Fix Location Header in POST Response header (#1626)

severussundar · web-flow · commit 5e3874e6a771 · 2023-08-19T11:15:28.000+05:30
## Why make this change? - Closes #1613 - According to [HTTP POST Specs](https://www.rfc-editor.org/rfc/rfc9110#name-post), when a POST request results in the creation of a new item, then a Location header field should be returned in the response header. > If one or more resources has been created on the origin server as a result of successfully processing a POST request, the origin server SHOULD send a [201 (Created)](https://www.rfc-editor.org/rfc/rfc9110#status.201) response containing a [Location](https://www.rfc-editor.org/rfc/rfc9110#field.location) header field that provides an identifier for the primary resource created ([Section 10.2.2](https://www.rfc-editor.org/rfc/rfc9110#field.location)) and a representation that describes the status of the request while referring to the new resource(s). - The Location header returned in the response headers were incorrect > Tables/View: `https://localhost:5001/api/Book//id/5009` > Stored Procedures: `https://localhost:5001/api/CountBooks//CountBooks` - When `base-route` is configured in the config file, the Location returned did not account for it. So, a subsequent GET request performed using the Location is unsuccessful. ## What is this change? - `RestController`: Logic to construct the `Location` header is updated to accommodate the `base-route` field - `RestService`: Helper method to extract the configured base-route is added - `ConfigurationTests`: Integration tests to validate the Location field when a) base-route is configured b) base-route is absent for tables and stored procedures are added. ## How was this tested? - [x] Integration Tests - [x] Manual Tests ## Sample Request(s) - Table and base-route is not configured ![image](https://github.com/Azure/data-api-builder/assets/11196553/9956423e-29ea-47eb-8c89-a11e0a27186f) - Stored Procedure and base-route is not configured ![image](https://github.com/Azure/data-api-builder/assets/11196553/1628386c-62d1-4113-a66d-489202e244d6) - Table and base-route is configured. Configured base-route: `/data-api` ![image](https://github.com/Azure/data-api-builder/assets/11196553/a7ad4c42-3745-4286-85ae-2770e8161949) - Stored Procedure and base-route is configured. Configured base-route: `/data-api` ![image](https://github.com/Azure/data-api-builder/assets/11196553/28d05694-b298-4ce5-9644-66f4b9921d0e)
diff --git a/src/Core/Resolvers/SqlMutationEngine.cs b/src/Core/Resolvers/SqlMutationEngine.cs
@@ -253,13 +253,16 @@ await _queryExecutor.ExecuteQueryAsync(
                     {
                         using (JsonDocument jsonDocument = JsonDocument.Parse(resultArray.ToJsonString()))
                         {
-                            return new CreatedResult(location: context.EntityName, OkMutationResponse(jsonDocument.RootElement.Clone()).Value);
+                            // The final location header for stored procedures should be of the form ../api/<SP-Entity-Name>
+                            // Location header is constructed using the base URL, base-route and the set location value.
+                            // Since, SP-Entity-Name is already available in the base URL, location is set as an empty string.
+                            return new CreatedResult(location: string.Empty, OkMutationResponse(jsonDocument.RootElement.Clone()).Value);
                         }
                     }
                     else
                     {   // If no result set returned, just return a 201 Created with empty array instead of array with single null value
                         return new CreatedResult(
-                            location: context.EntityName,
+                            location: string.Empty,
                             value: new
                             {
                                 value = JsonDocument.Parse("[]").RootElement.Clone()
diff --git a/src/Core/Services/RestService.cs b/src/Core/Services/RestService.cs
@@ -372,6 +372,7 @@ public string GetRouteAfterPathBase(string route)
             // The RuntimeConfigProvider enforces the expectation that the configured REST path starts with a
             // forward slash '/'.
             configuredRestPathBase = configuredRestPathBase.Substring(1);
+
             if (!route.StartsWith(configuredRestPathBase))
             {
                 throw new DataApiBuilderException(
@@ -404,6 +405,20 @@ public bool TryGetRestRouteFromConfig([NotNullWhen(true)] out string? configured
             return false;
         }
 
+        /// <summary>
+        /// Helper method to extract the configured base route
+        /// </summary>
+        public string GetBaseRouteFromConfig()
+        {
+            if (_runtimeConfigProvider.TryGetConfig(out RuntimeConfig? config)
+                && config.Runtime.BaseRoute is not null)
+            {
+                return config.Runtime.BaseRoute;
+            }
+
+            return string.Empty;
+        }
+
         /// <summary>
         /// Tries to get the Entity name and primary key route from the provided string
         /// returns the entity name via a lookup using the string which includes
diff --git a/src/Service.Tests/Configuration/ConfigurationTests.cs b/src/Service.Tests/Configuration/ConfigurationTests.cs
@@ -1389,6 +1389,207 @@ public async Task TestGlobalFlagToEnableRestAndGraphQLForHostedAndNonHostedEnvir
             }
         }
 
+        /// <summary>
+        /// Validates the Location header field returned for a POST request when a 201 response is returned. The idea behind returning
+        /// a Location header is to provide a URL against which a GET request can be performed to fetch the details of the new item.
+        /// Base Route is not configured in the config file used for this test. If base-route is configured, the Location header URL should contain the base-route.
+        /// This test performs a POST request, and in the event that it results in a 201 response, it performs a subsequent GET request
+        /// with the Location header to validate the correctness of the URL.
+        /// </summary>
+        /// <param name="entityType">Type of the entity</param>
+        /// <param name="requestPath">Request path for performing POST API requests on the entity</param>
+        [DataTestMethod]
+        [TestCategory(TestCategory.MSSQL)]
+        [DataRow(EntitySourceType.Table, "/api/Book", DisplayName = "Location Header validation - Table, Base Route not configured")]
+        [DataRow(EntitySourceType.StoredProcedure, "/api/GetBooks", DisplayName = "Location Header validation - Stored Procedures, Base Route not configured")]
+        public async Task ValidateLocationHeaderFieldForPostRequests(EntitySourceType entityType, string requestPath)
+        {
+
+            GraphQLRuntimeOptions graphqlOptions = new(Enabled: false);
+            RestRuntimeOptions restRuntimeOptions = new(Enabled: true);
+
+            DataSource dataSource = new(DatabaseType.MSSQL,
+                GetConnectionStringFromEnvironmentConfig(environment: TestCategory.MSSQL), Options: null);
+
+            RuntimeConfig configuration;
+
+            if (entityType is EntitySourceType.StoredProcedure)
+            {
+                Entity entity = new(Source: new("get_books", EntitySourceType.StoredProcedure, null, null),
+                              Rest: new(new SupportedHttpVerb[] { SupportedHttpVerb.Get, SupportedHttpVerb.Post }),
+                              GraphQL: null,
+                              Permissions: new[] { GetMinimalPermissionConfig(AuthorizationResolver.ROLE_ANONYMOUS) },
+                              Relationships: null,
+                              Mappings: null
+                             );
+
+                string entityName = "GetBooks";
+                configuration = InitMinimalRuntimeConfig(dataSource, graphqlOptions, restRuntimeOptions, entity, entityName);
+            }
+            else
+            {
+                configuration = InitMinimalRuntimeConfig(dataSource, graphqlOptions, restRuntimeOptions);
+            }
+
+            const string CUSTOM_CONFIG = "custom-config.json";
+            File.WriteAllText(CUSTOM_CONFIG, configuration.ToJson());
+            string[] args = new[]
+            {
+                $"--ConfigFileName={CUSTOM_CONFIG}"
+            };
+
+            using (TestServer server = new(Program.CreateWebHostBuilder(args)))
+            using (HttpClient client = server.CreateClient())
+            {
+                HttpMethod httpMethod = SqlTestHelper.ConvertRestMethodToHttpMethod(SupportedHttpVerb.Post);
+                HttpRequestMessage request = new(httpMethod, requestPath);
+                if (entityType is not EntitySourceType.StoredProcedure)
+                {
+                    string requestBody = @"{
+                        ""title"": ""Harry Potter and the Order of Phoenix"",
+                        ""publisher_id"": 1234
+                    }";
+
+                    JsonElement requestBodyElement = JsonDocument.Parse(requestBody).RootElement.Clone();
+                    request = new(httpMethod, requestPath)
+                    {
+                        Content = JsonContent.Create(requestBodyElement)
+                    };
+                }
+
+                HttpResponseMessage response = await client.SendAsync(request);
+
+                // Location header field is expected only when POST request results in the creation of a new item
+                Assert.AreEqual(HttpStatusCode.Created, response.StatusCode);
+
+                string locationHeader = response.Headers.Location.AbsoluteUri;
+
+                // GET request performed using the Location header should be successful.
+                HttpRequestMessage followUpRequest = new(HttpMethod.Get, response.Headers.Location);
+                HttpResponseMessage followUpResponse = await client.SendAsync(followUpRequest);
+                Assert.AreEqual(HttpStatusCode.OK, followUpResponse.StatusCode);
+
+                // Delete the new record created as part of this test
+                if (entityType is EntitySourceType.Table)
+                {
+                    HttpRequestMessage cleanupRequest = new(HttpMethod.Delete, locationHeader);
+                    await client.SendAsync(cleanupRequest);
+                }
+            }
+        }
+
+        /// <summary>
+        /// Validates the Location header field returned for a POST request when it results in a 201 response. The idea behind returning
+        /// a Location header is to provide a URL against which a GET request can be performed to fetch the details of the new item.
+        /// Base Route is configured in the config file used for this test. So, it is expected that the Location header returned will contain the base-route.
+        /// This test performs a POST request, and checks if it results in a 201 response. If so, the test validates the correctness of the Location header in two steps.
+        /// Since base-route has significance only in the SWA-DAB integrated scenario and this test is executed against DAB running independently,
+        /// a subsequent GET request against the Location header will result in an error. So, the correctness of the base-route returned is validated with the help of
+        /// an expected location header value. The correctness of the PK part of the Location string is validated by performing a GET request after stripping off
+        /// the base-route from the Location URL.
+        /// </summary>
+        /// <param name="entityType">Type of the entity</param>
+        /// <param name="requestPath">Request path for performing POST API requests on the entity</param>
+        /// <param name="baseRoute">Configured base route</param>
+        /// <param name="expectedLocationHeader">Expected value for Location field in the response header. Since, the PK of the new record is not known beforehand,
+        /// the expectedLocationHeader excludes the PK. Because of this, the actual location header is validated by checking if it starts with the expectedLocationHeader.</param>
+        [DataTestMethod]
+        [TestCategory(TestCategory.MSSQL)]
+        [DataRow(EntitySourceType.Table, "/api/Book", "/data-api", "http://localhost/data-api/api/Book/id/", DisplayName = "Location Header validation - Table, Base Route configured")]
+        [DataRow(EntitySourceType.StoredProcedure, "/api/GetBooks", "/data-api", "http://localhost/data-api/api/GetBooks", DisplayName = "Location Header validation - Stored Procedure, Base Route configured")]
+        public async Task ValidateLocationHeaderWhenBaseRouteIsConfigured(
+            EntitySourceType entityType,
+            string requestPath,
+            string baseRoute,
+            string expectedLocationHeader)
+        {
+            GraphQLRuntimeOptions graphqlOptions = new(Enabled: false);
+            RestRuntimeOptions restRuntimeOptions = new(Enabled: true);
+
+            DataSource dataSource = new(DatabaseType.MSSQL,
+                GetConnectionStringFromEnvironmentConfig(environment: TestCategory.MSSQL), Options: null);
+
+            RuntimeConfig configuration;
+
+            if (entityType is EntitySourceType.StoredProcedure)
+            {
+                Entity entity = new(Source: new("get_books", EntitySourceType.StoredProcedure, null, null),
+                              Rest: new(new SupportedHttpVerb[] { SupportedHttpVerb.Get, SupportedHttpVerb.Post }),
+                              GraphQL: null,
+                              Permissions: new[] { GetMinimalPermissionConfig(AuthorizationResolver.ROLE_ANONYMOUS) },
+                              Relationships: null,
+                              Mappings: null
+                             );
+
+                string entityName = "GetBooks";
+                configuration = InitMinimalRuntimeConfig(dataSource, graphqlOptions, restRuntimeOptions, entity, entityName);
+            }
+            else
+            {
+                configuration = InitMinimalRuntimeConfig(dataSource, graphqlOptions, restRuntimeOptions);
+            }
+
+            const string CUSTOM_CONFIG = "custom-config.json";
+
+            AuthenticationOptions AuthenticationOptions = new(Provider: EasyAuthType.StaticWebApps.ToString(), null);
+            HostOptions staticWebAppsHostOptions = new(null, AuthenticationOptions);
+
+            RuntimeOptions runtimeOptions = configuration.Runtime;
+            RuntimeOptions baseRouteEnabledRuntimeOptions = new(runtimeOptions.Rest, runtimeOptions.GraphQL, staticWebAppsHostOptions, "/data-api");
+            RuntimeConfig baseRouteEnabledConfig = configuration with { Runtime = baseRouteEnabledRuntimeOptions };
+            File.WriteAllText(CUSTOM_CONFIG, baseRouteEnabledConfig.ToJson());
+
+            string[] args = new[]
+            {
+                $"--ConfigFileName={CUSTOM_CONFIG}"
+            };
+
+            using (TestServer server = new(Program.CreateWebHostBuilder(args)))
+            using (HttpClient client = server.CreateClient())
+            {
+                HttpMethod httpMethod = SqlTestHelper.ConvertRestMethodToHttpMethod(SupportedHttpVerb.Post);
+                HttpRequestMessage request = new(httpMethod, requestPath);
+                if (entityType is not EntitySourceType.StoredProcedure)
+                {
+                    string requestBody = @"{
+                        ""title"": ""Harry Potter and the Order of Phoenix"",
+                        ""publisher_id"": 1234
+                    }";
+
+                    JsonElement requestBodyElement = JsonDocument.Parse(requestBody).RootElement.Clone();
+                    request = new(httpMethod, requestPath)
+                    {
+                        Content = JsonContent.Create(requestBodyElement)
+                    };
+                }
+
+                HttpResponseMessage response = await client.SendAsync(request);
+                Assert.AreEqual(HttpStatusCode.Created, response.StatusCode);
+
+                string locationHeader = response.Headers.Location.AbsoluteUri;
+                Assert.IsTrue(locationHeader.StartsWith(expectedLocationHeader));
+
+                // The URL to perform the GET request is constructed by skipping the base-route.
+                // Base Route field is applicable only in SWA-DAB integrated scenario. When DAB engine is run independently, all the
+                // APIs are hosted on /api. But, the returned Location header in this test will contain the configured base-route. So, this needs to be
+                // removed before performing a subsequent GET request.
+                string path = response.Headers.Location.AbsolutePath;
+                string completeUrl = path.Substring(baseRoute.Length);
+
+                HttpRequestMessage followUpRequest = new(HttpMethod.Get, completeUrl);
+                HttpResponseMessage followUpResponse = await client.SendAsync(followUpRequest);
+                Assert.AreEqual(HttpStatusCode.OK, followUpResponse.StatusCode);
+
+                // Delete the new record created as part of this test
+                if (entityType is EntitySourceType.Table)
+                {
+                    HttpRequestMessage cleanupRequest = new(HttpMethod.Delete, completeUrl);
+                    await client.SendAsync(cleanupRequest);
+                }
+
+            }
+        }
+
         /// <summary>
         /// Engine supports config with some views that do not have keyfields specified in the config for MsSQL.
         /// This Test validates that support. It creates a custom config with a view and no keyfields specified.
diff --git a/src/Service.Tests/SqlTests/RestApiTests/Insert/MsSqlInsertApiTests.cs b/src/Service.Tests/SqlTests/RestApiTests/Insert/MsSqlInsertApiTests.cs
@@ -297,7 +297,7 @@ await SetupAndRunRestApiTest(
                 operationType: EntityActionOperation.Execute,
                 requestBody: requestBody,
                 expectedStatusCode: HttpStatusCode.Created,
-                expectedLocationHeader: _integrationProcedureInsertOneAndDisplay_EntityName,
+                expectedLocationHeader: string.Empty,
                 expectJson: expectJson
             );
         }
diff --git a/src/Service/Controllers/RestController.cs b/src/Service/Controllers/RestController.cs
@@ -224,16 +224,21 @@ private async Task<IActionResult> HandleOperation(
 
                 if (result is CreatedResult)
                 {
-                    // Location is made up of two parts, the first being constructed
-                    // from the HttpRequest found in the HttpContext. The other part
-                    // is the primary key route, which has already been saved in the
+                    // Location is made up of three parts, the first being constructed
+                    // from the Host property found in the HttpContext.Request. The second part being the
+                    // base route configured in the config file.
+                    // The third part is the primary key route, which has already been saved in the
                     // Location of the created result. So we form the entire location
-                    // from appending the primary key route  already stored in the
+                    // from appending the base route and the primary key route  already stored in the
                     // created result to the url constructed from the HttpRequest. We
                     // then update the Location of the created result to this value.
                     CreatedResult createdResult = (result as CreatedResult)!;
-                    string location = UriHelper.GetEncodedUrl(HttpContext.Request) + "/" + createdResult.Location;
-                    createdResult.Location = location;
+                    string locationURL = UriHelper.BuildAbsolute(
+                                        scheme: HttpContext.Request.Scheme,
+                                        host: HttpContext.Request.Host,
+                                        pathBase: _restService.GetBaseRouteFromConfig(),
+                                        path: HttpContext.Request.Path);
+                    createdResult.Location = locationURL.EndsWith('/') ? locationURL + createdResult.Location : locationURL + "/" + createdResult.Location;
                     result = createdResult;
                 }
 

Original file line number	Diff line number	Diff line change
`@@ -253,13 +253,16 @@ await _queryExecutor.ExecuteQueryAsync(`
`253`	`253`	`{`
`254`	`254`	`using (JsonDocument jsonDocument = JsonDocument.Parse(resultArray.ToJsonString()))`
`255`	`255`	`{`
`256`		`- return new CreatedResult(location: context.EntityName, OkMutationResponse(jsonDocument.RootElement.Clone()).Value);`
	`256`	`+ // The final location header for stored procedures should be of the form ../api/<SP-Entity-Name>`
	`257`	`+ // Location header is constructed using the base URL, base-route and the set location value.`
	`258`	`+ // Since, SP-Entity-Name is already available in the base URL, location is set as an empty string.`
	`259`	`+ return new CreatedResult(location: string.Empty, OkMutationResponse(jsonDocument.RootElement.Clone()).Value);`
`257`	`260`	`}`
`258`	`261`	`}`
`259`	`262`	`else`
`260`	`263`	`{ // If no result set returned, just return a 201 Created with empty array instead of array with single null value`
`261`	`264`	`return new CreatedResult(`
`262`		`- location: context.EntityName,`
	`265`	`+ location: string.Empty,`
`263`	`266`	`value: new`
`264`	`267`	`{`
`265`	`268`	`value = JsonDocument.Parse("[]").RootElement.Clone()`
Original file line number	Diff line number	Diff line change
`@@ -297,7 +297,7 @@ await SetupAndRunRestApiTest(`
`297`	`297`	`operationType: EntityActionOperation.Execute,`
`298`	`298`	`requestBody: requestBody,`
`299`	`299`	`expectedStatusCode: HttpStatusCode.Created,`
`300`		`- expectedLocationHeader: _integrationProcedureInsertOneAndDisplay_EntityName,`
	`300`	`+ expectedLocationHeader: string.Empty,`
`301`	`301`	`expectJson: expectJson`
`302`	`302`	`);`
`303`	`303`	`}`