From 0aafe98be98c3b78fab69d254aedd305c9f1fef3 Mon Sep 17 00:00:00 2001
From: Phil Dominguez <142051477+phildominguez-gsa@users.noreply.github.com>
Date: Thu, 5 Sep 2024 12:29:17 -0400
Subject: [PATCH 1/2] Handling emails with invalid characters (#4245)

* Handling bad emails for user roles page

* Filling in name/email inputs

* Creating get_user_role_management_context

* Lint

* Removing duplicate code

* Validating emails for step 3

* Lint

* Fixing unit test

* Email validation for gen form

* Fixing unit test

* Adding 'scroll down' messages

* Remembering auditee and auditor step 3 info

* Fixing some field values

* Lint

* Forgot to add this
---
 backend/api/views.py                          | 22 +++++-
 .../manage-submission-change-access.html      | 23 +++---
 .../audit/views/manage_submission_access.py   | 77 ++++++++++++-------
 backend/report_submission/forms.py            |  4 +-
 .../templates/report_submission/step-3.html   | 35 +++++++--
 backend/report_submission/test_views.py       |  5 +-
 backend/report_submission/views.py            | 13 ++--
 7 files changed, 122 insertions(+), 57 deletions(-)

diff --git a/backend/api/views.py b/backend/api/views.py
index 43f5c10ee1..275328a1f6 100644
--- a/backend/api/views.py
+++ b/backend/api/views.py
@@ -183,7 +183,27 @@ def access_and_submission_check(user, data):
 
         return {"report_id": sac.report_id, "next": "TBD"}
 
-    return {"errors": serializer.errors}
+    return {
+        "errors": serializer.errors,
+        "certifying_auditee_contact_fullname": data.get(
+            "certifying_auditee_contact_fullname"
+        ),
+        "certifying_auditee_contact_email": data.get(
+            "certifying_auditee_contact_email"
+        ),
+        "certifying_auditee_contact_re_email": data.get(
+            "certifying_auditee_contact_re_email"
+        ),
+        "certifying_auditor_contact_fullname": data.get(
+            "certifying_auditor_contact_fullname"
+        ),
+        "certifying_auditor_contact_email": data.get(
+            "certifying_auditor_contact_email"
+        ),
+        "certifying_auditor_contact_re_email": data.get(
+            "certifying_auditor_contact_re_email"
+        ),
+    }
 
 
 class Sprite(generic.View):
diff --git a/backend/audit/templates/audit/manage-submission-change-access.html b/backend/audit/templates/audit/manage-submission-change-access.html
index 61216e7ddc..ad07e07967 100644
--- a/backend/audit/templates/audit/manage-submission-change-access.html
+++ b/backend/audit/templates/audit/manage-submission-change-access.html
@@ -31,23 +31,26 @@ <h1 id="role-management">Add Audit Editor</h1>
                             For the changes to take effect, users must log out and log back in to their account.
                         </p>
                     {% endif %}
-                    
-                    <hr />
-                    
                     {% if errors %}
-                        <ul>
-                            {% for error in errors %}<li class="usa-error-message">{{ error }}</li>{% endfor %}
-                        </ul>
+                        <span class="usa-error-message" role="alert">There were errors when attempting to submit the form. Scroll down for more details.</span>
                     {% endif %}
-                    
+
+                    <hr />
+
                     <label class="usa-label" for="fullname">New name:</label>
-                    <input class="usa-input" id="name" name="fullname" placeholder="[name]" />
-                    
+                    <input class="usa-input"
+                           id="name"
+                           name="fullname"
+                           placeholder="[name]"
+                           value="{{ certifier_name }}"/>
+
                     <label class="usa-label" for="email">New email address:</label>
                     <input class="usa-input"
                            id="email"
                            name="email"
-                           placeholder="[email address]" />
+                           placeholder="[email address]"
+                           value="{{ email }}"/>
+                    <span class="usa-error-message" id="email-error-message" role="alert">{{ errors.email }}</span>
                 </fieldset>
                 <button class="usa-button margin-top-5" id="continue">Submit</button>
                 <a class="usa-button usa-button--unstyled margin-left-2"
diff --git a/backend/audit/views/manage_submission_access.py b/backend/audit/views/manage_submission_access.py
index 397b8c9c3e..fc24a62879 100644
--- a/backend/audit/views/manage_submission_access.py
+++ b/backend/audit/views/manage_submission_access.py
@@ -1,3 +1,4 @@
+import logging
 from types import SimpleNamespace
 from django import forms
 from django.db import transaction
@@ -13,6 +14,8 @@
     SingleAuditChecklist,
 )
 
+logger = logging.getLogger(__name__)
+
 
 def _get_friendly_role(role):
     return dict(ACCESS_ROLES)[role]
@@ -54,29 +57,7 @@ def get(self, request, *args, **kwargs):
         """
         report_id = kwargs["report_id"]
         sac = SingleAuditChecklist.objects.get(report_id=report_id)
-        context = {
-            "role": self.role,
-            "friendly_role": None,
-            "auditee_uei": sac.general_information["auditee_uei"],
-            "auditee_name": sac.general_information.get("auditee_name"),
-            "certifier_name": None,
-            "email": None,
-            "report_id": report_id,
-            "errors": [],
-        }
-        if self.role != "editor":
-            try:
-                access = Access.objects.get(sac=sac, role=self.role)
-            except Access.DoesNotExist:
-                access = SimpleNamespace(
-                    fullname="UNASSIGNED ROLE", email="UNASSIGNED ROLE", role=self.role
-                )
-
-            context = context | {
-                "friendly_role": _get_friendly_role(access.role),
-                "certifier_name": access.fullname,
-                "email": access.email,
-            }
+        context = self.get_user_role_management_context(sac)
 
         return render(request, self.template, context)
 
@@ -88,7 +69,23 @@ def post(self, request, *args, **kwargs):
         report_id = kwargs["report_id"]
         sac = SingleAuditChecklist.objects.get(report_id=report_id)
         form = ChangeAccessForm(request.POST)
+        context = self.get_user_role_management_context(sac)
+
         form.full_clean()
+        if not form.is_valid():
+            context = (
+                context
+                | form.cleaned_data
+                | {
+                    "errors": form.errors,
+                }
+            )
+
+            for field, errors in form.errors.items():
+                logger.warning(f"Error {field}: {errors}")
+
+            return render(request, self.template, context, status=400)
+
         url = reverse("audit:ManageSubmission", kwargs={"report_id": report_id})
         fullname = form.cleaned_data["fullname"]
         email = form.cleaned_data["email"]
@@ -122,9 +119,9 @@ def post(self, request, *args, **kwargs):
                 "certifier_name": access.fullname,
                 "email": access.email,
                 "report_id": report_id,
-                "errors": [
-                    "Cannot use the same email address for both certifying officials."
-                ],
+                "errors": {
+                    "email": "Cannot use the same email address for both certifying officials."
+                },
             }
             return render(request, self.template, context, status=400)
 
@@ -141,6 +138,34 @@ def post(self, request, *args, **kwargs):
 
         return redirect(url)
 
+    def get_user_role_management_context(self, sac):
+        context = {
+            "role": self.role,
+            "friendly_role": None,
+            "auditee_uei": sac.general_information["auditee_uei"],
+            "auditee_name": sac.general_information.get("auditee_name"),
+            "certifier_name": None,
+            "email": None,
+            "report_id": sac.report_id,
+            "errors": [],
+        }
+
+        if self.role != "editor":
+            try:
+                access = Access.objects.get(sac=sac, role=self.role)
+            except Access.DoesNotExist:
+                access = SimpleNamespace(
+                    fullname="UNASSIGNED ROLE", email="UNASSIGNED ROLE", role=self.role
+                )
+
+            context = context | {
+                "friendly_role": _get_friendly_role(access.role),
+                "certifier_name": access.fullname,
+                "email": access.email,
+            }
+
+        return context
+
 
 class ChangeAuditorCertifyingOfficialView(ChangeOrAddRoleView):
     """
diff --git a/backend/report_submission/forms.py b/backend/report_submission/forms.py
index 7873a22c27..590f5c5714 100644
--- a/backend/report_submission/forms.py
+++ b/backend/report_submission/forms.py
@@ -127,7 +127,7 @@ class GeneralInformationForm(forms.Form):
         required=False,
     )
     auditee_phone = forms.CharField(required=False, validators=[phone_validator])
-    auditee_email = forms.CharField(
+    auditee_email = forms.EmailField(
         min_length=CHARACTER_LIMITS_GENERAL["auditee_email"]["min"],
         max_length=CHARACTER_LIMITS_GENERAL["auditee_email"]["max"],
         required=False,
@@ -172,7 +172,7 @@ class GeneralInformationForm(forms.Form):
         required=False,
     )
     auditor_phone = forms.CharField(required=False, validators=[phone_validator])
-    auditor_email = forms.CharField(
+    auditor_email = forms.EmailField(
         min_length=CHARACTER_LIMITS_GENERAL["auditor_email"]["min"],
         max_length=CHARACTER_LIMITS_GENERAL["auditor_email"]["max"],
         required=False,
diff --git a/backend/report_submission/templates/report_submission/step-3.html b/backend/report_submission/templates/report_submission/step-3.html
index 42913bc7dd..d284b37e6f 100644
--- a/backend/report_submission/templates/report_submission/step-3.html
+++ b/backend/report_submission/templates/report_submission/step-3.html
@@ -18,6 +18,9 @@
                     <p class="required-explanation">
                         <abbr title="required" class="usa-hint usa-hint--required">*</abbr> Indicates a required field.
                     </p>
+                    {% if errors %}
+                        <span class="usa-error-message" role="alert">There were errors when attempting to submit the form. Scroll down for more details.</span>
+                    {% endif %}
                     <fieldset class="usa-fieldset question"
                               aria-labelledby="certifying_auditee_contact_legend certifying_auditee_contact_instruction">
                         <legend id="certifying_auditee_contact_legend" class="usa-legend">
@@ -46,7 +49,8 @@
                                            aria-required="true"
                                            required
                                            data-validate-not-null=""
-                                           data-validate-length="<= 100 >= 2"/>
+                                           data-validate-length="<= 100 >= 2"
+                                           value="{{ certifying_auditee_contact_fullname | default_if_none:'' }}" />
                                 </div>
                             </div>
                             <div class="grid-row grid-gap">
@@ -74,7 +78,8 @@
                                                data-validate-not-null=""
                                                data-validate-email=""
                                                data-validate-must-not-match="certifying_auditor_contact_email"
-                                               data-validate-length="<= 340 >= 6"/>
+                                               data-validate-length="<= 340 >= 6"
+                                               value="{{ certifying_auditee_contact_email | default_if_none:'' }}" />
                                     </div>
                                 </div>
                                 <div class="tablet:grid-col-fill">
@@ -95,10 +100,14 @@
                                                aria-required="true"
                                                required
                                                data-validate-must-match="certifying_auditee_contact_email"
-                                               data-validate-length="<= 340 >= 6"/>
+                                               data-validate-length="<= 340 >= 6"
+                                               value="{{ certifying_auditee_contact_re_email | default_if_none:'' }}" />
                                     </div>
                                 </div>
                             </div>
+                            {% if errors.certifying_auditee_contact_email %}
+                            <span class="usa-error-message" id="certifying_auditee_contact_email-error-message" role="alert">Enter a valid email address.</span>
+                            {% endif %}
                         </div>
                     </fieldset>
 
@@ -130,7 +139,8 @@
                                            aria-required="true"
                                            required
                                            data-validate-not-null=""
-                                           data-validate-length="<= 100 >= 2"/>
+                                           data-validate-length="<= 100 >= 2"
+                                           value="{{ certifying_auditor_contact_fullname | default_if_none:'' }}" />
                                 </div>
                             </div>
                             <div class="grid-row grid-gap">
@@ -158,7 +168,8 @@
                                                data-validate-not-null=""
                                                data-validate-email=""
                                                data-validate-must-not-match="certifying_auditee_contact_email"
-                                               data-validate-length="<= 340 >= 6"/>
+                                               data-validate-length="<= 340 >= 6"
+                                               value="{{ certifying_auditor_contact_email | default_if_none:'' }}" />
                                     </div>
                                 </div>
                                 <div class="tablet:grid-col-fill">
@@ -179,13 +190,17 @@
                                                aria-required="true"
                                                required
                                                data-validate-must-match="certifying_auditor_contact_email"
-                                               data-validate-length="<= 340 >= 6"/>
+                                               data-validate-length="<= 340 >= 6"
+                                               value="{{ certifying_auditor_contact_re_email | default_if_none:'' }}" />
                                     </div>
                                 </div>
                             </div>
+                            {% if errors.certifying_auditor_contact_email %}
+                            <span class="usa-error-message" id="certifying_auditor_contact_email-error-message" role="alert">Enter a valid email address.</span>
+                            {% endif %}
                         </div>
                     </fieldset>
-                    
+
                     <fieldset class="usa-fieldset question"
                               aria-labelledby="auditee_contacts_legend dynamic_fieldset_instruction_auditee">
                         <legend id="auditee_contacts_legend" class="usa-legend">
@@ -255,6 +270,9 @@
                                     </div>
                                 </div>
                             </div>
+                            {% if errors.auditee_contacts_email %}
+                            <span class="usa-error-message" id="auditee_contacts_email-error-message" role="alert">Enter a valid email address.</span>
+                            {% endif %}
                         </div>
                         <template id="auditee_contacts-template">
                             <div id="auditee_contacts" class="grid-container auditee_contacts additional_contacts">
@@ -406,6 +424,9 @@
                                     </div>
                                 </div>
                             </div>
+                            {% if errors.auditor_contacts_email %}
+                            <span class="usa-error-message" id="auditor_contacts_email-error-message" role="alert">Enter a valid email address.</span>
+                            {% endif %}
                         </div>
                         <template id="auditor_contacts-template">
                             <div id="auditor_contacts" class="grid-container auditor_contacts additional_contacts">
diff --git a/backend/report_submission/test_views.py b/backend/report_submission/test_views.py
index d7b1c6d3ee..46f8d3fb25 100644
--- a/backend/report_submission/test_views.py
+++ b/backend/report_submission/test_views.py
@@ -385,8 +385,7 @@ def test_step_three_accessandsubmission_submission_fail(self):
 
         data = {}
         response = self.client.post(url, data=data)
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, "/report_submission/accessandsubmission/")
+        self.assertEqual(response.status_code, 400)
 
     def test_reportsubmissionredirectview_get_redirects(self):
         url = reverse("report_submission:report_submission")
@@ -777,7 +776,7 @@ def test_post_gsa_migration_error(self):
 
         self.assertIn("errors", response.context)
         self.assertIn(
-            "GSA_MIGRATION not permitted outside of migrations",
+            "Enter a valid email address.",
             response.context["errors"],
         )
 
diff --git a/backend/report_submission/views.py b/backend/report_submission/views.py
index 9cb23569d4..fcb2f53859 100644
--- a/backend/report_submission/views.py
+++ b/backend/report_submission/views.py
@@ -114,20 +114,17 @@ def get(self, request):
             args["step"] = 3
             return render(request, "report_submission/step-3.html", args)
 
-    # render access-submission form
-
-    # gather/save step 3 info, redirect to step ...4?
-    def post(self, post_request):
-        result = api.views.access_and_submission_check(
-            post_request.user, post_request.POST
-        )
+    def post(self, request):
+        result = api.views.access_and_submission_check(request.user, request.POST)
 
         report_id = result.get("report_id")
 
         if report_id:
             return redirect(f"/report_submission/general-information/{report_id}")
         else:
-            return redirect(reverse("report_submission:accessandsubmission"))
+            return render(
+                request, "report_submission/step-3.html", context=result, status=400
+            )
 
 
 class GeneralInformationFormView(LoginRequiredMixin, View):

From deb03cb1fb7238672af910df4993e6468a51f989 Mon Sep 17 00:00:00 2001
From: Bobby Novak <176936850+rnovak338@users.noreply.github.com>
Date: Thu, 5 Sep 2024 15:00:45 -0400
Subject: [PATCH 2/2] Convert new Admin API emails to lowercase (#4225)

* Update create_functions.sql

This SQL script either gets or inserts a user for the admin API depending on a few parameters. This proposed change ensures new users have their email reduced to lowercase, and the prior verification transforms both the table and the parameter when checking if the user exists.

* Cleaning edge cases

Converting all email checks and "insertions" to lowercase when doing the following:
- Creating a new admin in the Admin API.
- Retrieving an existing admin in the Admin API.
- Removing Tribal API key access for a specified email.
- Adding read access to the Tribal API for a specified email.
- Removing Tribal access emails.
- Adding Tribal access emails.

* Admin API local testing documentation

Added a first draft of how to start using the admin API for local dev to `/docs/testing.md` .
---
 .../api/admin_api_v1_1_0/create_functions.sql | 32 +++++++++----------
 docs/testing.md                               | 28 ++++++++++++++++
 2 files changed, 44 insertions(+), 16 deletions(-)

diff --git a/backend/support/api/admin_api_v1_1_0/create_functions.sql b/backend/support/api/admin_api_v1_1_0/create_functions.sql
index 336b2e2ccf..b89b001186 100644
--- a/backend/support/api/admin_api_v1_1_0/create_functions.sql
+++ b/backend/support/api/admin_api_v1_1_0/create_functions.sql
@@ -126,7 +126,7 @@ BEGIN
         -- Are they already in the table?
         SELECT count(up.email) 
             FROM public.users_userpermission as up
-            WHERE email = params->>'email' INTO already_exists;
+            WHERE LOWER(email) = LOWER(params->>'email') INTO already_exists;
 
         -- If they are, we're going to exit.
         IF already_exists <> 0
@@ -146,11 +146,11 @@ BEGIN
             -- Can we make the 1 not magic... do a select into.
             INSERT INTO public.users_userpermission
                 (email, permission_id, user_id)
-                VALUES (params->>'email', read_tribal_id, null);
+                VALUES (LOWER(params->>'email'), read_tribal_id, null);
 
-            RAISE INFO 'ADMIN_API add_tribal_access_email OK %', params->>'email';
+            RAISE INFO 'ADMIN_API add_tribal_access_email OK %', LOWER(params->>'email');
             RETURN admin_api_v1_1_0_functions.log_admin_api_event('tribal-access-email-added', 
-                                                        json_build_object('email', params->>'email'));
+                                                        json_build_object('email', LOWER(params->>'email')));
         END IF;
     ELSE
         RETURN 0;
@@ -222,7 +222,7 @@ BEGIN
     THEN 
         -- Delete rows where the email address matches
         DELETE FROM public.users_userpermission as up
-            WHERE up.email = params->>'email';
+            WHERE LOWER(up.email) = LOWER(params->>'email');
         -- This is the Postgres way to find out how many rows
         -- were affected by a DELETE.
         GET DIAGNOSTICS affected_rows = ROW_COUNT;
@@ -230,7 +230,7 @@ BEGIN
         IF affected_rows > 0
         THEN
             RETURN admin_api_v1_1_0_functions.log_admin_api_event('tribal-access-email-removed', 
-                                                        json_build_object('email', params->>'email'));
+                                                        json_build_object('email', LOWER(params->>'email')));
         ELSE
             RETURN 0;
         END IF;
@@ -297,14 +297,14 @@ BEGIN
         SELECT EXISTS (
             SELECT 1 
             FROM public.dissemination_TribalApiAccessKeyIds
-            WHERE email = params->>'email'
+            WHERE LOWER(email) = LOWER(params->>'email')
         )
         INTO user_exists;
 
         -- If the user already exists, it means they have access.
         -- For purposes of this function, lets call that "succses", and return true.
         IF user_exists THEN
-            RAISE INFO 'ADMIN_API add_tribal_api_key_access ALREADY_EXISTS %', params->>'email';
+            RAISE INFO 'ADMIN_API add_tribal_api_key_access ALREADY_EXISTS %', LOWER(params->>'email');
             RETURN json_build_object(
                 'result', 'success',
                 'message', 'User with this key already exists')::JSON;
@@ -313,8 +313,8 @@ BEGIN
 
         -- If the user does not exist, add a new record
         INSERT INTO public.dissemination_TribalApiAccessKeyIds (email, key_id, date_added)
-        VALUES (params->>'email', params->>'key_id', CURRENT_TIMESTAMP);
-        RAISE INFO 'ADMIN_API add_tribal_api_key_access ACCESS_GRANTED % %', params->>'email', params->>'key_id';
+        VALUES (LOWER(params->>'email'), params->>'key_id', CURRENT_TIMESTAMP);
+        RAISE INFO 'ADMIN_API add_tribal_api_key_access ACCESS_GRANTED % %', LOWER(params->>'email'), params->>'key_id';
         RETURN json_build_object(
             'result', 'success', 
             'message', 'User access granted')::JSON;
@@ -328,7 +328,7 @@ BEGIN
     END IF;
 
     -- Return false by default.
-    RAISE INFO 'ADMIN_API add_tribal_api_key_access WAT %', params->>'email';
+    RAISE INFO 'ADMIN_API add_tribal_api_key_access WAT %', LOWER(params->>'email');
     RETURN json_build_object(
         'result', 'failure', 
         'message', 'Unknown error in access addition')::JSON;
@@ -352,20 +352,20 @@ BEGIN
         SELECT EXISTS (
             SELECT 1 
             FROM public.dissemination_TribalApiAccessKeyIds
-            WHERE email = params->>'email'
+            WHERE LOWER(email) = LOWER(params->>'email')
         )
         INTO user_exists;
 
         -- If the user exists, remove the record
         IF user_exists THEN
             DELETE FROM public.dissemination_TribalApiAccessKeyIds
-            WHERE email = params->>'email';
-            RAISE INFO 'ADMIN_API remove_tribal_api_key_access ACCESS_REMOVED %', params->>'email';
+            WHERE LOWER(email) = LOWER(params->>'email');
+            RAISE INFO 'ADMIN_API remove_tribal_api_key_access ACCESS_REMOVED %', LOWER(params->>'email');
             RETURN json_build_object(
                 'result', 'success', 
                 'message', 'Removed record')::JSON; 
         ELSE
-            RAISE INFO 'ADMIN_API remove_tribal_api_key_access DID_NOT_EXIST %', params->>'email';
+            RAISE INFO 'ADMIN_API remove_tribal_api_key_access DID_NOT_EXIST %', LOWER(params->>'email');
             RETURN json_build_object(
                 'result', 'failure', 
                 'message', 'User did not exist in table')::JSON;
@@ -376,7 +376,7 @@ BEGIN
             'result', 'failure', 
             'message', 'Admin user lacks DELETE permissions')::JSON; -- Return false if the API user doesn't have read permissions
     END IF;
-    RAISE INFO 'ADMIN_API add_tribal_api_key_access WAT %', params->>'email';
+    RAISE INFO 'ADMIN_API add_tribal_api_key_access WAT %', LOWER(params->>'email');
     RETURN json_build_object(
         'result', 'failure', 
         'message', 'Uknown error in access removal')::JSON;
diff --git a/docs/testing.md b/docs/testing.md
index d480e1dd3f..43f56f3391 100644
--- a/docs/testing.md
+++ b/docs/testing.md
@@ -17,6 +17,7 @@ We use [Django's test execution framework](https://docs.djangoproject.com/en/4.0
   - [Linting](#linting)
 - [End-to-end testing](#end-to-end-testing)
   - [Testing behind Login.gov](#testing-behind-logingov)
+- [Admin API testing](#admin-api-testing)
 
 ## Packages
  - [model_bakery](https://model-bakery.readthedocs.io/en/latest/), to help create data and instances within our tests
@@ -184,3 +185,30 @@ in files in [backend/cypress/e2e/](/backend/cypress/e2e). To run these tests:
  Github repository. To use them in a Github Actions workflow, use the [Github
  Actions secrets
  store](https://docs.github.com/en/actions/security-guides/encrypted-secrets)
+
+# Admin API Testing
+For interfacing the admin API locally, we will need to account for a few things.
+
+## Resources
+
+For communicating with the Postgrest API, you could use one of the following extensions if you are using Visual Studio Code:
+- [REST Client](https://marketplace.visualstudio.com/items?itemName=humao.rest-client)
+- [Postman](https://marketplace.visualstudio.com/items?itemName=Postman.postman-for-vscode)
+
+Though keep in mind you should be able to use whatever API service you prefer to run.
+
+## Checklist
+
+1. When running `docker compose up`, make sure the `web-1` service completes the startup procedures.
+    - E.G., `STARTUP STARTUP_CHECK seed_cog_baseline PASS` should be one of the last startup logs. If this passes, then the API tables are up.
+2. Make sure you prepare your request headers with the following:
+    - `Authorization: Bearer {JWT}` is important for authenticating your requests.
+    - `x-api-user-id: {uuid}` should be populated with a user ID from the `support_administrative_key_uuids` table. You can create your own row in this table for local testing purposes.
+    - `x-api-key: {key}`
+    - `content-profile: {api-version}` is required for POST requests.
+    - `accept-profile: {api-version}` is required for GET requests.
+    - `Prefer: params=single-object` is needed for the API to read your payload. In most if not all cases, it is set to `params=single-object`.
+
+## "Cheat-sheet" for testing
+
+We have a `.rest` file in `/backend/support/api/admin_api_vX_X_X` that contains many of the admin API endpoints, as well the headers/parameters/payload that are needed to run it successfully.