Fix contact identify auth order and visitor ID fallback

Author: Rieranthony

apps/api/src/rest/openapi-contract.test.ts

@@ -1,6 +1,7 @@
 import { describe, expect, it } from "bun:test";
 import { readdirSync, readFileSync } from "node:fs";
 import path from "node:path";
+import { identifyContactRequestSchema } from "@cossistant/types/api/contact";
 import {
 	createConversationRequestSchema,
 	getConversationResponseSchema,
@@ -34,6 +35,7 @@ type OpenAPISchemaWithProperties = {
 		string,
 		OpenAPIMetadataSchema | OpenAPISchemaWithProperties
 	>;
+	required?: string[];
 };
 
 type OpenAPIJsonContent = {
@@ -186,4 +188,52 @@ describe("REST OpenAPI contract guards", () => {
 		expect(requestValueTypes).toEqual(["boolean", "null", "number", "string"]);
 		expect(responseValueTypes).toEqual(["boolean", "null", "number", "string"]);
 	});
+
+	it("documents contact identify visitorId precedence between body and X-Visitor-Id", () => {
+		const app = new OpenAPIHono();
+
+		app.openapi(
+			{
+				method: "post",
+				path: "/contacts/identify",
+				request: {
+					body: {
+						required: true,
+						content: {
+							"application/json": {
+								schema: identifyContactRequestSchema,
+							},
+						},
+					},
+				},
+				responses: {
+					200: {
+						description: "Contact identified",
+					},
+				},
+			},
+			(() => new Response(null)) as never
+		);
+
+		const doc = app.getOpenAPI31Document({
+			openapi: "3.1.0",
+			info: {
+				title: "OpenAPI metadata contract test",
+				version: "1.0.0",
+			},
+		});
+
+		const postPath = doc.paths?.["/contacts/identify"]?.post;
+		const requestBody = postPath?.requestBody as OpenAPIJsonContent | undefined;
+		const requestSchema = requestBody?.content?.["application/json"]?.schema as
+			| OpenAPISchemaWithProperties
+			| undefined;
+		const visitorIdSchema = requestSchema?.properties?.visitorId as
+			| OpenAPIMetadataSchema
+			| undefined;
+
+		expect(requestSchema?.required ?? []).not.toContain("visitorId");
+		expect(visitorIdSchema?.description).toContain("X-Visitor-Id");
+		expect(visitorIdSchema?.description).toContain("body value wins");
+	});
 });

apps/api/src/rest/routers/contact-auth-order.test.ts

@@ -0,0 +1,61 @@
+import { describe, expect, it } from "bun:test";
+import { readFileSync } from "node:fs";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+const contactRouterPath = new URL("./contact.ts", import.meta.url);
+
+describe("contact router auth ordering", () => {
+	it("mounts runtime routes before control routes and preserves public identify access", async () => {
+		const source = readFileSync(contactRouterPath, "utf8");
+		const runtimeRouteIndex = source.indexOf(
+			'.route("/", contactRuntimeRouter)'
+		);
+		const controlRouteIndex = source.indexOf(
+			'.route("/", contactControlRouter)'
+		);
+
+		expect(runtimeRouteIndex).toBeGreaterThan(-1);
+		expect(controlRouteIndex).toBeGreaterThan(-1);
+		expect(runtimeRouteIndex).toBeLessThan(controlRouteIndex);
+
+		const runtimeRouter = new OpenAPIHono();
+		runtimeRouter.use("/*", async (c, next) => {
+			if (!c.req.header("X-Public-Key")) {
+				return c.json(
+					{ error: "UNAUTHORIZED", message: "API key is required" },
+					401
+				);
+			}
+
+			await next();
+		});
+		runtimeRouter.post("/identify", (c) => c.json({ ok: true }, 200));
+
+		const controlRouter = new OpenAPIHono();
+		controlRouter.use("/*", async (c, next) => {
+			if (!c.req.header("Authorization")?.startsWith("Bearer ")) {
+				return c.json(
+					{ error: "UNAUTHORIZED", message: "API key is required" },
+					401
+				);
+			}
+
+			await next();
+		});
+
+		const router = new OpenAPIHono()
+			.route("/", runtimeRouter)
+			.route("/", controlRouter);
+
+		const response = await router.request(
+			new Request("http://localhost/identify", {
+				method: "POST",
+				headers: {
+					"X-Public-Key": "pk_test_123",
+				},
+			})
+		);
+
+		expect(response.status).toBe(200);
+	});
+});

apps/api/src/rest/routers/contact-identify.test.ts

@@ -1,4 +1,5 @@
 import { beforeEach, describe, expect, it, mock } from "bun:test";
+import { APIKeyType } from "@cossistant/types";
 
 const safelyExtractRequestDataMock = mock((async () => ({})) as (
 	...args: unknown[]
@@ -101,6 +102,7 @@ mock.module("@api/realtime/emitter", () => ({
 
 mock.module("../middleware", () => ({
 	protectedPublicApiKeyMiddleware: [],
+	protectedPrivateApiKeyMiddleware: [],
 }));
 
 const contactRouterModulePromise = import("./contact");
@@ -226,9 +228,135 @@ describe("contact identify route", () => {
 		expect(identifyArg.email).toBeUndefined();
 	});
 
+	it("returns 200 when visitorId is provided via X-Visitor-Id header", async () => {
+		const db = {};
+		safelyExtractRequestDataMock.mockResolvedValue({
+			db,
+			website: {
+				id: "site-1",
+				organizationId: "org-1",
+			},
+			visitorIdHeader: "visitor-header-1",
+			body: {
+				externalId: "user-123",
+				email: undefined,
+				name: "User",
+				image: undefined,
+				metadata: undefined,
+				contactOrganizationId: undefined,
+			},
+		});
+
+		const { contactRouter } = await contactRouterModulePromise;
+		const response = await contactRouter.request(
+			new Request("http://localhost/identify", {
+				method: "POST",
+			})
+		);
+		const payload = (await response.json()) as {
+			visitorId: string;
+		};
+
+		expect(response.status).toBe(200);
+		expect(findVisitorForWebsiteMock).toHaveBeenCalledWith(db, {
+			visitorId: "visitor-header-1",
+			websiteId: "site-1",
+		});
+		expect(linkVisitorToContactMock).toHaveBeenCalledWith(db, {
+			visitorId: "visitor-header-1",
+			contactId: "contact-1",
+			websiteId: "site-1",
+		});
+		expect(payload.visitorId).toBe("visitor-header-1");
+	});
+
+	it("prefers body visitorId over X-Visitor-Id header when both are provided", async () => {
+		const db = {};
+		safelyExtractRequestDataMock.mockResolvedValue({
+			db,
+			website: {
+				id: "site-1",
+				organizationId: "org-1",
+			},
+			visitorIdHeader: "visitor-header-1",
+			body: {
+				visitorId: "visitor-body-1",
+				externalId: "user-123",
+				email: undefined,
+				name: "User",
+				image: undefined,
+				metadata: undefined,
+				contactOrganizationId: undefined,
+			},
+		});
+
+		const { contactRouter } = await contactRouterModulePromise;
+		const response = await contactRouter.request(
+			new Request("http://localhost/identify", {
+				method: "POST",
+			})
+		);
+		const payload = (await response.json()) as {
+			visitorId: string;
+		};
+
+		expect(response.status).toBe(200);
+		expect(findVisitorForWebsiteMock).toHaveBeenCalledWith(db, {
+			visitorId: "visitor-body-1",
+			websiteId: "site-1",
+		});
+		expect(linkVisitorToContactMock).toHaveBeenCalledWith(db, {
+			visitorId: "visitor-body-1",
+			contactId: "contact-1",
+			websiteId: "site-1",
+		});
+		expect(payload.visitorId).toBe("visitor-body-1");
+	});
+
+	it("returns 400 when neither body nor header provides a visitorId", async () => {
+		safelyExtractRequestDataMock.mockResolvedValue({
+			db: {},
+			website: {
+				id: "site-1",
+				organizationId: "org-1",
+			},
+			visitorIdHeader: null,
+			body: {
+				externalId: "user-123",
+				email: undefined,
+				name: "User",
+				image: undefined,
+				metadata: undefined,
+				contactOrganizationId: undefined,
+			},
+		});
+
+		const { contactRouter } = await contactRouterModulePromise;
+		const response = await contactRouter.request(
+			new Request("http://localhost/identify", {
+				method: "POST",
+			})
+		);
+
+		const payload = (await response.json()) as {
+			error: string;
+			message: string;
+		};
+
+		expect(response.status).toBe(400);
+		expect(payload).toEqual({
+			error: "BAD_REQUEST",
+			message: "Visitor not found, please pass a valid visitorId",
+		});
+		expect(findVisitorForWebsiteMock).toHaveBeenCalledTimes(0);
+		expect(identifyContactMock).toHaveBeenCalledTimes(0);
+	});
+
 	it("POST /contacts returns 201 when externalId upsert creates a new contact", async () => {
 		safelyExtractRequestDataMock.mockResolvedValue({
 			db: {},
+			apiKey: { keyType: APIKeyType.PRIVATE },
+			organization: { id: "org-1" },
 			website: {
 				id: "site-1",
 				organizationId: "org-1",
@@ -272,6 +400,8 @@ describe("contact identify route", () => {
 	it("POST /contacts returns 200 when externalId upsert updates an existing contact", async () => {
 		safelyExtractRequestDataMock.mockResolvedValue({
 			db: {},
+			apiKey: { keyType: APIKeyType.PRIVATE },
+			organization: { id: "org-1" },
 			website: {
 				id: "site-1",
 				organizationId: "org-1",
@@ -307,6 +437,8 @@ describe("contact identify route", () => {
 	it("POST /contacts keeps create-only behavior when externalId is not provided", async () => {
 		safelyExtractRequestDataMock.mockResolvedValue({
 			db: {},
+			apiKey: { keyType: APIKeyType.PRIVATE },
+			organization: { id: "org-1" },
 			website: {
 				id: "site-1",
 				organizationId: "org-1",

apps/api/src/rest/routers/contact.ts

@@ -122,7 +122,7 @@ contactRuntimeRouter.openapi(
 		path: "/identify",
 		summary: "Identify a visitor",
 		description:
-			"Creates or updates a contact for a visitor. If a contact with the same externalId or email exists, it will be updated. The visitor will be linked to the contact.",
+			"Creates or updates a contact for a visitor. If a contact with the same externalId or email exists, it will be updated. The visitor will be linked to the contact. Public callers may pass the visitor ID in the request body or via X-Visitor-Id, and the body value takes precedence when both are provided.",
 		request: {
 			body: {
 				content: {
@@ -150,10 +150,8 @@ contactRuntimeRouter.openapi(
 	},
 	async (c) => {
 		try {
-			const { db, website, body } = await safelyExtractRequestData(
-				c,
-				identifyContactRequestSchema
-			);
+			const { db, website, body, visitorIdHeader } =
+				await safelyExtractRequestData(c, identifyContactRequestSchema);
 
 			if (!(website?.id && website.organizationId)) {
 				return c.json(
@@ -162,6 +160,18 @@ contactRuntimeRouter.openapi(
 				);
 			}
 
+			const resolvedVisitorId = body.visitorId ?? visitorIdHeader;
+
+			if (!resolvedVisitorId) {
+				return c.json(
+					{
+						error: "BAD_REQUEST",
+						message: "Visitor not found, please pass a valid visitorId",
+					},
+					400
+				);
+			}
+
 			const { externalId, email } = normalizeIdentifyContactIdentifiers({
 				externalId: body.externalId,
 				email: body.email,
@@ -178,7 +188,7 @@ contactRuntimeRouter.openapi(
 			}
 
 			const visitor = await findVisitorForWebsite(db, {
-				visitorId: body.visitorId,
+				visitorId: resolvedVisitorId,
 				websiteId: website.id,
 			});
 
@@ -201,13 +211,13 @@ contactRuntimeRouter.openapi(
 			});
 
 			await linkVisitorToContact(db, {
-				visitorId: body.visitorId,
+				visitorId: resolvedVisitorId,
 				contactId: contact.id,
 				websiteId: website.id,
 			});
 
 			const visitorRecord = await getCompleteVisitorWithContact(db, {
-				visitorId: body.visitorId,
+				visitorId: resolvedVisitorId,
 			});
 
 			if (visitorRecord) {
@@ -228,7 +238,7 @@ contactRuntimeRouter.openapi(
 
 			const response: IdentifyContactResponse = {
 				contact: formatContactResponse(contact),
-				visitorId: body.visitorId,
+				visitorId: resolvedVisitorId,
 			};
 
 			return c.json(
@@ -1054,6 +1064,8 @@ contactControlRouter.openapi(
 	}
 );
 
+// Mount shared runtime routes before private control routes so public requests
+// like POST /contacts/identify are not intercepted by private-only middleware.
 export const contactRouter = new OpenAPIHono<RestContext>()
-	.route("/", contactControlRouter)
-	.route("/", contactRuntimeRouter);
+	.route("/", contactRuntimeRouter)
+	.route("/", contactControlRouter);

packages/types/src/api/contact.ts

@@ -141,8 +141,9 @@ export const identifyContactRequestSchema = z.object({
 			"Optional contact ID to update when linking the visitor to an existing contact.",
 		example: "01JG000000000000000000000",
 	}),
-	visitorId: z.ulid().openapi({
-		description: "The visitor ID to link to the contact.",
+	visitorId: z.ulid().optional().openapi({
+		description:
+			"The visitor ID to link to the contact. Optional when passed via the X-Visitor-Id header. If both are provided, the body value wins.",
 		example: "01JG000000000000000000000",
 	}),
 	externalId: z