WPB-21294: Add fields to apps: category, description, creator; WPB-21295: Add "get app" endpoint

[eyeinsky]

• WPB-21294: Add new fields to apps (category, description, creator)
• WPB-21295: Add "get app" endpoint

Doing the two together as then the fields set can then be tested by getting the app.

Questions/notes:

• should create and get double-dip on the NewApp data type, or is a second one needed? NewApp wraps GetApp now
• restrict text length for description and author, perhaps on type level? (do we have anything already available for this?)
• where should make postgres-schema be added? If I understand PR guidelines then into the checklist below, so did that.

Checklist

• Add a new entry in an appropriate subdirectory of changelog.d
• Read and follow the PR guidelines

[Copilot]

Pull request overview

This PR adds new fields (category, description, author) to the apps feature and implements a GET endpoint to retrieve app details. The changes span from API definitions through database schema to integration tests, introducing password verification for app creation and restructuring the NewApp/GetApp types.

Key Changes:

• Restructured NewApp to wrap GetApp with password authentication, adding category, description, and author fields
• Added GET /teams/:tid/apps/:id endpoint for retrieving app details
• Implemented password verification in the app creation flow using verifyUserPasswordError

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
libs/wire-api/src/Wire/API/App.hs	Defines new Category enum and restructures types: NewApp now wraps GetApp with password; adds category, description, author fields
libs/wire-api/src/Wire/API/Routes/Public/Brig.hs	Adds GET endpoint definition for retrieving apps
services/brig/src/Brig/API/Public.hs	Wires up the new getApp handler to the API routes
libs/wire-subsystems/src/Wire/AppSubsystem.hs	Updates subsystem interface to include GetApp operation and adds AppSubsystemErrorNoAppUser error type
libs/wire-subsystems/src/Wire/AppSubsystem/Interpreter.hs	Implements getAppImpl to retrieve apps, adds ensureTeamMember helper, and integrates password verification into app creation
libs/wire-subsystems/src/Wire/AppStore.hs	Extends StoredApp with new fields and updates marshalling/unmarshalling instances
libs/wire-subsystems/src/Wire/AppStore/Postgres.hs	Updates SQL statements to include new columns in INSERT and SELECT operations
postgres-schema.sql	Adds category, description, author columns to apps table
libs/wire-subsystems/postgres-migrations/20251127115917-app-fields-category-description-author.sql	Migration to add new columns to existing apps table
integration/test/Test/Apps.hs	Adds tests for app retrieval and category validation
integration/test/API/Brig.hs	Updates test helper to include new fields and password in createApp requests, adds getApp helper
changelog.d/1-api-changes/add-get-app-endpoint	Documents new GET endpoint
changelog.d/1-api-changes/add-app-fields-category-description-author	Documents new app fields

Comments suppressed due to low confidence (1)

libs/wire-subsystems/src/Wire/AppSubsystem/Interpreter.hs:152

• Security issue: getAppImpl does not verify that the requested app belongs to the team (tid) before returning its data. This means a team member can retrieve apps from other teams by providing any uid, as long as they are a member of the team specified in tid.

Compare with refreshAppCookieImpl (lines 176-180) which correctly validates:

app <- Store.getApp appId >>= note AppSubsystemErrorNoApp
note AppSubsystemErrorNoApp $ guard (app.teamId == tid)

Add a similar check after line 151:

note AppSubsystemErrorNoApp $ guard (storedApp.teamId == tid)

  storedApp <- Store.getApp uid >>= note AppSubsystemErrorNoApp
  u <- Store.getUser uid >>= note AppSubsystemErrorNoAppUser

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The integration test only verifies that bob (a team member) can retrieve the app. There's no test coverage for:

1. Whether users outside the team are properly blocked from accessing the app
2. Whether retrieving an app from a different team is properly blocked (related to the security issue in getAppImpl)

Consider adding test cases:

-- user outside team should not be able to get app
charlie <- randomUser OwnDomain def
bindResponse (getApp charlie tid appId) $ \resp -> do
  resp.status `shouldMatchInt` 403

-- team member should not be able to get app from different team
(alice2, tid2, _) <- createTeam domain 1
bindResponse (getApp alice2 tid appId) $ \resp -> do
  resp.status `shouldMatchInt` 404  -- or 403

[Copilot]

The description and author fields lack proper length validation. The comments indicate max lengths (300 and 255 respectively), but no validation is enforced at the type level. Consider using Range types similar to other fields in the codebase:

description :: Range 1 300 Text,
author :: Range 1 255 Text

This pattern is used throughout the codebase (e.g., Name uses Range 1 128 Text, TextStatus uses Range 1 256 Text) to ensure validation happens at deserialization time rather than allowing invalid data to propagate through the system.

Suggested change

	description :: Text, -- max 300
	author :: Text -- max 255, same as handle
	description :: Range 1 300 Text, -- max 300
	author :: Range 1 255 Text -- max 255, same as handle

[Copilot]

The categoryFromText function has an inefficient and potentially fragile implementation. It converts Text → JSON → Either, which is unnecessarily complex.

Consider implementing a direct pattern match:

categoryFromText :: Text -> Either Text Category
categoryFromText = \case
  "security" -> Right Security
  "collaboration" -> Right Collaboration
  "productivity" -> Right Productivity
  "automation" -> Right Automation
  "files" -> Right Files
  "ai" -> Right AI
  "developer" -> Right Developer
  "support" -> Right Support
  "finance" -> Right Finance
  "hr" -> Right HR
  "integration" -> Right Integration
  "compliance" -> Right Compliance
  "other" -> Right Other
  t -> Left $ "Invalid category: " <> t

This is more efficient and clearer in intent.

Suggested change

	categoryFromText = either (Left . TS.pack) Right . A.eitherDecode . A.encode . A.String
	categoryFromText = \case
	"security" -> Right Security
	"collaboration" -> Right Collaboration
	"productivity" -> Right Productivity
	"automation" -> Right Automation
	"files" -> Right Files
	"ai" -> Right AI
	"developer" -> Right Developer
	"support" -> Right Support
	"finance" -> Right Finance
	"hr" -> Right HR
	"integration" -> Right Integration
	"compliance" -> Right Compliance
	"other" -> Right Other
	t -> Left $ "Invalid category: " <> t

[Copilot]

[nitpick] Using error in pure code (line 74) is not ideal for error handling. This can cause runtime crashes that are difficult to debug. While this is labeled as "impossible", it's better to use a safer pattern.

Consider using fromJust with a comment explaining why it's safe, or better yet, use a total function:

categoryToText :: Category -> Text
categoryToText a = case A.toJSON a of
  A.String t -> t
  v -> error $ "BUG: Category should serialize to JSON string, got: " <> show v

Alternatively, match on the Category constructor directly to ensure totality.

Suggested change

	categoryToText a = case A.toJSON a of
	A.String t -> t
	_ ->
	error $
	"wire-api:Wire/API/App.hs: The impossible happened, Category should serialize to JSON string: "
	<> show a
	categoryToText Security = "security"
	categoryToText Collaboration = "collaboration"
	categoryToText Productivity = "productivity"
	categoryToText Automation = "automation"
	categoryToText Files = "files"
	categoryToText AI = "ai"
	categoryToText Developer = "developer"
	categoryToText Support = "support"
	categoryToText Finance = "finance"
	categoryToText HR = "hr"
	categoryToText Integration = "integration"
	categoryToText Compliance = "compliance"
	categoryToText Other = "other"

[Copilot]

getAppImpl authorizes the caller only by checking ensureTeamMember lusr tid, but then fetches the app by uid without verifying that the app belongs to the requested team (storedApp.teamId == tid). This allows any member of team tid to read app details for any app/user ID across all teams. Enforce team scoping by verifying the fetched app’s teamId matches tid, or by fetching via (user_id, team_id):

storedApp <- Store.getAppByTeam uid tid >>= note AppSubsystemErrorNoApp
when (storedApp.teamId /= tid) (throw AppSubsystemErrorNoPerm)

Suggested change

	storedApp <- Store.getApp uid >>= note AppSubsystemErrorNoApp
	storedApp <- Store.getApp uid >>= note AppSubsystemErrorNoApp
	when (storedApp.teamId /= tid) (throw AppSubsystemErrorNoPerm)

[Copilot]

getAppImpl SQL selects from apps only by user_id (where user_id = ($1 :: uuid)), ignoring the captured tid. A caller who is a member of any team can provide a uid for an app in another team and receive its details. Scope the query to the team by including team_id = $2 and adjust marshalling accordingly:

select (user_id :: uuid), (team_id :: uuid), (metadata :: json), (category :: text), (description :: text), (author :: text)
from apps where user_id = ($1 :: uuid) and team_id = ($2 :: uuid)

[Copilot]

Pull request overview

Copilot reviewed 15 out of 15 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

[nitpick] The comment "The user used to 'enact' the app not found" is unclear. Consider rewording to be more precise, such as: "The user record associated with the app not found (data inconsistency)"

Suggested change

	| AppSubsystemErrorNoAppUser -- The user used to "enact" the app not found
	| AppSubsystemErrorNoAppUser -- The user record associated with the app not found (data inconsistency)

[eyeinsky]

Renamed the error to AppSubsystemErrorAppUserNotFound 3d495ff, kept the comment (the improved comment is not clearer IMO).

[Copilot]

This check is redundant because Store.getApp appId tid on line 180 already filters by tid, so app.teamId will always equal tid. This line can be removed.

Suggested change

note AppSubsystemErrorNoApp $ guard (app.teamId == tid)

[eyeinsky]

Yup! 6d7b62d

[Copilot]

This check is redundant because Store.getApp uid tid on line 151 already filters by tid, so storedApp.teamId will always equal tid. This line can be removed.

Suggested change

when (storedApp.teamId /= tid) $ throw AppSubsystemErrorNoPerm

[eyeinsky]

4d34ce1

[Copilot]

The migration adds columns category, description, and author as nullable (text), but the code expects non-null values. For existing apps in the database, these columns will be NULL after migration, which will cause failures when trying to retrieve them using getApp.

The migration should either:

1. Add default values: ADD COLUMN category text DEFAULT 'other', etc., or
2. Update existing rows to set default values after adding the columns, or
3. Change the code to handle NULL values (make the fields Maybe Text or similar in the Haskell types)

Option 1 is recommended for consistency with the API schema which requires these fields.

Suggested change

	ADD COLUMN category text,
	ADD COLUMN description text,
	ADD COLUMN author text;
	ADD COLUMN category text DEFAULT 'other' NOT NULL,
	ADD COLUMN description text DEFAULT '' NOT NULL,
	ADD COLUMN author text DEFAULT '' NOT NULL;

[eyeinsky]

2988ba2: added the above for category and description.

The author field type will change and there will possibly be a team_id field, both UUID, change incoming.

[eyeinsky]

All the Copilot comments should be addressed (though feel free to run it again).

The originating Jira ticket had a minor change: originally it had the author field in the POST payload, but now we call it creator and fill it in in the backend, We currently just save it in the database and don't return it in the "get app" API endpoint. (The "get app" endpoint is also preliminary, it's there to help writing tests. A more fitting shape for the frontend will be specified in a future ticket.)

[fisx]

LGTM + 2 nit-picks.

I think we're still missing golden and roundtrip tests for apps in wire-api (not this PR's problem, arguably).

[fisx]

are these case insensitive? the ticket doesn't say so, and capitalizes the O here.

[eyeinsky]

So I double checked this, lower case is desirable: https://wearezeta.atlassian.net/browse/WPB-21294?focusedCommentId=148085

[fisx]

this works, but we usually add this deriving clause to the data type:

  deriving (FromJSON, ToJSON, S.ToSchema) via (Schema Category)

[eyeinsky]

👍 , a284adc

[fisx]

off topic for this PR, but shouldn't this belong into Wire.AppStore.Postgres?

[eyeinsky]

I agree with this, but the instances for StoredApp would then turn out to be orphans in the Postgres module, so an {-# OPTIONS_GHC -Wno-orphans #-} would be required there. I'm assuming that is why they are defined here in the current module (@pcapriotti).

[fisx]

then maybe you can add a comment explaining this? but as i said, it's not really your job in this PR :)

[eyeinsky]

Did that too ;) edca279

[eyeinsky]

@fisx Ready for another round!

[fisx]

perfect! :-)