QT/sure
1
0
Fork 0
mirror of https://github.com/we-promise/sure.git synced 2026-04-19 03:54:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add REST API for holdings and trades (Discussion #905) (#918)

Browse Source 
* Add REST API for holdings and trades (Discussion #905)

- Trades: GET index (filter by account_id, account_ids, start_date, end_date),
  GET show, POST create (buy/sell with security_id or ticker), PATCH update,
  DELETE destroy. Create restricted to accounts that support trades (investment
  or crypto exchange). Uses existing Trade::CreateForm for creation.
- Holdings: GET index (filter by account_id, account_ids, date, start_date,
  end_date, security_id), GET show. Read-only; scoped to family.
- Auth: read scope for index/show; write scope for create/update/destroy.
- Responses: JSON via jbuilder (trade: id, date, amount, qty, price, account,
  security, category; holding: id, date, qty, price, amount, account, security,
  avg_cost). Pagination for index endpoints (page, per_page).

Co-authored-by: Cursor <cursoragent@cursor.com>

* API v1 holdings & trades: validation, docs, specs

- Holdings: validate date params, return 400 for invalid dates (parse_date!)
- Trades: validate start_date/end_date, return 422 for invalid dates
- Trades: accept buy/sell and inflow/outflow in update (trade_sell_from_type_or_nature?)
- Trades view: nil guard for trade.security
- Trades apply_filters: single join(:entry) when filtering
- OpenAPI: add Trade/TradeCollection schemas, ErrorResponse.errors
- Add spec/requests/api/v1/holdings_spec.rb and trades_spec.rb (rswag)
- Regenerate docs/api/openapi.yaml

Co-authored-by: Cursor <cursoragent@cursor.com>

* CI: fix Brakeman and test rate-limit failures

- Disable Rack::Attack in test (use existing enabled flag) so parallel
  API tests no longer hit 429 from shared api_ip throttle
- Add Brakeman ignore for trades_controller trade_params mass-assignment
  (account_id/security_id validated in create/update)
- Trades/holdings API and OpenAPI spec updates

Co-authored-by: Cursor <cursoragent@cursor.com>

* Trades: partial qty/price update fallback; fix PATCH OpenAPI schema

- Fall back to existing trade qty/price when only one is supplied so sign
  normalisation and amount recalculation always run
- OpenAPI: remove top-level qty, price, investment_activity_label,
  category_id from PATCH body; document entryable_attributes only

Co-authored-by: Cursor <cursoragent@cursor.com>

* Trades: fix update/DELETE OpenAPI and avoid sell-trade corruption

- Only run qty/price normalisation when client sends qty or price; preserve
  existing trade direction when type/nature omitted
- OpenAPI: remove duplicate PATCH path param; add 422 for PATCH; document
  DELETE 200 body (DeleteResponse)

Co-authored-by: Cursor <cursoragent@cursor.com>

* API: flat trade update params, align holdings errors, spec/OpenAPI fixes

- Trades update: accept flat params (qty, price, type, etc.), build
  entryable_attributes in build_entry_params_for_update (match transactions)
- Holdings: ArgumentError → 422 validation_failed; parse_date!(value, name)
  with safe message; extract render_validation_error, log_and_render_error
- Specs: path id required (trades, holdings); trades delete 200 DeleteResponse;
  remove holdings 500; trades update body flat; holdings 422 invalid date
- OpenAPI: PATCH trade request body flat

Co-authored-by: Cursor <cursoragent@cursor.com>

* OpenAPI: add 422 invalid date filter to holdings index

Co-authored-by: Cursor <cursoragent@cursor.com>

* API consistency and RSwag doc-only fixes

- Trades: use render_validation_error in all 4 validation paths; safe_per_page_param case/when
- Holdings: set_holding to family.holdings.find; price as Money.format in API; safe_per_page_param case/when
- Swagger: Holding qty/price descriptions (Quantity of shares held, Formatted price per share)
- RSwag: trades delete and valuations 201 use bare run_test! (documentation only, no expect)

Co-authored-by: Cursor <cursoragent@cursor.com>

* Fix index-vs-show visibility inconsistencies and preserve custom activity labels

- Add account status filter to set_holding to match index behavior
- Add visible scope to set_trade to match index behavior
- Preserve existing investment_activity_label when updating qty/price

Co-authored-by: Cursor <cursoragent@cursor.com>

* Trades: clearer validation for non-numeric qty/price

Return 'must be valid numbers' when qty or price is non-numeric (e.g. abc)
instead of misleading 'must be present and positive'.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: mkdev11 <jaysmth689+github@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
MkDev11
2026-02-08 02:22:32 -08:00
committed by GitHub
parent 24981ffd52
commit d88c2151cb
16 changed files with 1752 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

184
spec/requests/api/v1/holdings_spec.rb Normal file
View File

@@ -0,0 +1,184 @@
# frozen_string_literal: true
require 'swagger_helper'
RSpec.describe 'API V1 Holdings', type: :request do
let(:family) do
Family.create!(
name: 'API Family',
currency: 'USD',
locale: 'en',
date_format: '%m-%d-%Y'
)
end
let(:user) do
family.users.create!(
email: 'api-user@example.com',
password: 'password123',
password_confirmation: 'password123'
)
end
let(:api_key) do
key = ApiKey.generate_secure_key
ApiKey.create!(
user: user,
name: 'API Docs Key',
key: key,
scopes: %w[read_write],
source: 'web'
)
end
let(:'X-Api-Key') { api_key.plain_key }
let(:account) do
Account.create!(
family: family,
name: 'Investment Account',
balance: 50_000,
currency: 'USD',
accountable: Investment.create!
)
end
let(:security) do
Security.create!(
ticker: 'VTI',
name: 'Vanguard Total Stock Market ETF',
country_code: 'US'
)
end
let!(:holding) do
Holding.create!(
account: account,
security: security,
date: Date.current,
qty: 100,
price: 250.50,
amount: 25_050,
currency: 'USD'
)
end
path '/api/v1/holdings' do
get 'List holdings' do
tags 'Holdings'
security [ { apiKeyAuth: [] } ]
produces 'application/json'
parameter name: :page, in: :query, type: :integer, required: false,
description: 'Page number (default: 1)'
parameter name: :per_page, in: :query, type: :integer, required: false,
description: 'Items per page (default: 25, max: 100)'
parameter name: :account_id, in: :query, type: :string, required: false,
description: 'Filter by account ID'
parameter name: :account_ids, in: :query, required: false,
description: 'Filter by multiple account IDs',
schema: { type: :array, items: { type: :string } }
parameter name: :date, in: :query, required: false,
description: 'Filter by exact date',
schema: { type: :string, format: :date }
parameter name: :start_date, in: :query, required: false,
description: 'Filter holdings from this date (inclusive)',
schema: { type: :string, format: :date }
parameter name: :end_date, in: :query, required: false,
description: 'Filter holdings until this date (inclusive)',
schema: { type: :string, format: :date }
parameter name: :security_id, in: :query, type: :string, required: false,
description: 'Filter by security ID'
response '200', 'holdings listed' do
schema '$ref' => '#/components/schemas/HoldingCollection'
run_test!
end
response '200', 'holdings filtered by account' do
schema '$ref' => '#/components/schemas/HoldingCollection'
let(:account_id) { account.id }
run_test!
end
response '200', 'holdings filtered by date range' do
schema '$ref' => '#/components/schemas/HoldingCollection'
let(:start_date) { (Date.current - 7.days).to_s }
let(:end_date) { Date.current.to_s }
run_test!
end
response '200', 'holdings filtered by security' do
schema '$ref' => '#/components/schemas/HoldingCollection'
let(:security_id) { security.id }
run_test!
end
response '200', 'holdings paginated' do
schema '$ref' => '#/components/schemas/HoldingCollection'
let(:page) { 1 }
let(:per_page) { 10 }
run_test!
end
response '401', 'unauthorized' do
schema '$ref' => '#/components/schemas/ErrorResponse'
let(:'X-Api-Key') { nil }
run_test!
end
response '422', 'invalid date filter' do
schema '$ref' => '#/components/schemas/ErrorResponse'
let(:start_date) { 'not-a-date' }
run_test!
end
end
end
path '/api/v1/holdings/{id}' do
parameter name: :id, in: :path, type: :string, required: true, description: 'Holding ID'
get 'Retrieve holding' do
tags 'Holdings'
security [ { apiKeyAuth: [] } ]
produces 'application/json'
response '200', 'holding retrieved' do
schema '$ref' => '#/components/schemas/Holding'
let(:id) { holding.id }
run_test!
end
response '401', 'unauthorized' do
schema '$ref' => '#/components/schemas/ErrorResponse'
let(:id) { holding.id }
let(:'X-Api-Key') { nil }
run_test!
end
response '404', 'holding not found' do
schema '$ref' => '#/components/schemas/ErrorResponse'
let(:id) { SecureRandom.uuid }
run_test!
end
end
end
end

394
spec/requests/api/v1/trades_spec.rb Normal file
View File

@@ -0,0 +1,394 @@
# frozen_string_literal: true
require 'swagger_helper'
RSpec.describe 'API V1 Trades', type: :request do
let(:family) do
Family.create!(
name: 'API Family',
currency: 'USD',
locale: 'en',
date_format: '%m-%d-%Y'
)
end
let(:user) do
family.users.create!(
email: 'api-user@example.com',
password: 'password123',
password_confirmation: 'password123'
)
end
let(:api_key) do
key = ApiKey.generate_secure_key
ApiKey.create!(
user: user,
name: 'API Docs Key',
key: key,
scopes: %w[read_write],
source: 'web'
)
end
let(:'X-Api-Key') { api_key.plain_key }
let(:account) do
Account.create!(
family: family,
name: 'Investment Account',
balance: 50_000,
currency: 'USD',
accountable: Investment.create!
)
end
let(:security) do
Security.create!(
ticker: 'VTI',
name: 'Vanguard Total Stock Market ETF',
country_code: 'US'
)
end
let(:category) do
family.categories.create!(
name: 'Investments',
classification: 'expense',
color: '#2196F3',
lucide_icon: 'trending-up'
)
end
let!(:trade) do
trade_record = Trade.new(
security: security,
qty: 100,
price: 250.50,
currency: 'USD',
investment_activity_label: 'Buy'
)
entry = account.entries.create!(
name: 'Buy 100 shares of VTI',
date: Date.current,
amount: 25_050,
currency: 'USD',
entryable: trade_record
)
entry.entryable
end
path '/api/v1/trades' do
get 'List trades' do
tags 'Trades'
security [ { apiKeyAuth: [] } ]
produces 'application/json'
parameter name: :page, in: :query, type: :integer, required: false,
description: 'Page number (default: 1)'
parameter name: :per_page, in: :query, type: :integer, required: false,
description: 'Items per page (default: 25, max: 100)'
parameter name: :account_id, in: :query, type: :string, required: false,
description: 'Filter by account ID'
parameter name: :account_ids, in: :query, required: false,
description: 'Filter by multiple account IDs',
schema: { type: :array, items: { type: :string } }
parameter name: :start_date, in: :query, required: false,
description: 'Filter trades from this date (inclusive)',
schema: { type: :string, format: :date }
parameter name: :end_date, in: :query, required: false,
description: 'Filter trades until this date (inclusive)',
schema: { type: :string, format: :date }
response '200', 'trades listed' do
schema '$ref' => '#/components/schemas/TradeCollection'
run_test!
end
response '200', 'trades filtered by account' do
schema '$ref' => '#/components/schemas/TradeCollection'
let(:account_id) { account.id }
run_test!
end
response '200', 'trades filtered by date range' do
schema '$ref' => '#/components/schemas/TradeCollection'
let(:start_date) { (Date.current - 7.days).to_s }
let(:end_date) { Date.current.to_s }
run_test!
end
response '200', 'trades paginated' do
schema '$ref' => '#/components/schemas/TradeCollection'
let(:page) { 1 }
let(:per_page) { 10 }
run_test!
end
response '401', 'unauthorized' do
schema '$ref' => '#/components/schemas/ErrorResponse'
let(:'X-Api-Key') { nil }
run_test!
end
response '422', 'invalid date filter' do
schema '$ref' => '#/components/schemas/ErrorResponse'
let(:start_date) { 'not-a-date' }
run_test!
end
end
post 'Create trade' do
tags 'Trades'
security [ { apiKeyAuth: [] } ]
consumes 'application/json'
produces 'application/json'
parameter name: :body, in: :body, required: true, schema: {
type: :object,
properties: {
trade: {
type: :object,
properties: {
account_id: { type: :string, format: :uuid, description: 'Account ID (required)' },
date: { type: :string, format: :date, description: 'Trade date (required)' },
qty: { type: :number, description: 'Quantity (required)' },
price: { type: :number, description: 'Price (required)' },
type: { type: :string, enum: %w[buy sell], description: 'Trade type (required)' },
security_id: { type: :string, format: :uuid, description: 'Security ID (one of security_id, ticker, manual_ticker required)' },
ticker: { type: :string, description: 'Ticker symbol' },
manual_ticker: { type: :string, description: 'Manual ticker for offline securities' },
currency: { type: :string, description: 'Currency (defaults to account currency)' },
investment_activity_label: { type: :string, description: 'Activity label (e.g. Buy, Sell)' },
category_id: { type: :string, format: :uuid, description: 'Category ID' }
},
required: %w[account_id date qty price type]
}
},
required: %w[trade]
}
let(:body) do
{
trade: {
account_id: account.id,
date: Date.current.to_s,
qty: 50,
price: 100.00,
type: 'buy',
security_id: security.id
}
}
end
response '201', 'trade created' do
schema '$ref' => '#/components/schemas/Trade'
run_test!
end
response '422', 'account does not support trades' do
schema '$ref' => '#/components/schemas/ErrorResponse'
let(:checking_account) do
Account.create!(
family: family,
name: 'Checking',
balance: 1000,
currency: 'USD',
accountable: Depository.create!
)
end
let(:body) do
{
trade: {
account_id: checking_account.id,
date: Date.current.to_s,
qty: 10,
price: 50,
type: 'buy',
security_id: security.id
}
}
end
run_test!
end
response '404', 'account not found' do
schema '$ref' => '#/components/schemas/ErrorResponse'
let(:body) do
{
trade: {
account_id: SecureRandom.uuid,
date: Date.current.to_s,
qty: 10,
price: 50,
type: 'buy',
security_id: security.id
}
}
end
run_test!
end
response '422', 'validation error - missing type' do
schema '$ref' => '#/components/schemas/ErrorResponse'
let(:body) do
{
trade: {
account_id: account.id,
date: Date.current.to_s,
qty: 10,
price: 50,
security_id: security.id
}
}
end
run_test!
end
response '422', 'validation error - missing security identifier' do
schema '$ref' => '#/components/schemas/ErrorResponse'
let(:body) do
{
trade: {
account_id: account.id,
date: Date.current.to_s,
qty: 10,
price: 50,
type: 'buy'
}
}
end
run_test!
end
end
end
path '/api/v1/trades/{id}' do
parameter name: :id, in: :path, type: :string, required: true, description: 'Trade ID'
get 'Retrieve trade' do
tags 'Trades'
security [ { apiKeyAuth: [] } ]
produces 'application/json'
response '200', 'trade retrieved' do
schema '$ref' => '#/components/schemas/Trade'
let(:id) { trade.id }
run_test!
end
response '401', 'unauthorized' do
schema '$ref' => '#/components/schemas/ErrorResponse'
let(:id) { trade.id }
let(:'X-Api-Key') { nil }
run_test!
end
response '404', 'trade not found' do
schema '$ref' => '#/components/schemas/ErrorResponse'
let(:id) { SecureRandom.uuid }
run_test!
end
end
patch 'Update trade' do
tags 'Trades'
security [ { apiKeyAuth: [] } ]
consumes 'application/json'
produces 'application/json'
parameter name: :body, in: :body, required: true, schema: {
type: :object,
properties: {
trade: {
type: :object,
properties: {
date: { type: :string, format: :date },
qty: { type: :number },
price: { type: :number },
type: { type: :string, enum: %w[buy sell] },
nature: { type: :string, enum: %w[inflow outflow] },
name: { type: :string },
notes: { type: :string },
currency: { type: :string },
investment_activity_label: { type: :string },
category_id: { type: :string, format: :uuid }
}
}
}
}
let(:body) do
{
trade: {
qty: 75,
price: 255.00,
type: 'buy'
}
}
end
response '200', 'trade updated' do
schema '$ref' => '#/components/schemas/Trade'
let(:id) { trade.id }
run_test!
end
response '404', 'trade not found' do
schema '$ref' => '#/components/schemas/ErrorResponse'
let(:id) { SecureRandom.uuid }
run_test!
end
end
delete 'Delete trade' do
tags 'Trades'
security [ { apiKeyAuth: [] } ]
produces 'application/json'
response '200', 'trade deleted' do
schema '$ref' => '#/components/schemas/DeleteResponse'
let(:id) { trade.id }
run_test!
end
response '404', 'trade not found' do
schema '$ref' => '#/components/schemas/ErrorResponse'
let(:id) { SecureRandom.uuid }
run_test!
end
end
end
end

9
spec/requests/api/v1/valuations_spec.rb
View File

@@ -103,14 +103,7 @@ RSpec.describe 'API V1 Valuations', type: :request do
response '201', 'valuation created' do
schema '$ref' => '#/components/schemas/Valuation'
run_test! do |response|
data = JSON.parse(response.body)
created_id = data.fetch('id')
get "/api/v1/valuations/#{created_id}", headers: { 'Authorization' => Authorization }
expect(response).to have_http_status(:ok)
fetched = JSON.parse(response.body)
expect(fetched['id']).to eq(created_id)
end
run_test!
end
response '422', 'validation error - missing account_id' do