knacky/mimic-big
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(backend): JSON error envelope for every HTTPException + strict_slashes=False
Some checks failed
ci / backend (lint + typecheck + unit tests) (push) Failing after 0s
Details
ci / frontend (lint + typecheck + build + unit tests) (push) Failing after 1s
Details

Browse Source 
Two issues spotted by ux-frontend consuming docs/api.md against the actual
code path:

1. `flask.abort(...)` returned the Werkzeug HTML error page for 400/403/404/
   422/etc. — only the 401 paths going through `api_error()` and the
   Flask-Login `unauthorized_handler` honoured the `{error, message}`
   envelope the contract promised. The frontend's `ApiClientError.body`
   parser was forced to fall back to a raw string, and the 422 case
   could not surface Pydantic per-field errors.

   Fix: register `@app.errorhandler(HTTPException)` that serialises every
   `HTTPException` to the same JSON envelope. 422s gain a `details: [...]`
   field holding the Pydantic `errors()` list (`loc` / `msg` / `type`),
   matching the shape now documented in `docs/api.md`.

   A `_HTTP_ERROR_CODES` map maps statuses to stable snake_case codes
   (`bad_request`, `not_found`, `method_not_allowed`,
   `validation_error`, `forbidden`, `internal_error`, ...). Unknown
   statuses fall back to `http_error`.

   `description` is `cast(object, ...)` because the Werkzeug stub pins it
   to `str | None` while `flask.abort(..., description=<list>)` is the
   officially supported way to smuggle a Pydantic errors list to the
   handler.

2. `@bp.get("")` on the engagements blueprint produced `/api/v1/engagements`
   (no slash). Hitting it with a trailing slash issued a 308 redirect,
   and some browsers drop the session cookie across that hop.

   Fix: `app.url_map.strict_slashes = False`. Both forms now match the
   same handler without redirect.

5 new integration tests cover the new envelope shape (422 with details,
unknown 404, malformed-JSON 400) and the dual-slash matching. `docs/api.md`
rewritten to reflect the table of stable codes, the `details` shape, and
the no-trailing-slash convention. `CHANGELOG.md` gains a follow-up entry.

Verification: ruff check / mypy --strict / pytest tests/unit all green
(61 unit + 5 new integration).
This commit is contained in:
knacky
2026-05-23 04:33:23 +02:00
parent dd321c2cd0
commit dd5c508b04
4 changed files with 200 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
CHANGELOG.md
View File

@@ -5,6 +5,26 @@ Versioning starts at `0.1.0` when sprint 0 lands.
## [Unreleased]
### Sprint 1 — backend follow-up fixes (`feature/backend-auth-wiring`)
- **Global JSON error envelope** — register `@app.errorhandler(HTTPException)`
so every aborted request now flows through the same
`{ "error": "<code>", "message": "<human>", "details"? }` JSON shape that
`docs/api.md` documented but only `api_error()` honoured before. 422
responses surface the Pydantic per-field list under `details` so the
frontend can map errors back to form fields. New stable codes:
`bad_request`, `not_found`, `method_not_allowed`, `validation_error`,
`forbidden`, `internal_error`, etc. (see updated `docs/api.md`).
- **`strict_slashes=False`** on the URL map — `/api/v1/engagements` and
`/api/v1/engagements/` match the same handler. Removes the 308 redirect
that some browsers drop the session cookie through.
- **5 new integration tests** covering both slash variants, 422
`validation_error` envelope shape (incl. `details`), unknown-route 404,
and 400 on a non-JSON body.
- **`docs/api.md`** rewritten: full error code table, 422 `details`
example, trailing-slash policy, dropped trailing slashes from all
endpoint headings.
### Sprint 1 — backend auth wiring (`feature/backend-auth-wiring`)
- **`POST /api/v1/auth/login`** — local-credentials login. Body `{username,