Request Validation Hardening #76

Open
opened 2026-02-23 10:06:15 +00:00 by ottomata · 0 comments
Owner

Tasks

  • Audit all POST/PUT/PATCH handlers — ensure every field has explicit validation:
    • Required fields validated (return 400 if missing)
    • String max lengths enforced (name: 255, description: 2000, script_path: 1024)
    • UUID path params validated with a helper (`parseUUID(r, "id")` → `400` on invalid UUID)
    • Enum fields validated against allowed values
  • Create a central RespondError(w, status, message) helper used by all handlers
  • Ensure no handler ever returns raw Go error strings, DB errors, or stack traces in the response body
  • Create an internal/api/validate package with reusable validators
  • Write table-driven tests for all validators

Acceptance Criteria

  • Every endpoint with a body returns 400 with a descriptive message on invalid input
  • Invalid UUID in path param returns 400 Bad Request (not 500)
  • No DB error messages or stack traces ever appear in HTTP responses
  • All validator unit tests pass
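As an added example (not code from the acsm project), the sketch below shows one way the tasks and acceptance criteria above fit together in Go: a small reusable validator set with the issue's length limits, a `ParseUUID` helper that returns `400` rather than `500` on a bad path segment, a single `RespondError` writer, and a `HandleError` mapper that lets only `ValidationError` messages reach the client while everything else (DB errors, wrapped Go errors) becomes a generic `500`. The `CreateJobRequest` type, the `status` enum values, and the `/jobs` handler are constructed for illustration; the helper takes the raw path segment because how it is extracted depends on the router in use.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"regexp"
	"strings"
	"unicode/utf8"
)

// Maximum field lengths from the issue's task list.
const (
	MaxNameLen        = 255
	MaxDescriptionLen = 2000
	MaxScriptPathLen  = 1024
)

// Allowed values for the example enum field (constructed for this example).
var AllowedStatuses = []string{"active", "paused", "archived"}

// Canonical 8-4-4-4-12 hex form; version/variant bits are deliberately not checked.
var uuidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// ValidationError is the only error type whose message is ever sent to a client.
type ValidationError struct{ Msg string }

func (e *ValidationError) Error() string { return e.Msg }

func invalid(format string, args ...any) error {
	return &ValidationError{Msg: fmt.Sprintf(format, args...)}
}

// Required rejects empty or whitespace-only values.
func Required(field, v string) error {
	if strings.TrimSpace(v) == "" {
		return invalid("%s is required", field)
	}
	return nil
}

// MaxLen counts runes, not bytes, so multi-byte UTF-8 input is not over-rejected.
func MaxLen(field, v string, max int) error {
	if n := utf8.RuneCountInString(v); n > max {
		return invalid("%s exceeds %d characters (got %d)", field, max, n)
	}
	return nil
}

// OneOf validates an enum field against its allowed values.
func OneOf(field, v string, allowed []string) error {
	for _, a := range allowed {
		if v == a {
			return nil
		}
	}
	return invalid("%s must be one of %s", field, strings.Join(allowed, ", "))
}

// ParseUUID validates a raw path segment and returns it normalised to lowercase.
func ParseUUID(name, raw string) (string, error) {
	if !uuidRe.MatchString(raw) {
		return "", invalid("%s must be a valid UUID", name)
	}
	return strings.ToLower(raw), nil
}

// RespondError is the single place that writes an error body.
func RespondError(w http.ResponseWriter, status int, message string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(map[string]string{"error": message})
}

// HandleError maps errors to responses: validation errors become 400 with their
// message; anything else (DB errors, raw Go errors) becomes a generic 500.
func HandleError(w http.ResponseWriter, err error) {
	var ve *ValidationError
	if errors.As(err, &ve) {
		RespondError(w, http.StatusBadRequest, ve.Msg)
		return
	}
	RespondError(w, http.StatusInternalServerError, "internal server error")
}

// CreateJobRequest is a constructed body type used to exercise the validators.
type CreateJobRequest struct {
	Name        string `json:"name"`
	Description string `json:"description"`
	ScriptPath  string `json:"script_path"`
	Status      string `json:"status"`
}

// Validate returns the first failing check so the client gets one clear message.
func (req CreateJobRequest) Validate() error {
	for _, err := range []error{
		Required("name", req.Name),
		MaxLen("name", req.Name, MaxNameLen),
		MaxLen("description", req.Description, MaxDescriptionLen),
		Required("script_path", req.ScriptPath),
		MaxLen("script_path", req.ScriptPath, MaxScriptPathLen),
		OneOf("status", req.Status, AllowedStatuses),
	} {
		if err != nil {
			return err
		}
	}
	return nil
}

// CreateJobHandler decodes with a size cap, validates, and only then proceeds.
func CreateJobHandler(w http.ResponseWriter, r *http.Request) {
	var req CreateJobRequest
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 64<<10)).Decode(&req); err != nil {
		RespondError(w, http.StatusBadRequest, "malformed request body")
		return
	}
	if err := req.Validate(); err != nil {
		HandleError(w, err)
		return
	}
	w.WriteHeader(http.StatusCreated)
}
```

The decode error is deliberately replaced by a fixed message: `json.Decoder` errors can echo fragments of the input and internal type names, which is exactly the kind of detail the acceptance criteria say must not appear in a response. Table-driven tests for each validator can then assert on the returned `ValidationError` messages directly, without spinning up a server.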
ottomata added this to the Phase 8 project 2026-02-23 10:09:19 +00:00
Reference
ottomata/acsm#76