fix(signature-collection): Tweaks for parliamentary collection

[juni-haukur]

...

• IsOwner - allow delegations
• Signatures - show invalid signatures as well
• listbyid - prevent users from seeing lists they do not own
• admin - fix cansign from paper

What

Specify what you're trying to achieve

Why

Specify why you need to achieve this

Screenshots / Gifs

Attach Screenshots / Gifs to help reviewers understand the scope of the pull request

Checklist:

• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• Formatting passes locally with my changes
• I have rebased against main before asking for a review

Summary by CodeRabbit

• New Features

  • Enhanced access control for signature collection methods.
  • Improved functionality for checking signing permissions based on the signee context.

• Bug Fixes

  • Streamlined mapping of signatures in the shared client service, though this may include invalid signatures.

• Documentation

  • Updated method signatures and return types for clarity and improved functionality.

[coderabbitai]

Walkthrough

The changes in this pull request involve modifications to the SignatureCollectionResolver, SignatureCollectionService, SignatureCollectionAdminResolver, and SignatureCollectionAdminService classes to enhance access control and update method signatures. New parameters related to the signee context have been introduced, and several methods have been updated to reflect these changes. Additionally, the SignatureCollectionSharedClientService class has been modified to streamline the mapping of signatures.

Changes

File	Change Summary
libs/api/domains/signature-collection/src/lib/signatureCollection.resolver.ts	- Updated method signatures for signatureCollectionList, signatureCollectionCanSignFromPaper, and added @AllowManager() to signatureCollectionIsOwner.
libs/api/domains/signature-collection/src/lib/signatureCollection.service.ts	- Updated method signatures for list and canSignFromPaper, added NotFoundException and UnauthorizedException, and introduced checkListAccess method for validating access based on signee.
libs/api/domains/signature-collection/src/lib/signatureCollectionAdmin.resolver.ts	- Changed return type of signatureCollectionAdminCanSignInfo from Promise<CanSignInfo> to Promise<SignatureCollectionSuccess> and updated method to use listId. Removed import for CanSignInfo.
libs/api/domains/signature-collection/src/lib/signatureCollectionAdmin.service.ts	- Updated getCanSignInfo method signature and logic to use listId instead of nationalId, changing return type to Promise<SignatureCollectionSuccess>.
libs/clients/signature-collection/src/lib/signature-collection-shared.service.ts	- Modified getSignatures method to streamline mapping of signatures, returning mapped signatures directly without filtering.

Possibly related PRs

• feat(signature-collection-api): Expose canSign/info #16061: The signatureCollectionCanSign method in the SignatureCollectionResolver was modified to include a new input type, which relates to the changes made in the main PR regarding the handling of signee parameters.
• fix(service-portal): Tweaks for parliamentary signature collection #16123: The introduction of the SignatureCollectionCanSignFromPaperInput class and the corresponding method updates in the SignatureCollectionResolver align with the changes in the main PR that enhance access control and method signatures.
• fix(signature-collection): Not stop paper signatures when already signed #16137: The modifications to the canSignFromPaper method in the SignatureCollectionService reflect similar changes in the main PR, focusing on the logic for determining signing eligibility based on the signee.
• fix(signature-collection): Get candidate collectors #16146: The addition of the signatureCollectionCollectors method in the SignatureCollectionResolver is related to the changes in the main PR that enhance the resolver's capabilities and access control.
• feat(signature-collection): Signature lookup for admin #16232: The introduction of the signatureCollectionSignatureLookup method in the SignatureCollectionAdminResolver is relevant as it expands the functionality of the resolver, similar to the enhancements made in the main PR.
• feat(signature-collection): Admin lock signature list endpoint #16250: The new signatureCollectionLockList method in the SignatureCollectionAdminResolver is related to the main PR's focus on enhancing administrative capabilities within the signature collection context.

Suggested reviewers

• kksteini

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 5895cfe and 1b28b6f.

📒 Files selected for processing (1)

• libs/api/domains/signature-collection/src/lib/signatureCollection.resolver.ts (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• libs/api/domains/signature-collection/src/lib/signatureCollection.resolver.ts

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 36.76%. Comparing base (1d5a051) to head (1b28b6f).
Report is 3 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #16407      +/-   ##
==========================================
+ Coverage   36.73%   36.76%   +0.02%     
==========================================
  Files        6808     6807       -1     
  Lines      141061   140972      -89     
  Branches    40217    40140      -77     
==========================================
+ Hits        51817    51826       +9     
+ Misses      89244    89146      -98     

Flag	Coverage Δ
api	3.37% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

see 17 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1563a0d...1b28b6f. Read the comment docs.

[datadog-island-is]

Datadog Report

Branch report: fix/signature-collection-parliamentary-tweaks
Commit report: f475732
Test service: api

✅ 0 Failed, 4 Passed, 0 Skipped, 3.22s Total Time
➡️ Test Sessions change in coverage: 1 no change

[coderabbitai]

Actionable comments posted: 4

🧹 Outside diff range and nitpick comments (1)

libs/api/domains/signature-collection/src/lib/signatureCollectionAdmin.service.ts (1)

57-70: Consider adding error handling and refactoring for better separation of concerns.

While the overall logic improvement is good, there are a few suggestions to enhance the code:

1. Add error handling for the API calls to getSignee and list. These could potentially fail and throw exceptions.

2. Consider refactoring this method to adhere better to the Single Responsibility Principle. It's currently fetching data and determining eligibility. These could potentially be separated.

Here's a suggested refactoring:

async getCanSignInfo(
  auth: User,
  nationalId: string,
  listId: string,
): Promise<SignatureCollectionSuccess> {
  try {
    const [signatureSignee, list] = await Promise.all([
      this.signatureCollectionBasicService.getSignee(auth, nationalId),
      this.list(listId, auth)
    ]);

    const canSign = this.determineCanSign(signatureSignee);
    const success = canSign && list.area.id === signatureSignee.area?.id;

    return {
      success,
      reasons: success ? [] : signatureSignee.canSignInfo,
    };
  } catch (error) {
    // Log the error and return a failure response
    console.error('Error in getCanSignInfo:', error);
    return { success: false, reasons: [ReasonKey.UnknownError] };
  }
}

private determineCanSign(signatureSignee: any): boolean {
  return signatureSignee.canSign ||
    (signatureSignee.canSignInfo?.length === 1 &&
      (signatureSignee.canSignInfo[0] === ReasonKey.AlreadySigned ||
        signatureSignee.canSignInfo[0] === ReasonKey.noInvalidSignature));
}

This refactoring:

• Adds error handling
• Uses Promise.all for concurrent API calls
• Extracts the canSign logic into a separate method
• Improves readability and maintainability

Despite these suggestions, the overall logic improvement in determining signing eligibility is commendable. The new implementation provides a more comprehensive check, including area validation.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between a0d9ae7 and cc8d651.

📒 Files selected for processing (5)

• libs/api/domains/signature-collection/src/lib/signatureCollection.resolver.ts (3 hunks)
• libs/api/domains/signature-collection/src/lib/signatureCollection.service.ts (4 hunks)
• libs/api/domains/signature-collection/src/lib/signatureCollectionAdmin.resolver.ts (1 hunks)
• libs/api/domains/signature-collection/src/lib/signatureCollectionAdmin.service.ts (1 hunks)
• libs/clients/signature-collection/src/lib/signature-collection-shared.service.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (5)

libs/api/domains/signature-collection/src/lib/signatureCollection.resolver.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

libs/api/domains/signature-collection/src/lib/signatureCollection.service.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

libs/api/domains/signature-collection/src/lib/signatureCollectionAdmin.resolver.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

libs/api/domains/signature-collection/src/lib/signatureCollectionAdmin.service.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

libs/clients/signature-collection/src/lib/signature-collection-shared.service.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

🔇 Additional comments (3)

libs/api/domains/signature-collection/src/lib/signatureCollectionAdmin.resolver.ts (1)

50-60: LGTM! Simplified method implementation.

The changes to the signatureCollectionAdminCanSignInfo method look good. The simplification improves readability and maintainability. The return type change from CanSignInfo to SignatureCollectionSuccess aligns with the updated implementation.

To ensure these changes don't have unintended consequences, please verify:

1. The SignatureCollectionAdminService.getCanSignInfo method signature matches this update.
2. All callers of signatureCollectionAdminCanSignInfo are updated to handle the new return type.

Run the following script to check for potential issues:

libs/api/domains/signature-collection/src/lib/signatureCollection.resolver.ts (2)

Line range hint 48-54: Method signatureCollectionIsOwner correctly returns ownership status

The signatureCollectionIsOwner method appropriately checks if the current signee is the owner and returns the result as a SignatureCollectionSuccess object. The use of decorators @AllowManager(), @Scopes(ApiScope.signatureCollection), and @Audit() is appropriate and enhances access control and auditing.

---

101-104: Addition of signee parameter to signatureCollectionList method

Including @CurrentSignee() signee: SignatureCollectionSignee in the method signature ensures that the signee context is properly passed to the service layer. Updating the service call to this.signatureCollectionService.list(input.listId, user, signee) correctly incorporates the signee parameter.

[coderabbitai]

Actionable comments posted: 3

🧹 Outside diff range and nitpick comments (1)

libs/api/domains/signature-collection/src/lib/signatureCollection.service.ts (1)

167-181: Clarify variable naming to avoid confusion

The variables signee and signatureSignee have similar names, which might cause confusion. Consider renaming signatureSignee to improve readability.

Suggested change:

• Rename signatureSignee to targetSignee or paperSignee to differentiate it from signee.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between a0d9ae7 and cc8d651.

📒 Files selected for processing (5)

• libs/api/domains/signature-collection/src/lib/signatureCollection.resolver.ts (3 hunks)
• libs/api/domains/signature-collection/src/lib/signatureCollection.service.ts (4 hunks)
• libs/api/domains/signature-collection/src/lib/signatureCollectionAdmin.resolver.ts (1 hunks)
• libs/api/domains/signature-collection/src/lib/signatureCollectionAdmin.service.ts (1 hunks)
• libs/clients/signature-collection/src/lib/signature-collection-shared.service.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (5)

libs/api/domains/signature-collection/src/lib/signatureCollection.resolver.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

libs/api/domains/signature-collection/src/lib/signatureCollection.service.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

libs/api/domains/signature-collection/src/lib/signatureCollectionAdmin.resolver.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

libs/api/domains/signature-collection/src/lib/signatureCollectionAdmin.service.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

libs/clients/signature-collection/src/lib/signature-collection-shared.service.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

🔇 Additional comments (7)

libs/api/domains/signature-collection/src/lib/signatureCollectionAdmin.resolver.ts (2)

Line range hint 1-310: LGTM: Well-structured resolver adhering to coding guidelines

The SignatureCollectionAdminResolver class is well-structured and follows good practices:

1. Proper use of TypeScript for type definitions.
2. Effective use of decorators for authentication, authorization, and auditing.
3. Clear separation of concerns between different query and mutation methods.
4. Reusable design suitable for use across different NextJS apps.

The code structure supports effective tree-shaking and bundling. Keep up the good work in maintaining clean and reusable code!

---

50-60: ⚠️ Potential issue

Verify the impact of the return type change and update related components.

The signatureCollectionAdminCanSignInfo method has been updated to return Promise<SignatureCollectionSuccess> instead of Promise<CanSignInfo>. This change simplifies the method and aligns it with the underlying service method. However, it may impact clients expecting the old CanSignInfo structure.

1. Ensure that all clients using this method are updated to handle the new return type.
2. Update any documentation or API specifications to reflect this change.
3. Consider adding a comment explaining the reason for this change, especially if it's part of a larger refactoring effort.

To verify the impact of this change, run the following script:

This script will help identify any potential areas that need to be updated due to the change in return type.

✅ Verification successful

Impact of Return Type Change Verified Successfully.

The signatureCollectionAdminCanSignInfo method now returns Promise<SignatureCollectionSuccess>, and based on the analysis:

1. Internal Usage:

   • No other internal components depend on this method beyond the resolver itself.

2. External Clients:

   • Ensure that any external clients or API consumers are updated to handle the new SignatureCollectionSuccess return type.

3. Documentation:

   • Update all relevant documentation and API specifications to reflect the change in return type.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for usages of CanSignInfo type and signatureCollectionAdminCanSignInfo method

# Search for CanSignInfo type usage
echo "Searching for CanSignInfo type usage:"
rg --type typescript "CanSignInfo"

# Search for signatureCollectionAdminCanSignInfo method calls
echo "Searching for signatureCollectionAdminCanSignInfo method calls:"
rg --type typescript "signatureCollectionAdminCanSignInfo"

Length of output: 385

---

Script:

#!/bin/bash
# Description: Check for usages of CanSignInfo type and signatureCollectionAdminCanSignInfo method

# Search for CanSignInfo type usage in .ts and .tsx files
echo "Searching for CanSignInfo type usage in TypeScript files:"
fd --type f --extension ts --extension tsx | xargs rg "CanSignInfo"

# Search for signatureCollectionAdminCanSignInfo method calls in .ts and .tsx files
echo "Searching for signatureCollectionAdminCanSignInfo method calls in TypeScript files:"
fd --type f --extension ts --extension tsx | xargs rg "signatureCollectionAdminCanSignInfo"

Length of output: 1255

libs/api/domains/signature-collection/src/lib/signatureCollection.service.ts (2)

1-5: Imports added appropriately

The necessary exceptions NotFoundException and UnauthorizedException have been imported from @nestjs/common for use in the service.

---

95-99: Method list updated to include signee parameter

The method signature now includes signee: SignatureCollectionSignee to enforce access control by checking list ownership with checkListAccess.

libs/api/domains/signature-collection/src/lib/signatureCollection.resolver.ts (3)

48-48: Appropriate use of @AllowManager() decorator

Adding the @AllowManager() decorator to signatureCollectionIsOwner allows managers to access this method, aligning with the PR objective to allow delegations and enhance access control.

---

101-104: Enhancement: Added @CurrentSignee() parameter to signatureCollectionList

Including the @CurrentSignee() signee parameter in the signatureCollectionList method and passing it to the service ensures that the signee's context is correctly incorporated, enhancing security by preventing users from accessing lists they do not own. This change supports the PR objective to restrict access to lists.

---

145-151: Update: Added @CurrentSignee() parameter to signatureCollectionCanSignFromPaper

By adding the @CurrentSignee() signee parameter and passing it to canSignFromPaper, the method now accurately reflects the signee's context, ensuring proper permission checks for signing from paper. This addresses the PR objective to fix the "cansign" feature for paper signatures.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between cc8d651 and 5895cfe.

📒 Files selected for processing (1)

• libs/api/domains/signature-collection/src/lib/signatureCollection.service.ts (4 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

libs/api/domains/signature-collection/src/lib/signatureCollection.service.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

🔇 Additional comments (3)

libs/api/domains/signature-collection/src/lib/signatureCollection.service.ts (3)

1-5: LGTM: New imports are consistent with the changes.

The addition of NotFoundException and UnauthorizedException imports aligns well with the new error handling in the checkListAccess method.

---

95-101: LGTM: Enhanced access control in the list method.

The updated list method now includes proper access control by:

1. Adding the signee parameter to the method signature.
2. Utilizing the checkListAccess method to verify ownership before retrieving the list.

These changes effectively implement the principle of least privilege and improve the overall security of the application.

---

35-39: 🛠️ Refactor suggestion

LGTM: New checkListAccess method enhances access control.

The new method effectively verifies list ownership before allowing access. Consider a minor improvement:

Remove the redundant || false from the condition:

-    if (!signee.ownedLists?.some((list) => list.id === listId) || false) {
+    if (!signee.ownedLists?.some((list) => list.id === listId)) {

This simplifies the condition without changing its behavior.

Likely invalid or redundant comment.