feat(auth): add request validation for utility endpoints #576
Chaitanya-970 wants to merge 2 commits into
Conversation

@Chaitanya-970 is attempting to deploy a commit to the Prashantkumar Khatri's projects Team on Vercel. A member of the Team first needs to authorize it.
Hi @Chaitanya-970, thanks for opening this pull request. This PR has been automatically classified based on the files modified.
Applied Labels
Primary Review Area
Reviewer: @Harxhit has been identified as the primary reviewer for this pull request. If you have any questions regarding the affected area or implementation details, feel free to reach out to the assigned reviewer. Thank you for your contribution!
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds request-body validation to selected auth endpoints using Zod, with accompanying tests to ensure invalid payloads are rejected.
Changes:
- Introduced Zod schemas for `/mobile/exchange` and `/refresh` request bodies
- Added runtime validation in the corresponding Fastify route handlers
- Added Vitest coverage for invalid request bodies and missing refresh tokens
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| apps/backend/src/validations/auth.validation.ts | Adds Zod schemas for auth-related request bodies |
| apps/backend/src/routes/auth.ts | Applies schema validation to /refresh and /mobile/exchange routes |
| apps/backend/src/tests/auth-util.test.ts | Adds tests asserting 400/401 responses for invalid/missing inputs |
CI — All Checks Passed
Backend — PASS
Mobile — SKIP
Web — SKIP
Harxhit left a comment
@Chaitanya-970 Which issue does it close?
Please mention that in the PR description. Also address the Copilot suggestions, please.
Harxhit left a comment
Checked this out and tested locally. The validation does what it says — malformed payloads on /auth/mobile/exchange and /auth/refresh now get a clean 400 instead of falling through, and valid requests are unaffected.
Verified ✅
- Typecheck: `npm run typecheck` passes clean.
- Tests: `npx vitest run src/__tests__/auth-validation.test.ts` → 6/6 passing. Good coverage of the rejection cases (missing / empty / non-string).
- Lint: `eslint` on the three changed files → 0 errors.
- Schemas are correct: `mobileExchangeSchema` and `refreshTokenSchema` both `.trim().min(1)`, so empty/whitespace-only strings are rejected, with useful `required_error`/`invalid_type_error` messages.
- Valid input still passes (checked directly): `{ code: 'abc123' }` parses fine, `{ code: ' abc ' }` trims to `abc`. Happy path not broken.
- The `/refresh` cookie path is preserved: validation only runs when `refresh_token` is present in the body, so normal cookie-based refresh (no body) is untouched — and `{ refresh_token: '' }` is correctly caught. Nice handling of the dual cookie/body source.
Suggestions
- [low] Missing happy-path test. All 6 tests assert rejections. Worth adding one valid-payload test per endpoint that asserts it gets past validation (e.g. `/mobile/exchange` with a mocked `redis.getdel` returning a payload → 200), to guard against a future schema tweak silently breaking valid requests.
- [low] `/mobile/exchange` now looks up the trimmed code. Lookup uses `parsed.data.code` (post-`.trim()`). Since exchange codes are server-generated this is safe and arguably more correct, but if the generation side ever stores an untrimmed value the keys won't match. Just flagging the coupling.
- [nit] Lint warning in the test file. `buildTestApp` trips `@typescript-eslint/explicit-function-return-type` (warning). Adding `: Promise<FastifyInstance>` clears it.
- [nit] Out-of-scope but adjacent. The GitHub/Google `/callback` handlers still have `// TODO: Add zod validation here`. A natural follow-up to fold those querystrings into the same validation module.
- [nit] PR description references `auth-util.test.ts`; the actual file added is `auth-validation.test.ts`. Harmless mismatch.
Solid, well-scoped change. Items above are all optional polish.
Reviewed locally — ran typecheck + the new vitest suite + eslint, and verified schema parse behavior on both valid and invalid input.
Closes #540
Copilot suggestions resolved
This fixes the assigned issue where the auth utility endpoints were accepting payloads without validation.
I added Zod schemas for the /auth/mobile/exchange and /auth/refresh routes. Now, if someone sends an empty or badly formatted request body, the API returns a 400 error instead of trying to process it.
Changes:
- Added `mobileExchangeSchema` and `refreshTokenSchema` in `auth.validation.ts`
- Wired up the schemas in the `auth.ts` route handlers
- Wrote tests in `auth-util.test.ts` to verify that missing, empty, and non-string inputs are rejected properly
The new tests pass locally and the linter is green.