Validate request body

francisco-videira-nhs · francisco-videira-nhs · commit 4a10a019487f · 2025-08-21T20:21:38.000Z
diff --git a/lambdas/api-handler/src/contracts/errors.ts b/lambdas/api-handler/src/contracts/errors.ts
@@ -32,7 +32,8 @@ export enum ApiErrorDetail {
   InvalidRequestMissingSupplierId = 'The supplier ID is missing from the request',
   InvalidRequestMissingBody = 'The request is missing the body',
   InvalidRequestMissingLetterIdPathParameter = 'The request is missing the letter id path parameter',
-  InvalidRequestLetterIdsMismatch = 'The letter ID in the request body does not match the letter ID path parameter'
+  InvalidRequestLetterIdsMismatch = 'The letter ID in the request body does not match the letter ID path parameter',
+  InvalidRequestBody = 'The request body is invalid'
 }
 
 export function buildApiError(params: {
diff --git a/lambdas/api-handler/src/contracts/letter-api.ts b/lambdas/api-handler/src/contracts/letter-api.ts
@@ -1,18 +1,41 @@
-export interface LetterApiAttributes {
-  reasonCode: number;
-  reasonText: string;
-  requestedProductionStatus: 'ACTIVE' | 'HOLD' | 'CANCEL';
-  status: LetterApiStatus;
-}
-
-export interface LetterApiResource {
-  id: string;
-  type: 'Letter';
-  attributes: LetterApiAttributes;
-}
-
-export interface LetterApiDocument {
-  data: LetterApiResource;
-}
-
-export type LetterApiStatus = 'PENDING' | 'ACCEPTED' | 'REJECTED' | 'PRINTED' | 'ENCLOSED' | 'CANCELLED' | 'DISPATCHED' | 'FAILED' | 'RETURNED' | 'DESTROYED' | 'FORWARDED' | 'DELIVERED';
+import { z } from "zod";
+
+export const LetterApiStatusSchema = z.enum([
+  "PENDING",
+  "ACCEPTED",
+  "REJECTED",
+  "PRINTED",
+  "ENCLOSED",
+  "CANCELLED",
+  "DISPATCHED",
+  "FAILED",
+  "RETURNED",
+  "DESTROYED",
+  "FORWARDED",
+  "DELIVERED",
+]);
+
+export type LetterApiStatus = z.infer<typeof LetterApiStatusSchema>;
+
+export const LetterApiAttributesSchema = z.object({
+  reasonCode: z.number(),
+  reasonText: z.string(),
+  requestedProductionStatus: z.enum(["ACTIVE", "HOLD", "CANCEL"]),
+  status: LetterApiStatusSchema,
+});
+
+export type LetterApiAttributes = z.infer<typeof LetterApiAttributesSchema>;
+
+export const LetterApiResourceSchema = z.object({
+  id: z.string(),
+  type: z.literal("Letter"),
+  attributes: LetterApiAttributesSchema,
+});
+
+export type LetterApiResource = z.infer<typeof LetterApiResourceSchema>;
+
+export const LetterApiDocumentSchema = z.object({
+  data: LetterApiResourceSchema,
+});
+
+export type LetterApiDocument = z.infer<typeof LetterApiDocumentSchema>;
diff --git a/lambdas/api-handler/src/errors/index.ts b/lambdas/api-handler/src/errors/index.ts
@@ -1,17 +1,13 @@
 import { ApiErrorDetail } from "../contracts/errors";
 
-export class NotFoundError extends Error {
+class ApiError extends Error {
   detail: ApiErrorDetail;
-  constructor(detail: ApiErrorDetail) {
-    super(detail);
+  constructor(detail: ApiErrorDetail, message?: string, cause?: Error) {
+    super(message ?? detail, { cause });
     this.detail = detail;
   }
 }
 
-export class ValidationError extends Error {
-  detail: ApiErrorDetail;
-  constructor(detail: ApiErrorDetail) {
-    super(detail);
-    this.detail = detail;
-  }
-}
+export class NotFoundError extends ApiError {}
+
+export class ValidationError extends ApiError {}
diff --git a/lambdas/api-handler/src/handlers/__tests__/patch-letters.test.ts b/lambdas/api-handler/src/handlers/__tests__/patch-letters.test.ts
@@ -1,11 +1,10 @@
 import { patchLetters } from '../../index';
-import type { APIGatewayProxyResult, Context } from 'aws-lambda';
+import { APIGatewayProxyResult, Context } from 'aws-lambda';
 import { mockDeep } from 'jest-mock-extended';
 import { makeApiGwEvent } from './utils/test-utils';
 import * as letterService from '../../services/letter-operations';
-import { NotFoundError, ValidationError } from '../../errors';
 import { LetterApiDocument, LetterApiStatus } from '../../contracts/letter-api';
-import { ErrorResponse, mapErrorToResponse } from '../../mappers/error-mapper';
+import { mapErrorToResponse } from '../../mappers/error-mapper';
 
 jest.mock('../../services/letter-operations');
 jest.mock('../../mappers/error-mapper');
@@ -116,4 +115,52 @@ describe('patchLetters API Handler', () => {
 
     expect(result).toEqual(expectedErrorResponse);
   });
+
+  it('returns error when request body does not have correct shape', async () => {
+    const event = makeApiGwEvent({
+      path: '/letters/id1',
+      body: '{test: "test"}',
+      pathParameters: {id: "id1"},
+      headers: {'nhsd-supplier-id': 'supplier1'}});
+    const context = mockDeep<Context>();
+    const callback = jest.fn();
+
+    const result = await patchLetters(event, context, callback);
+
+    expect(result).toEqual(expectedErrorResponse);
+  });
+
+  it('returns error when request body is not json', async () => {
+    const event = makeApiGwEvent({
+      path: '/letters/id1',
+      body: '{#invalidJSON',
+      pathParameters: {id: "id1"},
+      headers: {'nhsd-supplier-id': 'supplier1'}});
+    const context = mockDeep<Context>();
+    const callback = jest.fn();
+
+    const result = await patchLetters(event, context, callback);
+
+    expect(result).toEqual(expectedErrorResponse);
+  });
+
+  it('returns error if unexpected error is thrown', async () => {
+    const event = makeApiGwEvent({
+      path: '/letters/id1',
+      body: '{#invalidJSON',
+      pathParameters: {id: "id1"},
+      headers: {'nhsd-supplier-id': 'supplier1'}});
+    const context = mockDeep<Context>();
+    const callback = jest.fn();
+
+    const spy = jest.spyOn(JSON, "parse").mockImplementation(() => {
+      throw "Unexpected error";
+    });
+
+    const result = await patchLetters(event, context, callback);
+
+    expect(result).toEqual(expectedErrorResponse);
+
+    spy.mockRestore();
+  });
 });
diff --git a/lambdas/api-handler/src/handlers/patch-letters.ts b/lambdas/api-handler/src/handlers/patch-letters.ts
@@ -1,7 +1,7 @@
 import { APIGatewayProxyHandler } from 'aws-lambda';
 import { createLetterRepository } from '../infrastructure/letter-repo-factory';
 import { patchLetterStatus } from '../services/letter-operations';
-import { LetterApiDocument } from '../contracts/letter-api';
+import { LetterApiDocument, LetterApiDocumentSchema } from '../contracts/letter-api';
 import * as errors from '../contracts/errors';
 import { ValidationError } from '../errors';
 import { mapErrorToResponse } from '../mappers/error-mapper';
@@ -14,7 +14,16 @@ export const patchLetters: APIGatewayProxyHandler = async (event) => {
     const letterId = assertNotEmpty( event.pathParameters?.id, errors.ApiErrorDetail.InvalidRequestMissingLetterIdPathParameter);
     const body = assertNotEmpty(event.body, errors.ApiErrorDetail.InvalidRequestMissingBody);
 
-    const patchLetterRequest: LetterApiDocument = JSON.parse(body);
+    let patchLetterRequest: LetterApiDocument;
+
+    try {
+      patchLetterRequest = LetterApiDocumentSchema.parse(JSON.parse(body));
+    } catch (error) {
+      if (error instanceof Error) {
+        throw new ValidationError(errors.ApiErrorDetail.InvalidRequestBody, error.message, error);
+      }
+      else throw error;
+    }
 
     const result = await patchLetterStatus(patchLetterRequest.data, letterId!, supplierId!, letterRepo);
 

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,8 @@ export enum ApiErrorDetail {`
`32`	`32`	`InvalidRequestMissingSupplierId = 'The supplier ID is missing from the request',`
`33`	`33`	`InvalidRequestMissingBody = 'The request is missing the body',`
`34`	`34`	`InvalidRequestMissingLetterIdPathParameter = 'The request is missing the letter id path parameter',`
`35`		`- InvalidRequestLetterIdsMismatch = 'The letter ID in the request body does not match the letter ID path parameter'`
	`35`	`+ InvalidRequestLetterIdsMismatch = 'The letter ID in the request body does not match the letter ID path parameter',`
	`36`	`+ InvalidRequestBody = 'The request body is invalid'`
`36`	`37`	`}`
`37`	`38`
`38`	`39`	`export function buildApiError(params: {`