refactor: extract escapeRegex and validateTagSlugs server utils

Deduplicate tag validation and regex escaping into shared auto-imported utils. Add tag validation to wiki patch/batch-tag routes. Remove duplicate tags field from event schema.
2026-04-09 23:51:56 +01:00 · 2026-04-09 23:51:56 +01:00 · a516f172fb
commit a516f172fb
parent f585fabf21
11 changed files with 33 additions and 31 deletions
--- a/server/api/admin/events.post.js
+++ b/server/api/admin/events.post.js
@ -1,5 +1,4 @@
 import Event from "../../models/event.js";
-import Tag from "../../models/tag.js";
 import { connectDB } from "../../utils/mongoose.js";
 import { requireAdmin } from "../../utils/auth.js";
 import { validateBody } from "../../utils/validateBody.js";
@ -13,18 +12,7 @@ export default defineEventHandler(async (event) => {

    await connectDB();

-    // Validate tag slugs against Tag collection
-    if (body.tags && body.tags.length > 0) {
-      const foundTags = await Tag.find({ slug: { $in: body.tags } });
-      const foundSlugs = new Set(foundTags.map((t) => t.slug));
-      const invalid = body.tags.filter((s) => !foundSlugs.has(s));
-      if (invalid.length > 0) {
-        throw createError({
-          statusCode: 400,
-          statusMessage: `Unknown tag slugs: ${invalid.join(", ")}`,
-        });
-      }
-    }
+    await validateTagSlugs(body.tags);

    const eventData = {
      ...body,
--- a/server/api/admin/events/[id].put.js
+++ b/server/api/admin/events/[id].put.js
@ -1,5 +1,4 @@
 import Event from '../../../models/event.js'
-import Tag from '../../../models/tag.js'
 import { connectDB } from '../../../utils/mongoose.js'
 import { requireAdmin } from '../../../utils/auth.js'

@ -12,18 +11,7 @@ export default defineEventHandler(async (event) => {

    await connectDB()

-    // Validate tag slugs against Tag collection
-    if (body.tags && body.tags.length > 0) {
-      const foundTags = await Tag.find({ slug: { $in: body.tags } })
-      const foundSlugs = new Set(foundTags.map(t => t.slug))
-      const invalid = body.tags.filter(s => !foundSlugs.has(s))
-      if (invalid.length > 0) {
-        throw createError({
-          statusCode: 400,
-          statusMessage: `Unknown tag slugs: ${invalid.join(', ')}`
-        })
-      }
-    }
+    await validateTagSlugs(body.tags)

    const updateData = {
      ...body,
--- a/server/api/admin/wiki/[id].patch.js
+++ b/server/api/admin/wiki/[id].patch.js
@ -14,6 +14,8 @@ export default defineEventHandler(async (event) => {

  await connectDB()

+  await validateTagSlugs(body.tags)
+
  const article = await WikiArticle.findByIdAndUpdate(
    id,
    { tags: body.tags },
--- a/server/api/admin/wiki/batch-tag.post.js
+++ b/server/api/admin/wiki/batch-tag.post.js
@ -30,6 +30,8 @@ export default defineEventHandler(async (event) => {

  await connectDB()

+  await validateTagSlugs([...(body.addTags || []), ...(body.removeTags || [])])
+
  const filter = body.articleIds
    ? { _id: { $in: body.articleIds } }
    : { collection: body.collection }
--- a/server/api/admin/wiki/index.get.js
+++ b/server/api/admin/wiki/index.get.js
@ -12,7 +12,7 @@ export default defineEventHandler(async (event) => {
    filter.collection = collection
  }
  if (search) {
-    filter.title = { $regex: search, $options: 'i' }
+    filter.title = { $regex: escapeRegex(search), $options: 'i' }
  }

  const articles = await WikiArticle.find(filter)
--- a/server/api/members/directory.get.js
+++ b/server/api/members/directory.get.js
@ -42,8 +42,7 @@ export default defineEventHandler(async (event) => {
  }

  if (search) {
-    // Escape regex metacharacters to prevent ReDoS
-    const escaped = search.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    const escaped = escapeRegex(search);
    andConditions.push({
      $or: [
        { name: { $regex: escaped, $options: "i" } },
--- a/server/models/event.js
+++ b/server/models/event.js
@ -183,7 +183,6 @@ const eventSchema = new mongoose.Schema({
      refundAmount: Number,
    },
  ],
-  tags: [{ type: String }],
  createdBy: { type: String, required: true },
  createdAt: { type: Date, default: Date.now },
  updatedAt: { type: Date, default: Date.now },
--- a/server/utils/escapeRegex.js
+++ b/server/utils/escapeRegex.js
@ -0,0 +1,3 @@
+export function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
+}
--- a/server/utils/validateTagSlugs.js
+++ b/server/utils/validateTagSlugs.js
@ -0,0 +1,14 @@
+import Tag from '../models/tag.js'
+
+export async function validateTagSlugs(slugs) {
+  if (!slugs?.length) return
+  const foundTags = await Tag.find({ slug: { $in: slugs } })
+  const foundSlugs = new Set(foundTags.map(t => t.slug))
+  const invalid = slugs.filter(s => !foundSlugs.has(s))
+  if (invalid.length > 0) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: `Unknown tag slugs: ${invalid.join(', ')}`
+    })
+  }
+}