data.enabled,
-			config: data.config,
+			config,
 		})
 
 		const session = this.sessions.get(userId)
@@ -193,7 +171,7 @@ export class UserSessionManager {
 			if (!data.enabled) {
 				session.removeSource(sourceId)
 			} else {
-				const source = await provider.feedSourceForUser(userId, data.config)
+				const source = await provider.feedSourceForUser(userId, config)
 				if (session.hasSource(sourceId)) {
 					session.replaceSource(sourceId, source)
 				} else {

apps/aelis-backend/src/sources/http.test.ts

@@ -138,10 +138,6 @@ function patch(app: Hono, sourceId: string, body: unknown) {
 	})
 }
 
-function get(app: Hono, sourceId: string) {
-	return app.request(`/api/sources/${sourceId}`, { method: "GET" })
-}
-
 function put(app: Hono, sourceId: string, body: unknown) {
 	return app.request(`/api/sources/${sourceId}`, {
 		method: "PUT",
@@ -154,72 +150,6 @@ function put(app: Hono, sourceId: string, body: unknown) {
 // Tests
 // ---------------------------------------------------------------------------
 
-describe("GET /api/sources/:sourceId", () => {
-	test("returns 401 without auth", async () => {
-		activeStore = createInMemoryStore()
-		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)])
-
-		const res = await get(app, "aelis.weather")
-
-		expect(res.status).toBe(401)
-	})
-
-	test("returns 404 for unknown source", async () => {
-		activeStore = createInMemoryStore()
-		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
-
-		const res = await get(app, "unknown.source")
-
-		expect(res.status).toBe(404)
-		const body = (await res.json()) as { error: string }
-		expect(body.error).toContain("not found")
-	})
-
-	test("returns enabled and config for existing source", async () => {
-		activeStore = createInMemoryStore()
-		activeStore.seed(MOCK_USER_ID, "aelis.weather", {
-			enabled: true,
-			config: { units: "metric" },
-		})
-		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
-
-		const res = await get(app, "aelis.weather")
-
-		expect(res.status).toBe(200)
-		const body = (await res.json()) as { enabled: boolean; config: unknown }
-		expect(body.enabled).toBe(true)
-		expect(body.config).toEqual({ units: "metric" })
-	})
-
-	test("returns defaults when user has no row for source", async () => {
-		activeStore = createInMemoryStore()
-		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
-
-		const res = await get(app, "aelis.weather")
-
-		expect(res.status).toBe(200)
-		const body = (await res.json()) as { enabled: boolean; config: unknown }
-		expect(body.enabled).toBe(false)
-		expect(body.config).toEqual({})
-	})
-
-	test("returns disabled source", async () => {
-		activeStore = createInMemoryStore()
-		activeStore.seed(MOCK_USER_ID, "aelis.weather", {
-			enabled: false,
-			config: { units: "imperial" },
-		})
-		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
-
-		const res = await get(app, "aelis.weather")
-
-		expect(res.status).toBe(200)
-		const body = (await res.json()) as { enabled: boolean; config: unknown }
-		expect(body.enabled).toBe(false)
-		expect(body.config).toEqual({ units: "imperial" })
-	})
-})
-
 describe("PATCH /api/sources/:sourceId", () => {
 	test("returns 401 without auth", async () => {
 		activeStore = createInMemoryStore()
@@ -287,6 +217,31 @@ describe("PATCH /api/sources/:sourceId", () => {
 		expect(body.error).toContain("Invalid JSON")
 	})
 
+	test("returns 400 when request body contains unknown fields", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.weather")
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await patch(app, "aelis.weather", {
+			enabled: true,
+			unknownField: "hello",
+		})
+
+		expect(res.status).toBe(400)
+	})
+
+	test("returns 400 when weather config contains unknown fields", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.weather")
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await patch(app, "aelis.weather", {
+			config: { units: "metric", unknownField: "hello" },
+		})
+
+		expect(res.status).toBe(400)
+	})
+
 	test("returns 400 when weather config fails validation", async () => {
 		activeStore = createInMemoryStore()
 		activeStore.seed(MOCK_USER_ID, "aelis.weather")
@@ -410,7 +365,7 @@ describe("PATCH /api/sources/:sourceId", () => {
 		removeSpy.mockRestore()
 	})
 
-	test("accepts location source with arbitrary config (no schema)", async () => {
+	test("returns 400 when config is provided for source without schema", async () => {
 		activeStore = createInMemoryStore()
 		activeStore.seed(MOCK_USER_ID, "aelis.location")
 		const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
@@ -419,7 +374,19 @@ describe("PATCH /api/sources/:sourceId", () => {
 			config: { something: "value" },
 		})
 
-		expect(res.status).toBe(204)
+		expect(res.status).toBe(400)
+	})
+
+	test("returns 400 when empty config is provided for source without schema", async () => {
+		activeStore = createInMemoryStore()
+		activeStore.seed(MOCK_USER_ID, "aelis.location")
+		const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
+
+		const res = await patch(app, "aelis.location", {
+			config: {},
+		})
+
+		expect(res.status).toBe(400)
 	})
 
 	test("updates enabled on location source", async () => {
@@ -493,6 +460,31 @@ describe("PUT /api/sources/:sourceId", () => {
 		expect(res.status).toBe(400)
 	})
 
+	test("returns 400 when request body contains unknown fields", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await put(app, "aelis.weather", {
+			enabled: true,
+			config: { units: "metric" },
+			unknownField: "hello",
+		})
+
+		expect(res.status).toBe(400)
+	})
+
+	test("returns 400 when weather config contains unknown fields", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
+
+		const res = await put(app, "aelis.weather", {
+			enabled: true,
+			config: { units: "metric", unknownField: "hello" },
+		})
+
+		expect(res.status).toBe(400)
+	})
+
 	test("returns 400 when config fails schema validation", async () => {
 		activeStore = createInMemoryStore()
 		const { app } = createApp([createStubProvider("aelis.weather", weatherConfig)], MOCK_USER_ID)
@@ -611,7 +603,7 @@ describe("PUT /api/sources/:sourceId", () => {
 		expect(session.hasSource("aelis.weather")).toBe(true)
 	})
 
-	test("accepts location source with arbitrary config (no schema)", async () => {
+	test("returns 400 when config is provided for source without schema", async () => {
 		activeStore = createInMemoryStore()
 		const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
 
@@ -620,9 +612,29 @@ describe("PUT /api/sources/:sourceId", () => {
 			config: { something: "value" },
 		})
 
+		expect(res.status).toBe(400)
+	})
+
+	test("returns 400 when empty config is provided for source without schema", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
+
+		const res = await put(app, "aelis.location", {
+			enabled: true,
+			config: {},
+		})
+
+		expect(res.status).toBe(400)
+	})
+
+	test("returns 204 without config field for source without schema", async () => {
+		activeStore = createInMemoryStore()
+		const { app } = createApp([createStubProvider("aelis.location")], MOCK_USER_ID)
+
+		const res = await put(app, "aelis.location", {
+			enabled: true,
+		})
+
 		expect(res.status).toBe(204)
-		const row = activeStore.rows.get(`${MOCK_USER_ID}:aelis.location`)
-		expect(row).toBeDefined()
-		expect(row!.config).toEqual({ something: "value" })
 	})
 })

apps/aelis-backend/src/sources/http.ts

@@ -20,15 +20,22 @@ interface SourcesHttpHandlersDeps {
 }
 
 const UpdateSourceConfigRequestBody = type({
+	"+": "reject",
 	"enabled?": "boolean",
 	"config?": "unknown",
 })
 
 const ReplaceSourceConfigRequestBody = type({
+	"+": "reject",
 	enabled: "boolean",
 	config: "unknown",
 })
 
+const ReplaceSourceConfigNoConfigRequestBody = type({
+	"+": "reject",
+	enabled: "boolean",
+})
+
 export function registerSourcesHttpHandlers(
 	app: Hono,
 	{ sessionManager, authSessionMiddleware }: SourcesHttpHandlersDeps,
@@ -38,31 +45,10 @@ export function registerSourcesHttpHandlers(
 		await next()
 	})
 
-	app.get("/api/sources/:sourceId", inject, authSessionMiddleware, handleGetSource)
 	app.patch("/api/sources/:sourceId", inject, authSessionMiddleware, handleUpdateSource)
 	app.put("/api/sources/:sourceId", inject, authSessionMiddleware, handleReplaceSource)
 }
 
-async function handleGetSource(c: Context<Env>) {
-	const sourceId = c.req.param("sourceId")
-	if (!sourceId) {
-		return c.body(null, 404)
-	}
-
-	const sessionManager = c.get("sessionManager")
-	const user = c.get("user")!
-
-	try {
-		const result = await sessionManager.fetchSourceConfig(user.id, sourceId)
-		return c.json(result)
-	} catch (err) {
-		if (err instanceof SourceNotFoundError) {
-			return c.json({ error: err.message }, 404)
-		}
-		throw err
-	}
-}
-
 async function handleUpdateSource(c: Context<Env>) {
 	const sourceId = c.req.param("sourceId")
 	if (!sourceId) {
@@ -90,6 +76,10 @@ async function handleUpdateSource(c: Context<Env>) {
 		return c.json({ error: parsed.summary }, 400)
 	}
 
+	if (!provider.configSchema && "config" in parsed) {
+		return c.json({ error: `Source "${sourceId}" does not accept config` }, 400)
+	}
+
 	const { enabled, config: newConfig } = parsed
 	const user = c.get("user")!
 
@@ -131,12 +121,16 @@ async function handleReplaceSource(c: Context<Env>) {
 		return c.json({ error: "Invalid JSON" }, 400)
 	}
 
-	const parsed = ReplaceSourceConfigRequestBody(body)
+	const schema = provider.configSchema
+		? ReplaceSourceConfigRequestBody
+		: ReplaceSourceConfigNoConfigRequestBody
+	const parsed = schema(body)
 	if (parsed instanceof type.errors) {
 		return c.json({ error: parsed.summary }, 400)
 	}
 
-	const { enabled, config } = parsed
+	const { enabled } = parsed
+	const config = "config" in parsed ? parsed.config : undefined
 	const user = c.get("user")!
 
 	try {

apps/aelis-backend/src/tfl/provider.ts

@@ -8,6 +8,7 @@ export type TflSourceProviderOptions =
 	| { apiKey?: never; client: ITflApi }
 
 export const tflConfig = type({
+	"+": "reject",
 	"lines?": "string[]",
 })
 

apps/aelis-backend/src/weather/provider.ts

@@ -9,6 +9,7 @@ export interface WeatherSourceProviderOptions {
 }
 
 export const weatherConfig = type({
+	"+": "reject",
 	"units?": "'metric' | 'imperial'",
 	"hourlyLimit?": "number",
 	"dailyLimit?": "number",