CCM-11492 Validate routing config ID

Author: nicki-nhs

frontend/src/__tests__/utils/is-valid-uuid.test.ts

@@ -0,0 +1,14 @@
+import { isValidUuid } from '@utils/is-valid-uuid';
+
+describe('isValidUuid', () => {
+  it('returns true for valid UUID v4', () => {
+    expect(isValidUuid('a3f1c2e4-5b6d-4e8f-9a2b-1c3d4e5f6a7b')).toBe(true);
+    expect(isValidUuid('b7e2d3c4-8f9a-4b1c-9d2e-3f4a5b6c7d8e')).toBe(true);
+  });
+
+  it('returns false for invalid UUIDs', () => {
+    expect(isValidUuid('not-a-uuid')).toBe(false);
+    expect(isValidUuid('123456')).toBe(false);
+    expect(isValidUuid('11111111-1111-1111-1111-111111111111')).toBe(false);
+  });
+});

frontend/src/__tests__/utils/message-plans.test.ts

@@ -39,11 +39,15 @@ const routingConfigApiMock = jest.mocked(routingConfigurationApiClient);
 const loggerMock = jest.mocked(logger);
 const getTemplateMock = jest.mocked(getTemplate);
 
+const validRoutingConfigId = 'a3f1c2e4-5b6d-4e8f-9a2b-1c3d4e5f6a7b';
+const notFoundRoutingConfigId = 'b1a2c3d4-e5f6-4890-ab12-cd34ef56ab78';
+const invalidRoutingConfigId = 'not-a-uuid';
+
 const baseConfig: RoutingConfig = {
-  id: 'routing-config-12',
+  id: validRoutingConfigId,
   name: 'Test message plan',
   status: 'DRAFT' as RoutingConfigStatus,
-  clientId: 'clientemplate-1',
+  clientId: 'client-1',
   campaignId: 'campaign-1',
   createdAt: '2025-01-01T00:00:00.000Z',
   updatedAt: '2025-01-01T00:00:00.000Z',
@@ -56,7 +60,7 @@ describe('@utils/message-plans', () => {
     jest.resetAllMocks();
     getSessionServerMock.mockResolvedValue({
       accessToken: 'mock-token',
-      clientId: 'clientemplate-1',
+      clientId: 'client-1',
     });
   });
 
@@ -67,7 +71,7 @@ describe('@utils/message-plans', () => {
         clientId: undefined,
       });
 
-      await expect(getMessagePlan('routing-config-12')).rejects.toThrow(
+      await expect(getMessagePlan(validRoutingConfigId)).rejects.toThrow(
         'Failed to get access token'
       );
 
@@ -77,11 +81,11 @@ describe('@utils/message-plans', () => {
     it('should return the routing config on success', async () => {
       routingConfigApiMock.get.mockResolvedValueOnce({ data: baseConfig });
 
-      const response = await getMessagePlan('routing-config-12');
+      const response = await getMessagePlan(validRoutingConfigId);
 
       expect(routingConfigApiMock.get).toHaveBeenCalledWith(
         'mock-token',
-        'routing-config-12'
+        validRoutingConfigId
       );
       expect(response).toEqual(baseConfig);
     });
@@ -93,11 +97,11 @@ describe('@utils/message-plans', () => {
         },
       });
 
-      const response = await getMessagePlan('routing-config-6');
+      const response = await getMessagePlan(notFoundRoutingConfigId);
 
       expect(routingConfigApiMock.get).toHaveBeenCalledWith(
         'mock-token',
-        'routing-config-6'
+        notFoundRoutingConfigId
       );
       expect(response).toBeUndefined();
       expect(loggerMock.error).toHaveBeenCalledWith(
@@ -109,6 +113,12 @@ describe('@utils/message-plans', () => {
         })
       );
     });
+
+    it('should throw error for invalid routing config ID', async () => {
+      await expect(getMessagePlan(invalidRoutingConfigId)).rejects.toThrow(
+        'Invalid routing configuration ID'
+      );
+    });
   });
 
   describe('updateMessagePlan', () => {
@@ -119,7 +129,7 @@ describe('@utils/message-plans', () => {
       });
 
       await expect(
-        updateMessagePlan('routing-config-12', baseConfig)
+        updateMessagePlan(validRoutingConfigId, baseConfig)
       ).rejects.toThrow('Failed to get access token');
 
       expect(routingConfigApiMock.update).not.toHaveBeenCalled();
@@ -134,11 +144,11 @@ describe('@utils/message-plans', () => {
 
       routingConfigApiMock.update.mockResolvedValueOnce({ data: updated });
 
-      const response = await updateMessagePlan('routing-config-12', updated);
+      const response = await updateMessagePlan(validRoutingConfigId, updated);
 
       expect(routingConfigApiMock.update).toHaveBeenCalledWith(
         'mock-token',
-        'routing-config-12',
+        validRoutingConfigId,
         updated
       );
       expect(response).toEqual(updated);
@@ -152,11 +162,14 @@ describe('@utils/message-plans', () => {
         },
       });
 
-      const response = await updateMessagePlan('routing-config-12', baseConfig);
+      const response = await updateMessagePlan(
+        validRoutingConfigId,
+        baseConfig
+      );
 
       expect(routingConfigApiMock.update).toHaveBeenCalledWith(
         'mock-token',
-        'routing-config-12',
+        validRoutingConfigId,
         baseConfig
       );
       expect(response).toBeUndefined();
@@ -169,6 +182,12 @@ describe('@utils/message-plans', () => {
         })
       );
     });
+
+    it('should throw error for invalid routing config ID', async () => {
+      await expect(
+        updateMessagePlan(invalidRoutingConfigId, baseConfig)
+      ).rejects.toThrow('Invalid routing configuration ID');
+    });
   });
 
   describe('getMessagePlanTemplateIds', () => {

frontend/src/utils/is-valid-uuid.ts

@@ -0,0 +1,5 @@
+export function isValidUuid(id: string): boolean {
+  return /^[\da-f]{8}-[\da-f]{4}-4[\da-f]{3}-[89ab][\da-f]{3}-[\da-f]{12}$/i.test(
+    id
+  );
+}

frontend/src/utils/message-plans.ts

@@ -8,10 +8,15 @@ import {
 import { getSessionServer } from './amplify-utils';
 import { logger } from 'nhs-notify-web-template-management-utils/logger';
 import { getTemplate } from './form-actions';
+import { isValidUuid } from './is-valid-uuid';
 
 export async function getMessagePlan(
   routingConfigId: string
 ): Promise<RoutingConfig | undefined> {
+  if (!isValidUuid(routingConfigId)) {
+    throw new Error('Invalid routing configuration ID');
+  }
+
   const { accessToken } = await getSessionServer();
 
   if (!accessToken) {
@@ -36,6 +41,10 @@ export async function updateMessagePlan(
   routingConfigId: string,
   updatedMessagePlan: RoutingConfig
 ): Promise<RoutingConfig | undefined> {
+  if (!isValidUuid(routingConfigId)) {
+    throw new Error('Invalid routing configuration ID');
+  }
+
   const { accessToken } = await getSessionServer();
 
   if (!accessToken) {

lambdas/backend-client/src/__tests__/routing-config-api-client.test.ts

@@ -1,8 +1,12 @@
 import axios from 'axios';
 import MockAdapter from 'axios-mock-adapter';
 import { createAxiosClient } from '../axios-client';
-import { RoutingConfigurationApiClient } from '../routing-config-api-client';
+import {
+  isValidUuid,
+  RoutingConfigurationApiClient,
+} from '../routing-config-api-client';
 import { RoutingConfigStatus } from '../types/generated';
+import { ErrorCase } from '../types/error-cases';
 
 jest.mock('../axios-client', () => {
   const actual = jest.requireActual('../axios-client');
@@ -14,6 +18,10 @@ jest.mock('../axios-client', () => {
 
 const createAxiosClientMock = jest.mocked(createAxiosClient);
 
+const validRoutingConfigId = '2a4b6c8d-0e1f-4a2b-9c3d-5e6f7a8b9c0d';
+const notFoundRoutingConfigId = '3b5d7f9a-1c2e-4b3d-8f0a-6e7d8c9b0a1f';
+const invalidRoutingConfigId = 'not-a-uuid';
+
 describe('RoutingConfigurationApiClient', () => {
   const axiosMock = new MockAdapter(axios);
 
@@ -24,30 +32,49 @@ describe('RoutingConfigurationApiClient', () => {
 
   describe('get', () => {
     it('should return error when failing to fetch from API', async () => {
-      axiosMock.onGet('/v1/routing-configuration/routing-config-1').reply(400, {
-        statusCode: 400,
-        technicalMessage: 'Bad request',
-        details: { message: 'Broken' },
-      });
+      axiosMock
+        .onGet(`/v1/routing-configuration/${notFoundRoutingConfigId}`)
+        .reply(404, {
+          statusCode: 404,
+          technicalMessage: 'Not Found',
+          details: { message: 'Routing configuration not found' },
+        });
 
       const client = new RoutingConfigurationApiClient();
 
-      const response = await client.get('mock-token', 'routing-config-1');
+      const response = await client.get('mock-token', notFoundRoutingConfigId);
 
       expect(response.error).toEqual({
         errorMeta: {
-          code: 400,
-          description: 'Bad request',
-          details: { message: 'Broken' },
+          code: 404,
+          description: 'Not Found',
+          details: { message: 'Routing configuration not found' },
         },
       });
       expect(response.data).toBeUndefined();
       expect(axiosMock.history.get.length).toBe(1);
     });
 
+    it('should return error for invalid routing config ID', async () => {
+      const client = new RoutingConfigurationApiClient();
+
+      const response = await client.get('mock-token', invalidRoutingConfigId);
+
+      expect(response.error).toEqual({
+        errorMeta: {
+          code: ErrorCase.VALIDATION_FAILED,
+          description: 'Invalid routing configuration ID format',
+          details: { id: invalidRoutingConfigId },
+        },
+        actualError: undefined,
+      });
+      expect(response.data).toBeUndefined();
+      expect(axiosMock.history.get.length).toBe(0);
+    });
+
     it('should return routing configuration on success', async () => {
       const data = {
-        id: 'routing-config-1',
+        id: validRoutingConfigId,
         name: 'Test message plan',
         status: 'DRAFT' as RoutingConfigStatus,
         clientId: 'client-1',
@@ -58,13 +85,15 @@ describe('RoutingConfigurationApiClient', () => {
         cascadeGroupOverrides: [],
       };
 
-      axiosMock.onGet('/v1/routing-configuration/routing-config-1').reply(200, {
-        data,
-      });
+      axiosMock
+        .onGet(`/v1/routing-configuration/${validRoutingConfigId}`)
+        .reply(200, {
+          data,
+        });
 
       const client = new RoutingConfigurationApiClient();
 
-      const response = await client.get('mock-token', 'routing-config-1');
+      const response = await client.get('mock-token', validRoutingConfigId);
 
       expect(response.error).toBeUndefined();
       expect(response.data).toEqual(data);
@@ -74,16 +103,18 @@ describe('RoutingConfigurationApiClient', () => {
 
   describe('update', () => {
     it('should return error when failing to update via API', async () => {
-      axiosMock.onPut('/v1/routing-configuration/routing-config-2').reply(400, {
-        statusCode: 400,
-        technicalMessage: 'Bad request',
-        details: { message: 'Broken' },
-      });
+      axiosMock
+        .onPut(`/v1/routing-configuration/${notFoundRoutingConfigId}`)
+        .reply(404, {
+          statusCode: 404,
+          technicalMessage: 'Not Found',
+          details: { message: 'Routing configuration not found' },
+        });
 
       const client = new RoutingConfigurationApiClient();
 
       const body = {
-        id: 'routing-config-2',
+        id: notFoundRoutingConfigId,
         name: 'Test plan',
         status: 'DRAFT' as RoutingConfigStatus,
         clientId: 'client-1',
@@ -96,24 +127,57 @@ describe('RoutingConfigurationApiClient', () => {
 
       const response = await client.update(
         'test-token',
-        'routing-config-2',
+        notFoundRoutingConfigId,
         body
       );
 
       expect(response.error).toEqual({
         errorMeta: {
-          code: 400,
-          description: 'Bad request',
-          details: { message: 'Broken' },
+          code: 404,
+          description: 'Not Found',
+          details: { message: 'Routing configuration not found' },
         },
       });
       expect(response.data).toBeUndefined();
       expect(axiosMock.history.put.length).toBe(1);
     });
 
+    it('should return error for invalid routing config ID', async () => {
+      const client = new RoutingConfigurationApiClient();
+
+      const body = {
+        id: invalidRoutingConfigId,
+        name: 'Test plan',
+        status: 'DRAFT' as RoutingConfigStatus,
+        clientId: 'client-1',
+        campaignId: 'campaign-1',
+        createdAt: '2025-01-01T00:00:00.000Z',
+        updatedAt: '2025-01-02T00:00:00.000Z',
+        cascade: [],
+        cascadeGroupOverrides: [],
+      };
+
+      const response = await client.update(
+        'mock-token',
+        invalidRoutingConfigId,
+        body
+      );
+
+      expect(response.error).toEqual({
+        errorMeta: {
+          code: ErrorCase.VALIDATION_FAILED,
+          description: 'Invalid routing configuration ID format',
+          details: { id: invalidRoutingConfigId },
+        },
+        actualError: undefined,
+      });
+      expect(response.data).toBeUndefined();
+      expect(axiosMock.history.get.length).toBe(0);
+    });
+
     it('should return updated routing configuration on success', async () => {
       const body = {
-        id: 'routing-config-2',
+        id: '4c6e8f0a-2b3d-4c5e-9a1b-7d8c9b0a1f2e',
         name: 'Updated Plan',
         status: 'DRAFT' as RoutingConfigStatus,
         clientId: 'client-1',
@@ -132,7 +196,7 @@ describe('RoutingConfigurationApiClient', () => {
 
       const response = await client.update(
         'test-token',
-        'routing-config-2',
+        '4c6e8f0a-2b3d-4c5e-9a1b-7d8c9b0a1f2e',
         body
       );
 
@@ -141,4 +205,17 @@ describe('RoutingConfigurationApiClient', () => {
       expect(axiosMock.history.put.length).toBe(1);
     });
   });
+
+  describe('isValidUuid', () => {
+    it('returns true for valid UUID v4', () => {
+      expect(isValidUuid('a3f1c2e4-5b6d-4e8f-9a2b-1c3d4e5f6a7b')).toBe(true);
+      expect(isValidUuid('b7e2d3c4-8f9a-4b1c-9d2e-3f4a5b6c7d8e')).toBe(true);
+    });
+
+    it('returns false for invalid UUIDs', () => {
+      expect(isValidUuid('not-a-uuid')).toBe(false);
+      expect(isValidUuid('123456')).toBe(false);
+      expect(isValidUuid('11111111-1111-1111-1111-111111111111')).toBe(false);
+    });
+  });
 });