Handle Idempotency-Key in requisition create/status change endpoints
All requisition create/status changes endpoints (initiate, submit, authorize, reject.. etc.) should handle an optional Idempotency-Key request header. If the Idempotency-Key is provided, the backend must validate that the request with the same key has not been used yet (in order to avoid creating or updating the resource twice). If the request with the given key has already been received we should return 409 Conflict HTTP status code with a meaningful error message. Additionally, if that request has already been completed successfully (meaning the resource was created/updated) the Location header in the response should be set to point to the created/updated resource. An Idempotency-Key should be a v4 UUID. Once used Idempotency-Key should not be available for the next 24 hours (meaning it should return 409 as specified above).
Create/Status changes endpoints (such as initiate, submit, authorize, reject, etc.) should all support optional "Idempotency-Key" request header
The Idempotency-Key request header is optional and the requests continue to work if it's not provided with the request
The Idempotency-Key is a v4 UUID
If the Idempotency-Key has already been used a 409 Conflict status code is returned with a meaningful error message
If the Idempotency-Key has already been used and the request has succeeded the Location response header is set to point to the created/updated resource
The same Idempotency-Key can only be re-used after 24 hours
An idempotency key is checked after authorization checks have passed (that is, if I don't have rights for the resource, I'm getting 403, no matter if the idempotency key has been used or not)
Consider using Redis in-memory database to manage idempotency keys (this is not a requirement)
I think that those issues are definitely not connected to this ticket, most likely there were linked because wanted to create or reset password during testing of this ticket, but those are connected to work in progress on User Details and Notification service of Mind the Gap team. I'm not sure if those issues are still relevant or they were fixed already.
Are the bugs that are linked to this ticket correctly linked? If so, then if I retest those bug scenarios should they be resolved?
I checked again and still in both instances the same request (batchReleases) is made, but now it contain the Idempotency Key, so I think everything works well for the moment.
I resumed testing the ticket and see that converting requisitions to orders and releasing them without converting them to orders works correctly but in both instances the same request is made - batchReleases - is made, and it doesn't contain the Idempotency Key header. Now, I'll check what happens when a request is not successful.
EDIT: I finished testing the ticket, and apart from the above-mentioned issue, everything works correctly.
OK, I see. I'll re-test the issues that I found in accordance with your suggestions and let you know in case I have any doubts.