tdm-calculator
tdm-calculator copied to clipboard
hackforla
Implement Server-Side Request Validation and API endpoint tests
Dependency:
This issue tracks all sub issues below. It can be closed upon completion of all sub issues
Overview
A best practice is for the Web API server to verify that the body of all requests meet appropriate validation criteria. We need to create a workflow for testing all endpoints. We will need to set up tests and web API request validation for the endpoints.
Each route must complete the following:
- Identify overexposed public surface and delete (i.e. remove any unnecessary/stale code as there are may be endpoints for features that will never be used)
- Write tests for all endpoints for a given route. Confirm there is documentation for testing
- Server side validation schema must be set up for the endpoints
Action Items
Routes:
- [x] #1400
- [x] #1499
- [x] #1554
- [x] #1581
- [x] #1625
- [ ] #1624
- [x] #1629
Resources/Instructions
Server Side Validation
- https://www.npmjs.com/package/express-json-validator-middleware
- https://simonplend.com/how-to-handle-request-validation-in-your-express-api/
Testing
- TDM Testing Wiki
- https://jestjs.io/
- https://node.testcontainers.org/
@agosmou @azajzon This is partially implemented for the /accounts routes in the develop branch at this time. See the referenced article in this issue description for the explanation. The middleware for validation is in the /server/middleware/validate.js file, the example schemas in the /server/app/schemas folder, and these are wired to the /accounts/* endpoints at the end of the accounts controller /server/app/controllers/account-controller.js.
To address concerns raised by Issue #1360 , we might want to make validation for the registration endpoint more restrictive - e..g. limit to valid-looking emails, and first and last names that aren't obvious script injection attempts.