fix: improper zod validation in action classes management API (#6084)

2025-12-30 10:19:51 -06:00 · 2025-06-26 15:51:01 +05:30
parent ce8f9de8ec
commit ce47b4c2d8
3 changed files with 16 additions and 17 deletions
--- a/apps/web/app/api/v1/management/action-classes/route.ts
+++ b/apps/web/app/api/v1/management/action-classes/route.ts
@@ -52,14 +52,6 @@ export const POST = withApiLogging(
      }

      const inputValidation = ZActionClassInput.safeParse(actionClassInput);
-      const environmentId = actionClassInput.environmentId;
-
-      if (!hasPermission(authentication.environmentPermissions, environmentId, "POST")) {
-        return {
-          response: responses.unauthorizedResponse(),
-        };
-      }
-
      if (!inputValidation.success) {
        return {
          response: responses.badRequestResponse(
@@ -70,6 +62,14 @@ export const POST = withApiLogging(
        };
      }

+      const environmentId = inputValidation.data.environmentId;
+
+      if (!hasPermission(authentication.environmentPermissions, environmentId, "POST")) {
+        return {
+          response: responses.unauthorizedResponse(),
+        };
+      }
+
      const actionClass: TActionClass = await createActionClass(environmentId, inputValidation.data);
      auditLog.targetId = actionClass.id;
      auditLog.newObject = actionClass;
--- a/docs/api-reference/openapi.json
+++ b/docs/api-reference/openapi.json
@@ -2336,13 +2336,8 @@
                "example": {
                  "description": "From API Docs (optional)",
                  "environmentId": "{{environmentId}}",
+                  "key": "my-action",
                  "name": "My Action from Postman",
-                  "noCodeConfig": {
-                    "innerHtml": {
-                      "value": "sign-up"
-                    },
-                    "type": "innerHtml"
-                  },
                  "type": "code"
                },
                "type": "object"
--- a/packages/types/action-classes.ts
+++ b/packages/types/action-classes.ts
@@ -1,4 +1,5 @@
 import { z } from "zod";
+import { ZId } from "./common";

 export const ZActionClassMatchType = z.union([
  z.literal("exactMatch"),
@@ -91,8 +92,8 @@ const ZActionClassInputBase = z.object({
    .string({ message: "Name is required" })
    .trim()
    .min(1, { message: "Name must be at least 1 character long" }),
-  description: z.string().nullable(),
-  environmentId: z.string(),
+  description: z.string().nullish(),
+  environmentId: ZId.min(1, { message: "Environment ID cannot be empty" }),
  type: ZActionClassType,
 });

@@ -108,6 +109,9 @@ const ZActionClassInputNoCode = ZActionClassInputBase.extend({
  noCodeConfig: ZActionClassNoCodeConfig.nullable(),
 });

-export const ZActionClassInput = z.union([ZActionClassInputCode, ZActionClassInputNoCode]);
+export const ZActionClassInput = z.discriminatedUnion("type", [
+  ZActionClassInputCode,
+  ZActionClassInputNoCode,
+]);

 export type TActionClassInput = z.infer<typeof ZActionClassInput>;