controllers/helpers/pagination: Return 400 Bad Request for invalid seek parameters (#7775)

Turbo87 · web-flow · commit 2945bfd7b108 · 2023-12-20T14:33:25.000+01:00
well... it's still `200 OK` due to the cargo rewrite middleware, but it would be 400 if that wasn't there...
diff --git a/src/controllers/helpers/pagination.rs b/src/controllers/helpers/pagination.rs
@@ -248,7 +248,7 @@ pub(crate) struct RawSeekPayload(String);
 
 impl RawSeekPayload {
     pub(crate) fn decode<D: for<'a> Deserialize<'a>>(&self) -> AppResult<D> {
-        decode_seek(&self.0)
+        decode_seek(&self.0).map_err(|_| bad_request("invalid seek parameter"))
     }
 }
 
@@ -294,7 +294,7 @@ pub(crate) fn encode_seek<S: Serialize>(params: S) -> AppResult<String> {
 }
 
 /// Decode a list of params previously encoded with [`encode_seek`].
-pub(crate) fn decode_seek<D: for<'a> Deserialize<'a>>(seek: &str) -> AppResult<D> {
+pub(crate) fn decode_seek<D: for<'a> Deserialize<'a>>(seek: &str) -> anyhow::Result<D> {
     let decoded = serde_json::from_slice(&general_purpose::URL_SAFE_NO_PAD.decode(seek)?)?;
     Ok(decoded)
 }
diff --git a/src/tests/routes/crates/list.rs b/src/tests/routes/crates/list.rs
@@ -6,6 +6,7 @@ use crates_io::schema::crates;
 use diesel::{dsl::*, prelude::*, update};
 use googletest::prelude::*;
 use http::StatusCode;
+use insta::assert_json_snapshot;
 
 #[test]
 fn index() {
@@ -793,6 +794,15 @@ fn test_pages_work_even_with_seek_based_pagination() {
     assert!(second.meta.next_page.unwrap().contains("page=3"));
 }
 
+#[test]
+fn invalid_seek_parameter() {
+    let (_app, anon, _cookie) = TestApp::init().with_user();
+
+    let response = anon.get::<()>("/api/v1/crates?seek=broken");
+    assert_eq!(response.status(), StatusCode::OK);
+    assert_json_snapshot!(response.into_json());
+}
+
 #[test]
 fn pagination_parameters_only_accept_integers() {
     let (app, anon, user) = TestApp::init().with_user();
diff --git a/src/tests/routes/crates/snapshots/all__routes__crates__list__invalid_seek_parameter.snap b/src/tests/routes/crates/snapshots/all__routes__crates__list__invalid_seek_parameter.snap
@@ -0,0 +1,11 @@
+---
+source: src/tests/routes/crates/list.rs
+expression: response.into_json()
+---
+{
+  "errors": [
+    {
+      "detail": "invalid seek parameter"
+    }
+  ]
+}

Original file line number	Diff line number	Diff line change
`@@ -248,7 +248,7 @@ pub(crate) struct RawSeekPayload(String);`
`248`	`248`
`249`	`249`	`impl RawSeekPayload {`
`250`	`250`	`pub(crate) fn decode<D: for<'a> Deserialize<'a>>(&self) -> AppResult<D> {`
`251`		`- decode_seek(&self.0)`
	`251`	`+ decode_seek(&self.0).map_err(\|_\| bad_request("invalid seek parameter"))`
`252`	`252`	`}`
`253`	`253`	`}`
`254`	`254`
`@@ -294,7 +294,7 @@ pub(crate) fn encode_seek<S: Serialize>(params: S) -> AppResult<String> {`
`294`	`294`	`}`
`295`	`295`
`296`	`296`	/// Decode a list of params previously encoded with [`encode_seek`].
`297`		`-pub(crate) fn decode_seek<D: for<'a> Deserialize<'a>>(seek: &str) -> AppResult<D> {`
	`297`	`+pub(crate) fn decode_seek<D: for<'a> Deserialize<'a>>(seek: &str) -> anyhow::Result<D> {`
`298`	`298`	`let decoded = serde_json::from_slice(&general_purpose::URL_SAFE_NO_PAD.decode(seek)?)?;`
`299`	`299`	`Ok(decoded)`
`300`	`300`	`}`