Add 403 status when client-generated IDs are forbidden (default)

Author: bkoelman

src/JsonApiDotNetCore.OpenApi/SwaggerComponents/JsonApiOperationDocumentationFilter.cs

@@ -33,16 +33,20 @@ internal sealed class JsonApiOperationDocumentationFilter : IOperationFilter
     private const string TextRequestBodyIncompatibleType = "A resource type in the request body is incompatible.";
     private const string TextRequestBodyIncompatibleIdOrType = "A resource type or identifier in the request body is incompatible.";
     private const string TextRequestBodyValidationFailed = "Validation of the request body failed.";
+    private const string TextRequestBodyClientId = "Client-generated IDs cannot be used at this endpoint.";
 
+    private readonly IJsonApiOptions _options;
     private readonly IControllerResourceMapping _controllerResourceMapping;
     private readonly ResourceFieldValidationMetadataProvider _resourceFieldValidationMetadataProvider;
 
-    public JsonApiOperationDocumentationFilter(IControllerResourceMapping controllerResourceMapping,
+    public JsonApiOperationDocumentationFilter(IJsonApiOptions options, IControllerResourceMapping controllerResourceMapping,
         ResourceFieldValidationMetadataProvider resourceFieldValidationMetadataProvider)
     {
+        ArgumentGuard.NotNull(options);
         ArgumentGuard.NotNull(controllerResourceMapping);
         ArgumentGuard.NotNull(resourceFieldValidationMetadataProvider);
 
+        _options = options;
         _controllerResourceMapping = controllerResourceMapping;
         _resourceFieldValidationMetadataProvider = resourceFieldValidationMetadataProvider;
     }
@@ -190,6 +194,13 @@ private void ApplyPostResource(OpenApiOperation operation, ResourceType resource
         SetResponseDescription(operation.Responses, HttpStatusCode.BadRequest, TextRequestBodyMissingOrMalformed);
         SetResponseDescription(operation.Responses, HttpStatusCode.Conflict, TextRequestBodyIncompatibleType);
         SetResponseDescription(operation.Responses, HttpStatusCode.UnprocessableEntity, TextRequestBodyValidationFailed);
+
+        ClientIdGenerationMode clientIdGeneration = resourceType.ClientIdGeneration ?? _options.ClientIdGeneration;
+
+        if (clientIdGeneration == ClientIdGenerationMode.Forbidden)
+        {
+            SetResponseDescription(operation.Responses, HttpStatusCode.Forbidden, TextRequestBodyClientId);
+        }
     }
 
     private void ApplyPatchResource(OpenApiOperation operation, ResourceType resourceType)

test/OpenApiClientTests/LegacyClient/swagger.g.json

@@ -76,6 +76,9 @@
           },
           "422": {
             "description": "Validation of the request body failed."
+          },
+          "403": {
+            "description": "Client-generated IDs cannot be used at this endpoint."
           }
         }
       }
@@ -544,6 +547,9 @@
           },
           "422": {
             "description": "Validation of the request body failed."
+          },
+          "403": {
+            "description": "Client-generated IDs cannot be used at this endpoint."
           }
         }
       }
@@ -1262,6 +1268,9 @@
           },
           "422": {
             "description": "Validation of the request body failed."
+          },
+          "403": {
+            "description": "Client-generated IDs cannot be used at this endpoint."
           }
         }
       }

test/OpenApiClientTests/NamingConventions/CamelCase/swagger.g.json

@@ -76,6 +76,9 @@
           },
           "422": {
             "description": "Validation of the request body failed."
+          },
+          "403": {
+            "description": "Client-generated IDs cannot be used at this endpoint."
           }
         }
       }

test/OpenApiClientTests/NamingConventions/KebabCase/swagger.g.json

@@ -76,6 +76,9 @@
           },
           "422": {
             "description": "Validation of the request body failed."
+          },
+          "403": {
+            "description": "Client-generated IDs cannot be used at this endpoint."
           }
         }
       }

test/OpenApiClientTests/NamingConventions/PascalCase/swagger.g.json

@@ -76,6 +76,9 @@
           },
           "422": {
             "description": "Validation of the request body failed."
+          },
+          "403": {
+            "description": "Client-generated IDs cannot be used at this endpoint."
           }
         }
       }

test/OpenApiClientTests/ResourceFieldValidation/NullableReferenceTypesOff/ModelStateValidationOff/swagger.g.json

@@ -76,6 +76,9 @@
           },
           "422": {
             "description": "Validation of the request body failed."
+          },
+          "403": {
+            "description": "Client-generated IDs cannot be used at this endpoint."
           }
         }
       }

test/OpenApiClientTests/ResourceFieldValidation/NullableReferenceTypesOff/ModelStateValidationOn/swagger.g.json

@@ -76,6 +76,9 @@
           },
           "422": {
             "description": "Validation of the request body failed."
+          },
+          "403": {
+            "description": "Client-generated IDs cannot be used at this endpoint."
           }
         }
       }

test/OpenApiClientTests/ResourceFieldValidation/NullableReferenceTypesOn/ModelStateValidationOff/swagger.g.json

@@ -76,6 +76,9 @@
           },
           "422": {
             "description": "Validation of the request body failed."
+          },
+          "403": {
+            "description": "Client-generated IDs cannot be used at this endpoint."
           }
         }
       }

test/OpenApiClientTests/ResourceFieldValidation/NullableReferenceTypesOn/ModelStateValidationOn/swagger.g.json

@@ -76,6 +76,9 @@
           },
           "422": {
             "description": "Validation of the request body failed."
+          },
+          "403": {
+            "description": "Client-generated IDs cannot be used at this endpoint."
           }
         }
       }

test/OpenApiTests/DocComments/DocCommentsStartup.cs

@@ -1,4 +1,5 @@
 using JetBrains.Annotations;
+using JsonApiDotNetCore.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.OpenApi.Models;
 using Swashbuckle.AspNetCore.SwaggerGen;
@@ -10,6 +11,12 @@ namespace OpenApiTests.DocComments;
 public sealed class DocCommentsStartup<TDbContext> : OpenApiStartup<TDbContext>
     where TDbContext : TestableDbContext
 {
+    protected override void SetJsonApiOptions(JsonApiOptions options)
+    {
+        options.ClientIdGeneration = ClientIdGenerationMode.Allowed;
+        base.SetJsonApiOptions(options);
+    }
+
     protected override void SetupSwaggerGenAction(SwaggerGenOptions options)
     {
         options.SwaggerDoc("v1", new OpenApiInfo

test/OpenApiTests/DocComments/DocCommentsTests.cs

@@ -483,4 +483,17 @@ public async Task Enums_are_documented()
             schemasElement.Should().HaveProperty("spaceKind.description", "Lists the various kinds of spaces within a skyscraper.");
         });
     }
+
+    [Fact]
+    public async Task Forbidden_status_is_added_when_client_generated_IDs_are_disabled()
+    {
+        // Act
+        JsonElement document = await _testContext.GetSwaggerDocumentAsync();
+
+        // Assert
+        document.Should().ContainPath("paths./elevators.post.responses").With(responseElement =>
+        {
+            responseElement.Should().HaveProperty("403.description", "Client-generated IDs cannot be used at this endpoint.");
+        });
+    }
 }

test/OpenApiTests/DocComments/Elevator.cs

@@ -1,4 +1,5 @@
 using JetBrains.Annotations;
+using JsonApiDotNetCore.Configuration;
 using JsonApiDotNetCore.Resources;
 using JsonApiDotNetCore.Resources.Annotations;
 
@@ -8,7 +9,7 @@ namespace OpenApiTests.DocComments;
 /// An elevator within a skyscraper.
 /// </summary>
 [UsedImplicitly(ImplicitUseTargetFlags.Members)]
-[Resource(ControllerNamespace = "OpenApiTests.DocComments")]
+[Resource(ControllerNamespace = "OpenApiTests.DocComments", ClientIdGeneration = ClientIdGenerationMode.Forbidden)]
 public sealed class Elevator : Identifiable<long>
 {
     /// <summary>

test/OpenApiTests/LegacyOpenApiIntegration/swagger.json

@@ -76,6 +76,9 @@
           },
           "422": {
             "description": "Validation of the request body failed."
+          },
+          "403": {
+            "description": "Client-generated IDs cannot be used at this endpoint."
           }
         }
       }
@@ -544,6 +547,9 @@
           },
           "422": {
             "description": "Validation of the request body failed."
+          },
+          "403": {
+            "description": "Client-generated IDs cannot be used at this endpoint."
           }
         }
       }
@@ -1262,6 +1268,9 @@
           },
           "422": {
             "description": "Validation of the request body failed."
+          },
+          "403": {
+            "description": "Client-generated IDs cannot be used at this endpoint."
           }
         }
       }