Return better error for whitespace relationship name in request URL

Author: bkoelman

src/JsonApiDotNetCore/Controllers/BaseJsonApiController.cs

@@ -134,15 +134,16 @@ public virtual async Task<IActionResult> GetAsync([DisallowNull] TId id, Cancell
     /// GET /articles/1/revisions HTTP/1.1
     /// ]]></code>
     /// </summary>
-    public virtual async Task<IActionResult> GetSecondaryAsync([DisallowNull] TId id, string relationshipName, CancellationToken cancellationToken)
+    public virtual async Task<IActionResult> GetSecondaryAsync([DisallowNull] TId id, [PreserveEmptyString] string relationshipName,
+        CancellationToken cancellationToken)
     {
         _traceWriter.LogMethodStart(new
         {
             id,
             relationshipName
         });
 
-        ArgumentGuard.NotNullNorEmpty(relationshipName);
+        ArgumentGuard.NotNull(relationshipName);
 
         if (_getSecondary == null)
         {
@@ -163,15 +164,16 @@ public virtual async Task<IActionResult> GetSecondaryAsync([DisallowNull] TId id
     /// GET /articles/1/relationships/revisions HTTP/1.1
     /// ]]></code>
     /// </summary>
-    public virtual async Task<IActionResult> GetRelationshipAsync([DisallowNull] TId id, string relationshipName, CancellationToken cancellationToken)
+    public virtual async Task<IActionResult> GetRelationshipAsync([DisallowNull] TId id, [PreserveEmptyString] string relationshipName,
+        CancellationToken cancellationToken)
     {
         _traceWriter.LogMethodStart(new
         {
             id,
             relationshipName
         });
 
-        ArgumentGuard.NotNullNorEmpty(relationshipName);
+        ArgumentGuard.NotNull(relationshipName);
 
         if (_getRelationship == null)
         {
@@ -247,7 +249,7 @@ private string GetLocationUrl(string resourceId)
     /// <param name="cancellationToken">
     /// Propagates notification that request handling should be canceled.
     /// </param>
-    public virtual async Task<IActionResult> PostRelationshipAsync([DisallowNull] TId id, string relationshipName,
+    public virtual async Task<IActionResult> PostRelationshipAsync([DisallowNull] TId id, [PreserveEmptyString] string relationshipName,
         [FromBody] ISet<IIdentifiable> rightResourceIds, CancellationToken cancellationToken)
     {
         _traceWriter.LogMethodStart(new
@@ -257,7 +259,7 @@ public virtual async Task<IActionResult> PostRelationshipAsync([DisallowNull] TI
             rightResourceIds
         });
 
-        ArgumentGuard.NotNullNorEmpty(relationshipName);
+        ArgumentGuard.NotNull(relationshipName);
         ArgumentGuard.NotNull(rightResourceIds);
 
         if (_addToRelationship == null)
@@ -322,8 +324,8 @@ public virtual async Task<IActionResult> PatchAsync([DisallowNull] TId id, [From
     /// <param name="cancellationToken">
     /// Propagates notification that request handling should be canceled.
     /// </param>
-    public virtual async Task<IActionResult> PatchRelationshipAsync([DisallowNull] TId id, string relationshipName, [FromBody] object? rightValue,
-        CancellationToken cancellationToken)
+    public virtual async Task<IActionResult> PatchRelationshipAsync([DisallowNull] TId id, [PreserveEmptyString] string relationshipName,
+        [FromBody] object? rightValue, CancellationToken cancellationToken)
     {
         _traceWriter.LogMethodStart(new
         {
@@ -332,7 +334,7 @@ public virtual async Task<IActionResult> PatchRelationshipAsync([DisallowNull] T
             rightValue
         });
 
-        ArgumentGuard.NotNullNorEmpty(relationshipName);
+        ArgumentGuard.NotNull(relationshipName);
 
         if (_setRelationship == null)
         {
@@ -383,7 +385,7 @@ public virtual async Task<IActionResult> DeleteAsync([DisallowNull] TId id, Canc
     /// <param name="cancellationToken">
     /// Propagates notification that request handling should be canceled.
     /// </param>
-    public virtual async Task<IActionResult> DeleteRelationshipAsync([DisallowNull] TId id, string relationshipName,
+    public virtual async Task<IActionResult> DeleteRelationshipAsync([DisallowNull] TId id, [PreserveEmptyString] string relationshipName,
         [FromBody] ISet<IIdentifiable> rightResourceIds, CancellationToken cancellationToken)
     {
         _traceWriter.LogMethodStart(new
@@ -393,7 +395,7 @@ public virtual async Task<IActionResult> DeleteRelationshipAsync([DisallowNull]
             rightResourceIds
         });
 
-        ArgumentGuard.NotNullNorEmpty(relationshipName);
+        ArgumentGuard.NotNull(relationshipName);
         ArgumentGuard.NotNull(rightResourceIds);
 
         if (_removeFromRelationship == null)

src/JsonApiDotNetCore/Controllers/PreserveEmptyStringAttribute.cs

@@ -0,0 +1,15 @@
+using System.ComponentModel.DataAnnotations;
+using JetBrains.Annotations;
+
+namespace JsonApiDotNetCore.Controllers;
+
+[PublicAPI]
+[AttributeUsage(AttributeTargets.Parameter)]
+public sealed class PreserveEmptyStringAttribute : DisplayFormatAttribute
+{
+    public PreserveEmptyStringAttribute()
+    {
+        // Workaround for https://github.com/dotnet/aspnetcore/issues/29948#issuecomment-1898216682
+        ConvertEmptyStringToNull = false;
+    }
+}

src/JsonApiDotNetCore/Services/JsonApiResourceService.cs

@@ -109,6 +109,7 @@ public virtual async Task<TResource> GetAsync([DisallowNull] TId id, Cancellatio
 
         using IDisposable _ = CodeTimingSessionManager.Current.Measure("Service - Get secondary resource(s)");
 
+        ArgumentGuard.NotNull(relationshipName);
         AssertPrimaryResourceTypeInJsonApiRequestIsNotNull(_request.PrimaryResourceType);
         AssertHasRelationship(_request.Relationship, relationshipName);
 
@@ -146,10 +147,9 @@ public virtual async Task<TResource> GetAsync([DisallowNull] TId id, Cancellatio
             relationshipName
         });
 
-        ArgumentGuard.NotNullNorEmpty(relationshipName);
-
         using IDisposable _ = CodeTimingSessionManager.Current.Measure("Service - Get relationship");
 
+        ArgumentGuard.NotNull(relationshipName);
         AssertPrimaryResourceTypeInJsonApiRequestIsNotNull(_request.PrimaryResourceType);
         AssertHasRelationship(_request.Relationship, relationshipName);
 
@@ -350,11 +350,10 @@ public virtual async Task AddToToManyRelationshipAsync([DisallowNull] TId leftId
             rightResourceIds
         });
 
-        ArgumentGuard.NotNullNorEmpty(relationshipName);
-        ArgumentGuard.NotNull(rightResourceIds);
-
         using IDisposable _ = CodeTimingSessionManager.Current.Measure("Service - Add to to-many relationship");
 
+        ArgumentGuard.NotNull(relationshipName);
+        ArgumentGuard.NotNull(rightResourceIds);
         AssertHasRelationship(_request.Relationship, relationshipName);
 
         TResource? resourceFromDatabase = null;
@@ -501,10 +500,9 @@ public virtual async Task SetRelationshipAsync([DisallowNull] TId leftId, string
             rightValue
         });
 
-        ArgumentGuard.NotNullNorEmpty(relationshipName);
-
         using IDisposable _ = CodeTimingSessionManager.Current.Measure("Service - Set relationship");
 
+        ArgumentGuard.NotNull(relationshipName);
         AssertHasRelationship(_request.Relationship, relationshipName);
 
         object? effectiveRightValue = _request.Relationship.RightType.IsPartOfTypeHierarchy()
@@ -573,11 +571,10 @@ public virtual async Task RemoveFromToManyRelationshipAsync([DisallowNull] TId l
             rightResourceIds
         });
 
-        ArgumentGuard.NotNullNorEmpty(relationshipName);
-        ArgumentGuard.NotNull(rightResourceIds);
-
         using IDisposable _ = CodeTimingSessionManager.Current.Measure("Repository - Remove from to-many relationship");
 
+        ArgumentGuard.NotNull(relationshipName);
+        ArgumentGuard.NotNull(rightResourceIds);
         AssertHasRelationship(_request.Relationship, relationshipName);
         var hasManyRelationship = (HasManyAttribute)_request.Relationship;
 

test/JsonApiDotNetCoreTests/IntegrationTests/IdObfuscation/ObfuscatedIdentifiableController.cs

@@ -31,14 +31,16 @@ public Task<IActionResult> GetAsync([Required] string id, CancellationToken canc
     }
 
     [HttpGet("{id}/{relationshipName}")]
-    public Task<IActionResult> GetSecondaryAsync([Required] string id, [Required] string relationshipName, CancellationToken cancellationToken)
+    public Task<IActionResult> GetSecondaryAsync([Required] string id, [Required] [PreserveEmptyString] string relationshipName,
+        CancellationToken cancellationToken)
     {
         int idValue = _codec.Decode(id);
         return base.GetSecondaryAsync(idValue, relationshipName, cancellationToken);
     }
 
     [HttpGet("{id}/relationships/{relationshipName}")]
-    public Task<IActionResult> GetRelationshipAsync([Required] string id, [Required] string relationshipName, CancellationToken cancellationToken)
+    public Task<IActionResult> GetRelationshipAsync([Required] string id, [Required] [PreserveEmptyString] string relationshipName,
+        CancellationToken cancellationToken)
     {
         int idValue = _codec.Decode(id);
         return base.GetRelationshipAsync(idValue, relationshipName, cancellationToken);
@@ -51,7 +53,7 @@ public override Task<IActionResult> PostAsync([FromBody] [Required] TResource re
     }
 
     [HttpPost("{id}/relationships/{relationshipName}")]
-    public Task<IActionResult> PostRelationshipAsync([Required] string id, [Required] string relationshipName,
+    public Task<IActionResult> PostRelationshipAsync([Required] string id, [Required] [PreserveEmptyString] string relationshipName,
         [FromBody] [Required] ISet<IIdentifiable> rightResourceIds, CancellationToken cancellationToken)
     {
         int idValue = _codec.Decode(id);
@@ -67,8 +69,8 @@ public Task<IActionResult> PatchAsync([Required] string id, [FromBody] [Required
 
     [HttpPatch("{id}/relationships/{relationshipName}")]
     // Parameter `[Required] object? rightValue` makes Swashbuckle generate the OpenAPI request body as required. We don't actually validate ModelState, so it doesn't hurt.
-    public Task<IActionResult> PatchRelationshipAsync([Required] string id, [Required] string relationshipName, [FromBody] [Required] object? rightValue,
-        CancellationToken cancellationToken)
+    public Task<IActionResult> PatchRelationshipAsync([Required] string id, [Required] [PreserveEmptyString] string relationshipName,
+        [FromBody] [Required] object? rightValue, CancellationToken cancellationToken)
     {
         int idValue = _codec.Decode(id);
         return base.PatchRelationshipAsync(idValue, relationshipName, rightValue, cancellationToken);
@@ -82,7 +84,7 @@ public Task<IActionResult> DeleteAsync([Required] string id, CancellationToken c
     }
 
     [HttpDelete("{id}/relationships/{relationshipName}")]
-    public Task<IActionResult> DeleteRelationshipAsync([Required] string id, [Required] string relationshipName,
+    public Task<IActionResult> DeleteRelationshipAsync([Required] string id, [Required] [PreserveEmptyString] string relationshipName,
         [FromBody] [Required] ISet<IIdentifiable> rightResourceIds, CancellationToken cancellationToken)
     {
         int idValue = _codec.Decode(id);

test/JsonApiDotNetCoreTests/IntegrationTests/ReadWrite/Fetching/FetchRelationshipTests.cs

@@ -243,4 +243,31 @@ await _testContext.RunOnDatabaseAsync(async dbContext =>
         error.Title.Should().Be("The requested relationship does not exist.");
         error.Detail.Should().Be($"Resource of type 'workItems' does not contain a relationship named '{Unknown.Relationship}'.");
     }
+
+    [Fact]
+    public async Task Cannot_get_relationship_for_whitespace_relationship_name()
+    {
+        WorkItem workItem = _fakers.WorkItem.GenerateOne();
+
+        await _testContext.RunOnDatabaseAsync(async dbContext =>
+        {
+            dbContext.WorkItems.Add(workItem);
+            await dbContext.SaveChangesAsync();
+        });
+
+        string route = $"/workItems/{workItem.StringId}/relationships/%20%20";
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecuteGetAsync<Document>(route);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.NotFound);
+
+        responseDocument.Errors.ShouldHaveCount(1);
+
+        ErrorObject error = responseDocument.Errors[0];
+        error.StatusCode.Should().Be(HttpStatusCode.NotFound);
+        error.Title.Should().Be("The requested relationship does not exist.");
+        error.Detail.Should().Be("Resource of type 'workItems' does not contain a relationship named '  '.");
+    }
 }

test/JsonApiDotNetCoreTests/IntegrationTests/ReadWrite/Fetching/FetchResourceTests.cs

@@ -376,4 +376,32 @@ await _testContext.RunOnDatabaseAsync(async dbContext =>
         error.Title.Should().Be("The requested relationship does not exist.");
         error.Detail.Should().Be($"Resource of type 'workItems' does not contain a relationship named '{Unknown.Relationship}'.");
     }
+
+    [Fact]
+    public async Task Cannot_get_secondary_resource_for_whitespace_relationship_name()
+    {
+        // Arrange
+        WorkItem workItem = _fakers.WorkItem.GenerateOne();
+
+        await _testContext.RunOnDatabaseAsync(async dbContext =>
+        {
+            dbContext.WorkItems.Add(workItem);
+            await dbContext.SaveChangesAsync();
+        });
+
+        string route = $"/workItems/{workItem.StringId}/%20";
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecuteGetAsync<Document>(route);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.NotFound);
+
+        responseDocument.Errors.ShouldHaveCount(1);
+
+        ErrorObject error = responseDocument.Errors[0];
+        error.StatusCode.Should().Be(HttpStatusCode.NotFound);
+        error.Title.Should().Be("The requested relationship does not exist.");
+        error.Detail.Should().Be("Resource of type 'workItems' does not contain a relationship named ' '.");
+    }
 }

test/JsonApiDotNetCoreTests/IntegrationTests/ReadWrite/Updating/Relationships/AddToToManyRelationshipTests.cs

@@ -601,6 +601,48 @@ await _testContext.RunOnDatabaseAsync(async dbContext =>
         error.Meta.Should().NotContainKey("requestBody");
     }
 
+    [Fact]
+    public async Task Cannot_add_to_whitespace_relationship_in_url()
+    {
+        // Arrange
+        WorkItem existingWorkItem = _fakers.WorkItem.GenerateOne();
+
+        await _testContext.RunOnDatabaseAsync(async dbContext =>
+        {
+            dbContext.WorkItems.Add(existingWorkItem);
+            await dbContext.SaveChangesAsync();
+        });
+
+        var requestBody = new
+        {
+            data = new[]
+            {
+                new
+                {
+                    type = "userAccounts",
+                    id = Unknown.StringId.For<UserAccount, long>()
+                }
+            }
+        };
+
+        string route = $"/workItems/{existingWorkItem.StringId}/relationships/%20%20";
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecutePostAsync<Document>(route, requestBody);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.NotFound);
+
+        responseDocument.Errors.ShouldHaveCount(1);
+
+        ErrorObject error = responseDocument.Errors[0];
+        error.StatusCode.Should().Be(HttpStatusCode.NotFound);
+        error.Title.Should().Be("The requested relationship does not exist.");
+        error.Detail.Should().Be("Resource of type 'workItems' does not contain a relationship named '  '.");
+        error.Source.Should().BeNull();
+        error.Meta.Should().NotContainKey("requestBody");
+    }
+
     [Fact]
     public async Task Cannot_add_for_relationship_mismatch_between_url_and_body()
     {

test/JsonApiDotNetCoreTests/IntegrationTests/ReadWrite/Updating/Relationships/RemoveFromToManyRelationshipTests.cs

@@ -714,6 +714,48 @@ await _testContext.RunOnDatabaseAsync(async dbContext =>
         error.Meta.Should().NotContainKey("requestBody");
     }
 
+    [Fact]
+    public async Task Cannot_remove_from_whitespace_relationship_in_url()
+    {
+        // Arrange
+        WorkItem existingWorkItem = _fakers.WorkItem.GenerateOne();
+
+        await _testContext.RunOnDatabaseAsync(async dbContext =>
+        {
+            dbContext.WorkItems.Add(existingWorkItem);
+            await dbContext.SaveChangesAsync();
+        });
+
+        var requestBody = new
+        {
+            data = new[]
+            {
+                new
+                {
+                    type = "userAccounts",
+                    id = Unknown.StringId.For<UserAccount, long>()
+                }
+            }
+        };
+
+        string route = $"/workItems/{existingWorkItem.StringId}/relationships/%20";
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecuteDeleteAsync<Document>(route, requestBody);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.NotFound);
+
+        responseDocument.Errors.ShouldHaveCount(1);
+
+        ErrorObject error = responseDocument.Errors[0];
+        error.StatusCode.Should().Be(HttpStatusCode.NotFound);
+        error.Title.Should().Be("The requested relationship does not exist.");
+        error.Detail.Should().Be("Resource of type 'workItems' does not contain a relationship named ' '.");
+        error.Source.Should().BeNull();
+        error.Meta.Should().NotContainKey("requestBody");
+    }
+
     [Fact]
     public async Task Cannot_remove_for_relationship_mismatch_between_url_and_body()
     {