/*
 * Parameter validation middleware. Each route parameter is checked against
 * a safe pattern to prevent unexpected input from reaching database queries.
 * The whitelist approach rejects obviously invalid identifiers early, keeping
 * service-layer code cleaner.
 */
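/** Allowed shape for short codes/slugs: 1-100 characters from [A-Za-z0-9_-]. */
const SAFE_CODE_PATTERN = /^[a-zA-Z0-9_-]{1,100}$/;

/**
 * Allowed shape for UUID-style ids: the canonical 8-4-4-4-12 layout of
 * lowercase hex groups. Enforcing the group layout (rather than any 36
 * hex-or-hyphen characters) rejects malformed values such as a run of
 * hyphens before they reach a query. Uppercase hex is still rejected, as
 * before.
 */
const SAFE_UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;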
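/**
 * Build an Express middleware that allowlists a single route parameter.
 *
 * @param {string} paramName - key looked up in `req.params`.
 * @param {{ pattern?: RegExp | null }} [options] - `pattern` overrides the
 *   default choice. When omitted, a name containing "id" (case-insensitive,
 *   so names like "provider" or "width" also qualify — pass `pattern`
 *   explicitly for those) is checked against SAFE_UUID_PATTERN; any other
 *   name against SAFE_CODE_PATTERN.
 * @returns {(req: object, res: object, next: Function) => void} middleware
 *   that answers 400 with `{ message: "Invalid parameter: <paramName>" }`
 *   when the value is missing, empty or does not match, and calls `next()`
 *   otherwise. The value is not normalised or written back.
 * @throws {TypeError} at build time when `pattern` is given but is not a RegExp.
 */
export function validateParam(paramName, { pattern = null } = {}) {
  const chosen =
    pattern ??
    (paramName.toLowerCase().includes('id') ? SAFE_UUID_PATTERN : SAFE_CODE_PATTERN);
  if (!(chosen instanceof RegExp)) {
    throw new TypeError(`validateParam(${paramName}): pattern must be a RegExp`);
  }
  // A /g or /y regex keeps `lastIndex` between `test()` calls, so a single
  // shared instance would accept and reject alternately across requests.
  // Strip those flags once so every request is matched from position 0.
  const resolvedPattern = /[gy]/.test(chosen.flags)
    ? new RegExp(chosen.source, chosen.flags.replace(/[gy]/g, ''))
    : chosen;

  return (req, res, next) => {
    const value = req.params[paramName];
    // Express supplies strings; anything else is a malformed request object
    // and is rejected rather than coerced by the regex.
    if (typeof value !== 'string' || value === '' || !resolvedPattern.test(value)) {
      return res.status(400).json({ message: `Invalid parameter: ${paramName}` });
    }
    next();
  };
}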
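/**
 * Build an Express middleware that requires a route parameter to be a
 * non-negative finite number.
 *
 * Any form `Number()` accepts is allowed (e.g. "1.5", "1e3", "0x1f");
 * combine with a stricter `validateParam` pattern if decimal digits only
 * are required. The parsed value is not stored on `req`; downstream code
 * re-parses the string.
 *
 * @param {string} paramName - key looked up in `req.params`.
 * @returns {(req: object, res: object, next: Function) => void} middleware
 *   answering 400 with `{ message: "Invalid numeric parameter: <paramName>" }`
 *   for a missing, blank, non-numeric, infinite or negative value, and
 *   calling `next()` otherwise.
 */
export function validateNumericParam(paramName) {
  return (req, res, next) => {
    const raw = req.params[paramName];
    // Number(''), Number('   ') and Number(null) are all 0, so a blank or
    // absent value would pass as a valid zero; treat those as NaN instead.
    const isBlank = raw == null || (typeof raw === 'string' && raw.trim() === '');
    const value = isBlank ? NaN : Number(raw);
    if (!Number.isFinite(value) || value < 0) {
      return res.status(400).json({ message: `Invalid numeric parameter: ${paramName}` });
    }
    next();
  };
}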