Merge pull request dubinc#831 from dubinc/link-api-response-fixes

Validate the response for /links endpoints

Author: steven-tey

apps/web/app/api/links/[linkId]/route.ts

@@ -1,9 +1,14 @@
 import { DubApiError, ErrorCodes } from "@/lib/api/errors";
-import { deleteLink, editLink, processLink } from "@/lib/api/links";
+import {
+  deleteLink,
+  editLink,
+  processLink,
+  transformLink,
+} from "@/lib/api/links";
 import { withWorkspace } from "@/lib/auth";
 import prisma from "@/lib/prisma";
 import { NewLinkProps } from "@/lib/types";
-import { updateLinkBodySchema } from "@/lib/zod/schemas";
+import { LinkSchemaExtended, updateLinkBodySchema } from "@/lib/zod/schemas";
 import { NextResponse } from "next/server";
 
 // GET /api/links/[linkId] – get a link
@@ -29,16 +34,17 @@ export const GET = withWorkspace(async ({ headers, link }) => {
       color: true,
     },
   });
-  return NextResponse.json(
-    {
-      ...link,
-      tagId: tags?.[0]?.id ?? null, // backwards compatibility
-      tags,
-    },
-    {
-      headers,
-    },
-  );
+
+  const response = transformLink({
+    ...link,
+    tags: tags.map((tag) => {
+      return { tag };
+    }),
+  });
+
+  return NextResponse.json(LinkSchemaExtended.parse(response), {
+    headers,
+  });
 });
 
 // PUT /api/links/[linkId] – update a link
@@ -97,7 +103,7 @@ export const PUT = withWorkspace(async ({ req, headers, workspace, link }) => {
     updatedLink: processedLink,
   });
 
-  return NextResponse.json(response, {
+  return NextResponse.json(LinkSchemaExtended.parse(response), {
     headers,
   });
 });

apps/web/app/api/links/bulk/route.ts

@@ -3,7 +3,10 @@ import { bulkCreateLinks, combineTagIds, processLink } from "@/lib/api/links";
 import { withWorkspace } from "@/lib/auth";
 import prisma from "@/lib/prisma";
 import { ProcessedLinkProps } from "@/lib/types";
-import { bulkCreateLinksBodySchema } from "@/lib/zod/schemas";
+import {
+  LinkSchemaExtended,
+  bulkCreateLinksBodySchema,
+} from "@/lib/zod/schemas";
 import { NextResponse } from "next/server";
 
 // POST /api/links/bulk – bulk create up to 100 links
@@ -118,9 +121,12 @@ export const POST = withWorkspace(
     const validLinksResponse =
       validLinks.length > 0 ? await bulkCreateLinks({ links: validLinks }) : [];
 
-    return NextResponse.json([...validLinksResponse, ...errorLinks], {
-      headers,
-    });
+    return NextResponse.json(
+      [...LinkSchemaExtended.array().parse(validLinksResponse), ...errorLinks],
+      {
+        headers,
+      },
+    );
   },
   {
     needNotExceededLinks: true,

apps/web/app/api/links/info/route.ts

@@ -2,7 +2,7 @@ import { DubApiError } from "@/lib/api/errors";
 import { LinkWithTags, transformLink } from "@/lib/api/links";
 import { withWorkspace } from "@/lib/auth";
 import prisma from "@/lib/prisma";
-import { getLinkInfoQuerySchema } from "@/lib/zod/schemas";
+import { LinkSchemaExtended, getLinkInfoQuerySchema } from "@/lib/zod/schemas";
 import { NextResponse } from "next/server";
 
 // GET /api/links/info – get the info for a link
@@ -52,7 +52,10 @@ export const GET = withWorkspace(async ({ headers, searchParams, link }) => {
     ? { ...link, ...tagsAndUser }
     : { ...link, tags: [] };
 
-  return NextResponse.json(transformLink(linkWithTags), {
-    headers,
-  });
+  return NextResponse.json(
+    LinkSchemaExtended.parse(transformLink(linkWithTags)),
+    {
+      headers,
+    },
+  );
 });

apps/web/app/api/links/route.ts

@@ -3,10 +3,19 @@ import { createLink, getLinksForWorkspace, processLink } from "@/lib/api/links";
 import { parseRequestBody } from "@/lib/api/utils";
 import { withWorkspace } from "@/lib/auth";
 import { ratelimit } from "@/lib/upstash";
-import { createLinkBodySchema, getLinksQuerySchema } from "@/lib/zod/schemas";
+import {
+  LinkSchemaExtended,
+  createLinkBodySchema,
+  getLinksQuerySchemaExtended,
+} from "@/lib/zod/schemas";
+import { UserSchema } from "@/lib/zod/schemas/users";
 import { LOCALHOST_IP, getSearchParamsWithArray } from "@dub/utils";
 import { NextResponse } from "next/server";
 
+const LinkSchemaWithUser = LinkSchemaExtended.extend({
+  user: UserSchema.nullable(),
+});
+
 // GET /api/links – get all links for a workspace
 export const GET = withWorkspace(async ({ req, headers, workspace }) => {
   const searchParams = getSearchParamsWithArray(req.url);
@@ -21,7 +30,8 @@ export const GET = withWorkspace(async ({ req, headers, workspace }) => {
     userId,
     showArchived,
     withTags,
-  } = getLinksQuerySchema.parse(searchParams);
+    includeUser,
+  } = getLinksQuerySchemaExtended.parse(searchParams);
 
   const response = await getLinksForWorkspace({
     workspaceId: workspace.id,
@@ -34,9 +44,14 @@ export const GET = withWorkspace(async ({ req, headers, workspace }) => {
     userId,
     showArchived,
     withTags,
+    includeUser,
   });
 
-  return NextResponse.json(response, {
+  const links = (includeUser ? LinkSchemaWithUser : LinkSchemaExtended)
+    .array()
+    .parse(response);
+
+  return NextResponse.json(links, {
     headers,
   });
 });
@@ -75,7 +90,7 @@ export const POST = withWorkspace(
 
     const response = await createLink(link);
 
-    return NextResponse.json(response, { headers });
+    return NextResponse.json(LinkSchemaExtended.parse(response), { headers });
   },
   {
     needNotExceededLinks: true,

apps/web/lib/api/links/get-links-for-workspace.ts

@@ -1,6 +1,6 @@
 import prisma from "@/lib/prisma";
 import z from "@/lib/zod";
-import { getLinksQuerySchema } from "@/lib/zod/schemas";
+import { getLinksQuerySchemaExtended } from "@/lib/zod/schemas";
 import { combineTagIds, transformLink } from "./utils";
 
 export async function getLinksForWorkspace({
@@ -15,7 +15,8 @@ export async function getLinksForWorkspace({
   userId,
   showArchived,
   withTags,
-}: z.infer<typeof getLinksQuerySchema> & {
+  includeUser,
+}: z.infer<typeof getLinksQuerySchemaExtended> & {
   workspaceId: string;
 }) {
   const combinedTagIds = combineTagIds({ tagId, tagIds });
@@ -60,7 +61,7 @@ export async function getLinksForWorkspace({
       ...(userId && { userId }),
     },
     include: {
-      user: true,
+      user: includeUser,
       tags: {
         include: {
           tag: {

apps/web/lib/swr/use-links.ts

@@ -23,7 +23,7 @@ export default function useLinks() {
   >(
     id
       ? `/api/links${getQueryString(
-          { workspaceId: id },
+          { workspaceId: id, includeUser: "true" },
           {
             ignore: ["import", "upgrade", "newLink"],
           },

apps/web/lib/zod/schemas/links.ts

@@ -272,7 +272,6 @@ export const LinkSchema = z
       .describe("Whether the short link is archived."),
     expiresAt: z
       .string()
-      .datetime()
       .nullable()
       .describe(
         "The date and time when the short link will expire in ISO-8601 format.",
@@ -424,3 +423,20 @@ export const getLinkInfoQuerySchema = domainKeySchema.partial().merge(
       .openapi({ example: "ext_123456" }),
   }),
 );
+
+// Used in API routes to parse the response before sending it back to the client
+// This is because Prisma returns a `Date` object
+// TODO: Find a better way to handle this
+export const LinkSchemaExtended = LinkSchema.extend({
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  expiresAt: z.date().nullable(),
+  lastClicked: z.date().nullable(),
+});
+
+export const getLinksQuerySchemaExtended = getLinksQuerySchema.merge(
+  z.object({
+    // Only Dub UI uses includeUser query parameter
+    includeUser: booleanQuerySchema.default("false"),
+  }),
+);

apps/web/lib/zod/schemas/users.ts

@@ -0,0 +1,11 @@
+import z from "@/lib/zod";
+
+export const UserSchema = z.object({
+  id: z.string(),
+  name: z.string(),
+  email: z.string(),
+  emailVerified: z.boolean().nullable(),
+  image: z.string().nullable(),
+  subscribed: z.boolean().nullable(),
+  source: z.string().nullable(),
+});

apps/web/tests/links/bulk-create-link.test.ts

@@ -1,25 +1,57 @@
+import z from "@/lib/zod";
+import { LinkSchema } from "@/lib/zod/schemas";
 import { Link } from "@prisma/client";
 import { expect, test } from "vitest";
 import { randomId } from "../utils/helpers";
 import { IntegrationHarness } from "../utils/integration";
+import { link } from "../utils/resource";
+import { expectedLink } from "../utils/schema";
+
+const { domain } = link;
 
 test("POST /links/bulk", async (ctx) => {
   const h = new IntegrationHarness(ctx);
-  const { workspace, http } = await h.init();
+  const { workspace, http, user } = await h.init();
   const { workspaceId } = workspace;
+  const projectId = workspaceId.replace("ws_", "");
 
   const bulkLinks = Array.from({ length: 2 }, () => ({
     url: `https://example.com/${randomId()}`,
+    domain,
   }));
 
-  const { status, data: links } = await http.post<Link>({
+  const { status, data: links } = await http.post<Link[]>({
     path: "/links/bulk",
     query: { workspaceId },
     body: bulkLinks,
   });
 
+  const firstLink = links.find((l) => l.url === bulkLinks[0].url);
+  const secondLink = links.find((l) => l.url === bulkLinks[1].url);
+
   expect(status).toEqual(200);
   expect(links).toHaveLength(2);
+  expect(firstLink).toStrictEqual({
+    ...expectedLink,
+    url: bulkLinks[0].url,
+    userId: user.id,
+    projectId,
+    workspaceId,
+    shortLink: `https://${domain}/${firstLink?.key}`,
+    qrCode: `https://api.dub.co/qr?url=https://${domain}/${firstLink?.key}?qr=1`,
+    tags: [],
+  });
+  expect(secondLink).toStrictEqual({
+    ...expectedLink,
+    url: bulkLinks[1].url,
+    userId: user.id,
+    projectId,
+    workspaceId,
+    shortLink: `https://${domain}/${secondLink?.key}`,
+    qrCode: `https://api.dub.co/qr?url=https://${domain}/${secondLink?.key}?qr=1`,
+    tags: [],
+  });
+  expect(z.array(LinkSchema.strict()).parse(links)).toBeTruthy();
 
   await Promise.all([h.deleteLink(links[0].id), h.deleteLink(links[1].id)]);
 });

apps/web/tests/links/create-link.test.ts

@@ -1,3 +1,4 @@
+import { LinkSchema } from "@/lib/zod/schemas";
 import { Link, Tag } from "@prisma/client";
 import { describe, expect, test } from "vitest";
 import { randomId } from "../utils/helpers";
@@ -44,6 +45,7 @@ describe.sequential("POST /links", async () => {
       qrCode: `https://api.dub.co/qr?url=https://${domain}/${link.key}?qr=1`,
       tags: [],
     });
+    expect(LinkSchema.strict().parse(link)).toBeTruthy();
 
     await h.deleteLink(link.id);
   });
@@ -73,6 +75,7 @@ describe.sequential("POST /links", async () => {
       qrCode: `https://api.dub.co/qr?url=https://${domain}/${key}?qr=1`,
       tags: [],
     });
+    expect(LinkSchema.strict().parse(link)).toBeTruthy();
 
     await h.deleteLink(link.id);
   });
@@ -105,6 +108,7 @@ describe.sequential("POST /links", async () => {
       qrCode: `https://api.dub.co/qr?url=https://${domain}/${link.key}?qr=1`,
       tags: [],
     });
+    expect(LinkSchema.strict().parse(link)).toBeTruthy();
 
     await h.deleteLink(link.id);
   });
@@ -144,6 +148,7 @@ describe.sequential("POST /links", async () => {
       qrCode: `https://api.dub.co/qr?url=https://${domain}/${link.key}?qr=1`,
       tags: [],
     });
+    expect(LinkSchema.strict().parse(link)).toBeTruthy();
 
     await h.deleteLink(link.id);
   });
@@ -173,6 +178,7 @@ describe.sequential("POST /links", async () => {
       qrCode: `https://api.dub.co/qr?url=https://${domain}/${link.key}?qr=1`,
       tags: [],
     });
+    expect(LinkSchema.strict().parse(link)).toBeTruthy();
 
     await h.deleteLink(link.id);
   });
@@ -205,6 +211,7 @@ describe.sequential("POST /links", async () => {
       qrCode: `https://api.dub.co/qr?url=https://${domain}/${link.key}?qr=1`,
       tags: [],
     });
+    expect(LinkSchema.strict().parse(link)).toBeTruthy();
 
     await h.deleteLink(link.id);
   });
@@ -238,6 +245,7 @@ describe.sequential("POST /links", async () => {
       qrCode: `https://api.dub.co/qr?url=https://${domain}/${link.key}?qr=1`,
       tags: [],
     });
+    expect(LinkSchema.strict().parse(link)).toBeTruthy();
 
     await h.deleteLink(link.id);
   });
@@ -271,6 +279,7 @@ describe.sequential("POST /links", async () => {
       qrCode: `https://api.dub.co/qr?url=https://${domain}/${link.key}?qr=1`,
       tags: [],
     });
+    expect(LinkSchema.strict().parse(link)).toBeTruthy();
 
     await h.deleteLink(link.id);
   });
@@ -323,6 +332,7 @@ describe.sequential("POST /links", async () => {
       qrCode: `https://api.dub.co/qr?url=https://${domain}/${link.key}?qr=1`,
       tags: expect.arrayContaining(tags),
     });
+    expect(LinkSchema.strict().parse(link)).toBeTruthy();
 
     await Promise.all([
       ...tagIds.map((id) => h.deleteTag(id)),
@@ -358,6 +368,7 @@ describe.sequential("POST /links", async () => {
       qrCode: `https://api.dub.co/qr?url=https://${domain}/${link.key}?qr=1`,
       tags: [],
     });
+    expect(LinkSchema.strict().parse(link)).toBeTruthy();
 
     await h.deleteLink(link.id);
   });