CCM-12327: locking on submit

Author: harrim91

lambdas/backend-api/src/__tests__/templates/api/submit.test.ts

@@ -29,6 +29,7 @@ describe('Template API - Submit', () => {
       const event = mock<APIGatewayProxyEvent>({
         requestContext: { authorizer: ctx },
         pathParameters: { templateId: 'id' },
+        headers: { 'X-Lock-Number': '0' },
       });
 
       const result = await handler(event, mock<Context>(), jest.fn());
@@ -54,6 +55,7 @@ describe('Template API - Submit', () => {
       },
       body: JSON.stringify({ name: 'test' }),
       pathParameters: { templateId: undefined },
+      headers: { 'X-Lock-Number': '0' },
     });
 
     const result = await handler(event, mock<Context>(), jest.fn());
@@ -86,6 +88,7 @@ describe('Template API - Submit', () => {
         authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
       },
       pathParameters: { templateId: '1-2-3' },
+      headers: { 'X-Lock-Number': '0' },
     });
 
     const result = await handler(event, mock<Context>(), jest.fn());
@@ -98,10 +101,53 @@ describe('Template API - Submit', () => {
       }),
     });
 
-    expect(mocks.templateClient.submitTemplate).toHaveBeenCalledWith('1-2-3', {
-      userId: 'sub',
-      clientId: 'nhs-notify-client-id',
+    expect(mocks.templateClient.submitTemplate).toHaveBeenCalledWith(
+      '1-2-3',
+      {
+        userId: 'sub',
+        clientId: 'nhs-notify-client-id',
+      },
+      '0'
+    );
+  });
+
+  test('should coerce missing lock number header to empty string', async () => {
+    const { handler, mocks } = setup();
+
+    mocks.templateClient.submitTemplate.mockResolvedValueOnce({
+      error: {
+        errorMeta: {
+          code: 409,
+          description: 'Invalid lock number',
+        },
+      },
+    });
+
+    const event = mock<APIGatewayProxyEvent>({
+      requestContext: {
+        authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
+      },
+      pathParameters: { templateId: '1-2-3' },
+    });
+
+    const result = await handler(event, mock<Context>(), jest.fn());
+
+    expect(result).toEqual({
+      statusCode: 409,
+      body: JSON.stringify({
+        statusCode: 409,
+        technicalMessage: 'Invalid lock number',
+      }),
     });
+
+    expect(mocks.templateClient.submitTemplate).toHaveBeenCalledWith(
+      '1-2-3',
+      {
+        userId: 'sub',
+        clientId: 'nhs-notify-client-id',
+      },
+      ''
+    );
   });
 
   test('should return template', async () => {
@@ -127,6 +173,7 @@ describe('Template API - Submit', () => {
         authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
       },
       pathParameters: { templateId: '1-2-3' },
+      headers: { 'X-Lock-Number': '0' },
     });
 
     const result = await handler(event, mock<Context>(), jest.fn());
@@ -136,9 +183,13 @@ describe('Template API - Submit', () => {
       body: JSON.stringify({ statusCode: 200, data: response }),
     });
 
-    expect(mocks.templateClient.submitTemplate).toHaveBeenCalledWith('1-2-3', {
-      userId: 'sub',
-      clientId: 'nhs-notify-client-id',
-    });
+    expect(mocks.templateClient.submitTemplate).toHaveBeenCalledWith(
+      '1-2-3',
+      {
+        userId: 'sub',
+        clientId: 'nhs-notify-client-id',
+      },
+      '0'
+    );
   });
 });

lambdas/backend-api/src/__tests__/templates/app/template-client.test.ts

@@ -1664,6 +1664,23 @@ describe('templateClient', () => {
   });
 
   describe('submitTemplate', () => {
+    test('returns failure result when lock number is invalid', async () => {
+      const { templateClient, mocks } = setup();
+
+      const result = await templateClient.submitTemplate(templateId, user, '');
+
+      expect(mocks.templateRepository.submit).not.toHaveBeenCalled();
+
+      expect(result).toEqual({
+        error: {
+          errorMeta: {
+            code: 409,
+            description: 'Invalid lock number',
+          },
+        },
+      });
+    });
+
     test('submitTemplate should return a failure result, when saving to the database unexpectedly fails', async () => {
       const { templateClient, mocks } = setup();
 
@@ -1676,11 +1693,12 @@ describe('templateClient', () => {
         },
       });
 
-      const result = await templateClient.submitTemplate(templateId, user);
+      const result = await templateClient.submitTemplate(templateId, user, 0);
 
       expect(mocks.templateRepository.submit).toHaveBeenCalledWith(
         templateId,
-        user
+        user,
+        0
       );
 
       expect(result).toEqual({
@@ -1717,11 +1735,12 @@ describe('templateClient', () => {
         data: template,
       });
 
-      const result = await templateClient.submitTemplate(templateId, user);
+      const result = await templateClient.submitTemplate(templateId, user, 0);
 
       expect(mocks.templateRepository.submit).toHaveBeenCalledWith(
         templateId,
-        user
+        user,
+        0
       );
 
       expect(result).toEqual({
@@ -1752,11 +1771,12 @@ describe('templateClient', () => {
         data: { ...template, owner: user.userId, version: 1 },
       });
 
-      const result = await templateClient.submitTemplate(templateId, user);
+      const result = await templateClient.submitTemplate(templateId, user, 0);
 
       expect(mocks.templateRepository.submit).toHaveBeenCalledWith(
         templateId,
-        user
+        user,
+        0
       );
 
       expect(result).toEqual({

lambdas/backend-api/src/__tests__/templates/infra/template-repository.test.ts

@@ -697,6 +697,7 @@ describe('templateRepository', () => {
   describe('submit', () => {
     test.each([
       {
+        testName: 'When template does not exist',
         Item: undefined,
         code: 404,
         message: 'Template not found',
@@ -707,6 +708,7 @@ describe('templateRepository', () => {
         Item: marshall({
           templateType: 'EMAIL',
           templateStatus: 'SUBMITTED',
+          lockNumber: 0,
         }),
         code: 400,
         message: 'Template with status SUBMITTED cannot be updated',
@@ -717,6 +719,7 @@ describe('templateRepository', () => {
         Item: marshall({
           templateType: 'LETTER',
           templateStatus: 'PENDING_UPLOAD',
+          lockNumber: 0,
         }),
         code: 400,
         message: 'Template cannot be submitted',
@@ -727,6 +730,7 @@ describe('templateRepository', () => {
         Item: marshall({
           templateType: 'LETTER',
           templateStatus: 'PENDING_VALIDATION',
+          lockNumber: 0,
         }),
         code: 400,
         message: 'Template cannot be submitted',
@@ -737,6 +741,7 @@ describe('templateRepository', () => {
         Item: marshall({
           templateType: 'EMAIL',
           templateStatus: 'DELETED',
+          lockNumber: 0,
         }),
         code: 404,
         message: 'Template not found',
@@ -747,6 +752,7 @@ describe('templateRepository', () => {
         Item: marshall({
           templateType: 'LETTER',
           templateStatus: 'NOT_YET_SUBMITTED',
+          lockNumber: 0,
           files: {
             pdfTemplate: {
               virusScanStatus: 'PASSED',
@@ -763,6 +769,16 @@ describe('templateRepository', () => {
         code: 400,
         message: 'Template cannot be submitted',
       },
+      {
+        testName: 'Fails when stored lock number differs from input',
+        Item: marshall({
+          templateType: 'SMS',
+          templateStatus: 'NOT_YET_SUBMITTED',
+          lockNumber: 1,
+        }),
+        code: 409,
+        message: 'Invalid lock number',
+      },
     ])('submit: $testName', async ({ Item, code, message }) => {
       const { templateRepository, mocks } = setup();
 
@@ -776,7 +792,8 @@ describe('templateRepository', () => {
 
       const response = await templateRepository.submit(
         'abc-def-ghi-jkl-123',
-        user
+        user,
+        0
       );
 
       expect(response).toEqual({
@@ -799,7 +816,8 @@ describe('templateRepository', () => {
 
       const response = await templateRepository.submit(
         'abc-def-ghi-jkl-123',
-        user
+        user,
+        0
       );
 
       expect(response).toEqual({
@@ -827,6 +845,7 @@ describe('templateRepository', () => {
         templateType: 'NHS_APP',
         updatedAt: 'now',
         createdAt: 'yesterday',
+        lockNumber: 1,
       };
 
       mocks.ddbDocClient
@@ -836,11 +855,41 @@ describe('templateRepository', () => {
         })
         .resolves({ Attributes: databaseTemplate });
 
-      const response = await templateRepository.submit(id, user);
+      const response = await templateRepository.submit(id, user, 0);
 
       expect(response).toEqual({
         data: databaseTemplate,
       });
+
+      expect(mocks.ddbDocClient).toHaveReceivedCommandWith(UpdateCommand, {
+        TableName: 'templates',
+        Key: { id: 'abc-def-ghi-jkl-123', owner: 'CLIENT#client-id' },
+        ReturnValues: 'ALL_NEW',
+        ReturnValuesOnConditionCheckFailure: 'ALL_OLD',
+        ExpressionAttributeNames: {
+          '#lockNumber': 'lockNumber',
+          '#templateStatus': 'templateStatus',
+          '#updatedAt': 'updatedAt',
+          '#updatedBy': 'updatedBy',
+        },
+        ExpressionAttributeValues: {
+          ':deleted': 'DELETED',
+          ':expectedLetterStatus': 'PROOF_AVAILABLE',
+          ':expectedLockNumber': 0,
+          ':expectedStatus': 'NOT_YET_SUBMITTED',
+          ':lockNumberIncrement': 1,
+          ':newStatus': 'SUBMITTED',
+          ':passed': 'PASSED',
+          ':submitted': 'SUBMITTED',
+          ':updatedAt': '2024-12-27T00:00:00.000Z',
+          ':updatedBy': 'user-id',
+        },
+
+        UpdateExpression:
+          'SET #templateStatus = :newStatus, #updatedAt = :updatedAt, #updatedBy = :updatedBy ADD #lockNumber :lockNumberIncrement',
+        ConditionExpression:
+          'attribute_exists(id) AND NOT #templateStatus IN (:deleted, :submitted) AND (attribute_not_exists(files.pdfTemplate) OR files.pdfTemplate.virusScanStatus = :passed) AND (attribute_not_exists(files.testDataCsv) OR files.testDataCsv.virusScanStatus = :passed) AND (#templateStatus = :expectedStatus OR #templateStatus = :expectedLetterStatus) AND (attribute_not_exists(#lockNumber) OR #lockNumber = :expectedLockNumber)',
+      });
     });
   });
 

lambdas/backend-api/src/templates/api/submit.ts

@@ -19,10 +19,14 @@ export function createHandler({
       return apiFailure(400, 'Invalid request');
     }
 
-    const { data, error } = await templateClient.submitTemplate(templateId, {
-      userId,
-      clientId,
-    });
+    const { data, error } = await templateClient.submitTemplate(
+      templateId,
+      {
+        userId,
+        clientId,
+      },
+      event.headers['X-Lock-Number'] ?? ''
+    );
 
     if (error) {
       return apiFailure(

lambdas/backend-api/src/templates/app/template-client.ts

@@ -303,11 +303,27 @@ export class TemplateClient {
 
   async submitTemplate(
     templateId: string,
-    user: User
+    user: User,
+    lockNumber: number | string
   ): Promise<Result<TemplateDto>> {
     const log = this.logger.child({ templateId, user });
 
-    const submitResult = await this.templateRepository.submit(templateId, user);
+    const lockNumberValidation = $LockNumber.safeParse(lockNumber);
+
+    if (!lockNumberValidation.success) {
+      log.error(
+        'Lock number failed validation',
+        z.treeifyError(lockNumberValidation.error)
+      );
+
+      return failure(ErrorCase.CONFLICT, 'Invalid lock number');
+    }
+
+    const submitResult = await this.templateRepository.submit(
+      templateId,
+      user,
+      lockNumber
+    );
 
     if (submitResult.error) {
       log