## What
This PR updates the `paramToBool` function to first check whether the
incoming argument is a boolean. This fixes the bug where using `true` or
`false` (e.g. `Strategies=false`) in the query would cause the server to
crash.
I've also added a test case to check for these values.
## Why
While working on the import/export API docs, I noticed that using
`false` in an export request caused the server to crash.
As we want to allow `true` and `false` (and use these values in the
documentation), we should ensure that they work as expected.
## Background
It's likely that this bug was introduced when we added the new OpenAPI
query parameters to the export endpoint. Because of the way that the
OpenAPI service we use does conversion, we now get `true` and `false`
converted to actual boolean values instead of strings. The `paramToBool`
function didn't account for that previously, which is why it caused the
server to crash.
## What
This change updates the availability notice and the code samples in the
import/export docs.
Specifically, the code samples have been moved to using the ApiRequest
component (and thus get examples in HTTP, cURL, and HTTPie), and the
import code sample now says which version it's using (version 3).
## Why
The import code sample didn't say which version of the data it used, so
Unleash would assume it was version 1 if you tried to run it. However,
the actual data was incompatible with the v1 data format, so you'd get
an error if you tried to actually import it.
While fixing this, I figured it'd also be alright to add some other
minor updates to bring the docs a bit more up to recent standards.
## What
This PR fixes a bug where fetching a feature toggle via the
`/api/admin/projects/:projectId/features/:featureName` endpoint doesn't
validate that the feature belongs to the provided project. The same
thing applies to the archive functionality. This has also been fixed.
In doing so, it also adds corresponding tests to check for edge cases,
updates the 403 error response we use to provide clearer steps for the
user, and adds more error responses to the OpenAPI documentation.
## Why
As mentioned in #2337, it's unexpected that the provided project
shouldn't matter at all, and after discussions internally, it was also
discovered that this was never intended to be the case.
## Discussion points
It might be worth rethinking this for Unleash v5. Why does the features
API need the projects part at all when features are unique across the
entire instance? Would it be worth reverting to a simpler feature API
later or would that introduce issues with regards to how different
projects can have different active environments and so on?
### Further improvements
I have _not_ provided schemas for the error responses for the endpoints
at this time. I considered it, but because it would introduce new schema
code, more tests, etc, I decided to leave it for later. There's a
thorough OpenAPI walkthrough coming up, so I think it makes sense to do
it as part of that work instead. I am happy to be challenged on this,
however, and will implement it if you think it's better.
### Why 403 when the project is wrong?
We could also have used the 404 status code for when the feature exists
but doesn't belong to this project, but this would require more (and
more complex) code. We also already use 403 for cases like this for
post, patch, and put. Finally, the [HTTP spec's section on the 403
status code](https://httpwg.org/specs/rfc9110.html#status.403) says the
following (emphasis mine):
> The 403 (Forbidden) status code indicates that the server
**_understood the request but refuses to fulfill it_**. A server that
wishes to make public why the request has been forbidden can describe
that reason in the response content (if any).
>
> If authentication credentials were provided in the request, the server
considers them insufficient to grant access. The client SHOULD NOT
automatically repeat the request with the same credentials. The client
MAY repeat the request with new or different credentials. However, **_a
request might be forbidden for reasons unrelated to the credentials_**.
As such, I think using 403 makes sense in this case.
---
Closes#2337.
* Fixes a memory leak where events would trigger the data polling to restart. Any event would setup another polling interval, which would strain our database. Separated the logic for fetching the data and the polling, and made sure that the polling was only initialized once.
* fix: limit total of PATs a user can have
* increase PAT limit to 10
* Update src/lib/services/pat-service.ts
Co-authored-by: Simon Hornby <liquidwicked64@gmail.com>
* disable button on the front-end when PAT limit is reached
* import from server instead of repeating ourselves
Co-authored-by: Simon Hornby <liquidwicked64@gmail.com>