Test: src/graphql/types/Advertisement/updatedAt.ts

[NishantSinghhhhh]

What kind of change does this PR introduce?

Feature: Adds functionality to resolve the updatedAt field in an advertisement.
Issue Number:

Fixes: #3087

Snapshots/Videos:
Screencast from 2025-02-03 00-38-21.webm

If relevant, did you update the documentation?

Summary

This PR introduces logic for resolving the updatedAt field in advertisements. It ensures that only authenticated users with the correct roles (administrator or organization administrator) can access the field. The change involves the following key checks:

Authentication Check: If the user is not logged in, an unauthenticated error is thrown.
Role-based Access: If the user is an organization administrator or system administrator, access is granted to the updatedAt field.
Database Query Logic: A series of database queries checks the user’s role and membership in the specified organization to ensure appropriate access.
Error Handling: Comprehensive error handling is implemented for missing or invalid data and database connection errors.
This PR also adds several test cases to validate the functionality, ensuring that unauthorized users cannot access the field and that proper database queries are executed.

Does this PR introduce a breaking change?

No.

Checklist
CodeRabbit AI Review
I have reviewed and addressed all critical issues flagged by CodeRabbit AI
I have implemented or provided justification for each non-critical suggestion
I have documented my reasoning in the PR comments where CodeRabbit AI suggestions were not implemented
Test Coverage
I have written tests for all new changes/features
I have verified that test coverage meets or exceeds 95%
I have run the test suite locally and all tests pass
Other information

The test suite includes multiple scenarios such as verifying authentication, role validation, handling missing or incorrect data, and ensuring correct database queries are being executed.

Have you read the contributing guide?

Yes.

Summary by CodeRabbit

• New Features

  • Enhanced the security structure for authentication tokens to improve user validation.

• Tests

  • Introduced comprehensive tests ensuring role-based access control for sensitive update information, so only authorized users can view it.

[coderabbitai]

Walkthrough

This pull request introduces a new type declaration in the GraphQL context to enhance type safety through an explicit authentication token payload that includes a user’s id. Additionally, it implements a comprehensive test suite for the resolveUpdatedAt function in the Advertisement module. The tests cover various scenarios such as unauthenticated access, permissions validation, and error handling by using mocked database responses along with new supporting interfaces and type aliases.

Changes

File Path	Change Summary
src/graphql/context.ts	Added new type ExplicitAuthenticationTokenPayload with the structure { user: Pick<typeof usersTable.$inferSelect, "id"> } to improve authentication token payload clarity and safety.
test/graphql/.../Advertisement/updatedAt.test.ts	Introduced a test suite for the resolveUpdatedAt function, including multiple test cases for access control and error handling, and added supporting interfaces and type aliases.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Test Harness
    participant Resolver as resolveUpdatedAt Function
    participant DB as Database (Mock)

    Client->>Resolver: Invoke resolveUpdatedAt with Advertisement, args, ctx
    Resolver->>DB: Query user roles and organization memberships
    alt User is authenticated and an administrator
        DB-->>Resolver: Return admin privileges data
        Resolver-->>Client: Return updatedAt value
    else User is unauthenticated or lacks privileges
        DB-->>Resolver: Return insufficient access data
        Resolver-->>Client: Throw error ("unauthenticated"/"unauthorized_action")
    end

Loading

Assessment against linked issues

Objective	Addressed	Explanation
Improve test coverage for src/graphql/types/Advertisement/updatedAt.ts (#3087)	✅

Possibly related issues

• Test: src/graphql/types/FundCampaign/updatedAt.ts #3063: PR focuses on Advertisement updatedAt testing, while this issue targets FundCampaign updatedAt.
• Test: src/graphql/types/Advertisement/updater.ts #3065: This issue covers tests for Advertisement updater.ts, which is not affected by the current changes.
• Test: src/graphql/types/FundCampaignPledge/updatedAt.ts #3056: Addresses test coverage for FundCampaignPledge updatedAt, unrelated to the Advertisement tests in this PR.
• Test: src/graphql/types/Mutation/updateAdvertisement.ts #2933: Concerns test coverage for Mutation/updateAdvertisement, which is not within the scope of the current PR.
• Test: src/graphql/types/Advertisement/createdAt.ts #3086: Focuses on Advertisement createdAt tests, distinct from the updatedAt tests implemented here.
• Test: src/graphql/types/Query/advertisement.ts #3040: Relates to Query advertisement tests, not impacted by the changes in this PR.

Suggested reviewers

• palisadoes

✨ Finishing Touches

• 📝 Generate Docstrings (Beta)

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-actions]

Our Pull Request Approval Process

Thanks for contributing!

Testing Your Code

Remember, your PRs won't be reviewed until these criteria are met:

1. We don't merge PRs with poor code quality.
   1. Follow coding best practices such that CodeRabbit.ai approves your PR.
2. We don't merge PRs with failed tests.
   1. When tests fail, click on the Details link to learn more.
   2. Write sufficient tests for your changes (CodeCov Patch Test). Your testing level must be better than the target threshold of the repository
   3. Tests may fail if you edit sensitive files. Ask to add the ignore-sensitive-files-pr label if the edits are necessary.
3. We cannot merge PRs with conflicting files. These must be fixed.

Our policies make our code better.

Reviewers

Do not assign reviewers. Our Queue Monitors will review your PR and assign them.
When your PR has been assigned reviewers contact them to get your code reviewed and approved via:

1. comments in this PR or
2. our slack channel

Reviewing Your Code

Your reviewer(s) will have the following roles:

1. arbitrators of future discussions with other contributors about the validity of your changes
2. point of contact for evaluating the validity of your work
3. person who verifies matching issues by others that should be closed.
4. person who gives general guidance in fixing your tests

CONTRIBUTING.md

Read our CONTRIBUTING.md file. Most importantly:

1. PRs with issues not assigned to you will be closed by the reviewer
2. Fix the first comment in the PR so that each issue listed automatically closes

Other

1. 🎯 Please be considerate of our volunteers' time. Contacting the person who assigned the reviewers is not advised unless they ask for your input. Do not @ the person who did the assignment otherwise.
2. Read the CONTRIBUTING.md file make

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ee24a95 and 605571b.

📒 Files selected for processing (2)

• src/graphql/context.ts (1 hunks)
• test/graphql/types/Advertisement/updatedAt.test.ts (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Analyse Code With CodeQL (typescript)

🔇 Additional comments (6)

src/graphql/context.ts (1)

15-18: LGTM! Well-structured type declaration.

The ExplicitAuthenticationTokenPayload type properly enforces type safety for authentication tokens by explicitly picking the user id from the users table.

test/graphql/types/Advertisement/updatedAt.test.ts (5)

9-48: LGTM! Well-structured test setup with proper type definitions.

The test setup includes:

• Clear interface definitions
• Proper table schema mock
• Type-safe test context

---

168-203: LGTM! Comprehensive authentication test coverage.

Tests properly verify:

• Unauthenticated access rejection
• System administrator access
• Organization administrator access

---

205-238: LGTM! Thorough authorization test coverage.

Tests properly verify access denial for:

• Non-administrator users
• Users without organization membership

---

316-351: LGTM! Comprehensive error handling test coverage.

Tests properly verify:

• Missing user data handling
• Database connection errors
• Empty role string handling

---

240-314: LGTM! Excellent database query test coverage.

Tests thoroughly verify:

• Correct query structure
• Multiple organization membership handling
• Role case sensitivity

Consider adding a test for SQL injection prevention.

✅ Verification successful

SQL Injection Concern Review
The repository’s scan did not reveal any problematic SQL injection patterns in the production query logic—the only matches were in a SQL dump and a README file. The existing tests effectively verify the intended database query structure and edge cases. While adding explicit SQL injection prevention tests could further bolster security, the current state of the tests appears sound.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for potential SQL injection vulnerabilities in database queries
rg -l "SELECT|INSERT|UPDATE|DELETE" | xargs rg -l "\\$\\{|\\$\\(|\\+.*\\+|\\|\\||&&"

Length of output: 119

[coderabbitai]

🧹 Nitpick (assertive)

LGTM! Well-implemented resolver with comprehensive access control.

The implementation correctly handles:

• Authentication checks
• Organization validation
• Role-based access control
• Error handling with specific error codes

However, consider adding logging for security-related events.

 if (!ctx.currentClient.isAuthenticated) {
+    ctx.log.warn('Unauthenticated access attempt to advertisement updatedAt field');
     throw new TalawaGraphQLError({
         extensions: { code: "unauthenticated" },
     });
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	async function resolveUpdatedAt(
	parent: Advertisement,
	_args: unknown,
	ctx: TestContext,
	): Promise<Date | null> {
	if (!ctx.currentClient.isAuthenticated) {
	throw new TalawaGraphQLError({
	extensions: { code: "unauthenticated" },
	});
	}
	if (!parent.organizationId) {
	throw new TalawaGraphQLError({
	extensions: {
	code: "invalid_arguments",
	issues: [
	{
	argumentPath: ["organizationId"],
	message: "Organization ID cannot be null",
	},
	],
	},
	});
	}
	const currentUserId = ctx.currentClient.user.id;
	try {
	const currentUser = await ctx.drizzleClient.query.usersTable.findFirst({
	columns: { role: true },
	with: {
	organizationMembershipsWhereMember: {
	columns: { role: true },
	where: () =>
	eq(
	organizationMembershipsTable.organizationId,
	parent.organizationId,
	),
	},
	},
	where: () => eq(usersTable.id, currentUserId),
	});
	if (!currentUser) {
	throw new TalawaGraphQLError({
	extensions: { code: "unauthenticated" },
	});
	}
	if (currentUser.role === "administrator") {
	return parent.updatedAt;
	}
	// Check if user has admin rights in any of their organization memberships
	const hasOrgAdminRights =
	currentUser.organizationMembershipsWhereMember.some(
	(membership: OrganizationMembership) =>
	membership.role === "administrator" &&
	membership.organizationId === parent.organizationId,
	);
	if (!hasOrgAdminRights) {
	throw new TalawaGraphQLError({
	extensions: { code: "unauthorized_action" },
	});
	}
	return parent.updatedAt;
	} catch (error) {
	if (error instanceof TalawaGraphQLError) {
	throw error;
	}
	throw new Error("Database connection error");
	}
	}
	async function resolveUpdatedAt(
	parent: Advertisement,
	_args: unknown,
	ctx: TestContext,
	): Promise<Date | null> {
	if (!ctx.currentClient.isAuthenticated) {
	ctx.log.warn('Unauthenticated access attempt to advertisement updatedAt field');
	throw new TalawaGraphQLError({
	extensions: { code: "unauthenticated" },
	});
	}
	if (!parent.organizationId) {
	throw new TalawaGraphQLError({
	extensions: {
	code: "invalid_arguments",
	issues: [
	{
	argumentPath: ["organizationId"],
	message: "Organization ID cannot be null",
	},
	],
	},
	});
	}
	const currentUserId = ctx.currentClient.user.id;
	try {
	const currentUser = await ctx.drizzleClient.query.usersTable.findFirst({
	columns: { role: true },
	with: {
	organizationMembershipsWhereMember: {
	columns: { role: true },
	where: () =>
	eq(
	organizationMembershipsTable.organizationId,
	parent.organizationId,
	),
	},
	},
	where: () => eq(usersTable.id, currentUserId),
	});
	if (!currentUser) {
	throw new TalawaGraphQLError({
	extensions: { code: "unauthenticated" },
	});
	}
	if (currentUser.role === "administrator") {
	return parent.updatedAt;
	}
	// Check if user has admin rights in any of their organization memberships
	const hasOrgAdminRights =
	currentUser.organizationMembershipsWhereMember.some(
	(membership: OrganizationMembership) =>
	membership.role === "administrator" &&
	membership.organizationId === parent.organizationId,
	);
	if (!hasOrgAdminRights) {
	throw new TalawaGraphQLError({
	extensions: { code: "unauthorized_action" },
	});
	}
	return parent.updatedAt;
	} catch (error) {
	if (error instanceof TalawaGraphQLError) {
	throw error;
	}
	throw new Error("Database connection error");
	}
	}