fix: return 400 on invalid tag/album payload

2026-02-01 18:01:25 -08:00
parent 51aba941d6
commit e455425d2e
4 changed files with 34 additions and 2 deletions
--- a/apps/web/app/api/albums/handlers.ts
+++ b/apps/web/app/api/albums/handlers.ts
@@ -61,7 +61,15 @@ export async function handleCreateAlbum(input: {
    return { status: 401, body: { error: "admin_required" } };
  }

-  const body = createAlbumBodySchema.parse(input.body ?? {});
+  const bodyParsed = createAlbumBodySchema.safeParse(input.body ?? {});
+  if (!bodyParsed.success) {
+    return {
+      status: 400,
+      body: { error: "invalid_body", issues: bodyParsed.error.issues },
+    };
+  }
+
+  const body = bodyParsed.data;
  const db = (input.db ?? getDb()) as DbLike;
  const rows = await db<
    {
--- a/apps/web/app/api/tags/handlers.ts
+++ b/apps/web/app/api/tags/handlers.ts
@@ -50,7 +50,15 @@ export async function handleCreateTag(input: {
    return { status: 401, body: { error: "admin_required" } };
  }

-  const body = createTagBodySchema.parse(input.body ?? {});
+  const bodyParsed = createTagBodySchema.safeParse(input.body ?? {});
+  if (!bodyParsed.success) {
+    return {
+      status: 400,
+      body: { error: "invalid_body", issues: bodyParsed.error.issues },
+    };
+  }
+
+  const body = bodyParsed.data;
  const db = (input.db ?? getDb()) as DbLike;
  const rows = await db<
    {
--- a/apps/web/src/tests/albums-admin-auth.test.ts
+++ b/apps/web/src/tests/albums-admin-auth.test.ts
@@ -100,6 +100,14 @@ test("albums POST inserts and writes audit log", async () => {
  );
 });

+test("albums POST rejects invalid body", async () => {
+  const { handleCreateAlbum } = await import("../../app/api/albums/handlers");
+  const res = await handleCreateAlbum({ adminOk: true, body: { name: "" } });
+  expect(res.status).toBe(400);
+  expect(res.body).toMatchObject({ error: "invalid_body" });
+  expect(Array.isArray((res.body as { issues?: unknown }).issues)).toBe(true);
+});
+
 test("album add asset inserts and writes audit log", async () => {
  const { handleAddAlbumAsset } = await import(
    "../../app/api/albums/handlers"
--- a/apps/web/src/tests/tags-admin-auth.test.ts
+++ b/apps/web/src/tests/tags-admin-auth.test.ts
@@ -73,3 +73,11 @@ test("tags POST inserts and writes audit log", async () => {
    true,
  );
 });
+
+test("tags POST rejects invalid body", async () => {
+  const { handleCreateTag } = await import("../../app/api/tags/handlers");
+  const res = await handleCreateTag({ adminOk: true, body: { name: "" } });
+  expect(res.status).toBe(400);
+  expect(res.body).toMatchObject({ error: "invalid_body" });
+  expect(Array.isArray((res.body as { issues?: unknown }).issues)).toBe(true);
+});