fixes #125, address remaining review issues from PR #124

[tirth1356]

fixed #125

This PR addresses the follow-up tasks from PR #124, improving error sanitization, increasing test coverage, resolving SDK type mismatches, and cleaning up test execution noise.

Changes Summary:

1. Error Sanitization: Replaced raw DB/Mongoose error message leaks inside the mail template endpoints of apps/dashboard-api/src/controllers/project.controller.js with a generic "Internal server error" message, only exposing details in development mode.
2. Added Test Coverage: Wrote comprehensive unit tests inside apps/public-api/src/__tests__/mail.controller.test.js to verify:
   • Successful resolution of project-scoped mail templates.
   • Successful fallback to global/system mail templates when a project-scoped one is not found.
3. Resolved SDK Type Mismatch: Updated the sendMailSchema Zod definition for the to field in packages/common/src/utils/input.validation.js to natively accept both a single email string and an array of email strings (z.union([z.string().email(), z.array(z.string().email())])), matching the SDK's definitions.
4. Test Noise Elimination: Silenced expected error/debug console output generated by positive & negative testing assertions in:
   • apps/dashboard-api/src/middlewares/authMiddleware.js
   • apps/public-api/src/controllers/data.controller.js
   • packages/common/src/queues/publicEmailQueue.js

🛠️ Type of Change

• 🐛 Bug fix (non-breaking change which fixes an issue)
• ✨ New feature (non-breaking change which adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
• 📝 Documentation update
• 🎨 UI/UX improvement (Frontend only)
• ⚙️ Refactor / Chore

🧪 Testing & Validation

Backend Verification:

• I have run npm test or the local Jest runner inside the monorepo directories and all tests passed cleanly.
• New unit tests have been added for the mail template resolution paths.

✅ Checklist

• My code follows the code style of this project.
• I have performed a self-review of my code.
• My changes generate no new warnings or errors.
• Test runs are clean and free of unnecessary error outputs.

Summary by CodeRabbit

• New Features

  • Mail sending now accepts multiple recipients (single email or array of emails).

• Bug Fixes

  • Standardized error responses for mail template API endpoints.

• Tests

  • Added tests for mail template rendering and fallback logic with database-backed templates.
  • Improved error logging behavior during test execution across multiple endpoints.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR standardizes error responses across mail-template endpoints, suppresses test-run logging noise across multiple services, and extends mail-template functionality to support multi-recipient emails and database-backed template lookup with project/global scoping.

Changes

Test environment logging and mail template enhancements

Layer / File(s)	Summary
Test environment logging suppression apps/dashboard-api/src/middlewares/authMiddleware.js, apps/public-api/src/controllers/data.controller.js, packages/common/src/queues/publicEmailQueue.js	JWT verification errors, data controller catch blocks, and email queue failures now conditionally log only when NODE_ENV !== 'test', reducing test output noise.
Mail template endpoint error standardization apps/dashboard-api/src/controllers/project.controller.js	All six mail-template operations (listMailTemplates, listGlobalMailTemplates, getMailTemplate, createMailTemplate, updateMailTemplate, deleteMailTemplate) now return a consistent 500 response structure: { error: "Internal server error", details: ... } with details only in development mode.
Mail template multi-recipient and database lookup packages/common/src/utils/input.validation.js, apps/public-api/src/__tests__/mail.controller.test.js	sendMailSchema.to now accepts either a single email string or a non-empty array of recipient strings; two new tests verify that mailController.sendMail selects a project-scoped template from the database, or falls back to a global template when the project template does not exist.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

• geturbackend/urBackend#125: Directly addresses concerns regarding mail-template error standardization, MailTemplate-backed test coverage, and multi-recipient schema support.
• geturbackend/urBackend#126: Implements the three requested fixes: standardized 500 responses for mail templates, MailTemplate lookup tests for project and global scopes, and string|string[] validation for the to field.

Possibly related PRs

• geturbackend/urBackend#30: Also modifies data.controller catch-block error handling; this PR adds conditional logging gates during test runs to the same location.
• geturbackend/urBackend#128: The mail template rendering tests in this PR depend on plan-limit gating logic from that PR's mailController.sendMail changes.
• geturbackend/urBackend#157: Both PRs modify publicEmailQueue worker failed event behavior; this PR adds logging suppression to that handler.

Suggested labels

backend, intermediete-advance, level-3

Suggested reviewers

• yash-pouranik

Poem

🐰 A rabbit hops through test files bright,
Silencing logs that clutter the night,
Mail templates now speak with one voice clear,
Multi-recipients and DB lookups here!
Tests pass faster, cleaner, and neat! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title references fixing issue #125 and addressing review issues from PR #124, which aligns with the PR's objectives of implementing fixes and follow-up tasks. However, the title is overly broad and doesn't clearly convey the main technical changes (error sanitization, test coverage, validation updates, test logging suppression).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch fix/mail-template-issues

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/public-api/src/controllers/data.controller.js (1)

87-99: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Stop leaking raw internal errors from controller catch paths

Several touched catch blocks still send raw err.message/details to clients (e.g., Line 94, Line 98, Line 370, Line 444, Line 509, Line 513, Line 575), which leaks internal DB/runtime details and breaks the controller response contract. Return a sanitized message and keep detailed error info server-side only.

Suggested pattern

- return res.status(500).json({ error: err.message });
+ return next(new AppError("Internal server error", 500));

- return res.status(409).json({
-   error: "Duplicate value violates unique constraint.",
-   details: err.message,
- });
+ return next(new AppError("Duplicate value violates unique constraint.", 409));

- return res.status(500).json({
-   success: false,
-   data: {},
-   message: err.message || "Failed to execute aggregation.",
- });
+ return next(new AppError("Failed to execute aggregation.", 500));

As per coding guidelines, "**/src/controllers/**/*.{js,ts}: All API endpoints return: { success: bool, data: {}, message: "" }. Use AppError class for errors — never raw throw, never expose MongoDB errors to client."

Also applies to: 178-189, 367-371, 429-446, 502-514, 572-576

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/public-api/src/controllers/data.controller.js` around lines 87 - 99, The
controller currently returns raw internal error messages (e.g., using
err.message and details in the catch path around isDuplicateKeyError) which
leaks DB/runtime internals and violates the response contract; update the catch
blocks in apps/public-api/src/controllers/data.controller.js to stop sending
err.message or err details to clients, instead log the full error server-side
(console.error or logger) and return a sanitized response shaped as { success:
false, data: {}, message: "<user-friendly message>" } using the AppError
pattern; for duplicate-key errors detected by isDuplicateKeyError(err) return a
409 with a generic message like "Conflict: duplicate value" (no DB details), for
other errors return a 500 with a generic message like "Internal server error",
and ensure any thrown errors in this controller use the AppError class rather
than raw error objects.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/dashboard-api/src/controllers/project.controller.js`:
- Around line 1598-1601: Several catch blocks in project.controller.js currently
return res.status(500).json({ error, details: ... }) and leak backend error
text; update each of these catch blocks (the ones that call
res.status(500).json(...) for 500 responses) to follow the controller response
contract by returning res.status(500).json({ success: false, data: {}, message:
"Internal server error" }) and remove any use of err.message or a details field
so no MongoDB/backend error text is exposed to clients; apply the same change to
all six occurrences that currently return the { error, details } payload.

In `@apps/public-api/src/__tests__/mail.controller.test.js`:
- Around line 176-231: The test currently only asserts output while mocking
MailTemplate.findOne loosely, which can hide regressions in lookup order/scope;
after invoking mailController.sendMail add assertions on MailTemplate.findOne
calls to ensure the first call queried the project-scoped template and the
second called the global fallback (e.g.,
expect(MailTemplate.findOne).toHaveBeenNthCalledWith(1,
expect.objectContaining({ name: 'welcome', projectId: 'proj_1' })) and
expect(MailTemplate.findOne).toHaveBeenNthCalledWith(2,
expect.objectContaining({ name: 'welcome', projectId: null })) so the test fails
if the controller no longer queries project-first then global).

---

Outside diff comments:
In `@apps/public-api/src/controllers/data.controller.js`:
- Around line 87-99: The controller currently returns raw internal error
messages (e.g., using err.message and details in the catch path around
isDuplicateKeyError) which leaks DB/runtime internals and violates the response
contract; update the catch blocks in
apps/public-api/src/controllers/data.controller.js to stop sending err.message
or err details to clients, instead log the full error server-side (console.error
or logger) and return a sanitized response shaped as { success: false, data: {},
message: "<user-friendly message>" } using the AppError pattern; for
duplicate-key errors detected by isDuplicateKeyError(err) return a 409 with a
generic message like "Conflict: duplicate value" (no DB details), for other
errors return a 500 with a generic message like "Internal server error", and
ensure any thrown errors in this controller use the AppError class rather than
raw error objects.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0682ec95-9843-4f9a-b91e-96cdf8e88a6d

📥 Commits

Reviewing files that changed from the base of the PR and between dd7bebd and a325fc1.

📒 Files selected for processing (6)

• apps/dashboard-api/src/controllers/project.controller.js
• apps/dashboard-api/src/middlewares/authMiddleware.js
• apps/public-api/src/__tests__/mail.controller.test.js
• apps/public-api/src/controllers/data.controller.js
• packages/common/src/queues/publicEmailQueue.js
• packages/common/src/utils/input.validation.js

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use the controller response contract for 500s and stop returning details to clients.

On Line 1598, Line 1636, Line 1702, Line 1770, Line 1859, and Line 1889, the new error payload shape ({ error, details }) breaks this controller contract and can leak backend error text in development responses.

Suggested fix pattern for all six catch blocks

- return res.status(500).json({
-   error: "Internal server error",
-   details: process.env.NODE_ENV === "development" ? err.message : undefined,
- });
+ return res.status(500).json({
+   success: false,
+   data: {},
+   message: "Internal server error",
+ });

As per coding guidelines, **/src/controllers/**/*.{js,ts} must return { success: bool, data: {}, message: "" } and must “never expose MongoDB errors to client.”

Also applies to: 1636-1639, 1702-1705, 1770-1773, 1859-1862, 1889-1892

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/dashboard-api/src/controllers/project.controller.js` around lines 1598 -
1601, Several catch blocks in project.controller.js currently return
res.status(500).json({ error, details: ... }) and leak backend error text;
update each of these catch blocks (the ones that call res.status(500).json(...)
for 500 responses) to follow the controller response contract by returning
res.status(500).json({ success: false, data: {}, message: "Internal server
error" }) and remove any use of err.message or a details field so no
MongoDB/backend error text is exposed to clients; apply the same change to all
six occurrences that currently return the { error, details } payload.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Assert MailTemplate.findOne query scope/order to avoid false-positive passes.

These tests currently verify output only. Since findOne is a loose mock, they can still pass if lookup order/filtering regresses (e.g., not actually querying project scope first, then global fallback).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/public-api/src/__tests__/mail.controller.test.js` around lines 176 -
231, The test currently only asserts output while mocking MailTemplate.findOne
loosely, which can hide regressions in lookup order/scope; after invoking
mailController.sendMail add assertions on MailTemplate.findOne calls to ensure
the first call queried the project-scoped template and the second called the
global fallback (e.g., expect(MailTemplate.findOne).toHaveBeenNthCalledWith(1,
expect.objectContaining({ name: 'welcome', projectId: 'proj_1' })) and
expect(MailTemplate.findOne).toHaveBeenNthCalledWith(2,
expect.objectContaining({ name: 'welcome', projectId: null })) so the test fails
if the controller no longer queries project-first then global).

[yash-pouranik]

Hello @tirth1356
Thank you for the PR
Can u please resolve this merge conflicts and fix the issue shared by coderabbitai?

[yash-pouranik]

@tirth1356
r u there???