From f776e359202a85432b440a746449617de1a046e7 Mon Sep 17 00:00:00 2001
From: nadavosa
Date: Mon, 18 May 2026 16:09:28 +0200
Subject: [PATCH 1/2] fix(#282): validate status and type enum params before querying, return 400
Co-Authored-By: Claude Sonnet 4.6
---
 .../volunteer/volunteer-opportunity.routes.ts | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/server/routes/volunteer/volunteer-opportunity.routes.ts b/src/server/routes/volunteer/volunteer-opportunity.routes.ts
index 8a04a9bd..39002ea2 100644
--- a/src/server/routes/volunteer/volunteer-opportunity.routes.ts
+++ b/src/server/routes/volunteer/volunteer-opportunity.routes.ts
@@ -1,5 +1,10 @@
 import { FastifyInstance, FastifyPluginOptions } from "fastify";
-import { ApiVolunteerOpportunityGetList } from "need4deed-sdk";
+import {
+ ApiVolunteerOpportunityGetList,
+ OpportunityStatusType,
+ VolunteerStateTypeType,
+} from "need4deed-sdk";
+import { BadRequestError } from "../../../config";
 import { dtoVolunteerOpportunityGetList } from "../../../services/dto/dto-opportunity";
 import {
 responseSchema,
@@ -40,6 +45,14 @@ export default async function volunteerOpportunityRoutes(
 const { page, limit, ...filters } = request.query;
+ const { status, type } = filters as QuerystringVolunteerOpportunityGetList;
+ if (status && !Object.values(OpportunityStatusType).includes(status as OpportunityStatusType)) {
+ throw new BadRequestError(`Invalid status value: "${status}"`);
+ }
+ if (type && !Object.values(VolunteerStateTypeType).includes(type as VolunteerStateTypeType)) {
+ throw new BadRequestError(`Invalid type value: "${type}"`);
+ }
+
 const [skip, take] = getSkipTake({ page, limit });
 const where = Object.fromEntries(
From d7a76673a4218c0f217c6054112b6db376056c97 Mon Sep 17 00:00:00 2001
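Review bot: The truthiness guards `status &&` and `type &&` in the added block skip validation for an empty string, so a request with `?status=` reaches the `where` construction unchecked unless the query schema rejects it first. Comparing against `undefined` closes that gap, e.g. `if (status !== undefined && !Object.values(OpportunityStatusType).includes(status as OpportunityStatusType)) {`, and the same for `type`. Both 400 messages also echo the raw query value back to the caller; a fixed message such as `Invalid status value`, or one that lists the allowed enum values, keeps client-chosen text out of responses and any logs that record the error. The handler body starts and ends outside this hunk, so how `where` treats empty values is not visible here.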
From: Nadav Nir
Date: Fri, 22 May 2026 17:11:16 +0200
Subject: [PATCH 2/2] =?UTF-8?q?fix(#282):=20remove=20redundant=20manual=20?= =?UTF-8?q?validation=20=E2=80=94=20schema=20enums=20already=20enforce=20v?= =?UTF-8?q?alid=20status/type?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
AJV validates `status` and `type` against the OpportunityStatusType and VolunteerStateTypeType enums via getRef() in volunteerOpportunityListQuerySchema, so the manual BadRequestError guards in the route handler are redundant.
Co-Authored-By: Claude Sonnet 4.6
---
 .../volunteer/volunteer-opportunity.routes.ts | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/src/server/routes/volunteer/volunteer-opportunity.routes.ts b/src/server/routes/volunteer/volunteer-opportunity.routes.ts
index 39002ea2..8a04a9bd 100644
--- a/src/server/routes/volunteer/volunteer-opportunity.routes.ts
+++ b/src/server/routes/volunteer/volunteer-opportunity.routes.ts
@@ -1,10 +1,5 @@
 import { FastifyInstance, FastifyPluginOptions } from "fastify";
-import {
- ApiVolunteerOpportunityGetList,
- OpportunityStatusType,
- VolunteerStateTypeType,
-} from "need4deed-sdk";
-import { BadRequestError } from "../../../config";
+import { ApiVolunteerOpportunityGetList } from "need4deed-sdk";
 import { dtoVolunteerOpportunityGetList } from "../../../services/dto/dto-opportunity";
 import {
 responseSchema,
@@ -45,14 +40,6 @@ export default async function volunteerOpportunityRoutes(
 const { page, limit, ...filters } = request.query;
- const { status, type } = filters as QuerystringVolunteerOpportunityGetList;
- if (status && !Object.values(OpportunityStatusType).includes(status as OpportunityStatusType)) {
- throw new BadRequestError(`Invalid status value: "${status}"`);
- }
- if (type && !Object.values(VolunteerStateTypeType).includes(type as VolunteerStateTypeType)) {
- throw new BadRequestError(`Invalid type value: "${type}"`);
- }
-
 const [skip, take] = getSkipTake({ page, limit });
 const where = Object.fromEntries(