mark-hartmann / jsonapi Goto Github PK

Right now, this package supports go 1.13+, which was released almost three and a half years ago and is no longer supported since go 1.15.

Theoretically everything works in go 1.13, but sticking to this version excludes newer features that might be helpful, so support should be updated to at least 1.16. Perhaps it's not a bad idea to follow the release policy of go itself.

When generating the self link, a fieldset for the underlying resource of the relationship is specified as query parameter, although the result is not of type resource.

/type/id/relationships/relname => self: /type/id/relationships/relname?fields%5Breltype%5D=x%2Cy%2Cz

The godoc of the NewRequest function says:

schema can be nil, in which case no checks will be done [...]

however the schema is needed in both the NewURL and the UnmarshalDocument function.

In the NewURLFromRaw function it is checked if NewSimpleURL returns an error:

su, err := NewSimpleURL(url)
if err != nil {
    return nil, err
}

However, NewSimpleURL returns an error only if the pointer to url is nil, which cannot happen because we return early if the url failed to parse.

Under certain circumstances it is possible that an incorrect url is assembled. This is especially seen in the TestMarshalDocument tests where URLs like /fake/path?fields%5Bmocktype% are generated when no fields are passed (len(u.Params.Fields[type]) == 0).

This happens because there is no check if the slice is empty or not, and instead of four characters only three are cut away.

The following attribute names are forbidden in the json schema: relationships, links, id, type:

"attributes": {
  "description": "Members of the attributes object (\"attributes\") represent information about the resource object in which it's defined.",
  "type": "object",
  "patternProperties": {
    "^[a-zA-Z0-9](?:[-\\w]*[a-zA-Z0-9])?$": {
      "description": "Attributes may contain any valid JSON value."
    }
  },
  "not": {
    "anyOf": [
      {"required": ["relationships"]},
      {"required": ["links"]},
      {"required": ["id"]},
      {"required": ["type"]}
    ]
  },
  "additionalProperties": false
}

The solution is quite simple and can be easily integrated into the existing Schema.Check function, where it is only a matter of iterating the attributes and checking their names. The attribute names must also be checked against the regex defined in the patternProperties member: ^[a-zA-Z0-9](?:[-\\w]*[a-zA-Z0-9])?$.

When creating these two structs, some fields are initialized with an empty map or an empty slice, others are not:

sURL := SimpleURL{
    Fragments: []string{},
    Route:     "",
    // implicit Page: nil
    Fields:       map[string][]string{},
    Filter:       nil,
    SortingRules: []string{},
    Include:      []string{},
    Params:       map[string][]string{},
}

It should be either/or, but not both.

When generating the payload, the plMap is converted into a byte array using json.Marshal. HTML characters like & and </> are converted to unicode, apparently so that some older browsers do not confuse them with HTML.

However, this causes problems, especially with link-members, because they are then output, for example, like this: /test?foo=bar\\u0026baz=123.

This affects multiple parts of the package (e.g. Meta-objects), and you can't expect the client to un-escape everything.

Solution:

Replace relevant areas with appropriately configured json-encoder:

buf := new(bytes.Buffer)
enc := json.NewEncoder(buf)
enc.SetEscapeHTML(false)
_ = enc.Encode(data)

// return buf.Bytes();

Methods of Schema or Type, such as Type.AddRel() or Schema.AddAttr() should really panic and not return an error, because these are not runtime errors, which are for example due to faulty requests made by a user, but represent a serious programming problem. An invalid schema makes an application practically unusable.

This would also simplify the signatures and reduce the amount of unnecessary error handling. So instead of :

import "github.com/mark-hartmann/jsonapi"

func main() {
    schema := &jsonapi.Schema{}
    if err := schema.AddType(TypeOne); err != nil {
        // ...
    }
    if err := schema.AddType(TypeTwo); err != nil {
        // ...
    }
    if err := schema.AddType(TypeThree); err != nil {
        // ...
    }

    if errs := schema.Check(); len(errs) != 0 {
	panic("schema build failed")
    }
}

We could simply write:

import "github.com/mark-hartmann/jsonapi"

func main() {
    schema := &jsonapi.Schema{}
    schema.AddType(TypeOne)
    schema.AddType(TypeTwo)
    schema.AddType(TypeThree)

    schema.Check()
}