From 06d56fd7116a874362a6ecd9bd619702d96fce1c Mon Sep 17 00:00:00 2001
From: KernelDeimos <7225168+KernelDeimos@users.noreply.github.com>
Date: Tue, 2 Dec 2025 16:23:04 -0500
Subject: [PATCH] fix: update validation for permission endpoints
Permission endpoints would trigger 500 errors in cases where the request did not have correct types for values in the request body. This migrates all of these endpoints to use the new `validate_fields` function, which is intended to make validation of fields clearer and more consistent.
---
 src/backend/src/routers/auth/grant-dev-app.js | 16 +++++++---------
 src/backend/src/routers/auth/grant-user-app.js | 16 +++++++---------
 .../src/routers/auth/grant-user-group.js | 18 +++++++-----------
 .../src/routers/auth/grant-user-user.js | 16 +++++++---------
 4 files changed, 28 insertions(+), 38 deletions(-)
diff --git a/src/backend/src/routers/auth/grant-dev-app.js b/src/backend/src/routers/auth/grant-dev-app.js
index 79f82789..df4aef77 100644
--- a/src/backend/src/routers/auth/grant-dev-app.js
+++ b/src/backend/src/routers/auth/grant-dev-app.js
@@ -20,6 +20,7 @@ const APIError = require('../../api/APIError');
 const eggspress = require('../../api/eggspress');
 const { UserActorType } = require('../../services/auth/Actor');
 const { Context } = require('../../util/context');
+const { validate_fields } = require('../../util/validutil');
 module.exports = eggspress('/auth/grant-dev-app', {
 subdomain: 'api',
@@ -40,15 +41,12 @@ module.exports = eggspress('/auth/grant-dev-app', {
 req.body.app_uid = await svc_auth.app_uid_from_origin(req.body.origin);
 }
- if ( ! req.body.app_uid ) {
- throw APIError.create('field_missing', null, { key: 'app_uid' });
- }
-
- if ( ! req.body.permission ) {
- throw APIError.create('field_missing', null, {
- key: 'permission',
- });
- }
+ validate_fields({
+ app_uid: { type: 'string', optional: false },
+ permission: { type: 'string', optional: false },
+ extra: { type: 'object', optional: true },
+ meta: { type: 'object', optional: true },
+ }, req.body);
 await svc_permission.grant_dev_app_permission(actor, req.body.app_uid, req.body.permission, req.body.extra || {}, req.body.meta || {});
diff --git a/src/backend/src/routers/auth/grant-user-app.js b/src/backend/src/routers/auth/grant-user-app.js
index 643e1cfc..dd78561f 100644
--- a/src/backend/src/routers/auth/grant-user-app.js
+++ b/src/backend/src/routers/auth/grant-user-app.js
@@ -20,6 +20,7 @@ const APIError = require('../../api/APIError');
 const eggspress = require('../../api/eggspress');
 const { UserActorType } = require('../../services/auth/Actor');
 const { Context } = require('../../util/context');
+const { validate_fields } = require('../../util/validutil');
 module.exports = eggspress('/auth/grant-user-app', {
 subdomain: 'api',
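Review bot: The removed `! req.body.app_uid` and `! req.body.permission` checks in grant-dev-app.js also rejected empty strings, while the new `{ type: 'string', optional: false }` entries only state a type, so an empty `permission` or `app_uid` may now reach `grant_dev_app_permission` unless `validate_fields` itself treats `''` as missing (the helper is not part of this patch). If it does not, I would keep an explicit guard after the call, e.g. `if ( req.body.permission === '' ) throw APIError.create('field_missing', null, { key: 'permission' });`, and likewise for `app_uid`. The same applies to the validation hunks in grant-user-app.js, grant-user-group.js (`group_uid`) and grant-user-user.js (`target_username`). The handler body starts and ends outside the hunk.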
@@ -40,15 +41,12 @@ module.exports = eggspress('/auth/grant-user-app', {
 req.body.app_uid = await svc_auth.app_uid_from_origin(req.body.origin);
 }
- if ( ! req.body.app_uid ) {
- throw APIError.create('field_missing', null, { key: 'app_uid' });
- }
-
- if ( ! req.body.permission ) {
- throw APIError.create('field_missing', null, {
- key: 'permission',
- });
- }
+ validate_fields({
+ app_uid: { type: 'string', optional: false },
+ permission: { type: 'string', optional: false },
+ extra: { type: 'object', optional: true },
+ meta: { type: 'object', optional: true },
+ }, req.body);
 await svc_permission.grant_user_app_permission(actor, req.body.app_uid, req.body.permission, req.body.extra || {}, req.body.meta || {});
diff --git a/src/backend/src/routers/auth/grant-user-group.js b/src/backend/src/routers/auth/grant-user-group.js
index 4b006550..66218bb4 100644
--- a/src/backend/src/routers/auth/grant-user-group.js
+++ b/src/backend/src/routers/auth/grant-user-group.js
@@ -20,6 +20,7 @@ const APIError = require('../../api/APIError');
 const eggspress = require('../../api/eggspress');
 const { UserActorType } = require('../../services/auth/Actor');
 const { Context } = require('../../util/context');
+const { validate_fields } = require('../../util/validutil');
 module.exports = eggspress('/auth/grant-user-group', {
 subdomain: 'api',
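Review bot: In grant-user-app.js `req.body.origin` is still handed to `svc_auth.app_uid_from_origin` in the context line above the new `validate_fields` call and is not listed in the field spec, so a non-string `origin` reaches the service unchecked, which looks like the same class of 500 this commit sets out to remove. The condition guarding that line is outside the hunk, so this is inferred from the visible context only. I would type-check it before the lookup, e.g. `validate_fields({ origin: { type: 'string', optional: true } }, req.body);`, assuming the helper accepts a spec that covers only some of the body's keys. The validation hunk in grant-dev-app.js has the same ordering.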
@@ -35,17 +36,12 @@ module.exports = eggspress('/auth/grant-user-group', {
 throw APIError.create('forbidden');
 }
- if ( ! req.body.group_uid ) {
- throw APIError.create('field_missing', null, {
- key: 'group_uid',
- });
- }
-
- if ( ! req.body.permission ) {
- throw APIError.create('field_missing', null, {
- key: 'permission',
- });
- }
+ validate_fields({
+ group_uid: { type: 'string', optional: false },
+ permission: { type: 'string', optional: false },
+ extra: { type: 'object', optional: true },
+ meta: { type: 'object', optional: true },
+ }, req.body);
 await svc_permission.grant_user_group_permission(actor, req.body.group_uid, req.body.permission, req.body.extra || {}, req.body.meta || {});
diff --git a/src/backend/src/routers/auth/grant-user-user.js b/src/backend/src/routers/auth/grant-user-user.js
index 037bee63..90a9151c 100644
--- a/src/backend/src/routers/auth/grant-user-user.js
+++ b/src/backend/src/routers/auth/grant-user-user.js
@@ -20,6 +20,7 @@ const APIError = require('../../api/APIError');
 const eggspress = require('../../api/eggspress');
 const { UserActorType } = require('../../services/auth/Actor');
 const { Context } = require('../../util/context');
+const { validate_fields } = require('../../util/validutil');
 module.exports = eggspress('/auth/grant-user-user', {
 subdomain: 'api',
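Review bot: In grant-user-group.js `extra` and `meta` are declared as `{ type: 'object', optional: true }` and then forwarded as `req.body.extra || {}`; if `validate_fields` checks with `typeof`, an array would satisfy `'object'` and be passed to `grant_user_group_permission` unchanged (the helper is not shown in this patch, so this is a question rather than a finding). If only plain objects are intended, an explicit check such as `Array.isArray(req.body.extra)` before the grant call would close the gap, and a comment above the spec like `// extra/meta: plain JSON objects only` would record the intent. The other three validation hunks declare the same two entries. The handler body starts and ends outside the hunk.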
@@ -35,15 +36,12 @@ module.exports = eggspress('/auth/grant-user-user', {
 throw APIError.create('forbidden');
 }
- if ( ! req.body.target_username ) {
- throw APIError.create('field_missing', null, { key: 'target_username' });
- }
-
- if ( ! req.body.permission ) {
- throw APIError.create('field_missing', null, {
- key: 'permission',
- });
- }
+ validate_fields({
+ target_username: { type: 'string', optional: false },
+ permission: { type: 'string', optional: false },
+ extra: { type: 'object', optional: true },
+ meta: { type: 'object', optional: true },
+ }, req.body);
 await svc_permission.grant_user_user_permission(actor, req.body.target_username, req.body.permission, req.body.extra || {}, req.body.meta || {});