fix: #520

Author: maurei

src/JsonApiDotNetCore/Formatters/JsonApiReader.cs

@@ -1,7 +1,9 @@
 using System;
+using System.Collections;
 using System.IO;
 using System.Threading.Tasks;
 using JsonApiDotNetCore.Internal;
+using JsonApiDotNetCore.Models;
 using JsonApiDotNetCore.Serialization;
 using JsonApiDotNetCore.Services;
 using Microsoft.AspNetCore.Mvc.Formatters;
@@ -37,7 +39,7 @@ public Task<InputFormatterResult> ReadAsync(InputFormatterContext context)
             {
                 var body = GetRequestBody(context.HttpContext.Request.Body);
 
-                object model =null;
+                object model = null;
 
                 if (_jsonApiContext.IsRelationshipPath)
                 {
@@ -48,10 +50,29 @@ public Task<InputFormatterResult> ReadAsync(InputFormatterContext context)
                     model = _deSerializer.Deserialize(body);
                 }
 
+
                 if (model == null)
                 {
                     _logger?.LogError("An error occurred while de-serializing the payload");
                 }
+
+                if (context.HttpContext.Request.Method == "PATCH")
+                {
+                    bool idMissing;
+                    if (model is IList list)
+                    {
+                        idMissing = CheckForId(list);
+                    }
+                    else
+                    {
+                        idMissing = CheckForId(model);
+                    }
+                    if (idMissing)
+                    {
+                        _logger?.LogError("Payload must include id attribute");
+                        throw new JsonApiException(400, "Payload must include id attribute");
+                    }
+                }
                 return InputFormatterResult.SuccessAsync(model);
             }
             catch (Exception ex)
@@ -62,6 +83,38 @@ public Task<InputFormatterResult> ReadAsync(InputFormatterContext context)
             }
         }
 
+        private bool CheckForId(object model)
+        {
+            if (model == null) return false;
+            if (model is ResourceObject ro)
+            {
+                if (string.IsNullOrEmpty(ro.Id)) return true;
+            }
+            else if (model is IIdentifiable identifiable)
+            {
+                if (string.IsNullOrEmpty(identifiable.StringId)) return true;
+            }
+            return false;
+        }
+
+        private bool CheckForId(IList modelList)
+        {
+            foreach (var model in modelList)
+            {
+                if (model == null) continue;
+                if (model is ResourceObject ro)
+                {
+                    if (string.IsNullOrEmpty(ro.Id)) return true;
+                }
+                else if (model is IIdentifiable identifiable)
+                {
+                    if (string.IsNullOrEmpty(identifiable.StringId)) return true;
+                }
+            }
+            return false;
+
+        }
+
         private string GetRequestBody(Stream body)
         {
             using (var reader = new StreamReader(body))

test/JsonApiDotNetCoreExampleTests/Acceptance/CamelCasedModelsControllerTests.cs

@@ -143,6 +143,7 @@ public async Task Can_Patch_CamelCasedModels()
                 data = new
                 {
                     type = "camelCasedModels",
+                    id = model.Id,
                     attributes = new Dictionary<string, object>()
                     {
                         { "compoundAttr", newModel.CompoundAttr }

test/JsonApiDotNetCoreExampleTests/Acceptance/Spec/UpdatingDataTests.cs

@@ -55,8 +55,9 @@ public async Task Response400IfUpdatingNotSettableAttribute()
 
             var content = new
             {
-                datea = new
+                date = new
                 {
+                    id = todoItem.Id,
                     type = "todo-items",
                     attributes = new
                     {
@@ -90,6 +91,7 @@ public async Task Respond_404_If_EntityDoesNotExist()
             {
                 data = new
                 {
+                    id = maxPersonId + 100,
                     type = "todo-items",
                     attributes = new
                     {
@@ -108,6 +110,41 @@ public async Task Respond_404_If_EntityDoesNotExist()
             Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
         }
 
+        [Fact]
+        public async Task Respond_400_If_IdNotInAttributeList()
+        {
+            // Arrange
+            var maxPersonId = _context.TodoItems.LastOrDefault()?.Id ?? 0;
+            var todoItem = _todoItemFaker.Generate();
+            var builder = new WebHostBuilder()
+                .UseStartup<Startup>();
+
+            var server = new TestServer(builder);
+            var client = server.CreateClient();
+
+            var content = new
+            {
+                data = new
+                {
+                    type = "todo-items",
+                    attributes = new
+                    {
+                        description = todoItem.Description,
+                        ordinal = todoItem.Ordinal,
+                        createdDate = DateTime.Now
+                    }
+                }
+            };
+            var request = PrepareRequest("PATCH", $"/api/v1/todo-items/{maxPersonId}", content);
+
+            // Act
+            var response = await client.SendAsync(request);
+
+            // Assert
+            Assert.Equal(422, Convert.ToInt32(response.StatusCode));
+
+        }
+
 
         [Fact]
         public async Task Can_Patch_Entity()
@@ -129,6 +166,7 @@ public async Task Can_Patch_Entity()
             {
                 data = new
                 {
+                    id = todoItem.Id,
                     type = "todo-items",
                     attributes = new
                     {
@@ -187,6 +225,8 @@ public async Task Patch_Entity_With_HasMany_Does_Not_Included_Relationships()
                 data = new
                 {
                     type = "people",
+                    id = person.Id,
+
                     attributes = new Dictionary<string, object>
                     {
                         { "last-name",  newPerson.LastName },
@@ -234,6 +274,7 @@ public async Task Can_Patch_Entity_And_HasOne_Relationships()
                 data = new
                 {
                     type = "todo-items",
+                    id = todoItem.Id,
                     attributes = new
                     {
                         description = todoItem.Description,

test/JsonApiDotNetCoreExampleTests/Acceptance/Spec/UpdatingRelationshipsTests.cs

@@ -549,6 +549,7 @@ public async Task Can_Delete_Relationship_By_Patching_Resource()
             {
                 data = new
                 {
+                    id = todoItem.Id,
                     type = "todo-items",
                     relationships = new
                     {

test/JsonApiDotNetCoreExampleTests/Acceptance/TodoItemsControllerTests.cs

@@ -588,6 +588,7 @@ public async Task Can_Patch_TodoItem()
             {
                 data = new
                 {
+                    id = todoItem.Id,
                     type = "todo-items",
                     attributes = new Dictionary<string, object>()
                     {
@@ -639,6 +640,7 @@ public async Task Can_Patch_TodoItemWithNullable()
             {
                 data = new
                 {
+                    id = todoItem.Id,
                     type = "todo-items",
                     attributes = new Dictionary<string, object>()
                     {
@@ -690,6 +692,7 @@ public async Task Can_Patch_TodoItemWithNullValue()
             {
                 data = new
                 {
+                    id = todoItem.Id,
                     type = "todo-items",
                     attributes = new Dictionary<string, object>()
                     {