fix(#810): validate ratePerSecond/depositedAmount before BigInt coercion #983
Open
BernardOnuh wants to merge 1 commit into
…Int coercion

createStream called BigInt() on ratePerSecond/depositedAmount before validation. Non-numeric input threw SyntaxError and missing input threw TypeError, but only RangeError was mapped to 400 — everything else fell through to 500.

Adds presence + format validation before coercion.

Closes LabsCrypt#810
Description
Fixes a validation bug in createStream: BigInt(ratePerSecond) and BigInt(depositedAmount) were called before any presence/format validation. A non-numeric value throws SyntaxError and a missing value throws TypeError, but the surrounding catch block only mapped RangeError to 400 — every other conversion failure fell through to the generic 500 handler.
Type of Change
Related Issues
Closes #810
Changes Made
parseRequiredBigIntField() in stream.controller.ts: validates a field is present (not undefined/null/'') before attempting BigInt() coercion, and wraps the coercion itself in try/catch so any conversion failure (SyntaxError, TypeError, etc.) is normalized into a StreamValidationError.
createStream now validates ratePerSecond and depositedAmount presence/format before the <= 0n checks, and maps any StreamValidationError to a 400 response with a descriptive message instead of letting it fall through to 500.
stream.controller.test.ts:
  ratePerSecond → 400 with a validation error (not 500)
  depositedAmount → 400 with a validation error (not 500)
  ratePerSecond → 400, not 500
  depositedAmount → 400, not 500
Testing
Test Coverage
Test Steps
cd backend && npx prisma generate && npx vitest run tests/stream.controller.test.ts
stream.controller.test.ts pass (7 in the createStream block)
500 against the old (buggy) code, then re-confirming they pass with the fix applied
Breaking Changes
None. Response bodies for already-valid requests are unchanged; only previously-500 responses for malformed/missing numeric fields now correctly return 400.
Checklist
Additional Notes
Scope limited to backend/src/controllers/stream.controller.ts per the issue's "Files to touch." Stellar address format validation (sender/recipient/tokenAddress) is explicitly out of scope per the issue and tracked separately.
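The failure mode described above, as an added example that is not the code from this pull request: a coerce-first handler beside a validate-first one. `ValidationError`, `parseRequiredAmount`, both `status…` functions, the 201 success status and the accepted wire format (decimal digit string or safe integer) are assumptions made for illustration.

```typescript
// Added illustration, not the code from this pull request.
class ValidationError extends Error {} // hypothetical stand-in for StreamValidationError

// "Before" shape per the description: coerce first, map only RangeError to 400.
function statusCoerceFirst(raw: unknown): number {
  try {
    BigInt(raw as string); // SyntaxError for "abc", TypeError for undefined/null
    return 201; // success status is an assumption
  } catch (err) {
    return err instanceof RangeError ? 400 : 500;
  }
}

// Presence check, then format check, then coercion; every failure is a ValidationError.
function parseRequiredAmount(name: string, raw: unknown): bigint {
  if (raw === undefined || raw === null || raw === "") {
    throw new ValidationError(`${name} is required`);
  }
  // Assumed wire format: a decimal digit string or a safe integer number.
  // The regex also rejects inputs BigInt() would accept silently ("0x10", " 12 ").
  const ok =
    typeof raw === "number"
      ? Number.isSafeInteger(raw)
      : typeof raw === "string" && /^\d+$/.test(raw);
  if (!ok) throw new ValidationError(`${name} must be an integer`);
  try {
    return BigInt(raw as string | number);
  } catch {
    throw new ValidationError(`${name} could not be converted`);
  }
}

function statusValidateFirst(raw: unknown): number {
  try {
    const value = parseRequiredAmount("ratePerSecond", raw);
    return value <= BigInt(0) ? 400 : 201; // the page's <= 0n check runs after parsing
  } catch (err) {
    if (err instanceof ValidationError) return 400;
    throw err; // anything else is a genuine server fault
  }
}
```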