feat: add tsoa for API type control and documentation

[Andreybest]

Resolves #1430.

Add tsoa for endpoint type checking and generation of OpenAPI documentation. Generates swagger.json to /dist folder.
All tests for endpoints that were present, passes (with minor changes), all logic is preserved.

Caveats:

1. tsoa checks for field presence, but does not check if string in field is empty, thus should be checked manually (or I've missed something in configuration). For example: POST api/v1/push/{id}/reject (rejectPush), if empty or whitespaces provided, will not check for it, thus old logic for theck with .trim() is left.
2. tsoa has a configuration field noImplicitAdditionalProperties, that allows to change behavior of endpoints for rejecting of excess fields. Currently set to ignore due to POST api/v1/repo (createRepo), this endpoint passes body to a db.createRepo(body), and inner type expects additionalProperties that are passed to a row in a DB. Question: is this expected or not? If not, maybe we should enable more strict mode on noImplicitAdditionalProperties? :)

[netlify]

✅ Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name	Link
🔨 Latest commit	c4a752c
🔍 Latest deploy log	https://app.netlify.com/projects/endearing-brigadeiros-63f9d0/deploys/6a04c5e1664d770008911f27

[jescalada]

Thanks for the contribution, @Andreybest! 🚀

Things are looking good so far, just a few things to mention other than the code comments:

• It'd be great to have screenshots of the generated OpenAPI spec to see if things are working as we hoped
• I noticed a duplicate interface (AttestationAnswer) and am wondering if there aren't other interfaces that can be reused or combined into one
• Test coverage seems to go down somewhat (-1.5%), we should improve coverage on any code additions such as proxyStore.ts, etc.

We might need another review since the changes are quite large @finos/git-proxy-maintainers

[jescalada]

Another bit to double-check for proper restart behaviour

[kriswest]

again probably missing a call to RegisterRoutes(app);

[jescalada]

Maybe the request/response interfaces could be stored here?

[Andreybest]

Moved to common.interfaces.ts. To follow naming with other responses/requests

[jescalada]

Same as the comment on users.test.ts, I don't think setting isAuthenticated is necessary as it's exclusively used for the jwtAuthHandler which is disabled by default.

[Andreybest]

Removed

[jescalada]

This comment is a bit misleading - JWT auth isn't required by default. The isAuthenticated flag is used only for JWT anyways and shouldn't be necessary here AFAIK 🤔

[Andreybest]

Removed

[jescalada]

Might be worth mentioning that JWT API auth is optional - and might be subject to change as it's a feature only used by our org. It's a bit confusing and poorly documented so we'll be polishing things once v2 is out...

[Andreybest]

In this case, it is only used for 2 things:

1. For a name in the decorator to be used as Security('jwt')
2. As a documentation for OpenAPI

It does not do any functionally, but it is required anyway if we want to use Security decorator properly

[kriswest]

@jescalada and @Andreybest There is a docusaurus plugin for rendering OpenAPI docs at:

https://docusaurus-openapi.tryingpan.dev/
https://github.com/PaloAltoNetworks/docusaurus-openapi-docs

Whereas in the FDC3 website we use a very simple static page and the Redoc lib to render the same: https://github.com/finos/FDC3/blob/main/website/src/pages/schemas/next/app-directory.html

Note that you have to link to this as an external link or docusaurus will return a 404 when navigating within the site:

https://github.com/finos/FDC3/blob/ffea3be0735bdd7a72ffba5473addfe49535833e/website/docs/app-directory/spec.md?plain=1#L7-L13

[Andreybest]

Thank you for the review @jescalada !
Can you please review it again? Applied changes to most of your comments :)

1. Screenshot of swagger

2. Duplicate removed, quickly checked, should be no more repetiotions (but not sure) 3. Don't see a message from code cov bot on this matter, can you please show me where I can find a code coverage stats?

[Andreybest]

Checked all commits on main branch for new changes to logic for endpoints. None was changed, checked up to commit 6981427c50a5e5ccd3e91a2d4229b27135f8dcc3

[Andreybest]

Thanks for change @fabiovincenzi ! Added your suggested change.

[Andreybest]

Checked all commits on main branch for new changes to logic for endpoints. None was changed, checked up to commit: ad58c5a47f64b6380da1ce1d7f6556c17e7e9efc

[codecov]

Codecov Report

❌ Patch coverage is 85.87413% with 101 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.91%. Comparing base (ad58c5a) to head (c4a752c).

Files with missing lines	Patch %	Lines
src/service/controllers/AuthController.ts	76.43%	42 Missing and 3 partials ⚠️
src/service/controllers/PushController.ts	90.85%	15 Missing and 1 partial ⚠️
src/service/authentication.ts	77.35%	10 Missing and 2 partials ⚠️
src/service/index.ts	60.86%	9 Missing ⚠️
src/service/controllers/RepoController.ts	95.78%	7 Missing and 1 partial ⚠️
src/service/controllers/HomeController.ts	53.84%	6 Missing ⚠️
src/service/proxyStore.ts	70.00%	3 Missing ⚠️
src/app.ts	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1501      +/-   ##
==========================================
- Coverage   90.21%   89.91%   -0.30%     
==========================================
  Files          69       70       +1     
  Lines        5511     5486      -25     
  Branches      944      922      -22     
==========================================
- Hits         4972     4933      -39     
- Misses        521      532      +11     
- Partials       18       21       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[re-vlad]

just small non critical change requested

[re-vlad]

This allows arbitrary additional properties in request bodies. The current implementation in createRepo() passes the entire body to db.createRepo(body), but this should be validated against a strict schema. The db schema should be the source of truth, not the API layer accepting arbitrary data. So, change "noImplicitAdditionalProperties": "ignore" to "noImplicitAdditionalProperties": "throw"

[kriswest]

is this file checked in @Andreybest ?

[Andreybest]

This one is generated during build

[Andreybest]

I do not commit it, you suggest it to be included in repo?

[kriswest]

A perennial question! I've tended to go with committing it as reviewing the generated code can often help you spot issues in what its generated from, and it helps someone trying to navigate through the code to understand something. Tooling such as SAST scanners an code coverage calculators may need it to be there to work as they should.

If committing generated code, then its worth either adding a commit hook (best to check for modifications in this) or PR check box to confirm its been done ;-)