feat(api): boxes for user endpoints (#573)

Author: scheidtdav

app/lib/jwt.ts

@@ -50,7 +50,6 @@ export const createToken = (
   invariant(typeof JWT_SECRET === "string");
 
   invariant(typeof REFRESH_TOKEN_VALIDITY_MS === "string");
-
   const payload = { role: user.role };
   const signOptions = Object.assign(
     { subject: user.email, jwtid: uuidv4() },

app/models/device.server.ts

@@ -25,6 +25,11 @@ export function getDevice({ id }: Pick<Device, 'id'>) {
 			expiresAt: true,
 		},
 		with: {
+			user: {
+				columns: {
+					id: true
+				}
+			},
 			logEntries: {
 				where: (entry, { eq }) => eq(entry.public, true),
 				columns: {

app/routes/api.ts

@@ -101,14 +101,14 @@ const routes: { noauth: RouteInfo[]; auth: RouteInfo[] } = {
       path: `users/me`,
       method: "PUT",
     },
-    // {
-    //   path: `users/me/boxes`,
-    //   method: "GET",
-    // },
-    // {
-    //   path: `users/me/boxes/:boxId`,
-    //   method: "GET",
-    // },
+    {
+      path: `users/me/boxes`,
+      method: "GET",
+    },
+    {
+      path: `users/me/boxes/:boxId`,
+      method: "GET",
+    },
     // {
     //   path: `boxes/:boxId/script`,
     //   method: "GET",

app/routes/api.users.me.boxes.$deviceId.ts

@@ -0,0 +1,80 @@
+import { type LoaderFunction, type LoaderFunctionArgs } from "react-router";
+import { getUserFromJwt } from "~/lib/jwt";
+import { getDevice } from "~/models/device.server";
+import { user } from "~/schema";
+
+export const loader: LoaderFunction = async ({
+  request,
+  params,
+}: LoaderFunctionArgs) => {
+  try {
+    const jwtResponse = await getUserFromJwt(request);
+
+    if (typeof jwtResponse === "string")
+      return Response.json(
+        {
+          code: "Forbidden",
+          message:
+            "Invalid JWT authorization. Please sign in to obtain new JWT.",
+        },
+        {
+          status: 403,
+        },
+      );
+    const user = jwtResponse;
+
+    const deviceId = params.deviceId;
+    if (deviceId === undefined)
+      return Response.json(
+        {
+          code: "Bad Request",
+          message: "Invalid device id specified",
+        },
+        {
+          status: 400,
+        },
+      );
+
+    const box = await getDevice({ id: deviceId });
+    if (box === undefined)
+      return Response.json(
+        {
+          code: "Bad Request",
+          message: "There is no such device with the given id",
+        },
+        {
+          status: 400,
+          headers: { "Content-Type": "application/json; charset=utf-8" },
+        },
+      );
+
+    if (box.user.id !== user.id)
+      return Response.json(
+        { code: "Forbidden", message: "User does not own this senseBox" },
+        {
+          status: 403,
+          headers: { "Content-Type": "application/json; charset=utf-8" },
+        },
+      );
+
+    return Response.json(
+      { code: "Ok", data: { box: box } },
+      {
+        status: 200,
+        headers: { "Content-Type": "application/json; charset=utf-8" },
+      },
+    );
+  } catch (err) {
+    console.warn(err);
+    return Response.json(
+      {
+        error: "Internal Server Error",
+        message:
+          "The server was unable to complete your request. Please try again later.",
+      },
+      {
+        status: 500,
+      },
+    );
+  }
+};

app/routes/api.users.me.boxes.ts

@@ -0,0 +1,52 @@
+import { type LoaderFunction, type LoaderFunctionArgs } from "react-router";
+import { getUserFromJwt } from "~/lib/jwt";
+import { getUserDevices } from "~/models/device.server";
+
+export const loader: LoaderFunction = async ({
+  request,
+}: LoaderFunctionArgs) => {
+  try {
+    const jwtResponse = await getUserFromJwt(request);
+
+    if (typeof jwtResponse === "string")
+      return Response.json(
+        {
+          code: "Forbidden",
+          message:
+            "Invalid JWT authorization. Please sign in to obtain new JWT.",
+        },
+        {
+          status: 403,
+        },
+      );
+
+    const userBoxes = await getUserDevices(jwtResponse.id);
+
+    return Response.json(
+      {
+        code: "Ok",
+        data: {
+          boxes: userBoxes,
+          boxes_count: userBoxes.length,
+          sharedBoxes: [],
+        },
+      },
+      {
+        status: 200,
+        headers: { "Content-Type": "application/json; charset=utf-8" },
+      },
+    );
+  } catch (err) {
+    console.warn(err);
+    return Response.json(
+      {
+        error: "Internal Server Error",
+        message:
+          "The server was unable to complete your request. Please try again later.",
+      },
+      {
+        status: 500,
+      },
+    );
+  }
+};

tests/routes/api.users.me.boxes.$deviceId.spec.ts

@@ -0,0 +1,111 @@
+import { Params, type LoaderFunctionArgs } from "react-router";
+import { BASE_URL } from "vitest.setup";
+import { createToken } from "~/lib/jwt";
+import { registerUser } from "~/lib/user-service.server";
+import { createDevice } from "~/models/device.server";
+import { deleteUserByEmail } from "~/models/user.server";
+import { loader } from "~/routes/api.users.me.boxes.$deviceId";
+import { device, type User } from "~/schema";
+
+const BOX_TEST_USER = {
+  name: "testing my individual box",
+  email: "[email protected]",
+  password: "some secure password",
+};
+const BOX_TEST_USER_BOX = {
+  name: `${BOX_TEST_USER}s Box`,
+  exposure: "outdoor",
+  expiresAt: null,
+  tags: [],
+  latitude: 0,
+  longitude: 0,
+  model: "luftdaten.info",
+  mqttEnabled: false,
+  ttnEnabled: false,
+};
+
+const OTHER_TEST_USER = {
+  name: "dont steal my box",
+  email: "[email protected]",
+  password: "some secure password",
+};
+
+// TODO Give the users some boxes to test with
+
+describe("openSenseMap API Routes: /users", () => {
+  describe("/me/boxes/:deviceId", () => {
+    describe("GET", async () => {
+      let jwt: string = "";
+      let otherJwt: string = "";
+      let deviceId: string = "";
+
+      beforeAll(async () => {
+        const user = await registerUser(
+          BOX_TEST_USER.name,
+          BOX_TEST_USER.email,
+          BOX_TEST_USER.password,
+          "en_US",
+        );
+        const { token: t } = await createToken(user as User);
+        jwt = t;
+
+        const otherUser = await registerUser(
+          OTHER_TEST_USER.name,
+          OTHER_TEST_USER.email,
+          OTHER_TEST_USER.password,
+          "en_US",
+        );
+        const { token: t2 } = await createToken(otherUser as User);
+        otherJwt = t2;
+
+        const device = await createDevice(BOX_TEST_USER_BOX, (user as User).id);
+        deviceId = device.id;
+      });
+
+      it("should let users retrieve one of their boxes with all fields", async () => {
+        // Act: Get single box
+        const singleBoxRequest = new Request(
+          `${BASE_URL}/users/me/boxes/${deviceId}`,
+          { method: "GET", headers: { Authorization: `Bearer ${jwt}` } },
+        );
+        const params: Params<string> = { deviceId: deviceId };
+        const singleBoxResponse = (await loader({
+          request: singleBoxRequest,
+          params,
+        } as LoaderFunctionArgs)) as Response;
+        await singleBoxResponse.json();
+        // Assert: Response for single box
+        expect(singleBoxResponse.status).toBe(200);
+      });
+      it("should deny to retrieve a box of other user", async () => {
+        // Arrange
+        const forbiddenRequest = new Request(
+          `${BASE_URL}/users/me/boxes/${deviceId}`,
+          {
+            headers: { Authorization: `Bearer ${otherJwt}` },
+          },
+        );
+        const params: Params<string> = { deviceId: deviceId };
+
+        // Act: Try to get the original users box with the other user's JWT
+        const forbiddenResponse = (await loader({
+          request: forbiddenRequest,
+          params,
+        } as LoaderFunctionArgs)) as Response;
+        const forbiddenBody = await forbiddenResponse.json();
+        // Assert: Forbidden response
+        expect(forbiddenResponse.status).toBe(403);
+        expect(forbiddenBody).toEqual({
+          code: "Forbidden",
+          message: "User does not own this senseBox",
+        });
+      });
+
+      afterAll(async () => {
+        // delete the valid test user
+        await deleteUserByEmail(BOX_TEST_USER.email);
+        await deleteUserByEmail(OTHER_TEST_USER.email);
+      });
+    });
+  });
+});

tests/routes/api.users.me.boxes.spec.ts

@@ -0,0 +1,75 @@
+import { type LoaderFunctionArgs } from "react-router";
+import { BASE_URL } from "vitest.setup";
+import { createToken } from "~/lib/jwt";
+import { registerUser } from "~/lib/user-service.server";
+import { createDevice, deleteDevice } from "~/models/device.server";
+import { deleteUserByEmail } from "~/models/user.server";
+import { loader } from "~/routes/api.users.me.boxes";
+import { type User } from "~/schema";
+
+const BOXES_TEST_USER = {
+  name: "testing all my boxes",
+  email: "[email protected]",
+  password: "some secure password",
+};
+const TEST_BOX = {
+  name: `'${BOXES_TEST_USER.name}'s Box`,
+  exposure: "outdoor",
+  expiresAt: null,
+  tags: [],
+  latitude: 0,
+  longitude: 0,
+  model: "luftdaten.info",
+  mqttEnabled: false,
+  ttnEnabled: false,
+};
+
+describe("openSenseMap API Routes: /users", () => {
+  let jwt: string = "";
+  let deviceId = "";
+
+  describe("/me/boxes", () => {
+    describe("GET", async () => {
+      beforeAll(async () => {
+        const user = await registerUser(
+          BOXES_TEST_USER.name,
+          BOXES_TEST_USER.email,
+          BOXES_TEST_USER.password,
+          "en_US",
+        );
+        const { token } = await createToken(user as User);
+        jwt = token;
+        const device = await createDevice(TEST_BOX, (user as User).id);
+        deviceId = device.id;
+      });
+      it("should let users retrieve their boxes and sharedBoxes with all fields", async () => {
+        // Arrange
+        const request = new Request(`${BASE_URL}/users/me/boxes`, {
+          method: "GET",
+          headers: { Authorization: `Bearer ${jwt}` },
+        });
+
+        // Act
+        const response = (await loader({
+          request,
+        } as LoaderFunctionArgs)) as Response;
+        const body = await response?.json();
+
+        // Assert
+        expect(response.status).toBe(200);
+        expect(body.data.boxes[0].integrations.mqtt).toEqual({
+          enabled: false,
+        });
+        expect(body.data.sharedBoxes[0].integrations.mqtt).toEqual({
+          enabled: false,
+        });
+      });
+
+      afterAll(async () => {
+        // delete the valid test user
+        await deleteUserByEmail(BOXES_TEST_USER.email);
+        await deleteDevice({ id: deviceId });
+      });
+    });
+  });
+});