Update batch API endpoint, openapi documentation and add batch test

[xkello]

Work on ticket: https://github.com/MerginMaps/server-private/issues/3155
-from parent: https://github.com/MerginMaps/product/issues/86

[coveralls]

Pull Request Test Coverage Report for Build 21747665867

Details

• 139 of 141 (98.58%) changed or added relevant lines in 9 files are covered.
• 21 unchanged lines in 2 files lost coverage.
• Overall coverage increased (+0.03%) to 94.436%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
server/mergin/sync/public_api_v2_controller.py	19	21	90.48%

Files with Coverage Reduction	New Missed Lines	%
server/mergin/tests/test_utils.py	1	99.01%
server/mergin/utils.py	20	67.5%

Totals
Change from base Build 21353134513:	0.03%
Covered Lines:	8231
Relevant Lines:	8716

---

💛 - Coveralls

[MarcelGeo]

Nice 🎉

• we need to double check if 404 is ok if you have empty projects list or return error: 404

• check def get_projects_by_uuids(uuids) method in project_api_controller.py if everything with permissions is ok here

[harminius]

Very good job!

I think two things need to be discussed (to fulfill clients' requirements):
1, Shall all (valid) uuids coming from the request be part of the response or can we skip them as suggested here?
2, Do we need to differentiate between 404 and 403 here with the expose flag? I tend to make things easier by keeping only 404 error.

[harminius]

@xkello Although your approach returns a correct response, I think we need to slightly change the approach.
You can keep the require_project_by_many_uuids() function, but when making the response, I would compare the incoming uuids with ones we have found projects for. All the rest should get the error code.
That's how I understand this requirement: https://github.com/MerginMaps/server-private/issues/3155#issuecomment-3804048237

[harminius]

Great job, we're almost there! 👍

I have only one major comment.
I have doubts about the usefulness of require_project_by_many_uuids(). At least it should return a list of projects, and the rest (by_id dict creation) should be done in the controller. However, since this function needs to list even removed projects, it doesn't seem reusable.
The idea of the help function is that it can be used in a different use case, while this function is designed for this specific usecase.

[harminius]

The last concern is about logged out users not able to list their projects
Otherwise 💚

[xkello]

Responses are based on table from the parent ticket (https://github.com/MerginMaps/product/issues/86):

F1 - Logged in	F2 - Have access	F3 - Public project	Response
Y	Y	N	Project detail ✅
Y	Y	Y	Project detail ✅
Y	N	Y	Project detail ✅ - reader only!
N	-	Y	Project detail ✅ - reader only!
Y	N	N	Error, 403 ❌
N	-	N	Error, 404 ❌ (intentionally 404 here, for security reasons)

There is also a custom error BatchLimiExceeded with response 400, which is used when user requests more than 100 uuids in request body.

Requests body expects structure based on parent ticket:

POST /v2/projects/batch

BODY
{
  "ids": [
    "uuid1",
    "uuid2",
    "uuid3",
    ...
  ]
}

Response body has following structure based on parent ticket:

RESPONSE BODY
{
  "projects": [
    { project1 - simple structure }, // project that I can access
    {  // project that I can not access
      "id": "uuid", 
      "error": 404 
    }
  ]
}