Merge pull request #33040 from overleaf/em-parse-req-errors

Replace isZodErrorLike with custom error types in request validation

GitOrigin-RevId: 9cb453a2cde595a00f5049e4829ea9e3dbe17b28

services/notifications/app.ts

@@ -13,8 +13,10 @@ import methodOverride from 'method-override'
 import { mongoClient } from './app/js/mongodb.js'
 import NotificationsController from './app/js/NotificationsController.ts'
 import HealthCheckController from './app/js/HealthCheckController.ts'
-import { isZodErrorLike } from 'zod-validation-error'
-import { ParamsError } from '@overleaf/validation-tools'
+import {
+  InvalidParamsError,
+  InvalidRequestError,
+} from '@overleaf/validation-tools'
 
 const app = express()
 
@@ -56,10 +58,10 @@ const handleApiError: ErrorRequestHandler = (
   next: NextFunction
 ) => {
   req.logger.addFields({ err })
-  if (err instanceof ParamsError) {
+  if (err instanceof InvalidParamsError) {
     req.logger.setLevel('warn')
     res.sendStatus(404)
-  } else if (isZodErrorLike(err)) {
+  } else if (err instanceof InvalidRequestError) {
     req.logger.setLevel('warn')
     res.sendStatus(400)
   } else {

services/real-time/app/js/Router.js

@@ -40,7 +40,7 @@ export default Router = {
     attrs.client_id = client.id
     attrs.err = error
     attrs.method = method
-    if (isZodErrorLike(error)) {
+    if (attrs.validation && isZodErrorLike(error)) {
       logger.info(attrs, 'validation error')
       let message = 'invalid'
       try {
@@ -456,6 +456,7 @@ export default Router = {
           joinDocSchema.parse({ doc_id: docId, fromVersion, options })
         } catch (error) {
           return Router._handleError(callback, error, client, 'joinDoc', {
+            validation: 1,
             disconnect: 1,
           })
         }
@@ -485,6 +486,7 @@ export default Router = {
           zz.objectId().parse(docId)
         } catch (error) {
           return Router._handleError(callback, error, client, 'joinDoc', {
+            validation: 1,
             disconnect: 1,
           })
         }
@@ -570,6 +572,7 @@ export default Router = {
           applyOtUpdateSchema.parse({ doc_id: docId, update })
         } catch (error) {
           return Router._handleError(callback, error, client, 'applyOtUpdate', {
+            validation: 1,
             disconnect: 1,
           })
         }

services/web/app/src/Features/Errors/ErrorController.mjs

@@ -1,11 +1,14 @@
-import { isZodErrorLike, fromZodError } from 'zod-validation-error'
+import { fromZodError } from 'zod-validation-error'
+import {
+  InvalidRequestError,
+  InvalidParamsError,
+} from '@overleaf/validation-tools'
 import Errors, { NotFoundError } from './Errors.js'
 import SessionManager from '../Authentication/SessionManager.mjs'
 import SamlLogHandler from '../SamlLog/SamlLogHandler.mjs'
 import HttpErrorHandler from './HttpErrorHandler.mjs'
 import { plainTextResponse } from '../../infrastructure/Response.mjs'
 import { expressifyErrorHandler } from '@overleaf/promise-utils'
-import { ParamsError } from '@overleaf/validation-tools'
 
 function notFound(req, res) {
   res.status(404)
@@ -42,7 +45,7 @@ async function handleError(error, req, res, next) {
     if (shouldSendErrorResponse) {
       notFound(req, res)
     }
-  } else if (error instanceof ParamsError) {
+  } else if (error instanceof InvalidParamsError) {
     req.logger.setLevel('warn')
     if (shouldSendErrorResponse) {
       notFound(req, res)
@@ -104,11 +107,11 @@ async function handleError(error, req, res, next) {
       res.status(400)
       plainTextResponse(res, error.message)
     }
-  } else if (isZodErrorLike(error)) {
+  } else if (error instanceof InvalidRequestError) {
     req.logger.setLevel('warn')
     res.status(400)
     if (shouldSendErrorResponse) {
-      const validationError = fromZodError(error)
+      const validationError = fromZodError(error.zodError)
       res.render('general/400', { message: validationError.message })
     }
   } else {
@@ -126,7 +129,10 @@ async function handleError(error, req, res, next) {
 
 function handleApiError(err, req, res, next) {
   req.logger.addFields({ err })
-  if (err instanceof Errors.NotFoundError || err instanceof ParamsError) {
+  if (
+    err instanceof Errors.NotFoundError ||
+    err instanceof InvalidParamsError
+  ) {
     req.logger.setLevel('warn')
     res.sendStatus(404)
   } else if (
@@ -141,7 +147,7 @@ function handleApiError(err, req, res, next) {
   } else if (err instanceof Errors.ForbiddenError) {
     req.logger.setLevel('warn')
     res.sendStatus(403)
-  } else if (isZodErrorLike(err)) {
+  } else if (err instanceof InvalidRequestError) {
     req.logger.setLevel('warn')
     res.sendStatus(400)
   } else {

services/web/app/src/Features/Security/LoginRateLimiter.mjs

@@ -2,6 +2,7 @@ import { RateLimiter } from '../../infrastructure/RateLimiter.mjs'
 import { callbackify } from '@overleaf/promise-utils'
 import Settings from '@overleaf/settings'
 import EmailHelper from '../Helpers/EmailHelper.mjs'
+import { InvalidRequestError } from '@overleaf/validation-tools'
 
 const rateLimiterLoginEmail = new RateLimiter(
   'login',
@@ -12,7 +13,11 @@ const rateLimiterLoginEmail = new RateLimiter(
 )
 
 async function processLoginRequest(email) {
-  email = EmailHelper.emailSchema.parse(email)
+  try {
+    email = EmailHelper.emailSchema.parse(email)
+  } catch (err) {
+    throw new InvalidRequestError(err)
+  }
   try {
     await rateLimiterLoginEmail.consume(email, 1, {
       method: 'email',

services/web/app/src/infrastructure/Validation.mjs

@@ -2,7 +2,7 @@
 
 import { parseReq, z, zz } from '@overleaf/validation-tools'
 
-export { ParamsError, parseReq, z, zz } from '@overleaf/validation-tools'
+export { InvalidParamsError, parseReq, z, zz } from '@overleaf/validation-tools'
 
 export default {
   parseReq,

services/web/test/acceptance/src/AuthenticationTests.mjs

@@ -176,31 +176,12 @@ describe('Authentication', function () {
       }
     })
     it('should return 400 with bad email (missing @)', async function () {
-      const { statusCode, body } = await tryLoginWithEmail('foo')
+      const { statusCode } = await tryLoginWithEmail('foo')
       expect(statusCode).to.equal(400)
-      expect(body).to.deep.equal({
-        name: 'ZodValidationError',
-        details: [
-          { code: 'custom', path: [], message: 'Invalid email address' },
-        ],
-        statusCode: 400,
-      })
     })
     it('should return 400 with bad email (number)', async function () {
-      const { statusCode, body } = await tryLoginWithEmail(1)
+      const { statusCode } = await tryLoginWithEmail(1)
       expect(statusCode).to.equal(400)
-      expect(body).to.deep.equal({
-        name: 'ZodValidationError',
-        details: [
-          {
-            expected: 'string',
-            code: 'invalid_type',
-            path: [],
-            message: 'Invalid input: expected string, received number',
-          },
-        ],
-        statusCode: 400,
-      })
     })
   })
 })

services/web/test/acceptance/src/ProjectCRUDTests.mjs

@@ -219,14 +219,13 @@ describe('Project CRUD', function () {
     })
     it('returns a 400 when publicAccessLevel is an unsupported access level', async function () {
       await this.user.makePrivate(this.projectId)
-      const { response, body } = await this.user.doRequest('POST', {
+      const { response } = await this.user.doRequest('POST', {
         url: `/project/${this.projectId}/settings/admin`,
         json: {
           publicAccessLevel: 'readOnly',
         },
       })
       expect(response.statusCode).to.equal(400)
-      expect(body.details[0].message).to.equal('unexpected access level')
       const project = await Project.findById(this.projectId).exec()
       expect(project.publicAccesLevel).to.equal('private')
     })

services/web/test/acceptance/src/ProjectInviteTests.mjs

@@ -375,11 +375,6 @@ describe('ProjectInviteTests', function () {
                 return done(err)
               }
               expect(response.statusCode).to.equal(400)
-              expect(body.details).to.have.lengthOf(1)
-              expect(response.body.details[0].path).to.eql(['body', 'email'])
-              expect(response.body.details[0].message).to.equal(
-                'Invalid input: expected string, received object'
-              )
               done()
             }
           )
@@ -404,14 +399,6 @@ describe('ProjectInviteTests', function () {
                 return done(err)
               }
               expect(response.statusCode).to.equal(400)
-              expect(body.details).to.have.lengthOf(1)
-              expect(response.body.details[0].path).to.eql([
-                'body',
-                'privileges',
-              ])
-              expect(response.body.details[0].message).to.equal(
-                'Invalid option: expected one of "readOnly"|"readAndWrite"|"review"'
-              )
               done()
             }
           )

services/web/test/unit/src/Subscription/SubscriptionController.test.mjs

@@ -685,7 +685,7 @@ describe('SubscriptionController', function () {
       ctx.next = sinon.stub()
       await expect(
         ctx.SubscriptionController.pauseSubscription(ctx.req, ctx.res, ctx.next)
-      ).to.be.rejectedWith('Invalid params')
+      ).to.be.rejectedWith('Invalid request parameters')
     })
 
     it('should throw an error if an invalid pause length is provided', async function (ctx) {

services/web/test/unit/src/Tags/TagsController.test.mjs

@@ -1,6 +1,6 @@
 import { assert, beforeEach, describe, it, vi } from 'vitest'
 import sinon from 'sinon'
-import { ZodError } from 'zod'
+import { InvalidRequestError } from '@overleaf/validation-tools'
 
 const modulePath = '../../../../app/src/Features/Tags/TagsController.mjs'
 
@@ -202,7 +202,7 @@ describe('TagsController', function () {
     it('without a name', function (ctx) {
       ctx.req.body = { name: undefined }
       ctx.TagsController.renameTag(ctx.req, ctx.res).should.be.rejectedWith(
-        ZodError
+        InvalidRequestError
       )
     })
   })