fix(portal): GRO-2203 validate petId as UUID before PATCH lookup (500→404) #177

Merged

Flea Flicker merged 1 commits from fix/gro-2203-portal-pet-patch-uuid-validation into dev 2026-06-08 17:03:45 +00:00

Conversation 0 Commits 1 Files Changed 3

+26

Flea Flicker commented 2026-06-08 17:01:49 +00:00

Member

Copy Link

Copy Source

GRO-2203 — Portal PATCH /api/portal/pets/:petId returns 500 on malformed (non-UUID) petId

Problem

portalRouter.patch("/pets/:petId", …) passed the raw petId param straight into where(eq(pets.id, petId)). A non-UUID string made Postgres throw invalid input syntax for type uuid, surfacing as an unhandled 500 Internal Server Error. Expected a clean typed error (400/404).

Fix

Validate petId with z.string().uuid() before the DB lookup and return the existing 404 {"error":"Not found"} for malformed ids. This mirrors the established GRO-2014 guard in src/routes/pets.ts. The valid-UUID-not-found case already returned 404, so the malformed case now matches it.

Changes

• src/routes/portal.ts — UUID guard in the PATCH handler before db.select().
• src/__tests__/portalPets.test.ts — regression test: non-UUID petId → 404, no mutation persisted.
• UAT_PLAYBOOK.md — added §8 TC-API-8.16 (malformed petId → 404).

Verification

• vitest run src/__tests__/portalPets.test.ts → 10/10 pass (new test included).
• npm run typecheck → clean.
• npm run lint → 0 errors (7 pre-existing warnings, none in touched files).

Severity

Low robustness/hardening item. Requires an authenticated portal session; web client only sends real UUIDs, so no happy-path impact. No data leak in the prior 500 body.

Closes GRO-2203.

Co-Authored-By: Paperclip noreply@paperclip.ing

## GRO-2203 — Portal PATCH `/api/portal/pets/:petId` returns 500 on malformed (non-UUID) petId ### Problem `portalRouter.patch("/pets/:petId", …)` passed the raw `petId` param straight into `where(eq(pets.id, petId))`. A non-UUID string made Postgres throw `invalid input syntax for type uuid`, surfacing as an unhandled **500 Internal Server Error**. Expected a clean typed error (400/404). ### Fix Validate `petId` with `z.string().uuid()` before the DB lookup and return the existing `404 {"error":"Not found"}` for malformed ids. This mirrors the established GRO-2014 guard in `src/routes/pets.ts`. The valid-UUID-not-found case already returned 404, so the malformed case now matches it. ### Changes - `src/routes/portal.ts` — UUID guard in the PATCH handler before `db.select()`. - `src/__tests__/portalPets.test.ts` — regression test: non-UUID `petId` → 404, no mutation persisted. - `UAT_PLAYBOOK.md` — added **§8 TC-API-8.16** (malformed petId → 404). ### Verification - `vitest run src/__tests__/portalPets.test.ts` → 10/10 pass (new test included). - `npm run typecheck` → clean. - `npm run lint` → 0 errors (7 pre-existing warnings, none in touched files). ### Severity Low robustness/hardening item. Requires an authenticated portal session; web client only sends real UUIDs, so no happy-path impact. No data leak in the prior 500 body. Closes GRO-2203. Co-Authored-By: Paperclip <noreply@paperclip.ing>

Flea Flicker added 1 commit 2026-06-08 17:01:50 +00:00

fix(portal): GRO-2203 validate petId as UUID before PATCH lookup (500→404) ... bd9866520b

A non-UUID :petId passed straight into where(eq(pets.id, petId)) made
Postgres throw "invalid input syntax for type uuid", surfacing as an
unhandled 500. Guard the param with z.string().uuid() and return the
existing 404 {"error":"Not found"} for malformed ids, mirroring the
GRO-2014 fix in pets.ts. Valid-UUID-not-found already returned 404.

- Add regression test (non-UUID petId → 404, no mutation)
- Update UAT_PLAYBOOK.md §8 (TC-API-8.16)

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Flea Flicker merged commit b842237425 into dev 2026-06-08 17:03:45 +00:00

Flea Flicker referenced this pull request 2026-06-08 17:04:14 +00:00

dev → uat: GRO-2203 portal pet PATCH malformed-petId 500→404 #178

Flea Flicker referenced this pull request 2026-06-08 18:08:37 +00:00

Promote dev → uat: GRO-2156 route travel buffer + reorder (Phase 2.2) #181

Flea Flicker referenced this pull request 2026-06-08 19:18:33 +00:00

Promote dev → uat: GRO-2155/2156/2203/2211/2163 + GRO-2234 (cumulative batch) #182

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: groombook/api#177