ferro-rs 0.2.55

A Laravel-inspired web framework for Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294

//! Defensive mapping of DB UNIQUE-constraint violations to field-level
//! [`ValidationError`]s.
//!
//! A [`ConstraintMap`] is registered at the call site with the constraint names
//! and corresponding field/message pairs. When an [`sea_orm::DbErr`] is a UNIQUE
//! violation that matches a registered entry, [`ConstraintMap::try_map`] returns
//! `Ok(ValidationError)` carrying the entry's field and message. Any
//! non-matching `DbErr` — including non-UNIQUE errors and unregistered UNIQUE
//! violations — is returned as `Err(original_dberr)` unchanged so the caller's
//! `?` reaches the existing [`From<sea_orm::DbErr> for ActionError`] passthrough.
//!
//! All constraint/field/message strings are consumer-owned. The `framework`
//! crate holds no application-specific literals.
//!
//! # Example
//!
//! ```rust,ignore
//! use ferro_rs::{ConstraintMap, MapConstraintExt};
//!
//! let map = ConstraintMap::new()
//!     .on("pages_slug_unique", "slug", "has already been taken")
//!     .sqlite("pages.slug");
//!
//! // In a handler:
//! let page = new_page.insert(db).await
//!     .map_constraint(&map, &data, "/pages/new")?;
//! ```

use sea_orm::error::SqlErr;
use sea_orm::{DbErr, RuntimeErr, SqlxError};

use crate::validation::error::ValidationError;

/// A single registered mapping entry.
#[derive(Clone)]
struct ConstraintEntry {
    /// Postgres structured constraint name — primary `.on()` key.
    pg_name: String,
    /// SQLite `table.column` discriminator (set via `.sqlite()`).
    sqlite_key: Option<String>,
    /// Logical field the error attaches to.
    field: String,
    /// User-visible message.
    message: String,
}

/// Consumer-registered map from DB UNIQUE-constraint violations to field-level
/// validation errors. Construct per call site (cheap; no global state).
///
/// # First-match semantics
///
/// Entries are matched in registration order. The first entry whose Postgres
/// constraint name or SQLite `table.column` key matches the violation wins.
/// Register the most specific entries first when multiple UNIQUE constraints
/// exist on one table.
///
/// # Postgres vs SQLite identity
///
/// - **Postgres:** matched by constraint name via the `DatabaseError::constraint()`
///   trait method (protocol field `'n'`). No message-string parsing.
/// - **SQLite:** matched by `table.column` extracted from the error message
///   (`"UNIQUE constraint failed: table.column"`). SQLite does not expose
///   structured constraint names so the message token is the reliable identifier.
///
/// A single registration can cover both backends by chaining `.sqlite("t.c")`
/// after `.on(...)`.
#[derive(Clone, Default)]
pub struct ConstraintMap {
    entries: Vec<ConstraintEntry>,
}

impl ConstraintMap {
    /// Create an empty `ConstraintMap`.
    pub fn new() -> Self {
        Self::default()
    }

    /// Register a UNIQUE constraint name → field/message mapping.
    ///
    /// `pg_constraint` is the Postgres constraint name (the structured value
    /// in the DB error protocol, e.g. `"pages_slug_unique"`). It is also used
    /// as the logical entry key when chaining `.sqlite(...)`.
    ///
    /// Optionally chain `.sqlite("table.column")` immediately after to add a
    /// SQLite discriminator to the same entry so one registration covers both
    /// backends.
    ///
    /// # Example
    ///
    /// ```rust,ignore
    /// ConstraintMap::new()
    ///     .on("pages_slug_unique", "slug", "has already been taken")
    ///     .sqlite("pages.slug");
    /// ```
    pub fn on(
        mut self,
        pg_constraint: impl Into<String>,
        field: impl Into<String>,
        message: impl Into<String>,
    ) -> Self {
        self.entries.push(ConstraintEntry {
            pg_name: pg_constraint.into(),
            sqlite_key: None,
            field: field.into(),
            message: message.into(),
        });
        self
    }

    /// Add a SQLite `table.column` discriminator to the LAST registered entry.
    ///
    /// Must be chained immediately after `.on(...)`. No-op when called without
    /// a prior `.on()` call on this map.
    ///
    /// SQLite does not expose structured constraint names; the `table.column`
    /// token parsed from the error message is the reliable identifier for SQLite
    /// backends (dev/CI environments).
    pub fn sqlite(mut self, table_col: impl Into<String>) -> Self {
        if let Some(last) = self.entries.last_mut() {
            last.sqlite_key = Some(table_col.into());
        }
        self
    }

    /// Map a DB UNIQUE-constraint violation to a field-level [`ValidationError`].
    ///
    /// Returns `Ok(ValidationError)` when `err` is a UNIQUE violation that
    /// matches a registered entry. Returns `Err(err)` **unchanged** (by move)
    /// when:
    /// - `err` is not a UNIQUE violation, or
    /// - `err` is a UNIQUE violation but no registered entry matches.
    ///
    /// The returned `ValidationError` carries the entry's `field` and `message`
    /// and composes with `.with_old_input(&data).into_action_error(url)` exactly
    /// like a Phase 190 async-rule failure.
    ///
    /// # Safety contract (SC2)
    ///
    /// This method NEVER swallows a `DbErr`. A non-matching error is returned
    /// unchanged so the caller's `?` reaches `From<DbErr> for ActionError`.
    pub fn try_map(&self, err: DbErr) -> Result<ValidationError, DbErr> {
        // Step 1: portable violation-type gate (borrows err, does NOT consume it).
        // All non-UNIQUE DbErr variants fall through immediately unchanged.
        if !matches!(err.sql_err(), Some(SqlErr::UniqueConstraintViolation(_))) {
            return Err(err);
        }

        // Step 2a: Postgres constraint name via the DatabaseError trait method.
        // `e.constraint()` dispatches to PgDatabaseError::constraint() at runtime
        // (returns protocol field 'n'). No downcast, no #[cfg] guard needed.
        let pg_name: Option<String> = match &err {
            DbErr::Exec(RuntimeErr::SqlxError(SqlxError::Database(e)))
            | DbErr::Query(RuntimeErr::SqlxError(SqlxError::Database(e))) => {
                e.constraint().map(ToOwned::to_owned)
            }
            _ => None,
        };

        // Step 2b: SQLite table.column from message string.
        // sql_err() borrows err again — legal because err has not been moved.
        // Defensive parse: split on ": " and take token after it; None on any
        // unexpected format (never panics — T-191-01 mitigation).
        let sqlite_key: Option<String> = match err.sql_err() {
            Some(SqlErr::UniqueConstraintViolation(msg)) => {
                // "UNIQUE constraint failed: table.column" → "table.column"
                msg.split(": ").nth(1).map(|s| s.trim().to_owned())
            }
            _ => None,
        };

        // Step 3: first-match entry lookup.
        for entry in &self.entries {
            let pg_hit = pg_name
                .as_deref()
                .map(|c| c == entry.pg_name)
                .unwrap_or(false);
            let sqlite_hit = sqlite_key
                .as_deref()
                .zip(entry.sqlite_key.as_deref())
                .map(|(k, r)| k == r)
                .unwrap_or(false);
            if pg_hit || sqlite_hit {
                let mut ve = ValidationError::new();
                ve.add(&entry.field, &entry.message);
                return Ok(ve);
            }
        }

        // Step 4: no entry matched — fall through unchanged (SC2).
        Err(err)
    }
}

/// Extension trait on `Result<T, DbErr>` for ergonomic call-site mapping.
///
/// Eliminates closure ladders at the write site: instead of chaining
/// `.map_err(|e| map.try_map(e).map(...).unwrap_or_else(...))`, use:
///
/// ```rust,ignore
/// let page = new_page.insert(db).await
///     .map_constraint(&map, &data, "/pages/new")?;
/// ```
///
/// On a matching UNIQUE violation the `ValidationError` is flashed into the
/// session and an [`crate::http::action::ActionError`] configured to redirect
/// to `url` is returned (identical to the Phase 190 surfacing chain).
///
/// On any non-matching error, `From<DbErr> for ActionError` is applied —
/// the existing passthrough — so no error is ever swallowed.
pub trait MapConstraintExt<T> {
    /// Map a DB UNIQUE-constraint violation to a field-level error and redirect.
    ///
    /// See the trait documentation for full semantics.
    fn map_constraint(
        self,
        map: &ConstraintMap,
        data: &serde_json::Value,
        url: impl Into<String>,
    ) -> Result<T, crate::http::action::ActionError>;
}

impl<T> MapConstraintExt<T> for Result<T, DbErr> {
    fn map_constraint(
        self,
        map: &ConstraintMap,
        data: &serde_json::Value,
        url: impl Into<String>,
    ) -> Result<T, crate::http::action::ActionError> {
        self.map_err(|err| match map.try_map(err) {
            Ok(ve) => ve.with_old_input(data).into_action_error(url),
            Err(original) => crate::http::action::ActionError::from(original),
        })
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    // Non-DB unit tests — no DB singleton needed, no #[serial] required.
    // These cover SC2 (passthrough contract) and builder correctness.
    // DB-backed SQLite identity and TOCTOU simulation tests live in
    // framework/tests/constraint_map_integration.rs (Plan 02).

    #[test]
    fn non_unique_dberr_passes_through_unchanged() {
        // SC2: a non-UNIQUE DbErr must be returned UNCHANGED.
        let map = ConstraintMap::new()
            .on("some_constraint", "field", "message")
            .sqlite("t.col");
        let err = DbErr::Custom("boom".to_string());
        match map.try_map(err) {
            Err(DbErr::Custom(msg)) => assert_eq!(msg, "boom"),
            other => panic!("expected Err(DbErr::Custom(\"boom\")), got {other:?}"),
        }
    }

    #[test]
    fn empty_map_passes_through_any_dberr_unchanged() {
        // An empty ConstraintMap must never swallow any error.
        let map = ConstraintMap::new();
        let err = DbErr::Custom("any error".to_string());
        match map.try_map(err) {
            Err(DbErr::Custom(msg)) => assert_eq!(msg, "any error"),
            other => panic!("expected Err(DbErr::Custom), got {other:?}"),
        }
    }

    #[test]
    fn builder_chains_on_and_sqlite_without_panic() {
        // Verify .on(...).sqlite(...) builds without panic and the map is reusable.
        let map = ConstraintMap::new()
            .on("a_constraint", "field_a", "msg a")
            .sqlite("table_a.col_a")
            .on("b_constraint", "field_b", "msg b");

        // Two entries registered; passing a non-UNIQUE error exercises the code
        // path without needing a DB connection.
        let err = DbErr::Custom("test".to_string());
        assert!(map.try_map(err).is_err(), "non-UNIQUE must fall through");

        // Clone the map to verify Clone is derived correctly.
        let map2 = map.clone();
        let err2 = DbErr::Custom("test2".to_string());
        assert!(map2.try_map(err2).is_err());
    }

    #[test]
    fn sqlite_no_op_without_prior_on() {
        // .sqlite() without a prior .on() must be a no-op (not panic).
        let map = ConstraintMap::new().sqlite("table.col");
        assert!(map.entries.is_empty());
    }
}