Add Zod validation to all API endpoints and remove debug test route

Adds schema-based input validation across helcim, events, members, series, admin, and updates API endpoints. Removes the peer-support debug test endpoint. Adds validation test coverage.
2026-03-01 17:04:26 +00:00 · 2026-03-01 17:04:26 +00:00 · 025c1a180f
commit 025c1a180f
parent e4813075b7
38 changed files with 1132 additions and 309 deletions
--- a/tests/server/api/helcim-auth.test.js
+++ b/tests/server/api/helcim-auth.test.js
@ -0,0 +1,52 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+// Test that the three Helcim admin endpoints require admin auth.
+// We verify the handler files import/call requireAdmin by checking
+// the module source, and we test that requireAdmin rejects properly
+// via the existing auth.test.js infrastructure.
+
+// We test the schema + handler wiring by reading the file and
+// confirming requireAdmin is the first call in the handler.
+
+import { readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+
+const serverDir = resolve(import.meta.dirname, '../../../server/api/helcim')
+
+describe('Helcim admin endpoint auth guards', () => {
+  const files = [
+    'create-plan.post.js',
+    'plans.get.js',
+    'subscriptions.get.js'
+  ]
+
+  for (const file of files) {
+    describe(file, () => {
+      const source = readFileSync(resolve(serverDir, file), 'utf-8')
+
+      it('calls requireAdmin', () => {
+        expect(source).toContain('requireAdmin(event)')
+      })
+
+      it('calls requireAdmin before any business logic', () => {
+        const adminIndex = source.indexOf('requireAdmin(event)')
+        const readBodyIndex = source.indexOf('readBody(event)')
+        const validateBodyIndex = source.indexOf('validateBody(event')
+        const fetchIndex = source.indexOf('fetch(')
+
+        expect(adminIndex).toBeGreaterThan(-1)
+
+        // requireAdmin must come before readBody/validateBody/fetch
+        if (readBodyIndex > -1) {
+          expect(adminIndex).toBeLessThan(readBodyIndex)
+        }
+        if (validateBodyIndex > -1) {
+          expect(adminIndex).toBeLessThan(validateBodyIndex)
+        }
+        if (fetchIndex > -1) {
+          expect(adminIndex).toBeLessThan(fetchIndex)
+        }
+      })
+    })
+  }
+})