feat: monolithic env var editing with bulk save (#158)
All checks were successful
Check / check (push) Successful in 6s
All checks were successful
Check / check (push) Successful in 6s
This PR fixes env var handling by consolidating individual add/edit/delete operations into a single monolithic bulk save.
## Changes
- **Template**: Restored original table-based UI with key/value rows, edit/delete buttons, and add form. Uses Alpine.js to manage the env var list client-side. On form submit, all env vars are collected into a hidden textarea and POSTed as a single bulk request.
- **Handler**: `HandleEnvVarSave` atomically replaces all env vars (DELETE all + INSERT full set).
- **Routes**: Single `POST /apps/{id}/env` endpoint replaces individual env var CRUD routes.
- **Models**: Added `DeleteEnvVarsByAppID` and `FindEnvVarsByAppID` for bulk operations.
closes #156
closes #163
Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de>
Co-authored-by: Jeffrey Paul <sneak@noreply.example.org>
Co-authored-by: user <user@Mac.lan guest wan>
Reviewed-on: #158
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>
This commit was merged in pull request #158.
This commit is contained in:
@@ -560,45 +560,242 @@ func testOwnershipVerification(t *testing.T, cfg ownedResourceTestConfig) {
|
||||
cfg.verifyFn(t, testCtx, resourceID)
|
||||
}
|
||||
|
||||
// TestDeleteEnvVarOwnershipVerification tests that deleting an env var
|
||||
// via another app's URL path returns 404 (IDOR prevention).
|
||||
func TestDeleteEnvVarOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern
|
||||
// TestHandleEnvVarSaveBulk tests that HandleEnvVarSave replaces all env vars
|
||||
// for an app with the submitted set (monolithic delete-all + insert-all).
|
||||
func TestHandleEnvVarSaveBulk(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testOwnershipVerification(t, ownedResourceTestConfig{
|
||||
appPrefix1: "envvar-owner-app",
|
||||
appPrefix2: "envvar-other-app",
|
||||
createFn: func(t *testing.T, tc *testContext, ownerApp *models.App) int64 {
|
||||
t.Helper()
|
||||
testCtx := setupTestHandlers(t)
|
||||
createdApp := createTestApp(t, testCtx, "envvar-bulk-app")
|
||||
|
||||
envVar := models.NewEnvVar(tc.database)
|
||||
envVar.AppID = ownerApp.ID
|
||||
envVar.Key = "SECRET"
|
||||
envVar.Value = "hunter2"
|
||||
require.NoError(t, envVar.Save(context.Background()))
|
||||
// Create some pre-existing env vars
|
||||
for _, kv := range [][2]string{{"OLD_KEY", "old_value"}, {"REMOVE_ME", "gone"}} {
|
||||
ev := models.NewEnvVar(testCtx.database)
|
||||
ev.AppID = createdApp.ID
|
||||
ev.Key = kv[0]
|
||||
ev.Value = kv[1]
|
||||
require.NoError(t, ev.Save(context.Background()))
|
||||
}
|
||||
|
||||
return envVar.ID
|
||||
},
|
||||
deletePath: func(appID string, resourceID int64) string {
|
||||
return "/apps/" + appID + "/env/" + strconv.FormatInt(resourceID, 10) + "/delete"
|
||||
},
|
||||
chiParams: func(appID string, resourceID int64) map[string]string {
|
||||
return map[string]string{"id": appID, "varID": strconv.FormatInt(resourceID, 10)}
|
||||
},
|
||||
handler: func(h *handlers.Handlers) http.HandlerFunc { return h.HandleEnvVarDelete() },
|
||||
verifyFn: func(t *testing.T, tc *testContext, resourceID int64) {
|
||||
t.Helper()
|
||||
// Submit a new set as a JSON array of key/value objects
|
||||
body := `[{"key":"NEW_KEY","value":"new_value"},{"key":"ANOTHER","value":"42"}]`
|
||||
|
||||
found, findErr := models.FindEnvVar(context.Background(), tc.database, resourceID)
|
||||
require.NoError(t, findErr)
|
||||
assert.NotNil(t, found, "env var should still exist after IDOR attempt")
|
||||
},
|
||||
})
|
||||
r := chi.NewRouter()
|
||||
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
|
||||
|
||||
request := httptest.NewRequest(
|
||||
http.MethodPost,
|
||||
"/apps/"+createdApp.ID+"/env",
|
||||
strings.NewReader(body),
|
||||
)
|
||||
request.Header.Set("Content-Type", "application/json")
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
r.ServeHTTP(recorder, request)
|
||||
|
||||
assert.Equal(t, http.StatusOK, recorder.Code)
|
||||
|
||||
// Verify old env vars are gone and new ones exist
|
||||
envVars, err := models.FindEnvVarsByAppID(
|
||||
context.Background(), testCtx.database, createdApp.ID,
|
||||
)
|
||||
require.NoError(t, err)
|
||||
assert.Len(t, envVars, 2)
|
||||
|
||||
keys := make(map[string]string)
|
||||
for _, ev := range envVars {
|
||||
keys[ev.Key] = ev.Value
|
||||
}
|
||||
|
||||
assert.Equal(t, "new_value", keys["NEW_KEY"])
|
||||
assert.Equal(t, "42", keys["ANOTHER"])
|
||||
assert.Empty(t, keys["OLD_KEY"], "old env vars should be deleted")
|
||||
assert.Empty(t, keys["REMOVE_ME"], "old env vars should be deleted")
|
||||
}
|
||||
|
||||
// TestHandleEnvVarSaveAppNotFound tests that HandleEnvVarSave returns 404
|
||||
// for a non-existent app.
|
||||
func TestHandleEnvVarSaveAppNotFound(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testCtx := setupTestHandlers(t)
|
||||
|
||||
body := `[{"key":"KEY","value":"value"}]`
|
||||
|
||||
r := chi.NewRouter()
|
||||
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
|
||||
|
||||
request := httptest.NewRequest(
|
||||
http.MethodPost,
|
||||
"/apps/nonexistent-id/env",
|
||||
strings.NewReader(body),
|
||||
)
|
||||
request.Header.Set("Content-Type", "application/json")
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
r.ServeHTTP(recorder, request)
|
||||
|
||||
assert.Equal(t, http.StatusNotFound, recorder.Code)
|
||||
}
|
||||
|
||||
// TestHandleEnvVarSaveEmptyKeyRejected verifies that submitting a JSON
|
||||
// array containing an entry with an empty key returns 400.
|
||||
func TestHandleEnvVarSaveEmptyKeyRejected(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testCtx := setupTestHandlers(t)
|
||||
createdApp := createTestApp(t, testCtx, "envvar-emptykey-app")
|
||||
|
||||
body := `[{"key":"VALID_KEY","value":"ok"},{"key":"","value":"bad"}]`
|
||||
|
||||
r := chi.NewRouter()
|
||||
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
|
||||
|
||||
request := httptest.NewRequest(
|
||||
http.MethodPost,
|
||||
"/apps/"+createdApp.ID+"/env",
|
||||
strings.NewReader(body),
|
||||
)
|
||||
request.Header.Set("Content-Type", "application/json")
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
r.ServeHTTP(recorder, request)
|
||||
|
||||
assert.Equal(t, http.StatusBadRequest, recorder.Code)
|
||||
}
|
||||
|
||||
// TestHandleEnvVarSaveDuplicateKeyRejected verifies that when the client
|
||||
// sends duplicate keys, the server rejects them with 400 Bad Request.
|
||||
func TestHandleEnvVarSaveDuplicateKeyRejected(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testCtx := setupTestHandlers(t)
|
||||
createdApp := createTestApp(t, testCtx, "envvar-dedup-app")
|
||||
|
||||
// Send two entries with the same key — should be rejected
|
||||
body := `[{"key":"FOO","value":"first"},{"key":"BAR","value":"bar"},{"key":"FOO","value":"second"}]`
|
||||
|
||||
r := chi.NewRouter()
|
||||
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
|
||||
|
||||
request := httptest.NewRequest(
|
||||
http.MethodPost,
|
||||
"/apps/"+createdApp.ID+"/env",
|
||||
strings.NewReader(body),
|
||||
)
|
||||
request.Header.Set("Content-Type", "application/json")
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
r.ServeHTTP(recorder, request)
|
||||
|
||||
assert.Equal(t, http.StatusBadRequest, recorder.Code)
|
||||
assert.Contains(t, recorder.Body.String(), "duplicate environment variable key: FOO")
|
||||
}
|
||||
|
||||
// TestHandleEnvVarSaveCrossAppIsolation verifies that posting env vars
|
||||
// to appA's endpoint does not affect appB's env vars (IDOR prevention).
|
||||
func TestHandleEnvVarSaveCrossAppIsolation(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testCtx := setupTestHandlers(t)
|
||||
appA := createTestApp(t, testCtx, "envvar-iso-appA")
|
||||
appB := createTestApp(t, testCtx, "envvar-iso-appB")
|
||||
|
||||
// Give appB some env vars
|
||||
for _, kv := range [][2]string{{"B_KEY1", "b_val1"}, {"B_KEY2", "b_val2"}} {
|
||||
ev := models.NewEnvVar(testCtx.database)
|
||||
ev.AppID = appB.ID
|
||||
ev.Key = kv[0]
|
||||
ev.Value = kv[1]
|
||||
require.NoError(t, ev.Save(context.Background()))
|
||||
}
|
||||
|
||||
// POST new env vars to appA's endpoint
|
||||
body := `[{"key":"A_KEY","value":"a_val"}]`
|
||||
|
||||
r := chi.NewRouter()
|
||||
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
|
||||
|
||||
request := httptest.NewRequest(
|
||||
http.MethodPost,
|
||||
"/apps/"+appA.ID+"/env",
|
||||
strings.NewReader(body),
|
||||
)
|
||||
request.Header.Set("Content-Type", "application/json")
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
r.ServeHTTP(recorder, request)
|
||||
|
||||
assert.Equal(t, http.StatusOK, recorder.Code)
|
||||
|
||||
// Verify appA has exactly what we sent
|
||||
appAVars, err := models.FindEnvVarsByAppID(
|
||||
context.Background(), testCtx.database, appA.ID,
|
||||
)
|
||||
require.NoError(t, err)
|
||||
assert.Len(t, appAVars, 1)
|
||||
assert.Equal(t, "A_KEY", appAVars[0].Key)
|
||||
|
||||
// Verify appB's env vars are completely untouched
|
||||
appBVars, err := models.FindEnvVarsByAppID(
|
||||
context.Background(), testCtx.database, appB.ID,
|
||||
)
|
||||
require.NoError(t, err)
|
||||
assert.Len(t, appBVars, 2, "appB env vars must not be affected")
|
||||
|
||||
bKeys := make(map[string]string)
|
||||
for _, ev := range appBVars {
|
||||
bKeys[ev.Key] = ev.Value
|
||||
}
|
||||
|
||||
assert.Equal(t, "b_val1", bKeys["B_KEY1"])
|
||||
assert.Equal(t, "b_val2", bKeys["B_KEY2"])
|
||||
}
|
||||
|
||||
// TestHandleEnvVarSaveBodySizeLimit verifies that a request body
|
||||
// exceeding the 1 MB limit is rejected.
|
||||
func TestHandleEnvVarSaveBodySizeLimit(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testCtx := setupTestHandlers(t)
|
||||
createdApp := createTestApp(t, testCtx, "envvar-sizelimit-app")
|
||||
|
||||
// Build a JSON body that exceeds 1 MB
|
||||
// Each entry is ~30 bytes; 40000 entries ≈ 1.2 MB
|
||||
var sb strings.Builder
|
||||
|
||||
sb.WriteString("[")
|
||||
|
||||
for i := range 40000 {
|
||||
if i > 0 {
|
||||
sb.WriteString(",")
|
||||
}
|
||||
|
||||
sb.WriteString(`{"key":"K` + strconv.Itoa(i) + `","value":"val"}`)
|
||||
}
|
||||
|
||||
sb.WriteString("]")
|
||||
|
||||
r := chi.NewRouter()
|
||||
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
|
||||
|
||||
request := httptest.NewRequest(
|
||||
http.MethodPost,
|
||||
"/apps/"+createdApp.ID+"/env",
|
||||
strings.NewReader(sb.String()),
|
||||
)
|
||||
request.Header.Set("Content-Type", "application/json")
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
r.ServeHTTP(recorder, request)
|
||||
|
||||
assert.Equal(t, http.StatusBadRequest, recorder.Code,
|
||||
"oversized body should be rejected with 400")
|
||||
}
|
||||
|
||||
// TestDeleteLabelOwnershipVerification tests that deleting a label
|
||||
// via another app's URL path returns 404 (IDOR prevention).
|
||||
func TestDeleteLabelOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern
|
||||
func TestDeleteLabelOwnershipVerification(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testOwnershipVerification(t, ownedResourceTestConfig{
|
||||
@@ -714,41 +911,43 @@ func TestDeletePortOwnershipVerification(t *testing.T) {
|
||||
assert.NotNil(t, found, "port should still exist after IDOR attempt")
|
||||
}
|
||||
|
||||
// TestHandleEnvVarDeleteUsesCorrectRouteParam verifies that HandleEnvVarDelete
|
||||
// reads the "varID" chi URL parameter (matching the route definition {varID}),
|
||||
// not a mismatched name like "envID".
|
||||
func TestHandleEnvVarDeleteUsesCorrectRouteParam(t *testing.T) {
|
||||
// TestHandleEnvVarSaveEmptyClears verifies that submitting an empty JSON
|
||||
// array deletes all existing env vars for the app.
|
||||
func TestHandleEnvVarSaveEmptyClears(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testCtx := setupTestHandlers(t)
|
||||
createdApp := createTestApp(t, testCtx, "envvar-clear-app")
|
||||
|
||||
createdApp := createTestApp(t, testCtx, "envdelete-param-app")
|
||||
// Create a pre-existing env var
|
||||
ev := models.NewEnvVar(testCtx.database)
|
||||
ev.AppID = createdApp.ID
|
||||
ev.Key = "DELETE_ME"
|
||||
ev.Value = "gone"
|
||||
require.NoError(t, ev.Save(context.Background()))
|
||||
|
||||
envVar := models.NewEnvVar(testCtx.database)
|
||||
envVar.AppID = createdApp.ID
|
||||
envVar.Key = "DELETE_ME"
|
||||
envVar.Value = "gone"
|
||||
require.NoError(t, envVar.Save(context.Background()))
|
||||
|
||||
// Use chi router with the real route pattern to test param name
|
||||
// Submit empty JSON array
|
||||
r := chi.NewRouter()
|
||||
r.Post("/apps/{id}/env-vars/{varID}/delete", testCtx.handlers.HandleEnvVarDelete())
|
||||
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
|
||||
|
||||
request := httptest.NewRequest(
|
||||
http.MethodPost,
|
||||
"/apps/"+createdApp.ID+"/env-vars/"+strconv.FormatInt(envVar.ID, 10)+"/delete",
|
||||
nil,
|
||||
"/apps/"+createdApp.ID+"/env",
|
||||
strings.NewReader("[]"),
|
||||
)
|
||||
recorder := httptest.NewRecorder()
|
||||
request.Header.Set("Content-Type", "application/json")
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
r.ServeHTTP(recorder, request)
|
||||
|
||||
assert.Equal(t, http.StatusSeeOther, recorder.Code)
|
||||
assert.Equal(t, http.StatusOK, recorder.Code)
|
||||
|
||||
// Verify the env var was actually deleted
|
||||
found, findErr := models.FindEnvVar(context.Background(), testCtx.database, envVar.ID)
|
||||
require.NoError(t, findErr)
|
||||
assert.Nil(t, found, "env var should be deleted when using correct route param")
|
||||
// Verify all env vars are gone
|
||||
envVars, err := models.FindEnvVarsByAppID(
|
||||
context.Background(), testCtx.database, createdApp.ID,
|
||||
)
|
||||
require.NoError(t, err)
|
||||
assert.Empty(t, envVars, "all env vars should be deleted")
|
||||
}
|
||||
|
||||
// TestHandleVolumeAddValidatesPaths verifies that HandleVolumeAdd validates
|
||||
|
||||
Reference in New Issue
Block a user