feat: implement OOO approve/reject functionality

[tejaskh3]

• Add OOO request approval/rejection logic
• Update request validation and error handling
• Add tests for OOO approval workflow

Date:

Developer Name:

---

Issue Ticket Number

Description

Documentation Updated?

• Yes
• No

Under Feature Flag

• Yes
• No

Database Changes

• Yes
• No

Breaking Changes

• Yes
• No

Development Tested?

• Yes
• No

Screenshots

Screenshot 1

Test Coverage

Screenshot 1

Additional Notes

Description by Korbit AI

What change is being made?

Implement approve/reject functionality for Out-of-Office (OOO) requests.

Why are these changes being made?

The changes introduce a new capability to handle OOO requests more effectively by allowing them to be approved or rejected. This includes adding necessary validations, updating necessary services, and removing unused and obsolete code related to impersonation and Discord services. The approval process is enhanced to ensure superuser roles can only approve requests, and proper logging and error handling are included for better traceability.

Is this description stale? Ask me to generate a new description by commenting /korbit-generate-pr-description

[coderabbitai]

Caution

Review failed

The pull request is closed.

Summary by CodeRabbit

• New Features

  • Added the ability for super users to acknowledge Out-of-Office (OOO) requests, including approval or rejection with optional comments.
  • Introduced validation and error handling for OOO request acknowledgment.
  • Enhanced type support for OOO request acknowledgment in TypeScript.

• Bug Fixes

  • Enabled Discord invite endpoints that were previously disabled.

• Refactor

  • Simplified task status handling for overdue tasks.
  • Streamlined authentication and authorization middleware by removing impersonation and Discord service logic.

• Chores

  • Removed unused configuration options and constants related to impersonation and Discord service.
  • Updated and expanded test coverage for new OOO request features and removed tests for deprecated functionality.

Walkthrough

This update removes all impersonation and Discord service token verification logic, including related configuration, constants, middleware, and tests. It introduces the core implementation, validation, and controller logic for acknowledging Out-Of-Office (OOO) requests, along with supporting types and test coverage. Several test suites are revised or activated to reflect these changes.

Changes

Files/Groups	Change Summary
config/custom-environment-variables.js, config/default.js, test/config/test.js	Removed impersonation and Discord service config properties.
constants/bot.ts, services/botVerificationService.js, test/utils/generateBotToken.js	Removed Discord service constants, verification, and token generation.
controllers/oooRequests.ts, services/oooRequest.ts, types/oooRequest.d.ts	Added OOO request acknowledgment controller, service logic, and types.
controllers/requests.ts, middlewares/validators/requests.ts	Integrated OOO acknowledgment into request update controller and validator.
middlewares/authenticate.js, services/authService.js	Removed impersonation logic and related token generation.
middlewares/authorizeBot.js	Simplified bot authorization; removed Discord service checks.
constants/requests.ts	Added/removed constants for OOO acknowledgment and removed impersonation log types.
middlewares/validators/oooRequests.ts	Added OOO acknowledgment request validator middleware.
models/requests.ts	Added function to fetch requests by ID with error handling.
models/tasks.js, test/unit/models/tasks.test.js, test/fixtures/tasks/tasks.js	Changed overdue tasks logic and updated/removal of related test data and assertions.
routes/discordactions.js	Enabled /invite endpoints by removing route-disabling middleware.
routes/index.ts	Removed impersonation route registration.
test/integration/discordactions.test.js, test/integration/requests.test.ts	Activated and updated integration tests for Discord actions and OOO acknowledgment.
test/integration/users.test.js	Removed tests related to overdue approved tasks.
test/unit/middlewares/authenticate.test.js, test/unit/services/authService.test.js	Removed impersonation and token refresh tests.
test/unit/middlewares/authorizeBot.test.js	Removed Discord service authorization tests.
test/unit/services/oooRequest.test.ts	Activated and expanded tests for OOO acknowledgment and validation logic.
test/fixtures/oooRequest/oooRequest.ts	Renamed exported test constant for OOO acknowledgment.
test/unit/models/requests.test.ts	Added tests for new getRequestById function.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant API
    participant Auth
    participant OOOService
    participant RequestsModel

    User->>API: PATCH /requests/:id (type: OOO)
    API->>Auth: Authenticate & Authorize
    Auth-->>API: User data
    API->>OOOService: acknowledgeOooRequest(id, body, superUserId)
    OOOService->>RequestsModel: getRequestById(id)
    RequestsModel-->>OOOService: Request data or error
    OOOService->>OOOService: validateOooAcknowledgeRequest(type, status)
    OOOService->>RequestsModel: updateRequest(id, newStatus, ...)
    RequestsModel-->>OOOService: Updated request or error
    OOOService-->>API: Success message & updated request
    API-->>User: Response (success or error)

Loading

Possibly related issues

• Update middleware to validate incoming request from Discord Service #2409: This PR removes Discord service token verification, directly affecting the issue's objective to update Discord service request validation.

Possibly related PRs

• Fix: Disable discord-actions/invite routes #2435: This PR removes disableRoute from /invite routes, while Fix: Disable discord-actions/invite routes #2435 adds it—directly opposing changes.
• feat: Add test cases for PATCH /requests/:id API for acknowledging OOO requests #2391: This PR implements OOO request acknowledgment; feat: Add test cases for PATCH /requests/:id API for acknowledging OOO requests #2391 adds tests for this feature.
• feat: add Discord service verification and token generation #2419: This PR removes Discord service token logic, which feat: add Discord service verification and token generation #2419 introduced.

Suggested labels

backend, tests, bug-fix

Suggested reviewers

• MayankBansal12
• AnujChhikara

Poem

A patch arrives, the code is neat,
Impersonation hops away on silent feet.
Discord tokens wave goodbye,
OOO requests now get a try!
Tests awaken, bugs retreat—
In backend fields, where rabbits meet,
We celebrate with thumping beat! 🐇✨

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cd129fb and 8bc63c3.

📒 Files selected for processing (33)

• config/custom-environment-variables.js (0 hunks)
• config/default.js (0 hunks)
• constants/bot.ts (1 hunks)
• constants/requests.ts (2 hunks)
• controllers/oooRequests.ts (3 hunks)
• controllers/requests.ts (3 hunks)
• middlewares/authenticate.js (2 hunks)
• middlewares/authorizeBot.js (2 hunks)
• middlewares/validators/oooRequests.ts (2 hunks)
• middlewares/validators/requests.ts (3 hunks)
• models/requests.ts (2 hunks)
• models/tasks.js (2 hunks)
• routes/discordactions.js (1 hunks)
• routes/index.ts (0 hunks)
• services/authService.js (0 hunks)
• services/botVerificationService.js (1 hunks)
• services/oooRequest.ts (2 hunks)
• test/config/test.js (0 hunks)
• test/fixtures/oooRequest/oooRequest.ts (1 hunks)
• test/fixtures/tasks/tasks.js (0 hunks)
• test/integration/discordactions.test.js (2 hunks)
• test/integration/requests.test.ts (13 hunks)
• test/integration/users.test.js (2 hunks)
• test/unit/middlewares/authenticate.test.js (0 hunks)
• test/unit/middlewares/authorizeBot.test.js (1 hunks)
• test/unit/middlewares/oooRequests.test.ts (2 hunks)
• test/unit/models/requests.test.ts (2 hunks)
• test/unit/models/tasks.test.js (2 hunks)
• test/unit/services/authService.test.js (0 hunks)
• test/unit/services/oooRequest.test.ts (5 hunks)
• test/unit/services/tasks.test.js (2 hunks)
• test/utils/generateBotToken.js (1 hunks)
• types/oooRequest.d.ts (1 hunks)

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

To fix the problem, add a rate-limiting middleware to the affected route. The best approach is to use the well-known express-rate-limit package. This involves importing the package, configuring a limiter (e.g., allow a reasonable number of requests per minute per user/IP), and attaching it to the sensitive route(s) only. This avoids affecting other routes unnecessarily and minimizes the risk of breaking existing functionality.

Specifically:

• Add a require("express-rate-limit") import at the top.
• Define a rate limiter instance with appropriate settings (for example, windowMs: 1 minute, max: 5 requests per window).
• Insert the rate limiter middleware as the first or second argument for router.post("/roles", ...), immediately after the route path.

All changes are confined to routes/discordactions.js.

---

To fix the missing rate limiting issue for the /invite GET route, we should use a rate-limiting middleware such as express-rate-limit. We will require the package at the top of the file, configure a rate limiter (e.g., allow 100 requests per 15 minutes per IP), and apply this middleware specifically to the /invite GET route. This ensures that repeated requests to this endpoint are restricted, mitigating denial-of-service risks. The changes are all in routes/discordactions.js:

• Import express-rate-limit
• Define a rate limiter instance
• Apply it as middleware to the GET /invite route in addition to authenticate

---

To mitigate the risk of abuse on the /invite POST endpoint, a rate-limiting middleware should be introduced. The best approach is to use a well-known package such as express-rate-limit, which can easily be configured to limit the number of requests allowed per user or IP address within a given timeframe. The rate limiter should be applied specifically to the /invite POST route (line 41), ensuring minimal impact on other routes.

This involves:

• Adding an import for express-rate-limit at the top of the file.
• Defining a rate limiter instance with reasonable defaults (e.g., 5 requests per hour).
• Applying the rate limiter as middleware to the /invite POST route, before authentication (or immediately after, if rate-limiting should be per-user rather than per-IP).

Edits are confined to routes/discordactions.js, including the import, rate limiter definition, and the route modification.

---

[korbit-ai]

Review by Korbit AI

Korbit automatically attempts to detect when you fix issues in new commits.

Category	Issue	Status
	Unsafe Authorization Header Access ▹ view
	Incomplete Security Feature Documentation ▹ view

Files scanned

​

File Path	Reviewed
constants/bot.ts	✅
services/botVerificationService.js	✅
services/authService.js	✅
types/oooRequest.d.ts	✅
middlewares/authorizeBot.js	✅
routes/index.ts	✅
routes/discordactions.js	✅
middlewares/validators/oooRequests.ts	✅
constants/requests.ts	✅
models/requests.ts	✅
controllers/requests.ts	✅
middlewares/validators/requests.ts	✅
middlewares/authenticate.js	✅
controllers/oooRequests.ts	✅
services/oooRequest.ts	✅
models/tasks.js	✅

Explore our documentation to understand the languages and file types we support and the files we ignore.

Check out our docs on how you can make Korbit work best for you and your team.

Loving Korbit!? Share us on LinkedIn Reddit and X

[korbit-ai]

Unsafe Authorization Header Access

Tell me more

What is the issue?

The code assumes req.headers.authorization exists when accessing it, which could cause a runtime error if authorization header is missing.

Why this matters

If authorization header is undefined, attempting to call split() on it will throw a TypeError and crash the application.

Suggested change ∙ Feature Preview

Add a check for the existence of the authorization header before accessing it:

if (process.env.NODE_ENV !== 'production' && !token) {
      token = req.headers.authorization?.split(' ')[1] || null;
}

Provide feedback to improve future suggestions

💬 Looking for more details? Reply to this comment to chat with Korbit.

[korbit-ai]

Incomplete Security Feature Documentation

Tell me more

What is the issue?

The comment contains a typo ('authe' instead of 'auth') and doesn't explain the security implications of this feature.

Why this matters

Unclear documentation of security-related features can lead to misuse or security vulnerabilities.

Suggested change ∙ Feature Preview

/**

• Enable Bearer Token authentication for NON-PRODUCTION environments only.
• This is enabled as Swagger UI does not support cookie auth.
• Note: This is less secure than cookie-based auth and should never be enabled in production.
  */

Provide feedback to improve future suggestions

💬 Looking for more details? Reply to this comment to chat with Korbit.