Add Zod validation to all API endpoints and remove debug test route

Adds schema-based input validation across helcim, events, members, series, admin, and updates API endpoints. Removes the peer-support debug test endpoint. Adds validation test coverage.
2026-03-01 17:04:26 +00:00 · 2026-03-01 17:04:26 +00:00 · 025c1a180f
commit 025c1a180f
parent e4813075b7
38 changed files with 1132 additions and 309 deletions
--- a/server/api/admin/events/[id].put.js
+++ b/server/api/admin/events/[id].put.js
@ -7,15 +7,7 @@ export default defineEventHandler(async (event) => {
    await requireAdmin(event)

    const eventId = getRouterParam(event, 'id')
-    const body = await readBody(event)
-
-    // Validate required fields
-    if (!body.title || !body.description || !body.startDate || !body.endDate) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: 'Missing required fields'
-      })
-    }
+    const body = await validateBody(event, adminEventUpdateSchema)

    await connectDB()

@ -63,7 +55,7 @@ export default defineEventHandler(async (event) => {
    console.error('Error updating event:', error)
    throw createError({
      statusCode: 500,
-      statusMessage: error.message || 'Failed to update event'
+      statusMessage: 'An unexpected error occurred'
    })
  }
 })
--- a/server/api/admin/members.post.js
+++ b/server/api/admin/members.post.js
@ -6,15 +6,7 @@ export default defineEventHandler(async (event) => {
  try {
    await requireAdmin(event)

-    const body = await readBody(event)
-
-    // Validate required fields
-    if (!body.name || !body.email || !body.circle || !body.contributionTier) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: 'Missing required fields'
-      })
-    }
+    const body = await validateBody(event, adminMemberCreateSchema)

    await connectDB()

--- a/server/api/admin/series.post.js
+++ b/server/api/admin/series.post.js
@ -7,15 +7,7 @@ export default defineEventHandler(async (event) => {
    const admin = await requireAdmin(event)
    await connectDB()

-    const body = await readBody(event)
-
-    // Validate required fields
-    if (!body.id || !body.title || !body.description) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: 'Series ID, title, and description are required'
-      })
-    }
+    const body = await validateBody(event, adminSeriesCreateSchema)

    // Create new series
    const newSeries = new Series({
@ -43,9 +35,10 @@ export default defineEventHandler(async (event) => {
      })
    }
    
+    if (error.statusCode) throw error
    throw createError({
      statusCode: 500,
-      statusMessage: error.message || 'Failed to create series'
+      statusMessage: 'An unexpected error occurred'
    })
  }
 })
--- a/server/api/admin/series.put.js
+++ b/server/api/admin/series.put.js
@ -8,16 +8,9 @@ export default defineEventHandler(async (event) => {
    await requireAdmin(event)
    await connectDB()

-    const body = await readBody(event)
+    const body = await validateBody(event, adminSeriesUpdateSchema)
    const { id, title, description, type, totalEvents } = body

-    if (!id || !title) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: 'Series ID and title are required'
-      })
-    }
-
    // Update the series record
    const updatedSeries = await Series.findOneAndUpdate(
      { id },
@ -55,10 +48,11 @@ export default defineEventHandler(async (event) => {

    return updatedSeries
  } catch (error) {
+    if (error.statusCode) throw error
    console.error('Error updating series:', error)
    throw createError({
      statusCode: 500,
-      statusMessage: 'Failed to update series'
+      statusMessage: 'An unexpected error occurred'
    })
  }
 })
--- a/server/api/admin/series/[id].put.js
+++ b/server/api/admin/series/[id].put.js
@ -9,7 +9,7 @@ export default defineEventHandler(async (event) => {
    await connectDB()
    
    const id = getRouterParam(event, 'id')
-    const body = await readBody(event)
+    const body = await validateBody(event, adminSeriesItemUpdateSchema)
    
    if (!id) {
      throw createError({
@ -55,10 +55,11 @@ export default defineEventHandler(async (event) => {
      data: series
    }
  } catch (error) {
+    if (error.statusCode) throw error
    console.error('Error updating series:', error)
    throw createError({
      statusCode: 500,
-      statusMessage: error.message || 'Failed to update series'
+      statusMessage: 'An unexpected error occurred'
    })
  }
 })
--- a/server/api/admin/series/tickets.put.js
+++ b/server/api/admin/series/tickets.put.js
@ -8,23 +8,9 @@ export default defineEventHandler(async (event) => {
    await requireAdmin(event)
    await connectDB()

-    const body = await readBody(event)
+    const body = await validateBody(event, adminSeriesTicketsSchema)
    const { id, tickets } = body

-    if (!id) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: 'Series ID is required'
-      })
-    }
-
-    if (!tickets) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: 'Tickets configuration is required'
-      })
-    }
-
    // Find the series
    const series = await Series.findOne({ id })