feat(accounts): AccessDeniedException

Signed-off-by: Lexus Drumgold <[email protected]>

Author: unicornware

src/__snapshots__/app.e2e.snap

@@ -94,6 +94,15 @@ exports[`e2e:app > GET / > should respond with api documentation (json) 1`] = `
               }
             }
           },
+          "403": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/AccessDeniedException"
+                }
+              }
+            }
+          },
           "404": {
             "content": {
               "application/json": {
@@ -182,6 +191,38 @@ exports[`e2e:app > GET / > should respond with api documentation (json) 1`] = `
       }
     },
     "schemas": {
+      "AccessDeniedException": {
+        "type": "object",
+        "properties": {
+          "code": {
+            "type": "number",
+            "description": "http response status code",
+            "enum": [
+              403
+            ]
+          },
+          "id": {
+            "type": "string",
+            "description": "unique id representing the exception",
+            "enum": [
+              "accounts/access-denied"
+            ]
+          },
+          "message": {
+            "type": "string",
+            "description": "human-readable description of the exception"
+          },
+          "reason": {
+            "type": "null"
+          }
+        },
+        "required": [
+          "code",
+          "id",
+          "message",
+          "reason"
+        ]
+      },
       "AccountCreatedPayload": {
         "type": "object",
         "properties": {

src/errors/enums/exception-id.mts

@@ -9,6 +9,7 @@
  * @enum {Lowercase<string>}
  */
 enum ExceptionId {
+  ACCESS_DENIED = 'accounts/access-denied',
   EMAIL_CONFLICT = 'accounts/email-conflict',
   INTERNAL_SERVER_ERROR = 'sneusers/internal-error',
   INVALID_CREDENTIAL = 'accounts/invalid-credential',

src/errors/models/validation.exception.mts

@@ -33,7 +33,7 @@ class ValidationException extends Exception {
    *
    * @public
    * @instance
-   * @member {ExceptionId.VALIDATION_FAILURE} code
+   * @member {ExceptionId.VALIDATION_FAILURE} id
    */
   @ApiProperty({ enum: [ExceptionId.VALIDATION_FAILURE] })
   declare public id: (typeof ExceptionId)['VALIDATION_FAILURE']

src/subdomains/accounts/__tests__/accounts.module.e2e.spec.mts

@@ -301,24 +301,25 @@ describe('e2e:accounts/AccountsModule', () => {
     })
 
     describe('401 (UNAUTHORIZED)', () => {
-      let account1: Account
-      let account2: Account
+      let account: Account
 
       afterAll(async () => {
         await seeder.down()
       })
 
       beforeAll(async () => {
-        await seeder.up(2)
-        account1 = new Account(seeder.seeds[0]!)
-        account2 = new Account(seeder.seeds[1]!)
+        await seeder.up(1)
+        account = new Account(seeder.seeds[0]!)
       })
 
-      it('authentication failure (no auth token)', async () => {
+      it('authentication failure (invalid token)', async () => {
         // Arrange
         const request: InjectOptions = {
+          headers: {
+            authorization: `bearer ${faker.internet.jwt()}`
+          },
           method,
-          url: routes.ACCOUNTS + routes.APP + account1.uid
+          url: routes.ACCOUNTS + routes.APP + account.uid
         }
 
         // Act
@@ -334,14 +335,11 @@ describe('e2e:accounts/AccountsModule', () => {
         expect(payload).to.have.property('reason', null)
       })
 
-      it('authentication failure (token mismatch)', async () => {
+      it('authentication failure (missing token)', async () => {
         // Arrange
         const request: InjectOptions = {
-          headers: {
-            authorization: `bearer ${await auth.accessToken(account1)}`
-          },
           method,
-          url: routes.ACCOUNTS + routes.APP + account2.uid
+          url: routes.ACCOUNTS + routes.APP + account.uid
         }
 
         // Act
@@ -358,6 +356,43 @@ describe('e2e:accounts/AccountsModule', () => {
       })
     })
 
+    describe('403 (FORBIDDEN)', () => {
+      let account1: Account
+      let account2: Account
+      let result: Response
+
+      afterAll(async () => {
+        await seeder.down()
+      })
+
+      beforeAll(async () => {
+        await seeder.up(2)
+        account1 = new Account(seeder.seeds[0]!)
+        account2 = new Account(seeder.seeds[1]!)
+
+        result = await app.inject({
+          headers: {
+            authorization: `bearer ${await auth.accessToken(account2)}`
+          },
+          method,
+          url: routes.ACCOUNTS + routes.APP + account1.uid
+        })
+      })
+
+      it('authentication failure (uid mismatch)', async () => {
+        // Act
+        const payload = result.json()
+
+        // Expect
+        expect(result).to.be.json.with.status(HttpStatus.FORBIDDEN)
+        expect(payload).to.have.keys(ERROR_PAYLOAD_KEYS)
+        expect(payload).to.have.property('code', HttpStatus.FORBIDDEN)
+        expect(payload).to.have.property('id', ExceptionId.ACCESS_DENIED)
+        expect(payload).to.have.property('message').be.a('string').and.not.empty
+        expect(payload).to.have.property('reason', null)
+      })
+    })
+
     describe('404 (NOT FOUND)', () => {
       let account: Account
       let url: string
@@ -367,9 +402,14 @@ describe('e2e:accounts/AccountsModule', () => {
         url = routes.ACCOUNTS + routes.APP + account.uid
       })
 
-      it('fail on missing account (no auth token)', async () => {
+      it('fail on missing account (authenticated)', async () => {
+        // Arrange
+        const headers: IncomingHttpHeaders = {
+          authorization: `bearer ${await auth.accessToken(account)}`
+        }
+
         // Act
-        const result = await app.inject({ method, url })
+        const result = await app.inject({ headers, method, url })
         const payload = result.json()
 
         // Expect
@@ -382,14 +422,9 @@ describe('e2e:accounts/AccountsModule', () => {
         expect(payload).to.have.nested.property('reason.uid', account.uid)
       })
 
-      it('fail on missing account (with auth token)', async () => {
-        // Arrange
-        const headers: IncomingHttpHeaders = {
-          authorization: `bearer ${await auth.accessToken(account)}`
-        }
-
+      it('fail on missing account (unauthenticated)', async () => {
         // Act
-        const result = await app.inject({ headers, method, url })
+        const result = await app.inject({ method, url })
         const payload = result.json()
 
         // Expect

src/subdomains/accounts/controllers/accounts.controller.mts

@@ -21,6 +21,7 @@ import UnhandledExceptionFilter from '#filters/unhandled.filter'
 import TransformPipe from '#pipes/transform.pipe'
 import type { Account } from '@flex-development/sneusers/accounts'
 import {
+  AccessDeniedException,
   EmailConflictException,
   InvalidCredentialException,
   MissingAccountException
@@ -49,6 +50,7 @@ import {
   ApiBearerAuth,
   ApiConflictResponse,
   ApiCreatedResponse,
+  ApiForbiddenResponse,
   ApiHeader,
   ApiInternalServerErrorResponse,
   ApiNoContentResponse,
@@ -140,6 +142,7 @@ class AccountsController {
   @ApiBearerAuth(AuthStrategy.JWT)
   @ApiNoContentResponse()
   @ApiUnauthorizedResponse({ type: InvalidCredentialException })
+  @ApiForbiddenResponse({ type: AccessDeniedException })
   @ApiNotFoundResponse({ type: MissingAccountException })
   public async delete(@Param() params: DeleteAccountCommand): Promise<null> {
     ok(params instanceof DeleteAccountCommand, 'expected a command')

src/subdomains/accounts/errors/__tests__/access-denied.exception.spec.mts

@@ -0,0 +1,51 @@
+/**
+ * @file Unit Tests - AccessDeniedException
+ * @module sneusers/accounts/errors/tests/unit/AccessDeniedException
+ */
+
+import TestSubject from '#accounts/errors/access-denied.exception'
+import ExceptionCode from '#errors/enums/exception-code'
+import ExceptionId from '#errors/enums/exception-id'
+import Exception from '#errors/models/base.exception'
+
+describe('unit:accounts/errors/AccessDeniedException', () => {
+  describe('constructor', () => {
+    let subject: TestSubject
+
+    beforeAll(() => {
+      subject = new TestSubject()
+    })
+
+    it('should be instanceof Exception', () => {
+      expect(subject).to.be.instanceof(Exception)
+    })
+
+    it('should set #cause', () => {
+      expect(subject).to.have.property('cause', null)
+    })
+
+    it('should set #code', () => {
+      expect(subject).to.have.property('code', ExceptionCode.FORBIDDEN)
+    })
+
+    it('should set #id', () => {
+      expect(subject).to.have.property('id', ExceptionId.ACCESS_DENIED)
+    })
+
+    it('should set #message', () => {
+      expect(subject).to.have.property('message', 'Access denied')
+    })
+
+    it('should set #name', () => {
+      expect(subject).to.have.property('name', TestSubject.name)
+    })
+
+    it('should set #reason', () => {
+      expect(subject).to.have.property('reason', null)
+    })
+
+    it('should set #stack', () => {
+      expect(subject).to.have.property('stack').be.a('string').that.is.not.empty
+    })
+  })
+})

src/subdomains/accounts/errors/access-denied.exception.mts

@@ -0,0 +1,66 @@
+/**
+ * @file Errors - AccessDeniedException
+ * @module sneusers/accounts/errors/AccessDeniedException
+ */
+
+import {
+  Exception,
+  ExceptionCode,
+  ExceptionId
+} from '@flex-development/sneusers/errors'
+import { ApiProperty, ApiSchema } from '@nestjs/swagger'
+
+/**
+ * An access denied exception.
+ *
+ * @class
+ * @extends {Exception}
+ */
+@ApiSchema()
+class AccessDeniedException extends Exception {
+  /**
+   * HTTP response status code.
+   *
+   * @public
+   * @instance
+   * @member {ExceptionCode.FORBIDDEN} code
+   */
+  @ApiProperty({ enum: [ExceptionCode.FORBIDDEN] })
+  declare public code: (typeof ExceptionCode)['FORBIDDEN']
+
+  /**
+   * Unique id representing the exception.
+   *
+   * @public
+   * @instance
+   * @member {ExceptionId.ACCESS_DENIED} id
+   */
+  @ApiProperty({ enum: [ExceptionId.ACCESS_DENIED] })
+  declare public id: (typeof ExceptionId)['ACCESS_DENIED']
+
+  /**
+   * The reason for the exception.
+   *
+   * @public
+   * @instance
+   * @member {null} reason
+   */
+  @ApiProperty({ type: 'null' })
+  declare public reason: null
+
+  /**
+   * Create a new access denied exception.
+   */
+  constructor() {
+    super({
+      code: ExceptionCode.FORBIDDEN,
+      id: ExceptionId.ACCESS_DENIED,
+      message: 'Access denied',
+      reason: null
+    })
+
+    this.name = 'AccessDeniedException'
+  }
+}
+
+export default AccessDeniedException

src/subdomains/accounts/errors/email-conflict.exception.mts

@@ -34,7 +34,7 @@ class EmailConflictException extends Exception {
    *
    * @public
    * @instance
-   * @member {ExceptionId.EMAIL_CONFLICT} code
+   * @member {ExceptionId.EMAIL_CONFLICT} id
    */
   @ApiProperty({ enum: [ExceptionId.EMAIL_CONFLICT] })
   declare public id: (typeof ExceptionId)['EMAIL_CONFLICT']

src/subdomains/accounts/errors/index.mts

@@ -3,6 +3,9 @@
  * @module sneusers/accounts/errors
  */
 
+export {
+  default as AccessDeniedException
+} from '#accounts/errors/access-denied.exception'
 export {
   default as EmailConflictException
 } from '#accounts/errors/email-conflict.exception'

src/subdomains/accounts/errors/invalid-credential.exception.mts

@@ -33,7 +33,7 @@ class InvalidCredentialException extends Exception {
    *
    * @public
    * @instance
-   * @member {ExceptionId.INVALID_CREDENTIAL} code
+   * @member {ExceptionId.INVALID_CREDENTIAL} id
    */
   @ApiProperty({ enum: [ExceptionId.INVALID_CREDENTIAL] })
   declare public id: (typeof ExceptionId)['INVALID_CREDENTIAL']