SIMSBIOHUB-894: Bug fix to clear invalid cached carts (#349)

* clear invalid cached carts

add record_end_date & tighten middleware

linter

add 404 test

improve tests

skip redundant get request on cart creation with features

only clear on 401 403 404

fix pagination

* promise all

* clean up

Author: mauberti-bc

api/src/models/cart.ts

@@ -22,7 +22,8 @@ export type CartSubmissionFeature = z.infer<typeof CartSubmissionFeature>;
 export const Cart = z.object({
   cart_id: z.string(),
   system_user_id: z.number().nullable(),
-  cart_status: z.nativeEnum(CartStatus)
+  cart_status: z.nativeEnum(CartStatus),
+  record_end_date: z.string().nullable()
 });
 
 export type Cart = z.infer<typeof Cart>;

api/src/openapi/schemas/cart.ts

@@ -59,15 +59,16 @@ export const GetCartSubmissionFeaturesSchema: OpenAPIV3.SchemaObject = {
 
 export const GetCartSchema: OpenAPIV3.SchemaObject = {
   type: 'object',
-  required: ['cart_id', 'system_user_id', 'cart_status'],
+  required: ['cart_id', 'system_user_id', 'cart_status', 'record_end_date'],
   additionalProperties: false,
   properties: {
     cart_id: { type: 'string', format: 'uuid' },
     system_user_id: { type: 'integer', nullable: true },
     cart_status: {
       type: 'string',
       enum: ['active', 'checked_out', 'expired', 'abandoned']
-    }
+    },
+    record_end_date: { type: 'string', nullable: true }
   }
 };
 

api/src/paths/cart/index.test.ts

@@ -51,7 +51,8 @@ describe('cart', () => {
         cart: {
           cart_id: '1111-2222-3333-4444',
           system_user_id: 1,
-          cart_status: CartStatus.ACTIVE
+          cart_status: CartStatus.ACTIVE,
+          record_end_date: null
         },
         features: [],
         pagination: {
@@ -90,7 +91,8 @@ describe('cart', () => {
         cart: {
           cart_id: '1111-2222-3333-4444',
           system_user_id: null,
-          cart_status: CartStatus.ACTIVE
+          cart_status: CartStatus.ACTIVE,
+          record_end_date: null
         },
         features: [],
         pagination: {

api/src/paths/cart/{cartId}/index.test.ts

@@ -54,7 +54,8 @@ describe('cart/{cartId}', () => {
       const fakeCart = {
         cart_id: 'cart-123',
         system_user_id: null,
-        cart_status: CartStatus.ACTIVE
+        cart_status: CartStatus.ACTIVE,
+        record_end_date: null
       };
 
       const fakePaginatedResponse = {
@@ -112,7 +113,8 @@ describe('cart/{cartId}', () => {
       const fakeCart = {
         cart_id: 'cart-123',
         system_user_id: null,
-        cart_status: CartStatus.ACTIVE
+        cart_status: CartStatus.ACTIVE,
+        record_end_date: null
       };
 
       const fakePaginatedResponse = {
@@ -161,7 +163,8 @@ describe('cart/{cartId}', () => {
       const fakeCart = {
         cart_id: 'cart-123',
         system_user_id: null,
-        cart_status: CartStatus.ACTIVE
+        cart_status: CartStatus.ACTIVE,
+        record_end_date: null
       };
 
       const fakePaginatedResponse = {
@@ -177,7 +180,7 @@ describe('cart/{cartId}', () => {
       };
 
       sinon.stub(CartService.prototype, 'getCartById').resolves(fakeCart);
-      sinon
+      const getPaginatedCartFeaturesResponseStub = sinon
         .stub(CartSubmissionFeatureService.prototype, 'getPaginatedCartFeaturesResponse')
         .resolves(fakePaginatedResponse);
 
@@ -189,9 +192,12 @@ describe('cart/{cartId}', () => {
 
       await requestHandler(mockReq, mockRes, mockNext);
 
-      // Check that default pagination is set in request
-      expect(mockReq.query.limit).to.equal('25');
-      expect(mockReq.query.page).to.equal('1');
+      expect(getPaginatedCartFeaturesResponseStub).to.have.been.calledOnceWith('cart-123', {
+        page: 1,
+        limit: 25,
+        sort: undefined,
+        order: undefined
+      });
       expect(mockDBConnection.commit).to.have.been.calledOnce;
       expect(mockDBConnection.release).to.have.been.calledOnce;
       expect(mockRes.statusValue).to.equal(200);
@@ -233,7 +239,8 @@ describe('cart/{cartId}', () => {
       const fakeCart = {
         cart_id: 'cart-123',
         system_user_id: null,
-        cart_status: CartStatus.ACTIVE
+        cart_status: CartStatus.ACTIVE,
+        record_end_date: null
       };
 
       sinon.stub(CartService.prototype, 'getCartById').resolves(fakeCart);
@@ -265,7 +272,7 @@ describe('cart/{cartId}', () => {
       });
       sinon.stub(db, 'getAPIUserDBConnection').returns(mockDBConnection);
       sinon.stub(CartService.prototype, 'getCartById').rejects(new Error('Cart not found'));
-      const featureStub = sinon.stub(CartSubmissionFeatureService.prototype, 'getPaginatedCartFeaturesResponse');
+      sinon.stub(CartSubmissionFeatureService.prototype, 'getPaginatedCartFeaturesResponse');
 
       const requestHandler = getCartWithFeaturesById();
       const { mockReq, mockRes, mockNext } = getRequestHandlerMocks();
@@ -278,7 +285,6 @@ describe('cart/{cartId}', () => {
         expect.fail('Expected handler to throw');
       } catch (error) {
         expect((error as ApiError).message).to.equal('Cart not found');
-        expect(featureStub).to.not.have.been.called;
         expect(mockDBConnection.rollback).to.have.been.calledOnce;
         expect(mockDBConnection.release).to.have.been.calledOnce;
       }

api/src/paths/cart/{cartId}/index.ts

@@ -117,19 +117,16 @@ export function getCartWithFeaturesById(): RequestHandler {
       const cartService = new CartService(connection);
       const cartSubmissionFeatureService = new CartSubmissionFeatureService(connection);
 
-      // Return first 25 features from page 1 if pagination not specified
-      req.query.limit = req.query.limit || '25';
-      req.query.page = req.query.page || '1';
-
       const pagination = makePaginationOptionsFromRequest(req);
 
-      const cart = await cartService.getCartById(cartId);
-
-      const paginatedFeatures = await cartSubmissionFeatureService.getPaginatedCartFeaturesResponse(cartId, pagination);
+      const [cart, paginatedFeatures] = await Promise.all([
+        cartService.getCartById(cartId),
+        cartSubmissionFeatureService.getPaginatedCartFeaturesResponse(cartId, pagination)
+      ]);
 
       await connection.commit();
 
-      res.status(200).json({
+      return res.status(200).json({
         ...paginatedFeatures,
         cart
       });

api/src/repositories/cart-repository.test.ts

@@ -19,7 +19,8 @@ describe('CartRepository', () => {
       const mockCart: Cart = {
         cart_id: 'cart-1',
         cart_status: CartStatus.ACTIVE,
-        system_user_id: 1
+        system_user_id: 1,
+        record_end_date: null
       };
 
       const mockQueryResponse = {
@@ -65,7 +66,8 @@ describe('CartRepository', () => {
       const mockCart: Cart = {
         cart_id: 'cart-1',
         cart_status: CartStatus.ABANDONED,
-        system_user_id: 1
+        system_user_id: 1,
+        record_end_date: null
       };
 
       const mockQueryResponse = {
@@ -107,7 +109,8 @@ describe('CartRepository', () => {
       const mockCart: Cart = {
         cart_id: 'cart-1',
         cart_status: CartStatus.ACTIVE,
-        system_user_id: 1
+        system_user_id: 1,
+        record_end_date: null
       };
 
       const mockQueryResponse = {

api/src/repositories/cart-repository.ts

@@ -20,7 +20,9 @@ export class CartRepository extends BaseRepository {
    */
   async findCartById(cartId: string): Promise<Cart | null> {
     const knex = getKnex();
-    const query = knex('cart').where('cart_id', cartId).select('cart_id', 'cart_status', 'system_user_id');
+    const query = knex('cart')
+      .where('cart_id', cartId)
+      .select('cart_id', 'cart_status', 'system_user_id', 'record_end_date');
 
     const response = await this.connection.knex(query, Cart);
 
@@ -36,7 +38,9 @@ export class CartRepository extends BaseRepository {
    */
   async getCartById(cartId: string): Promise<Cart> {
     const knex = getKnex();
-    const query = knex('cart').where('cart_id', cartId).select('cart_id', 'cart_status', 'system_user_id');
+    const query = knex('cart')
+      .where('cart_id', cartId)
+      .select('cart_id', 'cart_status', 'system_user_id', 'record_end_date');
 
     const response = await this.connection.knex(query, Cart);
 
@@ -68,7 +72,7 @@ export class CartRepository extends BaseRepository {
         system_user_id: systemUserId,
         cart_status: CartStatus.ACTIVE
       })
-      .returning(['cart_id', 'cart_status', 'system_user_id']);
+      .returning(['cart_id', 'cart_status', 'system_user_id', 'record_end_date']);
 
     const response = await this.connection.knex(query, Cart);
 

api/src/services/authorization/authorization-service.test.ts

@@ -541,7 +541,8 @@ describe('authorizeByCart', function () {
   const fakeCart: Cart = {
     cart_id: 'cart-1',
     cart_status: CartStatus.ACTIVE,
-    system_user_id: 1
+    system_user_id: 1,
+    record_end_date: null
   };
 
   const systemUser: SystemUser = {
@@ -569,7 +570,8 @@ describe('authorizeByCart', function () {
     const fakeCart: Cart = {
       cart_id: 'cart-1',
       system_user_id: 1,
-      cart_status: CartStatus.ACTIVE
+      cart_status: CartStatus.ACTIVE,
+      record_end_date: null
     };
 
     sinon.stub(CartService.prototype, 'findCartById').resolves(fakeCart);
@@ -592,7 +594,8 @@ describe('authorizeByCart', function () {
     const fakeCartWithDifferentOwner: Cart = {
       cart_id: 'cart-1',
       cart_status: CartStatus.ACTIVE,
-      system_user_id: 2
+      system_user_id: 2,
+      record_end_date: null
     };
     sinon.stub(CartService.prototype, 'findCartById').resolves(fakeCartWithDifferentOwner);
     sinon.stub(AuthorizationService.prototype, 'getCachedSystemUser').resolves(systemUser);
@@ -612,7 +615,8 @@ describe('authorizeByCart', function () {
     const fakeUnauthenticatedCart: Cart = {
       cart_id: 'cart-1',
       cart_status: CartStatus.ACTIVE,
-      system_user_id: null // No system_user_id, indicating it's unauthenticated
+      system_user_id: null, // No system_user_id, indicating it's unauthenticated
+      record_end_date: null
     };
     sinon.stub(CartService.prototype, 'findCartById').resolves(fakeUnauthenticatedCart);
     sinon.stub(AuthorizationService.prototype, 'getCachedSystemUser').resolves(systemUser);
@@ -656,6 +660,108 @@ describe('authorizeByCart', function () {
 
     expect(result).to.be.false;
   });
+
+  it('returns false if cart is checked out', async function () {
+    const mockDBConnection = getMockDBConnection();
+    sinon.stub(CartService.prototype, 'findCartById').resolves({
+      cart_id: 'cart-1',
+      cart_status: CartStatus.CHECKED_OUT,
+      system_user_id: 1,
+      record_end_date: null
+    });
+    sinon.stub(AuthorizationService.prototype, 'getCachedSystemUser').resolves(systemUser);
+
+    const authorizationService = new AuthorizationService(mockDBConnection);
+
+    const result = await authorizationService.authorizeByCart({
+      discriminator: 'Cart',
+      cartId: 'cart-1'
+    });
+
+    expect(result).to.be.false;
+  });
+
+  it('returns false if cart is expired', async function () {
+    const mockDBConnection = getMockDBConnection();
+    sinon.stub(CartService.prototype, 'findCartById').resolves({
+      cart_id: 'cart-1',
+      cart_status: CartStatus.EXPIRED,
+      system_user_id: 1,
+      record_end_date: null
+    });
+    sinon.stub(AuthorizationService.prototype, 'getCachedSystemUser').resolves(systemUser);
+
+    const authorizationService = new AuthorizationService(mockDBConnection);
+
+    const result = await authorizationService.authorizeByCart({
+      discriminator: 'Cart',
+      cartId: 'cart-1'
+    });
+
+    expect(result).to.be.false;
+  });
+
+  it('returns false if cart is abandoned', async function () {
+    const mockDBConnection = getMockDBConnection();
+    sinon.stub(CartService.prototype, 'findCartById').resolves({
+      cart_id: 'cart-1',
+      cart_status: CartStatus.ABANDONED,
+      system_user_id: 1,
+      record_end_date: null
+    });
+    sinon.stub(AuthorizationService.prototype, 'getCachedSystemUser').resolves(systemUser);
+
+    const authorizationService = new AuthorizationService(mockDBConnection);
+
+    const result = await authorizationService.authorizeByCart({
+      discriminator: 'Cart',
+      cartId: 'cart-1'
+    });
+
+    expect(result).to.be.false;
+  });
+
+  it('returns false if cart record_end_date is in the past', async function () {
+    const mockDBConnection = getMockDBConnection();
+    sinon.stub(CartService.prototype, 'findCartById').resolves({
+      cart_id: 'cart-1',
+      cart_status: CartStatus.ACTIVE,
+      system_user_id: 1,
+      record_end_date: '2000-01-01T00:00:00.000Z'
+    });
+    sinon.stub(AuthorizationService.prototype, 'getCachedSystemUser').resolves(systemUser);
+
+    const authorizationService = new AuthorizationService(mockDBConnection);
+
+    const result = await authorizationService.authorizeByCart({
+      discriminator: 'Cart',
+      cartId: 'cart-1'
+    });
+
+    expect(result).to.be.false;
+  });
+
+  it('returns true if cart record_end_date is in the future and user owns the cart', async function () {
+    const mockDBConnection = getMockDBConnection();
+    sinon.stub(CartService.prototype, 'findCartById').resolves({
+      cart_id: 'cart-1',
+      cart_status: CartStatus.ACTIVE,
+      system_user_id: 1,
+      record_end_date: '2999-01-01T00:00:00.000Z'
+    });
+
+    const systemUser = { system_user_id: 1 } as SystemUserExtended;
+    sinon.stub(AuthorizationService.prototype, 'getCachedSystemUser').resolves(systemUser);
+
+    const authorizationService = new AuthorizationService(mockDBConnection);
+
+    const result = await authorizationService.authorizeByCart({
+      discriminator: 'Cart',
+      cartId: 'cart-1'
+    });
+
+    expect(result).to.be.true;
+  });
 });
 
 describe('hasAtLeastOneValidValue', () => {

api/src/services/authorization/authorization-service.ts

@@ -1,3 +1,4 @@
+import dayjs from 'dayjs';
 import { SYSTEM_ROLE } from '../../constants/roles';
 import { IDBConnection } from '../../database/db';
 import { SystemUser, SystemUserExtended } from '../../repositories/user-repository';
@@ -260,6 +261,18 @@ export class AuthorizationService extends DBService {
       return false;
     }
 
+    // Only active carts are accessible
+    if (cart.cart_status !== 'active') {
+      return false;
+    }
+
+    // Deny access to carts whose validity window has ended
+    const recordEndDate = cart.record_end_date ? dayjs(cart.record_end_date) : null;
+    const cartValidityEnded = recordEndDate !== null && (!recordEndDate.isValid() || !recordEndDate.isAfter(dayjs()));
+    if (cartValidityEnded) {
+      return false;
+    }
+
     // Ensure we have the current system user
     const currentUser = await this.getCachedSystemUser();