From 06d56fd7116a874362a6ecd9bd619702d96fce1c Mon Sep 17 00:00:00 2001
From: KernelDeimos <7225168+KernelDeimos@users.noreply.github.com>
Date: Tue, 2 Dec 2025 16:23:04 -0500
Subject: [PATCH] fix: update validation for permission endpoints

Permission endpoints would trigger 500 errors in cases where the request did not have correct types for values in the request body. This migrates all of these endpoints to use the new `validate_fields` function, which is intended to make validation of fields clearer and more consistent.
---
 src/backend/src/routers/auth/grant-dev-app.js | 16 +++++++---------
 src/backend/src/routers/auth/grant-user-app.js | 16 +++++++---------
 .../src/routers/auth/grant-user-group.js | 18 +++++++-----------
 .../src/routers/auth/grant-user-user.js | 16 +++++++---------
 4 files changed, 28 insertions(+), 38 deletions(-)

diff --git a/src/backend/src/routers/auth/grant-dev-app.js b/src/backend/src/routers/auth/grant-dev-app.js
index 79f827894..df4aef776 100644
--- a/src/backend/src/routers/auth/grant-dev-app.js
+++ b/src/backend/src/routers/auth/grant-dev-app.js
@@ -20,6 +20,7 @@ const APIError = require('../../api/APIError');
 const eggspress = require('../../api/eggspress');
 const { UserActorType } = require('../../services/auth/Actor');
 const { Context } = require('../../util/context');
+const { validate_fields } = require('../../util/validutil');
 module.exports = eggspress('/auth/grant-dev-app', {
 subdomain: 'api',
@@ -40,15 +41,12 @@ module.exports = eggspress('/auth/grant-dev-app', {
 req.body.app_uid = await svc_auth.app_uid_from_origin(req.body.origin);
 }
- if ( ! req.body.app_uid ) {
- throw APIError.create('field_missing', null, { key: 'app_uid' });
- }
-
- if ( ! req.body.permission ) {
- throw APIError.create('field_missing', null, {
- key: 'permission',
- });
- }
+ validate_fields({
+ app_uid: { type: 'string', optional: false },
+ permission: { type: 'string', optional: false },
+ extra: { type: 'object', optional: true },
+ meta: { type: 'object', optional: true },
+ }, req.body);
 await svc_permission.grant_dev_app_permission(actor, req.body.app_uid, req.body.permission, req.body.extra || {}, req.body.meta || {});
diff --git a/src/backend/src/routers/auth/grant-user-app.js b/src/backend/src/routers/auth/grant-user-app.js
index 643e1cfc5..dd78561f7 100644
--- a/src/backend/src/routers/auth/grant-user-app.js
+++ b/src/backend/src/routers/auth/grant-user-app.js
@@ -20,6 +20,7 @@ const APIError = require('../../api/APIError');
 const eggspress = require('../../api/eggspress');
 const { UserActorType } = require('../../services/auth/Actor');
 const { Context } = require('../../util/context');
+const { validate_fields } = require('../../util/validutil');
 module.exports = eggspress('/auth/grant-user-app', {
 subdomain: 'api',
@@ -40,15 +41,12 @@ module.exports = eggspress('/auth/grant-user-app', {
 req.body.app_uid = await svc_auth.app_uid_from_origin(req.body.origin);
 }
- if ( ! req.body.app_uid ) {
- throw APIError.create('field_missing', null, { key: 'app_uid' });
- }
-
- if ( ! req.body.permission ) {
- throw APIError.create('field_missing', null, {
- key: 'permission',
- });
- }
+ validate_fields({
+ app_uid: { type: 'string', optional: false },
+ permission: { type: 'string', optional: false },
+ extra: { type: 'object', optional: true },
+ meta: { type: 'object', optional: true },
+ }, req.body);
 await svc_permission.grant_user_app_permission(actor, req.body.app_uid, req.body.permission, req.body.extra || {}, req.body.meta || {});
diff --git a/src/backend/src/routers/auth/grant-user-group.js b/src/backend/src/routers/auth/grant-user-group.js
index 4b0065509..66218bb48 100644
--- a/src/backend/src/routers/auth/grant-user-group.js
+++ b/src/backend/src/routers/auth/grant-user-group.js
@@ -20,6 +20,7 @@ const APIError = require('../../api/APIError');
 const eggspress = require('../../api/eggspress');
 const { UserActorType } = require('../../services/auth/Actor');
 const { Context } = require('../../util/context');
+const { validate_fields } = require('../../util/validutil');
 module.exports = eggspress('/auth/grant-user-group', {
 subdomain: 'api',
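Review bot: In grant-user-app.js the context line `req.body.app_uid = await svc_auth.app_uid_from_origin(req.body.origin);` still runs before `validate_fields`, so `origin` is passed on without a type check, and a non-string `origin` could still produce the kind of 500 this commit sets out to remove, depending on how `app_uid_from_origin` handles it. Consider validating it ahead of the lookup, e.g. `validate_fields({ origin: { type: 'string', optional: true } }, req.body);`. The enclosing `if` starts outside the hunk, so its condition is not visible here; grant-dev-app.js has the same ordering.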
@@ -35,17 +36,12 @@ module.exports = eggspress('/auth/grant-user-group', {
 throw APIError.create('forbidden');
 }
- if ( ! req.body.group_uid ) {
- throw APIError.create('field_missing', null, {
- key: 'group_uid',
- });
- }
-
- if ( ! req.body.permission ) {
- throw APIError.create('field_missing', null, {
- key: 'permission',
- });
- }
+ validate_fields({
+ group_uid: { type: 'string', optional: false },
+ permission: { type: 'string', optional: false },
+ extra: { type: 'object', optional: true },
+ meta: { type: 'object', optional: true },
+ }, req.body);
 await svc_permission.grant_user_group_permission(actor, req.body.group_uid, req.body.permission, req.body.extra || {}, req.body.meta || {});
diff --git a/src/backend/src/routers/auth/grant-user-user.js b/src/backend/src/routers/auth/grant-user-user.js
index 037bee633..90a9151c4 100644
--- a/src/backend/src/routers/auth/grant-user-user.js
+++ b/src/backend/src/routers/auth/grant-user-user.js
@@ -20,6 +20,7 @@ const APIError = require('../../api/APIError');
 const eggspress = require('../../api/eggspress');
 const { UserActorType } = require('../../services/auth/Actor');
 const { Context } = require('../../util/context');
+const { validate_fields } = require('../../util/validutil');
 module.exports = eggspress('/auth/grant-user-user', {
 subdomain: 'api',
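Review bot: In grant-user-group.js, `extra: { type: 'object', optional: true }` and `meta: { type: 'object', optional: true }` deserve a comment saying what 'object' accepts, because a plain `typeof` test would also admit arrays and `null`. `null` is normalised by `req.body.extra || {}`, but an array would be handed to `grant_user_group_permission` as-is. If `validate_fields` (not shown in this patch) does not exclude arrays, add `Array.isArray(req.body.extra)` / `Array.isArray(req.body.meta)` checks before the grant call. The other three endpoints use the same schema entries.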
@@ -35,15 +36,12 @@ module.exports = eggspress('/auth/grant-user-user', {
 throw APIError.create('forbidden');
 }
- if ( ! req.body.target_username ) {
- throw APIError.create('field_missing', null, { key: 'target_username' });
- }
-
- if ( ! req.body.permission ) {
- throw APIError.create('field_missing', null, {
- key: 'permission',
- });
- }
+ validate_fields({
+ target_username: { type: 'string', optional: false },
+ permission: { type: 'string', optional: false },
+ extra: { type: 'object', optional: true },
+ meta: { type: 'object', optional: true },
+ }, req.body);
 await svc_permission.grant_user_user_permission(actor, req.body.target_username, req.body.permission, req.body.extra || {}, req.body.meta || {});