CCM-12327: check/set lock number on update/delete endpoints

Author: harrim91

infrastructure/terraform/modules/backend-api/spec.tmpl.json

@@ -1553,6 +1553,15 @@
             "schema": {
               "type": "string"
             }
+          },
+          {
+            "description": "Lock number of the current version of the template",
+            "in": "header",
+            "name": "X-Lock-Number",
+            "required": true,
+            "schema": {
+              "type": "integer"
+            }
           }
         ],
         "responses": {
@@ -1665,6 +1674,15 @@
             "schema": {
               "type": "string"
             }
+          },
+          {
+            "description": "Lock number of the current version of the template",
+            "in": "header",
+            "name": "X-Lock-Number",
+            "required": true,
+            "schema": {
+              "type": "integer"
+            }
           }
         ],
         "requestBody": {
@@ -1741,6 +1759,15 @@
             "schema": {
               "type": "string"
             }
+          },
+          {
+            "description": "Lock number of the current version of the template",
+            "in": "header",
+            "name": "X-Lock-Number",
+            "required": true,
+            "schema": {
+              "type": "integer"
+            }
           }
         ],
         "responses": {
@@ -1806,6 +1833,15 @@
             "schema": {
               "type": "string"
             }
+          },
+          {
+            "description": "Lock number of the current version of the template",
+            "in": "header",
+            "name": "X-Lock-Number",
+            "required": true,
+            "schema": {
+              "type": "integer"
+            }
           }
         ],
         "responses": {

lambdas/backend-api/src/__tests__/templates/api/delete.test.ts

@@ -26,6 +26,9 @@ describe('Template API - Delete', () => {
       const event = mock<APIGatewayProxyEvent>({
         requestContext: { authorizer: ctx },
         pathParameters: { templateId: 'id' },
+        headers: {
+          'X-Lock-Number': '0',
+        },
       });
 
       const result = await handler(event, mock<Context>(), jest.fn());
@@ -51,6 +54,9 @@ describe('Template API - Delete', () => {
       },
       body: JSON.stringify({ name: 'test' }),
       pathParameters: { templateId: undefined },
+      headers: {
+        'X-Lock-Number': '0',
+      },
     });
 
     const result = await handler(event, mock<Context>(), jest.fn());
@@ -83,6 +89,9 @@ describe('Template API - Delete', () => {
         authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
       },
       pathParameters: { templateId: '1-2-3' },
+      headers: {
+        'X-Lock-Number': '0',
+      },
     });
 
     const result = await handler(event, mock<Context>(), jest.fn());
@@ -95,10 +104,14 @@ describe('Template API - Delete', () => {
       }),
     });
 
-    expect(mocks.templateClient.deleteTemplate).toHaveBeenCalledWith('1-2-3', {
-      userId: 'sub',
-      clientId: 'nhs-notify-client-id',
-    });
+    expect(mocks.templateClient.deleteTemplate).toHaveBeenCalledWith(
+      '1-2-3',
+      {
+        userId: 'sub',
+        clientId: 'nhs-notify-client-id',
+      },
+      '0'
+    );
   });
 
   test('should return no content', async () => {
@@ -113,6 +126,9 @@ describe('Template API - Delete', () => {
         authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
       },
       pathParameters: { templateId: '1-2-3' },
+      headers: {
+        'X-Lock-Number': '0',
+      },
     });
 
     const result = await handler(event, mock<Context>(), jest.fn());
@@ -122,9 +138,44 @@ describe('Template API - Delete', () => {
       body: JSON.stringify({ statusCode: 204, template: undefined }),
     });
 
-    expect(mocks.templateClient.deleteTemplate).toHaveBeenCalledWith('1-2-3', {
-      userId: 'sub',
-      clientId: 'nhs-notify-client-id',
+    expect(mocks.templateClient.deleteTemplate).toHaveBeenCalledWith(
+      '1-2-3',
+      {
+        userId: 'sub',
+        clientId: 'nhs-notify-client-id',
+      },
+      '0'
+    );
+  });
+
+  test('coerces missing lock number header to empty string', async () => {
+    const { handler, mocks } = setup();
+
+    mocks.templateClient.deleteTemplate.mockResolvedValueOnce({
+      error: { errorMeta: { code: 409, description: 'Invalid lock number' } },
     });
+
+    const event = mock<APIGatewayProxyEvent>({
+      requestContext: {
+        authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
+      },
+      pathParameters: { templateId: '1-2-3' },
+    });
+
+    const result = await handler(event, mock<Context>(), jest.fn());
+
+    expect(result).toEqual({
+      statusCode: 409,
+      body: JSON.stringify({
+        statusCode: 409,
+        technicalMessage: 'Invalid lock number',
+      }),
+    });
+
+    expect(mocks.templateClient.deleteTemplate).toHaveBeenCalledWith(
+      '1-2-3',
+      { userId: 'sub', clientId: 'nhs-notify-client-id' },
+      ''
+    );
   });
 });

lambdas/backend-api/src/__tests__/templates/api/update.test.ts

@@ -28,6 +28,9 @@ describe('Template API - Update', () => {
         requestContext: { authorizer: ctx },
         pathParameters: { templateId: 'id' },
         body: JSON.stringify({ name: 'test' }),
+        headers: {
+          'X-Lock-Number': '1',
+        },
       });
 
       const result = await handler(event, mock<Context>(), jest.fn());
@@ -51,6 +54,9 @@ describe('Template API - Update', () => {
       requestContext: { authorizer: undefined },
       body: JSON.stringify({ name: 'test' }),
       pathParameters: { templateId: '1-2-3' },
+      headers: {
+        'X-Lock-Number': '1',
+      },
     });
 
     const result = await handler(event, mock<Context>(), jest.fn());
@@ -88,6 +94,9 @@ describe('Template API - Update', () => {
       },
       pathParameters: { templateId: '1-2-3' },
       body: undefined,
+      headers: {
+        'X-Lock-Number': '1',
+      },
     });
 
     const result = await handler(event, mock<Context>(), jest.fn());
@@ -106,7 +115,8 @@ describe('Template API - Update', () => {
     expect(mocks.templateClient.updateTemplate).toHaveBeenCalledWith(
       '1-2-3',
       {},
-      { userId: 'sub', clientId: 'nhs-notify-client-id' }
+      { userId: 'sub', clientId: 'nhs-notify-client-id' },
+      '1'
     );
   });
 
@@ -119,6 +129,9 @@ describe('Template API - Update', () => {
       },
       body: JSON.stringify({ name: 'test' }),
       pathParameters: { templateId: undefined },
+      headers: {
+        'X-Lock-Number': '1',
+      },
     });
 
     const result = await handler(event, mock<Context>(), jest.fn());
@@ -152,6 +165,9 @@ describe('Template API - Update', () => {
       },
       body: JSON.stringify({ name: 'name' }),
       pathParameters: { templateId: '1-2-3' },
+      headers: {
+        'X-Lock-Number': '1',
+      },
     });
 
     const result = await handler(event, mock<Context>(), jest.fn());
@@ -167,7 +183,8 @@ describe('Template API - Update', () => {
     expect(mocks.templateClient.updateTemplate).toHaveBeenCalledWith(
       '1-2-3',
       { name: 'name' },
-      { userId: 'sub', clientId: 'nhs-notify-client-id' }
+      { userId: 'sub', clientId: 'nhs-notify-client-id' },
+      '1'
     );
   });
 
@@ -186,7 +203,7 @@ describe('Template API - Update', () => {
       templateStatus: 'NOT_YET_SUBMITTED',
       createdAt: new Date().toISOString(),
       updatedAt: new Date().toISOString(),
-      lockNumber: 1,
+      lockNumber: 2,
     };
 
     mocks.templateClient.updateTemplate.mockResolvedValueOnce({
@@ -199,6 +216,9 @@ describe('Template API - Update', () => {
       },
       body: JSON.stringify(update),
       pathParameters: { templateId: '1-2-3' },
+      headers: {
+        'X-Lock-Number': '1',
+      },
     });
 
     const result = await handler(event, mock<Context>(), jest.fn());
@@ -211,7 +231,47 @@ describe('Template API - Update', () => {
     expect(mocks.templateClient.updateTemplate).toHaveBeenCalledWith(
       '1-2-3',
       update,
-      { userId: 'sub', clientId: 'nhs-notify-client-id' }
+      { userId: 'sub', clientId: 'nhs-notify-client-id' },
+      '1'
+    );
+  });
+
+  test('coerces lock number header to empty string if missing', async () => {
+    const { handler, mocks } = setup();
+
+    const update: CreateUpdateTemplate = {
+      name: 'updated-name',
+      message: 'message',
+      templateType: 'SMS',
+    };
+
+    mocks.templateClient.updateTemplate.mockResolvedValueOnce({
+      error: { errorMeta: { code: 409, description: 'Invalid lock number' } },
+    });
+
+    const event = mock<APIGatewayProxyEvent>({
+      requestContext: {
+        authorizer: { user: 'sub', clientId: 'nhs-notify-client-id' },
+      },
+      body: JSON.stringify(update),
+      pathParameters: { templateId: '1-2-3' },
+    });
+
+    const result = await handler(event, mock<Context>(), jest.fn());
+
+    expect(result).toEqual({
+      statusCode: 409,
+      body: JSON.stringify({
+        statusCode: 409,
+        technicalMessage: 'Invalid lock number',
+      }),
+    });
+
+    expect(mocks.templateClient.updateTemplate).toHaveBeenCalledWith(
+      '1-2-3',
+      update,
+      { userId: 'sub', clientId: 'nhs-notify-client-id' },
+      ''
     );
   });
 });