refactor: improve typing of generic route execution context

Author: d-gubert

apps/meteor/app/api/server/ApiClass.ts

@@ -28,7 +28,6 @@ import type {
 	NotFoundResult,
 	Operations,
 	Options,
-	PartialThis,
 	SuccessResult,
 	TypedThis,
 	TypedAction,
@@ -37,6 +36,7 @@ import type {
 	RedirectStatusCodes,
 	RedirectResult,
 	UnavailableResult,
+	GenericRouteExecutionContext,
 } from './definition';
 import { getUserInfo } from './helpers/getUserInfo';
 import { parseJsonQuery } from './helpers/parseJsonQuery';
@@ -156,12 +156,7 @@ const generateConnection = (
 	clientAddress: ipAddress,
 });
 
-export class APIClass<
-	TBasePath extends string = '',
-	TOperations extends {
-		[x: string]: unknown;
-	} = {},
-> {
+export class APIClass<TBasePath extends string = '', TOperations extends Record<string, unknown> = Record<string, never>> {
 	public typedRoutes: Record<string, Record<string, Route>> = {};
 
 	protected apiPath?: string;
@@ -170,7 +165,7 @@ export class APIClass<
 
 	private _routes: { path: string; options: Options; endpoints: Record<string, string> }[] = [];
 
-	public authMethods: ((req: Request) => Promise<IUser | undefined>)[];
+	public authMethods: ((routeContext: GenericRouteExecutionContext) => Promise<IUser | undefined>)[];
 
 	protected helperMethods: Map<string, () => any> = new Map();
 
@@ -248,11 +243,11 @@ export class APIClass<
 		};
 	}
 
-	async parseJsonQuery(this: PartialThis) {
-		return parseJsonQuery(this);
+	async parseJsonQuery(routeContext: GenericRouteExecutionContext) {
+		return parseJsonQuery(routeContext);
 	}
 
-	public addAuthMethod(func: (req: Request) => Promise<IUser | undefined>): void {
+	public addAuthMethod(func: (routeContext: GenericRouteExecutionContext) => Promise<IUser | undefined>): void {
 		this.authMethods.push(func);
 	}
 
@@ -822,8 +817,12 @@ export class APIClass<
 				const api = this;
 				(operations[method as keyof Operations<TPathPattern, TOptions>] as Record<string, any>).action =
 					async function _internalRouteActionHandler() {
+						this.queryOperations = options.queryOperations;
+						this.queryFields = options.queryFields;
+						this.logger = logger;
+
 						if (options.authRequired || options.authOrAnonRequired) {
-							const user = await api.authenticatedRoute.call(api, this.request);
+							const user = await api.authenticatedRoute(this);
 							this.user = user!;
 							this.userId = this.user?._id;
 							const authToken = this.request.headers.get('x-auth-token');
@@ -918,9 +917,7 @@ export class APIClass<
 									connection: connection as unknown as IMethodConnection,
 								}));
 
-							this.queryOperations = options.queryOperations;
-							(this as any).queryFields = options.queryFields;
-							this.parseJsonQuery = api.parseJsonQuery.bind(this as unknown as PartialThis);
+							this.parseJsonQuery = () => api.parseJsonQuery(this);
 
 							result = (await DDP._CurrentInvocation.withValue(invocation as any, async () => originalAction.apply(this))) || api.success();
 						} catch (e: any) {
@@ -972,9 +969,9 @@ export class APIClass<
 		});
 	}
 
-	protected async authenticatedRoute(req: Request): Promise<IUser | null> {
-		const userId = req.headers.get('x-user-id');
-		const userToken = req.headers.get('x-auth-token');
+	protected async authenticatedRoute(routeContext: GenericRouteExecutionContext): Promise<IUser | null> {
+		const userId = routeContext.request.headers.get('x-user-id');
+		const userToken = routeContext.request.headers.get('x-auth-token');
 
 		if (userId && userToken) {
 			return Users.findOne(
@@ -990,7 +987,7 @@ export class APIClass<
 
 		for (const method of this.authMethods) {
 			// eslint-disable-next-line no-await-in-loop -- we want serial execution
-			const user = await method(req);
+			const user = await method(routeContext);
 
 			if (user) {
 				return user;

apps/meteor/app/api/server/definition.ts

@@ -142,21 +142,16 @@ export type SharedOptions<TMethod extends string> = (
 	};
 };
 
-export type PartialThis = {
-	user(bodyParams: Record<string, unknown>, user: any): Promise<any>;
-	readonly request: Request & { query: Record<string, string> };
-	readonly response: Response;
-	readonly userId: string;
-	readonly bodyParams: Record<string, unknown>;
-	readonly path: string;
-	readonly queryParams: Record<string, string>;
-	readonly queryOperations?: string[];
-	readonly queryFields?: string[];
-	readonly logger: Logger;
-	readonly route: string;
-};
+export type GenericRouteExecutionContext = ActionThis<any, any, any>;
+
+export type RouteExecutionContext<TMethod extends Method, TPathPattern extends PathPattern, TOptions> = ActionThis<
+	TMethod,
+	TPathPattern,
+	TOptions
+>;
 
 export type ActionThis<TMethod extends Method, TPathPattern extends PathPattern, TOptions> = {
+	readonly logger: Logger;
 	route: string;
 	readonly requestIp: string;
 	urlParams: UrlParams<TPathPattern>;
@@ -183,6 +178,8 @@ export type ActionThis<TMethod extends Method, TPathPattern extends PathPattern,
 	readonly request: Request;
 
 	readonly queryOperations: TOptions extends { queryOperations: infer T } ? T : never;
+	readonly queryFields: TOptions extends { queryFields: infer T } ? T : never;
+
 	parseJsonQuery(): Promise<{
 		sort: Record<string, 1 | -1>;
 		/**

apps/meteor/app/api/server/helpers/parseJsonQuery.ts

@@ -1,10 +1,11 @@
 import ejson from 'ejson';
 import { Meteor } from 'meteor/meteor';
 
+import { isPlainObject } from '../../../../lib/utils/isPlainObject';
 import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { apiDeprecationLogger } from '../../../lib/server/lib/deprecationWarningLogger';
 import { API } from '../api';
-import type { PartialThis } from '../definition';
+import type { GenericRouteExecutionContext } from '../definition';
 import { clean } from '../lib/cleanQuery';
 import { isValidQuery } from '../lib/isValidQuery';
 
@@ -13,7 +14,7 @@ const pathAllowConf = {
 	'def': ['$or', '$and', '$regex'],
 };
 
-export async function parseJsonQuery(api: PartialThis): Promise<{
+export async function parseJsonQuery(api: GenericRouteExecutionContext): Promise<{
 	sort: Record<string, 1 | -1>;
 	/**
 	 * @deprecated To access "fields" parameter, use ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS environment variable.
@@ -24,10 +25,18 @@ export async function parseJsonQuery(api: PartialThis): Promise<{
 	 */
 	query: Record<string, unknown>;
 }> {
-	const { userId, queryParams: params, logger, queryFields, queryOperations, response, route } = api;
+	const { userId, response, route, logger } = api;
+
+	const params = isPlainObject(api.queryParams) ? api.queryParams : {};
+	const queryFields = Array.isArray(api.queryFields) ? (api.queryFields as string[]) : [];
+	const queryOperations = Array.isArray(api.queryOperations) ? (api.queryOperations as string[]) : [];
+
+	if (!userId) {
+		throw new Meteor.Error('error-invalid-user', 'Invalid user');
+	}
 
 	let sort;
-	if (params.sort) {
+	if (typeof params?.sort === 'string') {
 		try {
 			sort = JSON.parse(params.sort);
 			Object.entries(sort).forEach(([key, value]) => {
@@ -50,7 +59,7 @@ export async function parseJsonQuery(api: PartialThis): Promise<{
 		`The usage of the "${parameter}" parameter in endpoint "${endpoint}" breaks the security of the API and can lead to data exposure. It has been deprecated and will be removed in the version ${version}.`;
 
 	let fields: Record<string, 0 | 1> | undefined;
-	if (params.fields && isUnsafeQueryParamsAllowed) {
+	if (typeof params?.fields === 'string' && isUnsafeQueryParamsAllowed) {
 		try {
 			apiDeprecationLogger.parameter(route, 'fields', '8.0.0', response, messageGenerator);
 			fields = JSON.parse(params.fields) as Record<string, 0 | 1>;
@@ -100,7 +109,7 @@ export async function parseJsonQuery(api: PartialThis): Promise<{
 	}
 
 	let query: Record<string, any> = {};
-	if (params.query && isUnsafeQueryParamsAllowed) {
+	if (typeof params?.query === 'string' && isUnsafeQueryParamsAllowed) {
 		apiDeprecationLogger.parameter(route, 'query', '8.0.0', response, messageGenerator);
 		try {
 			query = ejson.parse(params.query);

apps/meteor/app/integrations/server/api/api.ts

@@ -9,10 +9,11 @@ import type { RateLimiterOptionsToCheck } from 'meteor/rate-limit';
 import { WebApp } from 'meteor/webapp';
 import _ from 'underscore';
 
+import { isPlainObject } from '../../../../lib/utils/isPlainObject';
 import { APIClass } from '../../../api/server/ApiClass';
 import type { RateLimiterOptions } from '../../../api/server/api';
 import { API, defaultRateLimiterOptions } from '../../../api/server/api';
-import type { FailureResult, PartialThis, SuccessResult, UnavailableResult } from '../../../api/server/definition';
+import type { FailureResult, GenericRouteExecutionContext, SuccessResult, UnavailableResult } from '../../../api/server/definition';
 import type { WebhookResponseItem } from '../../../lib/server/functions/processWebhookMessage';
 import { processWebhookMessage } from '../../../lib/server/functions/processWebhookMessage';
 import { settings } from '../../../settings/server';
@@ -39,11 +40,10 @@ type IntegrationOptions = {
 	};
 };
 
-type IntegrationThis = Omit<PartialThis, 'user'> & {
+type IntegrationThis = GenericRouteExecutionContext & {
 	request: Request & {
 		integration: IIncomingIntegration;
 	};
-	urlParams: Record<string, string>;
 	user: IUser & { username: RequiredField<IUser, 'username'> };
 };
 
@@ -138,8 +138,8 @@ async function executeIntegrationRest(
 
 	const scriptEngine = getEngine(this.request.integration);
 
-	let { bodyParams } = this;
-	const separateResponse = this.bodyParams?.separateResponse === true;
+	let bodyParams = isPlainObject(this.bodyParams) ? this.bodyParams : {};
+	const separateResponse = bodyParams.separateResponse === true;
 	let scriptResponse: Record<string, any> | undefined;
 
 	if (scriptEngine.integrationHasValidScript(this.request.integration) && this.request.body) {
@@ -152,21 +152,22 @@ async function executeIntegrationRest(
 		const contentRaw = Buffer.concat(buffers).toString('utf8');
 		const protocol = `${this.request.headers.get('x-forwarded-proto')}:` || 'http:';
 		const url = new URL(this.request.url, `${protocol}//${this.request.headers.get('host')}`);
+		const query = isPlainObject(this.queryParams) ? this.queryParams : {};
 
 		const request = {
 			url: {
+				query,
 				hash: url.hash,
 				search: url.search,
-				query: this.queryParams,
 				pathname: url.pathname,
 				path: this.request.url,
 			},
 			url_raw: this.request.url,
 			url_params: this.urlParams,
-			content: this.bodyParams,
+			content: bodyParams,
 			content_raw: contentRaw,
 			headers: Object.fromEntries(this.request.headers.entries()),
-			body: this.bodyParams,
+			body: bodyParams,
 			user: {
 				_id: this.user._id,
 				name: this.user.name || '',
@@ -191,7 +192,7 @@ async function executeIntegrationRest(
 				return API.v1.failure(result.error);
 			}
 
-			bodyParams = result && result.content;
+			bodyParams = result?.content;
 
 			if (!('separateResponse' in bodyParams)) {
 				bodyParams.separateResponse = separateResponse;
@@ -312,8 +313,8 @@ function integrationInfoRest(): { statusCode: number; body: { success: boolean }
 }
 
 class WebHookAPI extends APIClass<'/hooks'> {
-	override async authenticatedRoute(this: IntegrationThis): Promise<IUser | null> {
-		const { integrationId, token } = this.urlParams;
+	override async authenticatedRoute(routeContext: IntegrationThis): Promise<IUser | null> {
+		const { integrationId, token } = routeContext.urlParams;
 		const integration = await Integrations.findOneByIdAndToken<IIncomingIntegration>(integrationId, decodeURIComponent(token));
 
 		if (!integration) {
@@ -322,9 +323,9 @@ class WebHookAPI extends APIClass<'/hooks'> {
 			throw new Error('Invalid integration id or token provided.');
 		}
 
-		this.request.integration = integration;
+		routeContext.request.integration = integration;
 
-		return Users.findOneById(this.request.integration.userId);
+		return Users.findOneById(routeContext.request.integration.userId);
 	}
 
 	override shouldAddRateLimitToRoute(options: { rateLimiterOptions?: RateLimiterOptions | boolean }): boolean {

apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts

@@ -5,6 +5,7 @@ import type express from 'express';
 import { Meteor } from 'meteor/meteor';
 import { WebApp } from 'meteor/webapp';
 
+import { isPlainObject } from '../../../../lib/utils/isPlainObject';
 import { OAuth2Server } from '../../../../server/oauth2-server/oauth';
 import { API } from '../../../api/server';
 
@@ -74,10 +75,9 @@ oauth2server.app.get('/oauth/userinfo', async (req: Request, res: Response) => {
 	});
 });
 
-API.v1.addAuthMethod((request: globalThis.Request) => {
-	const url = new URL(request.url);
-	const headers = Object.fromEntries(request.headers.entries());
-	const query = Object.fromEntries(url.searchParams.entries());
+API.v1.addAuthMethod((routeContext) => {
+	const headers = Object.fromEntries(routeContext.request.headers.entries());
+	const query = (isPlainObject(routeContext.queryParams) ? routeContext.queryParams : {}) as Record<string, string | undefined>;
 
 	return oAuth2ServerAuth({ headers, query });
 });

apps/meteor/ee/server/apps/communication/endpoints/appLogsExportHandler.ts

@@ -7,6 +7,7 @@ import { json2csv } from 'json-2-csv';
 import type { AppsRestApi } from '../rest';
 import { makeAppLogsQuery } from './lib/makeAppLogsQuery';
 import { APIClass } from '../../../../../app/api/server/ApiClass';
+import type { GenericRouteExecutionContext } from '../../../../../app/api/server/definition';
 
 const isErrorResponse = ajv.compile<{
 	success: false;
@@ -25,18 +26,18 @@ const isErrorResponse = ajv.compile<{
 });
 
 class ExportHandlerAPI extends APIClass {
-	protected override async authenticatedRoute(req: Request): Promise<IUser | null> {
-		const { rc_uid, rc_token } = parse(req.headers.get('cookie') || '');
+	protected override async authenticatedRoute(routeContext: GenericRouteExecutionContext): Promise<IUser | null> {
+		const { rc_uid, rc_token } = parse(routeContext.request.headers.get('cookie') || '');
 
 		if (rc_uid) {
-			req.headers.set('x-user-id', rc_uid);
+			routeContext.request.headers.set('x-user-id', rc_uid);
 		}
 
 		if (rc_token) {
-			req.headers.set('x-auth-token', rc_token);
+			routeContext.request.headers.set('x-auth-token', rc_token);
 		}
 
-		return super.authenticatedRoute(req);
+		return super.authenticatedRoute(routeContext);
 	}
 }
 

apps/meteor/lib/utils/isPlainObject.ts

@@ -1,3 +1,3 @@
-export function isPlainObject(value: unknown) {
+export function isPlainObject(value: unknown): value is Record<string | symbol, unknown> {
 	return value !== null && typeof value === 'object' && !Array.isArray(value);
 }