refactor: extract escapeRegex and validateTagSlugs server utils

Deduplicate tag validation and regex escaping into shared auto-imported
utils. Add tag validation to wiki patch/batch-tag routes. Remove
duplicate tags field from event schema.

server/api/admin/events.post.js

@@ -1,5 +1,4 @@
 import Event from "../../models/event.js";
-import Tag from "../../models/tag.js";
 import { connectDB } from "../../utils/mongoose.js";
 import { requireAdmin } from "../../utils/auth.js";
 import { validateBody } from "../../utils/validateBody.js";
@@ -13,18 +12,7 @@ export default defineEventHandler(async (event) => {
 
     await connectDB();
 
-    // Validate tag slugs against Tag collection
+    await validateTagSlugs(body.tags);
-    if (body.tags && body.tags.length > 0) {
-      const foundTags = await Tag.find({ slug: { $in: body.tags } });
-      const foundSlugs = new Set(foundTags.map((t) => t.slug));
-      const invalid = body.tags.filter((s) => !foundSlugs.has(s));
-      if (invalid.length > 0) {
-        throw createError({
-          statusCode: 400,
-          statusMessage: `Unknown tag slugs: ${invalid.join(", ")}`,
-        });
-      }
-    }
 
     const eventData = {
       ...body,

server/api/admin/events/[id].put.js

@@ -1,5 +1,4 @@
 import Event from '../../../models/event.js'
-import Tag from '../../../models/tag.js'
 import { connectDB } from '../../../utils/mongoose.js'
 import { requireAdmin } from '../../../utils/auth.js'
 
@@ -12,18 +11,7 @@ export default defineEventHandler(async (event) => {
 
     await connectDB()
 
-    // Validate tag slugs against Tag collection
+    await validateTagSlugs(body.tags)
-    if (body.tags && body.tags.length > 0) {
-      const foundTags = await Tag.find({ slug: { $in: body.tags } })
-      const foundSlugs = new Set(foundTags.map(t => t.slug))
-      const invalid = body.tags.filter(s => !foundSlugs.has(s))
-      if (invalid.length > 0) {
-        throw createError({
-          statusCode: 400,
-          statusMessage: `Unknown tag slugs: ${invalid.join(', ')}`
-        })
-      }
-    }
 
     const updateData = {
       ...body,

server/api/admin/wiki/[id].patch.js

@@ -14,6 +14,8 @@ export default defineEventHandler(async (event) => {
 
   await connectDB()
 
+  await validateTagSlugs(body.tags)
+
   const article = await WikiArticle.findByIdAndUpdate(
     id,
     { tags: body.tags },

server/api/admin/wiki/batch-tag.post.js

@@ -30,6 +30,8 @@ export default defineEventHandler(async (event) => {
 
   await connectDB()
 
+  await validateTagSlugs([...(body.addTags || []), ...(body.removeTags || [])])
+
   const filter = body.articleIds
     ? { _id: { $in: body.articleIds } }
     : { collection: body.collection }

server/api/admin/wiki/index.get.js

@@ -12,7 +12,7 @@ export default defineEventHandler(async (event) => {
     filter.collection = collection
   }
   if (search) {
-    filter.title = { $regex: search, $options: 'i' }
+    filter.title = { $regex: escapeRegex(search), $options: 'i' }
   }
 
   const articles = await WikiArticle.find(filter)

server/api/members/directory.get.js

@@ -42,8 +42,7 @@ export default defineEventHandler(async (event) => {
   }
 
   if (search) {
-    // Escape regex metacharacters to prevent ReDoS
+    const escaped = escapeRegex(search);
-    const escaped = search.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
     andConditions.push({
       $or: [
         { name: { $regex: escaped, $options: "i" } },

server/models/event.js

@@ -183,7 +183,6 @@ const eventSchema = new mongoose.Schema({
       refundAmount: Number,
     },
   ],
-  tags: [{ type: String }],
   createdBy: { type: String, required: true },
   createdAt: { type: Date, default: Date.now },
   updatedAt: { type: Date, default: Date.now },

server/utils/escapeRegex.js

@@ -0,0 +1,3 @@
+export function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
+}

server/utils/validateTagSlugs.js

@@ -0,0 +1,14 @@
+import Tag from '../models/tag.js'
+
+export async function validateTagSlugs(slugs) {
+  if (!slugs?.length) return
+  const foundTags = await Tag.find({ slug: { $in: slugs } })
+  const foundSlugs = new Set(foundTags.map(t => t.slug))
+  const invalid = slugs.filter(s => !foundSlugs.has(s))
+  if (invalid.length > 0) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: `Unknown tag slugs: ${invalid.join(', ')}`
+    })
+  }
+}

tests/server/api/event-tags.test.js

@@ -29,6 +29,7 @@ vi.mock('../../../server/utils/schemas.js', () => ({
 
 import Tag from '../../../server/models/tag.js'
 import { validateBody } from '../../../server/utils/validateBody.js'
+import { validateTagSlugs } from '../../../server/utils/validateTagSlugs.js'
 import createHandler from '../../../server/api/admin/events.post.js'
 import updateHandler from '../../../server/api/admin/events/[id].put.js'
 import { createMockEvent } from '../helpers/createMockEvent.js'
@@ -51,8 +52,9 @@ const validEventBody = {
 describe('Event tag validation', () => {
   beforeEach(() => {
     vi.clearAllMocks()
-    // Override the global validateBody stub (from setup.js) to use our mock
+    // Override global stubs (from setup.js) to use the real/mocked implementations
     globalThis.validateBody = validateBody
+    globalThis.validateTagSlugs = validateTagSlugs
   })
 
   describe('create route (events.post)', () => {

tests/server/setup.js

@@ -41,3 +41,8 @@ vi.stubGlobal('requireAuth', vi.fn())
 vi.stubGlobal('requireAdmin', vi.fn())
 vi.stubGlobal('validateBody', vi.fn(async (event) => readBody(event)))
 vi.stubGlobal('logActivity', vi.fn())
+vi.stubGlobal('validateTagSlugs', vi.fn())
+
+// Real server/utils that are safe to use as-is in tests
+import { escapeRegex } from '../../server/utils/escapeRegex.js'
+vi.stubGlobal('escapeRegex', escapeRegex)