feat: set types

CasLubbers · CasLubbers · commit 496cbaa5ef0a · 2025-11-06T15:51:03.000+01:00
diff --git a/src/api/v1/apps/{teamId}.ts b/src/api/v1/apps/{teamId}.ts
@@ -11,7 +11,9 @@ const debug = Debug('otomi:api:v1:apps')
 export const getApps = (req: OpenApiRequestExt, res: Response): void => {
   const { teamId } = req.params
   const { picks } = req.query
-  res.json(req.otomi.getApps(teamId, picks as string[]))
+  // Handle comma-separated string or array
+  const picksArray = typeof picks === 'string' ? picks.split(',') : (picks as string[])
+  res.json(req.otomi.getApps(teamId, picksArray))
 }
 
 /**
diff --git a/src/api/v1/settings.ts b/src/api/v1/settings.ts
@@ -10,8 +10,10 @@ const debug = Debug('otomi:api:v1:settings')
  */
 export const getSettings = (req: OpenApiRequestExt, res: Response): void => {
   const { ids } = req.query
-  debug(`getSettings(${ids})`)
-  const v = req.otomi.getSettings(ids as string[] | undefined)
+  // Handle comma-separated string or array
+  const idsArray = ids ? (typeof ids === 'string' ? ids.split(',') : (ids as string[])) : undefined
+  debug(`getSettings(${idsArray})`)
+  const v = req.otomi.getSettings(idsArray)
   if (v?.otomi) {
     const { otomi: otomiSettings, ...restSettings } = v
     // Remove the otomi.adminPassword from otomi settings response
diff --git a/src/app.ts b/src/app.ts
@@ -212,7 +212,7 @@ export async function initApp(inOtomiStack?: OtomiStack) {
       apiSpec: path.join(__dirname, 'generated-schema.json'),
       validateRequests: {
         allowUnknownQueryParameters: false,
-        coerceTypes: true, // Equivalent to enableObjectCoercion
+        coerceTypes: 'array',
       },
       validateResponses: false, // Start with false, can enable later for debugging
       validateSecurity: {
diff --git a/src/middleware/security-handlers.ts b/src/middleware/security-handlers.ts
@@ -21,7 +21,9 @@ import { getSessionStack } from './session'
 export async function groupAuthzSecurityHandler(req: Request, scopes: string[], schema: any): Promise<boolean> {
   const extReq = req as OpenApiRequestExt
 
-  // JWT middleware already ran and set req.user if token was valid
+  // In dev mode, JWT middleware sets a mock user without requiring Authorization header
+  // In production, JWT middleware sets req.user only if valid token exists
+  // Allow requests to proceed if user was set by JWT middleware
   if (!extReq.user) {
     throw { status: 401, message: 'Unauthorized - No valid JWT token provided' }
   }
