Merge pull request #254 from CodeForPhilly/secure-eligibilitycheck-endpoints

chore: Updated security and organization of endpoints in EligibilityCheckResource.java

Author: Michael-Dratch

builder-api/src/main/java/org/acme/controller/EligibilityCheckResource.java

@@ -20,6 +20,24 @@ public class EligibilityCheck {
     private String evaluationUrl;
     private Boolean isArchived;
 
+    public EligibilityCheck() {
+    }
+
+    public EligibilityCheck(
+        String name,
+        String module,
+        String description,
+        List<ParameterDefinition> parameterDefinitions,
+        String ownerId
+    ) {
+        this.name = name;
+        this.module = module;
+        this.description = description;
+        this.parameterDefinitions = parameterDefinitions;
+        this.ownerId = ownerId;
+        this.version = "1.0.0";
+    }
+
     public String getId() {
         return this.id;
     }

builder-api/src/main/java/org/acme/model/domain/EligibilityCheck.java

@@ -1,6 +1,5 @@
 package org.acme.model.dto;
 
 public class CheckDmnRequest {
-    public String id;
     public String dmnModel;
 }

builder-api/src/main/java/org/acme/model/dto/CheckDmnRequest.java

@@ -0,0 +1,11 @@
+package org.acme.model.dto;
+
+import org.acme.model.domain.ParameterDefinition;
+import java.util.List;
+
+public class CreateCheckRequest {
+    public String name;
+    public String module;
+    public String description;
+    public List<ParameterDefinition> parameterDefinitions;
+}

builder-api/src/main/java/org/acme/model/dto/CreateCheckRequest.java

@@ -0,0 +1,9 @@
+package org.acme.model.dto;
+
+import org.acme.model.domain.ParameterDefinition;
+import java.util.List;
+
+public class UpdateCheckRequest {
+    public String description;
+    public List<ParameterDefinition> parameterDefinitions;
+}

builder-api/src/main/java/org/acme/model/dto/UpdateCheckRequest.java

@@ -1,6 +1,6 @@
 quarkus.http.cors.enabled=true
 quarkus.http.cors.origins=*
-quarkus.http.cors.methods=GET,POST,PUT,DELETE
+quarkus.http.cors.methods=GET,POST,PUT,PATCH,DELETE
 quarkus.http.cors.headers=Authorization,Content-Type
 
 quarkus.datasource.db-kind=sqlite

builder-api/src/main/resources/application.properties

@@ -1,6 +1,6 @@
 import { authFetch } from "@/api/auth";
 
-import type { EligibilityCheck, OptionalBoolean } from "@/types";
+import type { EligibilityCheck, OptionalBoolean, CreateCheckRequest, UpdateCheckRequest } from "@/types";
 
 const apiUrl = import.meta.env.VITE_API_URL;
 
@@ -54,7 +54,7 @@ export const fetchCheck = async (
   }
 };
 
-export const addCheck = async (check: EligibilityCheck) => {
+export const addCheck = async (check: CreateCheckRequest): Promise<EligibilityCheck> => {
   const url = apiUrl + "/custom-checks";
   try {
     const response = await authFetch(url, {
@@ -63,7 +63,12 @@ export const addCheck = async (check: EligibilityCheck) => {
         "Content-Type": "application/json",
         Accept: "application/json",
       },
-      body: JSON.stringify(check),
+      body: JSON.stringify({
+        name: check.name,
+        module: check.module,
+        description: check.description,
+        parameterDefinitions: check.parameterDefinitions,
+      }),
     });
 
     if (!response.ok) {
@@ -77,16 +82,21 @@ export const addCheck = async (check: EligibilityCheck) => {
   }
 };
 
-export const updateCheck = async (check: EligibilityCheck) => {
-  const url = apiUrl + "/custom-checks";
+export const updateCheck = async (checkId: string, updates: UpdateCheckRequest): Promise<EligibilityCheck> => {
+  const url = apiUrl + `/custom-checks/${checkId}`;
   try {
+    // Build request body with only non-undefined fields (partial update)
+    const body: UpdateCheckRequest = {};
+    if (updates.description !== undefined) body.description = updates.description;
+    if (updates.parameterDefinitions !== undefined) body.parameterDefinitions = updates.parameterDefinitions;
+
     const response = await authFetch(url, {
-      method: "PUT",
+      method: "PATCH",
       headers: {
         "Content-Type": "application/json",
         Accept: "application/json",
       },
-      body: JSON.stringify(check),
+      body: JSON.stringify(body),
     });
 
     if (!response.ok) {
@@ -101,15 +111,15 @@ export const updateCheck = async (check: EligibilityCheck) => {
 };
 
 export const saveCheckDmn = async (checkId: string, dmnModel: string) => {
-  const url = apiUrl + "/save-check-dmn";
+  const url = apiUrl + `/custom-checks/${checkId}/dmn`;
   try {
     const response = await authFetch(url, {
-      method: "POST",
+      method: "PUT",
       headers: {
         "Content-Type": "application/json",
         Accept: "application/json",
       },
-      body: JSON.stringify({ id: checkId, dmnModel: dmnModel }),
+      body: JSON.stringify({ dmnModel: dmnModel }),
     });
 
     if (!response.ok) {
@@ -125,15 +135,15 @@ export const validateCheckDmn = async (
   checkId: string,
   dmnModel: string
 ): Promise<string[]> => {
-  const url = apiUrl + "/validate-check-dmn";
+  const url = apiUrl + `/custom-checks/${checkId}/dmn/validate`;
   try {
     const response = await authFetch(url, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
         Accept: "application/json",
       },
-      body: JSON.stringify({ id: checkId, dmnModel: dmnModel }),
+      body: JSON.stringify({ dmnModel: dmnModel }),
     });
 
     if (!response.ok) {
@@ -143,7 +153,7 @@ export const validateCheckDmn = async (
     const data = await response.json();
     return data.errors;
   } catch (error) {
-    console.error("Error validation DMN for check:", error);
+    console.error("Error validating DMN for check:", error);
     throw error; // rethrow so you can handle it in your component if needed
   }
 };
@@ -203,7 +213,7 @@ export const evaluateWorkingCheck = async (
 export const getRelatedPublishedChecks = async (
   checkId: string
 ): Promise<EligibilityCheck[]> => {
-  const url = apiUrl + `/custom-checks/${checkId}/published-check-versions`;
+  const url = apiUrl + `/custom-checks/${checkId}/versions`;
   try {
     const response = await authFetch(url, {
       method: "GET",
@@ -226,7 +236,7 @@ export const getRelatedPublishedChecks = async (
 export const publishCheck = async (
   checkId: string
 ): Promise<OptionalBoolean> => {
-  const url = apiUrl + `/publish-check/${checkId}`;
+  const url = apiUrl + `/custom-checks/${checkId}/publish`;
   try {
     const response = await authFetch(url, {
       method: "POST",

builder-frontend/src/api/check.ts

@@ -68,16 +68,15 @@ const eligibilityCheckDetailResource = (
   });
 
   const addParameter = async (parameterDef: ParameterDefinition) => {
-    const updatedCheck: EligibilityCheckDetail = {
-      ...eligibilityCheck,
-      parameterDefinitions: [
-        ...(eligibilityCheck.parameterDefinitions || []),
-        parameterDef,
-      ],
-    };
+    const updatedParameterDefinitions = [
+      ...(eligibilityCheck.parameterDefinitions || []),
+      parameterDef,
+    ];
     setActionInProgress(true);
     try {
-      await updateCheck(updatedCheck);
+      await updateCheck(eligibilityCheck.id, {
+        parameterDefinitions: updatedParameterDefinitions,
+      });
       await refetch();
     } catch (e) {
       console.error("Failed to add parameter", e);
@@ -92,14 +91,12 @@ const eligibilityCheckDetailResource = (
     const updatedParameters = [...eligibilityCheck.parameterDefinitions];
     updatedParameters[parameterIndex] = parameterDef;
     console.log("updatedParameters", updatedParameters);
-    const updatedCheck: EligibilityCheckDetail = {
-      ...eligibilityCheck,
-      parameterDefinitions: updatedParameters,
-    };
 
     setActionInProgress(true);
     try {
-      await updateCheck(updatedCheck);
+      await updateCheck(eligibilityCheck.id, {
+        parameterDefinitions: updatedParameters,
+      });
       await refetch();
     } catch (e) {
       console.error("Failed to update parameter", e);
@@ -110,14 +107,12 @@ const eligibilityCheckDetailResource = (
   const removeParameter = async (parameterIndex: number) => {
     const updatedParameters = [...eligibilityCheck.parameterDefinitions];
     updatedParameters.splice(parameterIndex, 1);
-    const updatedCheck: EligibilityCheckDetail = {
-      ...eligibilityCheck,
-      parameterDefinitions: updatedParameters,
-    };
 
     setActionInProgress(true);
     try {
-      await updateCheck(updatedCheck);
+      await updateCheck(eligibilityCheck.id, {
+        parameterDefinitions: updatedParameters,
+      });
       await refetch();
     } catch (e) {
       console.error("Failed to remove parameter", e);

builder-frontend/src/components/homeScreen/eligibilityCheckList/eligibilityCheckDetail/eligibilityCheckDetailResource.ts

@@ -1,13 +1,13 @@
 import { createResource, createEffect, Accessor, createSignal } from "solid-js";
 import { createStore } from "solid-js/store";
 
-import type { EligibilityCheck } from "@/types";
+import type { EligibilityCheck, CreateCheckRequest } from "@/types";
 import { addCheck, archiveCheck, fetchUserDefinedChecks } from "@/api/check";
 
 export interface EligibilityCheckResource {
   checks: () => EligibilityCheck[];
   actions: {
-    addNewCheck: (check: EligibilityCheck) => Promise<void>;
+    addNewCheck: (check: CreateCheckRequest) => Promise<void>;
     removeCheck: (checkIdToRemove: string) => Promise<void>;
   };
   actionInProgress: Accessor<boolean>;
@@ -32,7 +32,7 @@ const eligibilityCheckResource = (): EligibilityCheckResource => {
   });
 
   // Actions
-  const addNewCheck = async (check: EligibilityCheck) => {
+  const addNewCheck = async (check: CreateCheckRequest) => {
     setActionInProgress(true);
     try {
       await addCheck(check);

builder-frontend/src/components/homeScreen/eligibilityCheckList/eligibilityCheckResource.ts

@@ -1,6 +1,6 @@
 import { createStore } from "solid-js/store";
 
-import type { EligibilityCheck } from "@/types";
+import type { CreateCheckRequest } from "@/types";
 
 type CheckValues = {
   name: string;
@@ -11,7 +11,7 @@ const EditCheckModal = ({
   modalAction,
   closeModal,
 }: {
-  modalAction: (check: EligibilityCheck) => Promise<void>;
+  modalAction: (check: CreateCheckRequest) => Promise<void>;
   closeModal: () => void;
 }) => {
   const [newCheck, setNewCheck] = createStore<CheckValues>({
@@ -84,17 +84,10 @@ const EditCheckModal = ({
                 console.log("Please fill in all fields.");
                 return;
               }
-              const check: EligibilityCheck = {
-                id:
-                  newCheck.module.toLowerCase() +
-                  "-" +
-                  newCheck.name.toLowerCase().replace(/\s+/g, "_"),
+              const check: CreateCheckRequest = {
                 name: newCheck.name,
-                version: "1.0.0",
-
                 module: newCheck.module,
                 description: newCheck.description,
-                inputDefinition: {},
                 parameterDefinitions: [],
               };
               await modalAction(check);