Check pActiveLib validity (MRA-836) (#361)

ammsalme · web-flow · commit 90f39eedd982 · 2025-02-14T14:07:50.000+02:00
* Add allowedLibs check for pActiveLibrary (MRA-836)
* Add .env* to .gitignore

* 3.4.1-alpha.5
diff --git a/.gitignore b/.gitignore
@@ -4,5 +4,5 @@ coverage
 dist
 .nyc_output
 .vscode
-.env
+.env*
 tmp/
diff --git a/README.md b/README.md
@@ -22,7 +22,8 @@ Melinda REST API for ILS integration
 | REQUIRE_AUTH_FOR_READ | No        | false                        |
 | REQUIRE_KVP_FOR_WRITE | No        | false                        |
 | DEFAULT_ACCEPT        | No        | application/json             |
-| FIX_TYPES             | No        | UNDEL,DELET
+| FIX_TYPES             | No        | UNDEL,DELET                  |
+| ALLOWED_LIBS          | No        | []                           |
 
 ### ApiDoc
 https://bib-rest.api.melinda.kansalliskirjasto.fi/swagger/
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -14,7 +14,7 @@
 		"url": "git@github.com:natlibfi/melinda-rest-api-http.git"
 	},
 	"license": "MIT",
-	"version": "3.4.1-alpha.3",
+	"version": "3.4.1-alpha.5",
 	"main": "dist/index.js",
 	"engines": {
 		"node": ">=18"
diff --git a/src/app.js b/src/app.js
@@ -15,7 +15,7 @@ export default async function ({
   sruUrl, amqpUrl, mongoUri,
   pollWaitTime, recordType,
   requireAuthForRead, requireKVPForWrite,
-  fixTypes
+  fixTypes, allowedLibs
 }) {
   const logger = createLogger();
   const server = await initExpress();
@@ -46,11 +46,11 @@ export default async function ({
     }));
 
     app.use(passport.initialize());
-    app.use('/bulk', passport.authenticate('melinda', {session: false}), await createBulkRouter({mongoUri, amqpUrl, recordType})); // Must be here to avoid bodyparser
+    app.use('/bulk', passport.authenticate('melinda', {session: false}), await createBulkRouter({mongoUri, amqpUrl, recordType, allowedLibs})); // Must be here to avoid bodyparser
     app.use(bodyParser.text({limit: '5MB', type: '*/*'}));
     app.use('/apidoc', createApiDocRouter());
     app.use('/logs', passport.authenticate('melinda', {session: false}), await createLogsRouter({mongoUri}));
-    app.use('/', await createPrioRouter({sruUrl, amqpUrl, mongoUri, pollWaitTime, recordType, requireAuthForRead, requireKVPForWrite, fixTypes}));
+    app.use('/', await createPrioRouter({sruUrl, amqpUrl, mongoUri, pollWaitTime, recordType, requireAuthForRead, requireKVPForWrite, fixTypes, allowedLibs}));
     app.use(handleError);
 
     return app.listen(httpPort, () => logger.info(`Started Melinda REST API for ${recordType} records in port ${httpPort}`));
diff --git a/src/config.js b/src/config.js
@@ -37,3 +37,6 @@ export const CONTENT_TYPES = [
 export const DEFAULT_ACCEPT = readEnvironmentVariable('DEFAULT_ACCEPT', {defaultValue: 'application/json'});
 
 export const fixTypes = readEnvironmentVariable('FIX_TYPES', {defaultValue: ['DELET', 'UNDEL']});
+
+// We default allowedLibs to empty array for backwards compatibility, as it is anyways checked in aleph-record-load-api
+export const allowedLibs = readEnvironmentVariable('ALLOWED_LIBS', {defaultValue: []});
diff --git a/src/interfaces/bulk.js b/src/interfaces/bulk.js
@@ -33,7 +33,7 @@ import {CONTENT_TYPES} from '../config';
 import {generateQuery, generateShowParams} from './utils';
 // import {inspect} from 'util';
 
-export default async function ({mongoUri, amqpUrl}) {
+export default async function ({mongoUri, amqpUrl, allowedLibs}) {
   const logger = createLogger();
   const mongoOperator = await mongoFactory(mongoUri, 'bulk');
   const amqpOperator = await amqpFactory(amqpUrl, true);
@@ -266,9 +266,16 @@ export default async function ({mongoUri, amqpUrl}) {
     return recordStatuses;
   }
 
+  // eslint-disable-next-line max-statements
   function validateQueryParams(queryParams) {
     logger.silly(`bulk/validateQueryParams: queryParams: ${JSON.stringify(queryParams)}`);
 
+    // Note: for backwards compatibility, if we have default empty allowedLibs, we do note check lib here (aleph-record-load-api handles it later)
+    if (queryParams.pActiveLibrary && allowedLibs.length > 0 && !allowedLibs.includes(queryParams.pActiveLibrary)) {
+      logger.debug(`Invalid pActiveLibrary parameter '${queryParams.pActiveLibrary} - not included in ${JSON.stringify(allowedLibs)}`);
+      throw new HttpError(httpStatus.BAD_REQUEST, `Invalid pActiveLibrary parameter '${queryParams.pActiveLibrary}'`);
+    }
+
     if (queryParams.pOldNew && queryParams.pActiveLibrary) {
       const {pOldNew} = queryParams;
 
@@ -277,6 +284,7 @@ export default async function ({mongoUri, amqpUrl}) {
         throw new HttpError(httpStatus.BAD_REQUEST, `Invalid pOldNew query parameter '${pOldNew}'. (Valid values: OLD/NEW)`);
       }
 
+      // DEVELOP: if we want to use FIX operation for bulk, we'll need to handle this choice differently
       const operation = pOldNew === 'NEW' ? OPERATIONS.CREATE : OPERATIONS.UPDATE;
 
       const recordLoadParams = {
diff --git a/src/routes/bulk.js b/src/routes/bulk.js
@@ -10,11 +10,11 @@ import {authorizeKVPOnly, checkId, checkContentType} from './routeUtils';
 import {checkQueryParams} from './queryUtils';
 import {inspect} from 'util';
 
-export default async function ({mongoUri, amqpUrl, recordType}) {
+export default async function ({mongoUri, amqpUrl, recordType, allowedLibs}) {
   const logger = createLogger();
 
   const OPERATION_TYPES = [OPERATIONS.CREATE, OPERATIONS.UPDATE];
-  const Service = await createService({mongoUri, amqpUrl});
+  const Service = await createService({mongoUri, amqpUrl, allowedLibs});
 
   return new Router()
     .use(authorizeKVPOnly)
@@ -31,6 +31,7 @@ export default async function ({mongoUri, amqpUrl, recordType}) {
   async function create(req, res, next) {
     try {
       logger.silly('routes/Bulk create');
+      // DEVELOP: why we pass req.user.id here?
       const {operation, recordLoadParams, noStream, operationSettings} = Service.validateQueryParams(req.query, req.user.id);
 
       // We have match and merge settings just for bib records in validator
diff --git a/src/routes/prio.js b/src/routes/prio.js
@@ -14,7 +14,7 @@ import {CONTENT_TYPES, DEFAULT_ACCEPT} from '../config';
 import {checkQueryParams} from './queryUtils';
 
 // eslint-disable-next-line no-unused-vars
-export default async ({sruUrl, amqpUrl, mongoUri, pollWaitTime, recordType, requireAuthForRead, requireKVPForWrite, fixTypes}) => {
+export default async ({sruUrl, amqpUrl, mongoUri, pollWaitTime, recordType, requireAuthForRead, requireKVPForWrite, fixTypes, allowedLibs}) => {
   const logger = createLogger();
   //const apiDoc = fs.readFileSync(path.join(__dirname, '..', 'api.yaml'), 'utf8');
   const Service = await createService({

-Original file line number
+Diff line change
 dist
 .nyc_output
 .vscode
 -.env
 +.env*
 tmp/