Add api validations.

2026-02-09 23:27:12 +01:00 · 2023-08-19 22:23:15 -07:00 · 2023-08-19 22:23:15 -07:00 · 7a7233ead4
commit 7a7233ead4
parent 7d5a24044a
41 changed files with 690 additions and 180 deletions
--- a/pages/api/users/index.ts
+++ b/pages/api/users/index.ts
@ -1,8 +1,9 @@
 import { canCreateUser, canViewUsers } from 'lib/auth';
 import { ROLES } from 'lib/constants';
 import { uuid } from 'lib/crypto';
-import { useAuth } from 'lib/middleware';
+import { useAuth, useValidate } from 'lib/middleware';
 import { NextApiRequestQueryBody, Role, SearchFilter, User, UserSearchFilterType } from 'lib/types';
+import { getFilterValidation } from 'lib/yup';
 import { NextApiResponse } from 'next';
 import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
 import { createUser, getUserByUsername, getUsers } from 'queries';
@ -15,12 +16,31 @@ export interface UsersRequestBody {
  role?: Role;
 }

+import * as yup from 'yup';
+const schema = {
+  GET: yup.object().shape({
+    ...getFilterValidation(/All|Username/i),
+  }),
+  POST: yup.object().shape({
+    username: yup.string().max(255).required(),
+    password: yup.string().required(),
+    id: yup.string().uuid(),
+    role: yup
+      .string()
+      .matches(/admin|user|view-only/i)
+      .required(),
+  }),
+};
+
 export default async (
  req: NextApiRequestQueryBody<UsersRequestQuery, UsersRequestBody>,
  res: NextApiResponse<User[] | User>,
 ) => {
  await useAuth(req, res);

+  req.yup = schema;
+  await useValidate(req, res);
+
  if (req.method === 'GET') {
    if (!(await canViewUsers(req.auth))) {
      return unauthorized(res);
@ -28,7 +48,7 @@ export default async (

    const { page, filter, pageSize } = req.query;

-    const users = await getUsers({ page, filter, pageSize: +pageSize || null });
+    const users = await getUsers({ page, filter, pageSize: pageSize ? +pageSize : null });

    return ok(res, users);
  }