Fixes for usage of obfuscated IDs

Author: Bart Koelman

src/Examples/JsonApiDotNetCoreExample/Controllers/PassportsController.cs

@@ -1,18 +1,50 @@
-using JsonApiDotNetCore.Configuration;
+using System.Threading.Tasks;
+using JsonApiDotNetCore.Configuration;
 using JsonApiDotNetCore.Controllers;
 using JsonApiDotNetCore.Services;
 using JsonApiDotNetCoreExample.Models;
+using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
 
 namespace JsonApiDotNetCoreExample.Controllers
 {
-    public sealed class PassportsController : JsonApiController<Passport>
+    public sealed class PassportsController : BaseJsonApiController<Passport>
     {
         public PassportsController(
             IJsonApiOptions jsonApiOptions,
             ILoggerFactory loggerFactory,
             IResourceService<Passport, int> resourceService)
             : base(jsonApiOptions, loggerFactory, resourceService)
         { }
+
+        [HttpGet]
+        public override async Task<IActionResult> GetAsync() => await base.GetAsync();
+
+        [HttpGet("{id}")]
+        public async Task<IActionResult> GetAsync(string id)
+        {
+            int idValue = HexadecimalObfuscationCodec.Decode(id);
+            return await base.GetAsync(idValue);
+        }
+
+        [HttpPatch("{id}")]
+        public async Task<IActionResult> PatchAsync(string id, [FromBody] Passport entity)
+        {
+            int idValue = HexadecimalObfuscationCodec.Decode(id);
+            return await base.PatchAsync(idValue, entity);
+        }
+
+        [HttpPost]
+        public override async Task<IActionResult> PostAsync([FromBody] Passport entity)
+        {
+            return await base.PostAsync(entity);
+        }
+
+        [HttpDelete("{id}")]
+        public async Task<IActionResult> DeleteAsync(string id)
+        {
+            int idValue = HexadecimalObfuscationCodec.Decode(id);
+            return await base.DeleteAsync(idValue);
+        }
     }
 }

src/Examples/JsonApiDotNetCoreExample/HexadecimalObfuscationCodec.cs

@@ -0,0 +1,63 @@
+using System;
+using System.Collections.Generic;
+using System.Globalization;
+using System.Text;
+
+namespace JsonApiDotNetCoreExample
+{
+    public static class HexadecimalObfuscationCodec
+    {
+        public static int Decode(string value)
+        {
+            if (string.IsNullOrEmpty(value))
+            {
+                return 0;
+            }
+
+            if (!value.StartsWith("x"))
+            {
+                throw new InvalidOperationException("Invalid obfuscated id.");
+            }
+
+            string stringValue = FromHexString(value.Substring(1));
+            return int.Parse(stringValue);
+        }
+
+        private static string FromHexString(string hexString)
+        {
+            List<byte> bytes = new List<byte>(hexString.Length / 2);
+            for (int index = 0; index < hexString.Length; index += 2)
+            {
+                var hexChar = hexString.Substring(index, 2);
+                byte bt = byte.Parse(hexChar, NumberStyles.HexNumber);
+                bytes.Add(bt);
+            }
+
+            var chars = Encoding.Unicode.GetChars(bytes.ToArray());
+            return new string(chars);
+        }
+
+        public static string Encode(object value)
+        {
+            if (value is int intValue && intValue == 0)
+            {
+                return string.Empty;
+            }
+
+            string stringValue = value.ToString();
+            return 'x' + ToHexString(stringValue);
+        }
+
+        private static string ToHexString(string value)
+        {
+            var builder = new StringBuilder();
+
+            foreach (byte bt in Encoding.Unicode.GetBytes(value))
+            {
+                builder.Append(bt.ToString("X2"));
+            }
+
+            return builder.ToString();
+        }
+    }
+}

src/Examples/JsonApiDotNetCoreExample/Models/Passport.cs

@@ -13,6 +13,16 @@ public class Passport : Identifiable
         private readonly ISystemClock _systemClock;
         private int? _socialSecurityNumber;
 
+        protected override string GetStringId(object value)
+        {
+            return HexadecimalObfuscationCodec.Encode(value);
+        }
+
+        protected override int GetTypedId(string value)
+        {
+            return HexadecimalObfuscationCodec.Decode(value);
+        }
+
         [Attr]
         public int? SocialSecurityNumber
         {

src/JsonApiDotNetCore/Extensions/TypeExtensions.cs

@@ -4,7 +4,6 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Reflection;
-using JsonApiDotNetCore.Models;
 
 namespace JsonApiDotNetCore.Extensions
 {
@@ -52,13 +51,6 @@ public static IEnumerable CopyToTypedCollection(this IEnumerable source, Type co
             return concreteCollectionInstance;
         }
 
-        public static string GetResourceStringId<TResource, TId>(TId id) where TResource : class, IIdentifiable<TId>
-        {
-            var tempResource = TypeHelper.CreateInstance<TResource>();
-            tempResource.Id = id;
-            return tempResource.StringId;
-        }
-
         /// <summary>
         /// Whether the specified source type implements or equals the specified interface.
         /// </summary>

src/JsonApiDotNetCore/Hooks/Execution/HookExecutorHelper.cs

@@ -81,7 +81,7 @@ public IEnumerable LoadDbValues(LeftType entityTypeForRepository, IEnumerable en
                     .GetMethod(nameof(GetWhereAndInclude), BindingFlags.NonPublic | BindingFlags.Instance)
                     .MakeGenericMethod(entityTypeForRepository, idType);
             var cast = ((IEnumerable<object>)entities).Cast<IIdentifiable>();
-            var ids = cast.Select(e => TypeHelper.ConvertType(e.StringId, idType)).CopyToList(idType);
+            var ids = cast.Select(TypeHelper.GetResourceTypedId).CopyToList(idType);
             var values = (IEnumerable)parameterizedGetWhere.Invoke(this, new object[] { ids, relationshipsToNextLayer });
             if (values == null) return null;
             return (IEnumerable)Activator.CreateInstance(typeof(HashSet<>).MakeGenericType(entityTypeForRepository), values.CopyToList(entityTypeForRepository));

src/JsonApiDotNetCore/Internal/TypeHelper.cs

@@ -6,7 +6,6 @@
 using System.Linq.Expressions;
 using JsonApiDotNetCore.Extensions;
 using JsonApiDotNetCore.Models;
-using Microsoft.Extensions.DependencyInjection;
 
 namespace JsonApiDotNetCore.Internal
 {
@@ -238,5 +237,25 @@ public static object CreateInstance(Type type)
                 throw new InvalidOperationException($"Failed to create an instance of '{type.FullName}' using its default constructor.", exception);
             }
         }
+
+        public static object ConvertStringIdToTypedId(Type resourceType, string stringId, IResourceFactory resourceFactory)
+        {
+            var tempResource = resourceFactory.CreateInstance(resourceType);
+            tempResource.StringId = stringId;
+            return GetResourceTypedId(tempResource);
+        }
+
+        public static object GetResourceTypedId(IIdentifiable resource)
+        {
+            PropertyInfo property = resource.GetType().GetProperty(nameof(Identifiable.Id));
+            return property.GetValue(resource);
+        }
+
+        public static string GetResourceStringId<TResource, TId>(TId id) where TResource : class, IIdentifiable<TId>
+        {
+            TResource tempResource = CreateInstance<TResource>();
+            tempResource.Id = id;
+            return tempResource.StringId;
+        }
     }
 }

src/JsonApiDotNetCore/Serialization/Common/BaseDocumentParser.cs

@@ -198,8 +198,9 @@ private void SetForeignKey(IIdentifiable entity, PropertyInfo foreignKey, HasOne
                 // For a server deserializer, it should be mapped to a BadRequest HTTP error code.
                 throw new FormatException($"Cannot set required relationship identifier '{attr.IdentifiablePropertyName}' to null because it is a non-nullable type.");
             }
-            var convertedId = TypeHelper.ConvertType(id, foreignKey.PropertyType);
-            foreignKey.SetValue(entity, convertedId);
+
+            var typedId = TypeHelper.ConvertStringIdToTypedId(attr.PropertyInfo.PropertyType, id, _resourceFactory);
+            foreignKey.SetValue(entity, typedId);
         }
 
         /// <summary>

src/JsonApiDotNetCore/Services/DefaultResourceService.cs

@@ -95,7 +95,7 @@ public virtual async Task DeleteAsync(TId id)
             var succeeded = await _repository.DeleteAsync(id);
             if (!succeeded)
             {
-                string resourceId = TypeExtensions.GetResourceStringId<TResource, TId>(id);
+                string resourceId = TypeHelper.GetResourceStringId<TResource, TId>(id);
                 throw new ResourceNotFoundException(resourceId, _currentRequestResource.ResourceName);
             }
 
@@ -149,7 +149,7 @@ public virtual async Task<TResource> GetAsync(TId id)
 
             if (entity == null)
             {
-                string resourceId = TypeExtensions.GetResourceStringId<TResource, TId>(id);
+                string resourceId = TypeHelper.GetResourceStringId<TResource, TId>(id);
                 throw new ResourceNotFoundException(resourceId, _currentRequestResource.ResourceName);
             }
 
@@ -177,7 +177,7 @@ public virtual async Task<TResource> GetRelationshipsAsync(TId id, string relati
 
             if (entity == null)
             {
-                string resourceId = TypeExtensions.GetResourceStringId<TResource, TId>(id);
+                string resourceId = TypeHelper.GetResourceStringId<TResource, TId>(id);
                 throw new ResourceNotFoundException(resourceId, _currentRequestResource.ResourceName);
             }
 
@@ -207,7 +207,7 @@ public virtual async Task<TResource> UpdateAsync(TId id, TResource requestEntity
             TResource databaseEntity = await _repository.Get(id).FirstOrDefaultAsync();
             if (databaseEntity == null)
             {
-                string resourceId = TypeExtensions.GetResourceStringId<TResource, TId>(id);
+                string resourceId = TypeHelper.GetResourceStringId<TResource, TId>(id);
                 throw new ResourceNotFoundException(resourceId, _currentRequestResource.ResourceName);
             }
 
@@ -243,7 +243,7 @@ public virtual async Task UpdateRelationshipsAsync(TId id, string relationshipNa
 
             if (entity == null)
             {
-                string resourceId = TypeExtensions.GetResourceStringId<TResource, TId>(id);
+                string resourceId = TypeHelper.GetResourceStringId<TResource, TId>(id);
                 throw new ResourceNotFoundException(resourceId, _currentRequestResource.ResourceName);
             }
 

test/JsonApiDotNetCoreExampleTests/Acceptance/ResourceDefinitions/ResourceDefinitionTests.cs

@@ -301,7 +301,7 @@ public async Task Cascade_Permission_Error_Create_ToOne_Relationship()
                     {
                         { "passport", new
                             {
-                                data = new { type = "passports", id = $"{lockedPerson.Passport.Id}" }
+                                data = new { type = "passports", id = $"{lockedPerson.Passport.StringId}" }
                             }
                         }
                     }
@@ -353,7 +353,7 @@ public async Task Cascade_Permission_Error_Updating_ToOne_Relationship()
                     {
                         { "passport", new
                             {
-                                data = new { type = "passports", id = $"{newPassport.Id}" }
+                                data = new { type = "passports", id = $"{newPassport.StringId}" }
                             }
                         }
                     }
@@ -447,7 +447,7 @@ public async Task Cascade_Permission_Error_Delete_ToOne_Relationship()
             await context.SaveChangesAsync();
 
             var httpMethod = new HttpMethod("DELETE");
-            var route = $"/api/v1/passports/{lockedPerson.PassportId}";
+            var route = $"/api/v1/passports/{lockedPerson.Passport.StringId}";
             var request = new HttpRequestMessage(httpMethod, route);
 
             // Act

test/JsonApiDotNetCoreExampleTests/Acceptance/Spec/EagerLoadTests.cs

@@ -60,7 +60,7 @@ public async Task GetSingleResource_TopLevel_AppliesEagerLoad()
             _dbContext.SaveChanges();
 
             // Act
-            var (body, response) = await Get($"/api/v1/passports/{passport.Id}");
+            var (body, response) = await Get($"/api/v1/passports/{passport.StringId}");
 
             // Assert
             AssertEqualStatusCode(HttpStatusCode.OK, response);
@@ -182,7 +182,7 @@ public async Task PatchResource_TopLevel_AppliesEagerLoad()
             var content = serializer.Serialize(passport);
 
             // Act
-            var (body, response) = await Patch($"/api/v1/passports/{passport.Id}", content);
+            var (body, response) = await Patch($"/api/v1/passports/{passport.StringId}", content);
 
             // Assert
             AssertEqualStatusCode(HttpStatusCode.OK, response);