fix: validate route ID parameters, return 400 for invalid IDs

Adds parseId helper in src/server/lib/params.ts and applies it across all route files so non-positive-integer IDs return 400 instead of silently passing NaN to services. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 15:34:06 +02:00
parent 3016eb1a1a
commit ecff58500e
6 changed files with 56 additions and 22 deletions
--- a/src/server/routes/setups.ts
+++ b/src/server/routes/setups.ts
@@ -6,6 +6,7 @@ import {
 	updateClassificationSchema,
 	updateSetupSchema,
 } from "../../shared/schemas.ts";
+import { parseId } from "../lib/params.ts";
 import {
 	createSetup,
 	deleteSetup,
@@ -38,7 +39,8 @@ app.post("/", zValidator("json", createSetupSchema), (c) => {

 app.get("/:id", (c) => {
 	const db = c.get("db");
-	const id = Number(c.req.param("id"));
+	const id = parseId(c.req.param("id"));
+	if (!id) return c.json({ error: "Invalid setup ID" }, 400);
 	const setup = getSetupWithItems(db, id);
 	if (!setup) return c.json({ error: "Setup not found" }, 404);
 	return c.json(setup);
@@ -46,7 +48,8 @@ app.get("/:id", (c) => {

 app.put("/:id", zValidator("json", updateSetupSchema), (c) => {
 	const db = c.get("db");
-	const id = Number(c.req.param("id"));
+	const id = parseId(c.req.param("id"));
+	if (!id) return c.json({ error: "Invalid setup ID" }, 400);
 	const data = c.req.valid("json");
 	const setup = updateSetup(db, id, data);
 	if (!setup) return c.json({ error: "Setup not found" }, 404);
@@ -55,7 +58,8 @@ app.put("/:id", zValidator("json", updateSetupSchema), (c) => {

 app.delete("/:id", (c) => {
 	const db = c.get("db");
-	const id = Number(c.req.param("id"));
+	const id = parseId(c.req.param("id"));
+	if (!id) return c.json({ error: "Invalid setup ID" }, 400);
 	const deleted = deleteSetup(db, id);
 	if (!deleted) return c.json({ error: "Setup not found" }, 404);
 	return c.json({ success: true });
@@ -65,7 +69,8 @@ app.delete("/:id", (c) => {

 app.put("/:id/items", zValidator("json", syncSetupItemsSchema), (c) => {
 	const db = c.get("db");
-	const id = Number(c.req.param("id"));
+	const id = parseId(c.req.param("id"));
+	if (!id) return c.json({ error: "Invalid setup ID" }, 400);
 	const { itemIds } = c.req.valid("json");

 	const setup = getSetupWithItems(db, id);
@@ -80,8 +85,9 @@ app.patch(
 	zValidator("json", updateClassificationSchema),
 	(c) => {
 		const db = c.get("db");
-		const setupId = Number(c.req.param("id"));
-		const itemId = Number(c.req.param("itemId"));
+		const setupId = parseId(c.req.param("id"));
+		const itemId = parseId(c.req.param("itemId"));
+		if (!setupId || !itemId) return c.json({ error: "Invalid ID" }, 400);
 		const { classification } = c.req.valid("json");
 		updateItemClassification(db, setupId, itemId, classification);
 		return c.json({ success: true });
@@ -90,8 +96,9 @@ app.patch(

 app.delete("/:id/items/:itemId", (c) => {
 	const db = c.get("db");
-	const setupId = Number(c.req.param("id"));
-	const itemId = Number(c.req.param("itemId"));
+	const setupId = parseId(c.req.param("id"));
+	const itemId = parseId(c.req.param("itemId"));
+	if (!setupId || !itemId) return c.json({ error: "Invalid ID" }, 400);
 	removeSetupItem(db, setupId, itemId);
 	return c.json({ success: true });
 });