fix: 🚑️ error responses for forbidden includes did not include meta information

erlendellefsen · erlendellefsen · commit 961087876e33 · 2025-09-10T13:59:56.000+02:00
diff --git a/JsonApiToolkit.Tests/Attributes/AllowedIncludesAttributeTests.cs b/JsonApiToolkit.Tests/Attributes/AllowedIncludesAttributeTests.cs
@@ -232,9 +232,8 @@ public void OnActionExecuting_MultipleForbidden_ReturnsAllInError()
         var objectResult = Assert.IsType<ObjectResult>(context.Result);
         var errorResponse = Assert.IsType<JsonApiErrorResponse>(objectResult.Value);
 
-        var errorWithMeta = errorResponse.Errors[0] as JsonApiErrorWithMeta;
-        Assert.NotNull(errorWithMeta);
-        var meta = errorWithMeta.Meta;
+        var error = errorResponse.Errors[0];
+        var meta = error.Meta;
         Assert.NotNull(meta);
 
         var forbiddenIncludes = meta["forbiddenIncludes"] as List<string>;
@@ -257,9 +256,8 @@ public void OnActionExecuting_ErrorMetadata_ContainsCorrectInfo()
         var objectResult = Assert.IsType<ObjectResult>(context.Result);
         var errorResponse = Assert.IsType<JsonApiErrorResponse>(objectResult.Value);
 
-        var errorWithMeta = errorResponse.Errors[0] as JsonApiErrorWithMeta;
-        Assert.NotNull(errorWithMeta);
-        var meta = errorWithMeta.Meta;
+        var error = errorResponse.Errors[0];
+        var meta = error.Meta;
         Assert.NotNull(meta);
 
         var requestedIncludes = meta["requestedIncludes"] as List<string>;
diff --git a/JsonApiToolkit.Tests/Attributes/AllowedIncludesAttributeWildcardTests.cs b/JsonApiToolkit.Tests/Attributes/AllowedIncludesAttributeWildcardTests.cs
@@ -132,10 +132,9 @@ public void OnActionExecuting_MixedPatterns_ForbidsNonMatching()
         Assert.Equal(403, objectResult.StatusCode);
 
         var errorResponse = Assert.IsType<JsonApiErrorResponse>(objectResult.Value);
-        var errorWithMeta = errorResponse.Errors[0] as JsonApiErrorWithMeta;
-        Assert.NotNull(errorWithMeta);
+        var error = errorResponse.Errors[0];
 
-        var forbiddenIncludes = errorWithMeta.Meta?["forbiddenIncludes"] as List<string>;
+        var forbiddenIncludes = error.Meta?["forbiddenIncludes"] as List<string>;
         Assert.NotNull(forbiddenIncludes);
         Assert.Single(forbiddenIncludes);
         Assert.Contains("tags", forbiddenIncludes);
diff --git a/JsonApiToolkit.Tests/Integration/AllowedIncludesIntegrationTests.cs b/JsonApiToolkit.Tests/Integration/AllowedIncludesIntegrationTests.cs
@@ -111,6 +111,38 @@ public async Task GetWithEmptyAttribute_ForbidsAllIncludesAsync()
         Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
     }
 
+    [Fact]
+    public async Task ForbiddenInclude_ContainsMetaInformationAsync()
+    {
+        var response = await _client.GetAsync("/api/test/with-allowed?include=forbidden,author");
+
+        Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+
+        var content = await response.Content.ReadAsStringAsync();
+
+        // Verify meta information is present
+        Assert.Contains("\"meta\":", content);
+        Assert.Contains("requestedIncludes", content);
+        Assert.Contains("forbiddenIncludes", content);
+        Assert.Contains("allowedIncludes", content);
+        Assert.Contains("forbidden", content);
+        Assert.Contains("author", content);
+    }
+
+    [Fact]
+    public async Task EmptyAllowedIncludes_ShowsCorrectErrorDetailAsync()
+    {
+        var response = await _client.GetAsync("/api/test/with-empty?include=something");
+
+        Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+
+        var content = await response.Content.ReadAsStringAsync();
+
+        // Error should mention the actual requested include, not empty string
+        Assert.Contains("something", content);
+        Assert.DoesNotContain("''", content);
+    }
+
     public void Dispose()
     {
         _client?.Dispose();
diff --git a/JsonApiToolkit/Attributes/AllowedIncludesAttribute.cs b/JsonApiToolkit/Attributes/AllowedIncludesAttribute.cs
@@ -72,7 +72,12 @@ public override void OnActionExecuting(ActionExecutingContext context)
         // Empty array means no includes allowed
         if (_allowedIncludes.Length == 0)
         {
-            ThrowForbiddenException(queryParams.Include, [], _allowedIncludes, context);
+            ThrowForbiddenException(
+                queryParams.Include,
+                queryParams.Include,
+                _allowedIncludes,
+                context
+            );
             return;
         }
 
@@ -120,7 +125,7 @@ ActionExecutingContext context
                 ? $"The requested include '{forbiddenIncludes[0]}' is not allowed for this endpoint"
                 : $"The requested includes '{string.Join(", ", forbiddenIncludes)}' are not allowed for this endpoint";
 
-        var error = new JsonApiErrorWithMeta
+        var error = new JsonApiError
         {
             Status = "403",
             Title = "Forbidden Include",
diff --git a/JsonApiToolkit/Models/Errors/JsonApiError.cs b/JsonApiToolkit/Models/Errors/JsonApiError.cs
@@ -77,4 +77,11 @@ public class JsonApiError
     [JsonPropertyName("source")]
     [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
     public ErrorSource? Source { get; set; }
+
+    /// <summary>
+    /// A meta object containing non-standard meta-information about the error.
+    /// </summary>
+    [JsonPropertyName("meta")]
+    [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+    public Dictionary<string, object>? Meta { get; set; }
 }
diff --git a/JsonApiToolkit/Models/Errors/JsonApiErrorWithMeta.cs b/JsonApiToolkit/Models/Errors/JsonApiErrorWithMeta.cs
