Add Zod validation to all API endpoints and remove debug test route

Adds schema-based input validation across helcim, events, members, series, admin, and updates API endpoints. Removes the peer-support debug test endpoint. Adds validation test coverage.
2026-03-01 17:04:26 +00:00 · 2026-03-01 17:04:26 +00:00 · 025c1a180f
commit 025c1a180f
parent e4813075b7
38 changed files with 1132 additions and 309 deletions
--- a/server/api/admin/series/[id].put.js
+++ b/server/api/admin/series/[id].put.js
@ -9,7 +9,7 @@ export default defineEventHandler(async (event) => {
    await connectDB()
    
    const id = getRouterParam(event, 'id')
-    const body = await readBody(event)
+    const body = await validateBody(event, adminSeriesItemUpdateSchema)
    
    if (!id) {
      throw createError({
@ -55,10 +55,11 @@ export default defineEventHandler(async (event) => {
      data: series
    }
  } catch (error) {
+    if (error.statusCode) throw error
    console.error('Error updating series:', error)
    throw createError({
      statusCode: 500,
-      statusMessage: error.message || 'Failed to update series'
+      statusMessage: 'An unexpected error occurred'
    })
  }
 })
--- a/server/api/admin/series/tickets.put.js
+++ b/server/api/admin/series/tickets.put.js
@ -8,23 +8,9 @@ export default defineEventHandler(async (event) => {
    await requireAdmin(event)
    await connectDB()

-    const body = await readBody(event)
+    const body = await validateBody(event, adminSeriesTicketsSchema)
    const { id, tickets } = body

-    if (!id) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: 'Series ID is required'
-      })
-    }
-
-    if (!tickets) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: 'Tickets configuration is required'
-      })
-    }
-
    // Find the series
    const series = await Series.findOne({ id })