Merge pull request #2292 from vikasosmium/deprecate-stocks-self-GET-route

vikasosmium · web-flow · commit c976b31be6f9 · 2024-12-14T01:19:56.000+05:30
Added New Route to fetch User Stocks
diff --git a/controllers/stocks.js b/controllers/stocks.js
@@ -44,10 +44,42 @@ const fetchStocks = async (req, res) => {
  * @param req {Object} - Express request object
  * @param res {Object} - Express response object
  */
+/**
+ * @deprecated
+ * WARNING: This API endpoint is being deprecated and will be removed in future.
+ * Please use the updated API endpoint: `/stocks/:userId` for retrieving user stocks details.
+ *
+ * This API is kept temporarily for backward compatibility.
+ */
 const getSelfStocks = async (req, res) => {
   try {
     const { id: userId } = req.userData;
     const userStocks = await stocks.fetchUserStocks(userId);
+
+    res.set(
+      "X-Deprecation-Warning",
+      "WARNING: This endpoint is being deprecated and will be removed in the future. Please use `/stocks/:userId` route to get the user stocks details."
+    );
+    return res.json({
+      message: userStocks.length > 0 ? "User stocks returned successfully!" : "No stocks found",
+      userStocks,
+    });
+  } catch (err) {
+    logger.error(`Error while getting user stocks ${err}`);
+    return res.boom.badImplementation(INTERNAL_SERVER_ERROR);
+  }
+};
+
+/**
+ * Fetches all the stocks of the authenticated user
+ *
+ * @param req {Object} - Express request object
+ * @param res {Object} - Express response object
+ */
+const getUserStocks = async (req, res) => {
+  try {
+    const userStocks = await stocks.fetchUserStocks(req.params.userId);
+
     return res.json({
       message: userStocks.length > 0 ? "User stocks returned successfully!" : "No stocks found",
       userStocks,
@@ -62,4 +94,5 @@ module.exports = {
   addNewStock,
   fetchStocks,
   getSelfStocks,
+  getUserStocks,
 };
diff --git a/middlewares/userAuthorization.ts b/middlewares/userAuthorization.ts
@@ -0,0 +1,9 @@
+import { NextFunction } from "express";
+import { CustomRequest, CustomResponse } from "../types/global";
+
+export const userAuthorization = (req: CustomRequest, res: CustomResponse, next: NextFunction) => {
+  if (req.params.userId === req.userData.id) {
+    return next();
+  }
+  res.boom.forbidden("Unauthorized access");
+};
diff --git a/models/stocks.js b/models/stocks.js
@@ -6,7 +6,7 @@ const userStocksModel = firestore.collection("user-stocks");
  * Adds Stocks
  *
  * @param stockData { Object }: stock data object to be stored in DB
- * @return {Promise<{stockId: string}>}
+ * @return {Promise<{id: string, stockData: Object}>}
  */
 const addStock = async (stockData) => {
   try {
diff --git a/routes/stocks.js b/routes/stocks.js
@@ -2,12 +2,15 @@ const express = require("express");
 const router = express.Router();
 const authenticate = require("../middlewares/authenticate");
 const authorizeRoles = require("../middlewares/authorizeRoles");
-const { addNewStock, fetchStocks, getSelfStocks } = require("../controllers/stocks");
+const { addNewStock, fetchStocks, getSelfStocks, getUserStocks } = require("../controllers/stocks");
 const { createStock } = require("../middlewares/validators/stocks");
 const { SUPERUSER } = require("../constants/roles");
+const { devFlagMiddleware } = require("../middlewares/devFlag");
+const { userAuthorization } = require("../middlewares/userAuthorization");
 
 router.get("/", fetchStocks);
 router.post("/", authenticate, authorizeRoles([SUPERUSER]), createStock, addNewStock);
-router.get("/user/self", authenticate, getSelfStocks);
+router.get("/user/self", authenticate, getSelfStocks); // this route will soon be deprecated, please use `/stocks/:userId` route.
+router.get("/:userId", devFlagMiddleware, authenticate, userAuthorization, getUserStocks);
 
 module.exports = router;
diff --git a/test/integration/stocks.test.ts b/test/integration/stocks.test.ts
@@ -0,0 +1,97 @@
+import chai from "chai";
+import chaiHttp from "chai-http";
+import app from "../../server";
+import authService from "../../services/authService";
+import addUser from "../utils/addUser";
+import cleanDb from "../utils/cleanDb";
+import stocks from "../../models/stocks";
+import sinon from "sinon";
+import config from "config";
+
+const cookieName: string = config.get("userToken.cookieName");
+chai.use(chaiHttp);
+const { expect } = chai;
+
+describe("GET /stocks/:userId", function () {
+  let jwt: string;
+  let userId: string;
+  let userStock;
+  const stockData = { name: "EURO", quantity: 2, price: 10 };
+
+  beforeEach(async function () {
+    userId = await addUser();
+    jwt = authService.generateAuthToken({ userId });
+    const { id } = await stocks.addStock(stockData);
+    userStock = { stockId: id, stockName: "EURO", quantity: 1, orderValue: 10, initialStockValue: 2 };
+  });
+
+  afterEach(async function () {
+    await cleanDb();
+    sinon.restore();
+  });
+
+  it("Should return user stocks when stocks are available", async function () {
+    await stocks.updateUserStocks(userId, userStock);
+
+    const res = await chai.request(app).get(`/stocks/${userId}?dev=true`).set("cookie", `${cookieName}=${jwt}`);
+
+    expect(res).to.have.status(200);
+    expect(res.body).to.be.an("object");
+    expect(res.body.message).to.equal("User stocks returned successfully!");
+    expect(res.body.userStocks).to.be.an("array");
+    expect(res.body.userStocks.map(({ id, ...rest }) => rest)).to.deep.equal([{ ...userStock, userId }]);
+  });
+
+  it("Should return empty object when no stocks are found", function (done) {
+    chai
+      .request(app)
+      .get(`/stocks/${userId}?dev=true`)
+      .set("cookie", `${cookieName}=${jwt}`)
+      .end((err, res) => {
+        if (err) return done(err);
+
+        expect(res).to.have.status(200);
+        expect(res.body).to.be.an("object");
+        expect(res.body.message).to.equal("No stocks found");
+        expect(res.body.userStocks).to.be.an("array");
+
+        return done();
+      });
+  });
+
+  it("Should return 403 for unauthorized access", function (done) {
+    const userId = "anotherUser123";
+
+    chai
+      .request(app)
+      .get(`/stocks/${userId}?dev=true`)
+      .set("cookie", `${cookieName}=${jwt}`)
+      .end((err, res) => {
+        if (err) return done(err);
+
+        expect(res).to.have.status(403);
+        expect(res.body).to.be.an("object");
+        expect(res.body.message).to.equal("Unauthorized access");
+
+        return done();
+      });
+  });
+
+  it("Should return 500 when an internal server error occurs", function (done) {
+    sinon.stub(stocks, "fetchUserStocks").throws(new Error("Database error"));
+
+    chai
+      .request(app)
+      .get(`/stocks/${userId}?dev=true`)
+      .set("cookie", `${cookieName}=${jwt}`)
+      .end((err, res) => {
+        if (err) return done(err);
+
+        expect(res).to.have.status(500);
+        expect(res.body).to.be.an("object");
+        expect(res.body.message).to.equal("An internal server error occurred");
+
+        return done();
+      });
+  });
+});
diff --git a/test/unit/middlewares/userAuthorization.test.ts b/test/unit/middlewares/userAuthorization.test.ts
@@ -0,0 +1,70 @@
+import * as sinon from "sinon";
+import chai from "chai";
+const { expect } = chai;
+const { userAuthorization } = require("../../../middlewares/userAuthorization");
+
+describe("userAuthorization Middleware", function () {
+  let req;
+  let res;
+  let next;
+
+  beforeEach(function () {
+    req = {
+      params: {},
+      userData: {},
+    };
+    res = {
+      boom: {
+        forbidden: sinon.spy((message) => {
+          res.status = 403;
+          res.message = message;
+        }),
+      },
+    };
+    next = sinon.spy();
+  });
+
+  it("should call next() if userId matches userData.id", function () {
+    req.params.userId = "123";
+    req.userData.id = "123";
+
+    userAuthorization(req, res, next);
+
+    expect(next.calledOnce).to.be.true;
+    expect(res.boom.forbidden.notCalled).to.be.true;
+  });
+
+  it("should call res.boom.forbidden() if userId does not match userData.id", function () {
+    req.params.userId = "123";
+    req.userData.id = "456";
+
+    userAuthorization(req, res, next);
+
+    expect(res.boom.forbidden.calledOnce).to.be.true;
+    expect(res.status).to.equal(403);
+    expect(res.message).to.equal("Unauthorized access");
+    expect(next.notCalled).to.be.true;
+  });
+
+  it("should call res.boom.forbidden() if userData.id is missing", function () {
+    req.params.userId = "123";
+
+    userAuthorization(req, res, next);
+
+    expect(res.boom.forbidden.calledOnce).to.be.true;
+    expect(res.status).to.equal(403);
+    expect(res.message).to.equal("Unauthorized access");
+    expect(next.notCalled).to.be.true;
+  });
+
+  it("should call res.boom.forbidden() if userId is missing", function () {
+    req.userData.id = "123";
+
+    userAuthorization(req, res, next);
+
+    expect(res.boom.forbidden.calledOnce).to.be.true;
+    expect(res.status).to.equal(403);
+    expect(res.message).to.equal("Unauthorized access");
+    expect(next.notCalled).to.be.true;
+  });
+});

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ const userStocksModel = firestore.collection("user-stocks");`
`6`	`6`	`* Adds Stocks`
`7`	`7`	`*`
`8`	`8`	`* @param stockData { Object }: stock data object to be stored in DB`
`9`		`- * @return {Promise<{stockId: string}>}`
	`9`	`+ * @return {Promise<{id: string, stockData: Object}>}`
`10`	`10`	`*/`
`11`	`11`	`const addStock = async (stockData) => {`
`12`	`12`	`try {`