CCM-12327: locking in request proof endpoint

Author: harrim91

lambdas/backend-api/src/__tests__/templates/api/proof.test.ts

@@ -27,6 +27,7 @@ describe('Template API - request proof', () => {
       const event = mock<APIGatewayProxyEvent>({
         requestContext: { authorizer: ctx },
         pathParameters: { templateId: 'id' },
+        headers: { 'X-Lock-Number': '0' },
       });
 
       const result = await handler(event, mock<Context>(), jest.fn());
@@ -51,6 +52,7 @@ describe('Template API - request proof', () => {
         authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
       },
       pathParameters: { templateId: undefined },
+      headers: { 'X-Lock-Number': '0' },
     });
 
     const result = await handler(event, mock<Context>(), jest.fn());
@@ -83,6 +85,7 @@ describe('Template API - request proof', () => {
         authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
       },
       pathParameters: { templateId: 'template-id' },
+      headers: { 'X-Lock-Number': '0' },
     });
 
     const result = await handler(event, mock<Context>(), jest.fn());
@@ -97,7 +100,44 @@ describe('Template API - request proof', () => {
 
     expect(mocks.templateClient.requestProof).toHaveBeenCalledWith(
       'template-id',
-      { userId: 'sub', clientId: 'nhs-notify-client-id' }
+      { userId: 'sub', clientId: 'nhs-notify-client-id' },
+      '0'
+    );
+  });
+
+  test('should coerce missing lock number header to empty string', async () => {
+    const { handler, mocks } = setup();
+
+    mocks.templateClient.requestProof.mockResolvedValueOnce({
+      error: {
+        errorMeta: {
+          code: 409,
+          description: 'Invalid lock number',
+        },
+      },
+    });
+
+    const event = mock<APIGatewayProxyEvent>({
+      requestContext: {
+        authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
+      },
+      pathParameters: { templateId: 'template-id' },
+    });
+
+    const result = await handler(event, mock<Context>(), jest.fn());
+
+    expect(result).toEqual({
+      statusCode: 409,
+      body: JSON.stringify({
+        statusCode: 409,
+        technicalMessage: 'Invalid lock number',
+      }),
+    });
+
+    expect(mocks.templateClient.requestProof).toHaveBeenCalledWith(
+      'template-id',
+      { userId: 'sub', clientId: 'nhs-notify-client-id' },
+      ''
     );
   });
 
@@ -137,6 +177,7 @@ describe('Template API - request proof', () => {
         authorizer: { user: 'sub', clientId: 'notify-client-id' },
       },
       pathParameters: { templateId: 'id' },
+      headers: { 'X-Lock-Number': '0' },
     });
 
     const result = await handler(event, mock<Context>(), jest.fn());
@@ -146,9 +187,13 @@ describe('Template API - request proof', () => {
       body: JSON.stringify({ statusCode: 200, data: response }),
     });
 
-    expect(mocks.templateClient.requestProof).toHaveBeenCalledWith('id', {
-      userId: 'sub',
-      clientId: 'notify-client-id',
-    });
+    expect(mocks.templateClient.requestProof).toHaveBeenCalledWith(
+      'id',
+      {
+        userId: 'sub',
+        clientId: 'notify-client-id',
+      },
+      '0'
+    );
   });
 });

lambdas/backend-api/src/__tests__/templates/app/template-client.test.ts

@@ -1766,14 +1766,33 @@ describe('templateClient', () => {
   });
 
   describe('requestProof', () => {
+    test('returns failure result when lock number is invalid', async () => {
+      const { templateClient, mocks } = setup();
+
+      const result = await templateClient.requestProof(templateId, user, '');
+
+      expect(
+        mocks.templateRepository.proofRequestUpdate
+      ).not.toHaveBeenCalled();
+
+      expect(result).toEqual({
+        error: {
+          errorMeta: {
+            code: 409,
+            description: 'Invalid lock number',
+          },
+        },
+      });
+    });
+
     test('should return a failure result, when proofing is disabled', async () => {
       const { templateClient, mocks } = setup();
 
       mocks.clientConfigRepository.get.mockResolvedValueOnce({
         data: { features: { proofing: false } },
       });
 
-      const result = await templateClient.requestProof(templateId, user);
+      const result = await templateClient.requestProof(templateId, user, 1);
 
       expect(
         mocks.templateRepository.proofRequestUpdate
@@ -1796,7 +1815,7 @@ describe('templateClient', () => {
         error: { errorMeta: { description: 'err', code: 500 } },
       });
 
-      const result = await templateClient.requestProof(templateId, user);
+      const result = await templateClient.requestProof(templateId, user, 1);
 
       expect(
         mocks.templateRepository.proofRequestUpdate
@@ -1840,11 +1859,12 @@ describe('templateClient', () => {
         },
       });
 
-      const result = await templateClient.requestProof(templateId, user);
+      const result = await templateClient.requestProof(templateId, user, 1);
 
       expect(mocks.templateRepository.proofRequestUpdate).toHaveBeenCalledWith(
         templateId,
-        user
+        user,
+        1
       );
 
       expect(result).toEqual({
@@ -1902,11 +1922,12 @@ describe('templateClient', () => {
         },
       });
 
-      const result = await templateClient.requestProof(templateId, user);
+      const result = await templateClient.requestProof(templateId, user, 1);
 
       expect(mocks.templateRepository.proofRequestUpdate).toHaveBeenCalledWith(
         templateId,
-        user
+        user,
+        1
       );
 
       expect(result).toEqual({
@@ -1954,11 +1975,12 @@ describe('templateClient', () => {
         },
       });
 
-      const result = await templateClient.requestProof(templateId, user);
+      const result = await templateClient.requestProof(templateId, user, 1);
 
       expect(mocks.templateRepository.proofRequestUpdate).toHaveBeenCalledWith(
         templateId,
-        user
+        user,
+        1
       );
 
       expect(result).toEqual({
@@ -2023,11 +2045,12 @@ describe('templateClient', () => {
         },
       });
 
-      const result = await templateClient.requestProof(templateId, user);
+      const result = await templateClient.requestProof(templateId, user, 1);
 
       expect(mocks.templateRepository.proofRequestUpdate).toHaveBeenCalledWith(
         templateId,
-        user
+        user,
+        1
       );
 
       expect(mocks.queueMock.send).toHaveBeenCalledTimes(1);
@@ -2098,11 +2121,12 @@ describe('templateClient', () => {
 
       mocks.queueMock.send.mockResolvedValueOnce({ data: { $metadata: {} } });
 
-      const result = await templateClient.requestProof(templateId, user);
+      const result = await templateClient.requestProof(templateId, user, 1);
 
       expect(mocks.templateRepository.proofRequestUpdate).toHaveBeenCalledWith(
         templateId,
-        user
+        user,
+        1
       );
 
       expect(mocks.queueMock.send).toHaveBeenCalledTimes(1);

lambdas/backend-api/src/__tests__/templates/infra/template-repository.test.ts

@@ -1734,14 +1734,15 @@ describe('templateRepository', () => {
 
       const result = await templateRepository.proofRequestUpdate(
         'template-id',
-        user
+        user,
+        0
       );
 
       expect(result).toEqual({ data: { id: 'template-id' } });
 
       expect(mocks.ddbDocClient).toHaveReceivedCommandWith(UpdateCommand, {
         ConditionExpression:
-          '#templateStatus = :condition_1_templateStatus AND #templateType = :condition_2_templateType AND #clientId = :condition_3_clientId AND #proofingEnabled = :condition_4_proofingEnabled',
+          '#templateStatus = :condition_1_templateStatus AND #templateType = :condition_2_templateType AND #clientId = :condition_3_clientId AND #proofingEnabled = :condition_4_proofingEnabled AND (#lockNumber = :condition_5_1_lockNumber OR attribute_not_exists (#lockNumber))',
         ExpressionAttributeNames: {
           '#clientId': 'clientId',
           '#templateStatus': 'templateStatus',
@@ -1750,12 +1751,15 @@ describe('templateRepository', () => {
           '#updatedBy': 'updatedBy',
           '#proofingEnabled': 'proofingEnabled',
           '#supplierReferences': 'supplierReferences',
+          '#lockNumber': 'lockNumber',
         },
         ExpressionAttributeValues: {
           ':condition_1_templateStatus': 'PENDING_PROOF_REQUEST',
           ':condition_2_templateType': 'LETTER',
           ':condition_3_clientId': clientId,
           ':condition_4_proofingEnabled': true,
+          ':condition_5_1_lockNumber': 0,
+          ':lockNumber': 1,
           ':templateStatus': 'WAITING_FOR_PROOF',
           ':updatedAt': '2024-12-27T00:00:00.000Z',
           ':updatedBy': userId,
@@ -1766,7 +1770,7 @@ describe('templateRepository', () => {
         ReturnValuesOnConditionCheckFailure: 'ALL_OLD',
         TableName: 'templates',
         UpdateExpression:
-          'SET #templateStatus = :templateStatus, #updatedAt = :updatedAt, #updatedBy = :updatedBy, #supplierReferences = if_not_exists(#supplierReferences, :supplierReferences)',
+          'SET #templateStatus = :templateStatus, #updatedAt = :updatedAt, #updatedBy = :updatedBy, #supplierReferences = if_not_exists(#supplierReferences, :supplierReferences) ADD #lockNumber :lockNumber',
       });
     });
 
@@ -1782,7 +1786,8 @@ describe('templateRepository', () => {
 
       const result = await templateRepository.proofRequestUpdate(
         'template-id',
-        user
+        user,
+        0
       );
 
       expect(result).toEqual({
@@ -1796,6 +1801,37 @@ describe('templateRepository', () => {
       });
     });
 
+    it('returns 409 error response when conditional check fails when lock numbers are different', async () => {
+      const { templateRepository, mocks } = setup();
+
+      const err = new ConditionalCheckFailedException({
+        message: 'condition check failed',
+        $metadata: {},
+        Item: {
+          templateStatus: { S: 'PENDING_UPLOAD' },
+          lockNumber: { N: '1' },
+        },
+      });
+
+      mocks.ddbDocClient.on(UpdateCommand).rejectsOnce(err);
+
+      const result = await templateRepository.proofRequestUpdate(
+        'template-id',
+        user,
+        0
+      );
+
+      expect(result).toEqual({
+        error: {
+          actualError: err,
+          errorMeta: {
+            code: 409,
+            description: 'Invalid lock number',
+          },
+        },
+      });
+    });
+
     it('returns 400 error response when conditional check fails, but item exists, with a status other than DELETED or PENDING_PROOF_REQUEST', async () => {
       const { templateRepository, mocks } = setup();
 
@@ -1804,14 +1840,16 @@ describe('templateRepository', () => {
         $metadata: {},
         Item: {
           templateStatus: { S: 'PENDING_UPLOAD' },
+          lockNumber: { N: '0' },
         },
       });
 
       mocks.ddbDocClient.on(UpdateCommand).rejectsOnce(err);
 
       const result = await templateRepository.proofRequestUpdate(
         'template-id',
-        user
+        user,
+        0
       );
 
       expect(result).toEqual({
@@ -1834,7 +1872,8 @@ describe('templateRepository', () => {
 
       const result = await templateRepository.proofRequestUpdate(
         'template-id',
-        user
+        user,
+        0
       );
 
       expect(result).toEqual({

lambdas/backend-api/src/templates/api/proof.ts

@@ -16,10 +16,14 @@ export function createHandler({
       return apiFailure(400, 'Invalid request');
     }
 
-    const { data, error } = await templateClient.requestProof(templateId, {
-      userId,
-      clientId,
-    });
+    const { data, error } = await templateClient.requestProof(
+      templateId,
+      {
+        userId,
+        clientId,
+      },
+      event.headers['X-Lock-Number'] ?? ''
+    );
 
     if (error) {
       return apiFailure(

lambdas/backend-api/src/templates/app/template-client.ts

@@ -419,10 +419,22 @@ export class TemplateClient {
 
   async requestProof(
     templateId: string,
-    user: User
+    user: User,
+    lockNumber: number | string
   ): Promise<Result<TemplateDto>> {
     const log = this.logger.child({ templateId, user });
 
+    const lockNumberValidation = $LockNumber.safeParse(lockNumber);
+
+    if (!lockNumberValidation.success) {
+      log.error(
+        'Lock number failed validation',
+        z.treeifyError(lockNumberValidation.error)
+      );
+
+      return failure(ErrorCase.CONFLICT, 'Invalid lock number');
+    }
+
     const clientConfigurationResult = await this.clientConfigRepository.get(
       user.clientId
     );
@@ -451,7 +463,11 @@ export class TemplateClient {
     }
 
     const proofRequestUpdateResult =
-      await this.templateRepository.proofRequestUpdate(templateId, user);
+      await this.templateRepository.proofRequestUpdate(
+        templateId,
+        user,
+        lockNumberValidation.data
+      );
 
     if (proofRequestUpdateResult.error) {
       log