fix: validate route ID parameters, return 400 for invalid IDs

Adds parseId helper in src/server/lib/params.ts and applies it across all route files so non-positive-integer IDs return 400 instead of silently passing NaN to services. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 15:34:06 +02:00
parent 3016eb1a1a
commit ecff58500e
6 changed files with 56 additions and 22 deletions
--- a/src/server/lib/params.ts
+++ b/src/server/lib/params.ts
@@ -0,0 +1,9 @@
+/**
+ * Parse a route parameter as a positive integer ID.
+ * Returns the number if valid, or null if the string is not a positive integer.
+ */
+export function parseId(raw: string): number | null {
+	const id = Number(raw);
+	if (!Number.isInteger(id) || id <= 0) return null;
+	return id;
+}