fix: incorrect resource type match

Author: maurei

src/JsonApiDotNetCore/Middleware/IncomingTypeMatchFilter.cs

@@ -2,7 +2,10 @@
 using System.Linq;
 using System.Net.Http;
 using JsonApiDotNetCore.Configuration;
+using JsonApiDotNetCore.Controllers;
 using JsonApiDotNetCore.Errors;
+using JsonApiDotNetCore.Resources;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc.Filters;
 
 namespace JsonApiDotNetCore.Middleware
@@ -13,10 +16,12 @@ namespace JsonApiDotNetCore.Middleware
     public sealed class IncomingTypeMatchFilter : IActionFilter
     {
         private readonly IResourceContextProvider _provider;
+        private readonly IJsonApiRequest _jsonApiRequest;
 
-        public IncomingTypeMatchFilter(IResourceContextProvider provider)
+        public IncomingTypeMatchFilter(IResourceContextProvider provider, IJsonApiRequest jsonApiRequest)
         {
             _provider = provider;
+            _jsonApiRequest = jsonApiRequest;
         }
 
         public void OnActionExecuting(ActionExecutingContext context)
@@ -27,23 +32,36 @@ public void OnActionExecuting(ActionExecutingContext context)
             {
                 return;
             }
-
+            
             var request = context.HttpContext.Request;
-            if (request.Method == "PATCH" || request.Method == "POST")
+            
+            if (request.Method == HttpMethods.Patch || request.Method == HttpMethods.Post)
             {
-                var deserializedType = context.ActionArguments.FirstOrDefault().Value?.GetType();
-                var targetType = context.ActionDescriptor.Parameters.FirstOrDefault()?.ParameterType;
-
-                if (deserializedType != null && targetType != null && deserializedType != targetType)
+                var deserializedType = context.ActionArguments.Last().Value.GetType();
+                var targetType = (_jsonApiRequest.SecondaryResource ?? _jsonApiRequest.PrimaryResource).ResourceType;
+                
+                if (deserializedType != targetType)
                 {
                     ResourceContext resourceFromEndpoint = _provider.GetResourceContext(targetType);
                     ResourceContext resourceFromBody = _provider.GetResourceContext(deserializedType);
-
+            
                     throw new ResourceTypeMismatchException(new HttpMethod(request.Method), request.Path, resourceFromEndpoint, resourceFromBody);
                 }
             }
         }
 
+        private void ThrowIfResourceTypeMismatch(Type deserializedType, Type targetType, HttpRequest request)
+        {
+            if (deserializedType != targetType)
+            {
+                ResourceContext resourceFromEndpoint = _provider.GetResourceContext(targetType);
+                ResourceContext resourceFromBody = _provider.GetResourceContext(deserializedType);
+
+                throw new ResourceTypeMismatchException(new HttpMethod(request.Method), request.Path, resourceFromEndpoint,
+                    resourceFromBody);
+            }
+        }
+
         public void OnActionExecuted(ActionExecutedContext context) { /* noop */ }
     }
 }

test/JsonApiDotNetCoreExampleTests/Acceptance/Spec/CreatingDataTests.cs

@@ -298,7 +298,7 @@ public async Task CreateResource_ResourceTypeMismatch_IsConflict()
             Assert.Equal("Resource type mismatch between request body and endpoint URL.", errorDocument.Errors[0].Title);
             Assert.Equal("Expected resource of type 'todoItems' in POST request body at endpoint '/api/v1/todoItems', instead of 'people'.", errorDocument.Errors[0].Detail);
         }
-
+        
         [Fact]
         public async Task CreateResource_UnknownResourceType_Fails()
         {

test/JsonApiDotNetCoreExampleTests/Acceptance/Spec/ResourceTypeMismatchTests.cs

@@ -0,0 +1,93 @@
+using System.Collections.Generic;
+using System.Linq;
+using System.Net;
+using System.Threading.Tasks;
+using Bogus;
+using JsonApiDotNetCore.Serialization.Objects;
+using JsonApiDotNetCoreExample.Models;
+using JsonApiDotNetCoreExampleTests.Helpers.Models;
+using Microsoft.EntityFrameworkCore;
+using Newtonsoft.Json;
+using Xunit;
+using Person = JsonApiDotNetCoreExample.Models.Person;
+
+namespace JsonApiDotNetCoreExampleTests.Acceptance.Spec
+{
+    public sealed class ResourceTypeMismatchTests : FunctionalTestCollection<StandardApplicationFactory>
+    {
+        public ResourceTypeMismatchTests(StandardApplicationFactory factory) : base(factory) { }
+        
+        [Fact]
+        public async Task Posting_Resource_With_Mismatching_Resource_Type_Returns_Conflict()
+        {
+            // Arrange
+            string content = JsonConvert.SerializeObject(new
+            {
+                data = new
+                {
+                    type = "people"
+                }
+            });
+
+            // Act
+            var (body, response) = await Post("/api/v1/todoItems", content);
+
+            // Assert
+            var errorDocument = JsonConvert.DeserializeObject<ErrorDocument>(body);
+            Assert.Single(errorDocument.Errors);
+            Assert.Equal(HttpStatusCode.Conflict, errorDocument.Errors[0].StatusCode);
+            Assert.Equal("Resource type mismatch between request body and endpoint URL.", errorDocument.Errors[0].Title);
+            Assert.Equal("Expected resource of type 'todoItems' in POST request body at endpoint '/api/v1/todoItems', instead of 'people'.", errorDocument.Errors[0].Detail);
+        }
+        
+        [Fact]
+        public async Task Patching_Resource_With_Mismatching_Resource_Type_Returns_Conflict()
+        {
+            // Arrange
+            string content = JsonConvert.SerializeObject(new
+            {
+                data = new
+                {
+                    type = "people",
+                    id = 1
+                }
+            });
+
+            // Act
+            var (body, response) = await Patch("/api/v1/todoItems/1", content);
+
+            // Assert
+
+            var errorDocument = JsonConvert.DeserializeObject<ErrorDocument>(body);
+            Assert.Single(errorDocument.Errors);
+            Assert.Equal(HttpStatusCode.Conflict, errorDocument.Errors[0].StatusCode);
+            Assert.Equal("Resource type mismatch between request body and endpoint URL.", errorDocument.Errors[0].Title);
+            Assert.Equal("Expected resource of type 'todoItems' in PATCH request body at endpoint '/api/v1/todoItems/1', instead of 'people'.", errorDocument.Errors[0].Detail);
+        }
+        
+        [Fact]
+        public async Task Patching_Through_Relationship_Link_With_Mismatching_Resource_Type_Returns_Conflict()
+        {
+            // Arrange
+            string content = JsonConvert.SerializeObject(new
+            {
+                data = new
+                {
+                    type = "todoItems",
+                    id = 1
+                }
+            });
+
+            // Act
+            var (body, response) = await Patch("/api/v1/todoItems/1/relationships/owner", content);
+
+            // Assert
+
+            var errorDocument = JsonConvert.DeserializeObject<ErrorDocument>(body);
+            Assert.Single(errorDocument.Errors);
+            Assert.Equal(HttpStatusCode.Conflict, errorDocument.Errors[0].StatusCode);
+            Assert.Equal("Resource type mismatch between request body and endpoint URL.", errorDocument.Errors[0].Title);
+            Assert.Equal("Expected resource of type 'people' in PATCH request body at endpoint '/api/v1/todoItems/1/relationships/owner', instead of 'todoItems'.", errorDocument.Errors[0].Detail);
+        }
+    }
+}

test/JsonApiDotNetCoreExampleTests/Acceptance/Spec/UpdatingRelationshipsTests.cs

@@ -282,7 +282,7 @@ public async Task Can_Update_ToMany_Relationship_By_Patching_Resource()
             // a "complete replace".
             Assert.Equal(2, updatedTodoItems.Count);
         }
-
+        
         [Fact]
         public async Task Can_Update_ToMany_Relationship_By_Patching_Resource_When_Targets_Already_Attached()
         {