Skip to content

fix: validate bookingId UUID in message routes (3B.2)#338

Merged
cola500 merged 1 commit into
stagingfrom
feature/3b2-bookingid-uuid-validation
May 18, 2026
Merged

fix: validate bookingId UUID in message routes (3B.2)#338
cola500 merged 1 commit into
stagingfrom
feature/3b2-bookingid-uuid-validation

Conversation

@cola500
Copy link
Copy Markdown
Owner

@cola500 cola500 commented May 18, 2026

Summary

Sprint 3-B slice 3B.2 — UUID-validera `bookingId` i alla messages-routes innan DB/storage/service-anrop. Defense-in-depth-parity med C3:s entityId-validering.

  • 4 handlers hardenade: `messages` POST + GET, `messages/read` PATCH, `messages/attachments` POST
  • Ogiltig bookingId → 400 "Ogiltigt bookingId" (fail-fast)
  • Giltig UUID som inte tillhör user → 404 (oförändrat, IDOR-skydd via `loadBookingForMessaging`)
  • Placering: efter auth + feature flag, före rate-limit och DB-anrop

Test plan

  • 7 nya regression-tester (invalid UUID + traversal-patterns per handler)
  • Befintliga fixturer (`'booking-abc-123'`, `'booking-1'`) uppdaterade till UUID v4
  • RED→GREEN verifierat: alla 7 nya tester failade som förväntat före implementation
  • 39/39 tester gröna efter implementation
  • `npm run check:all` 4/4 gröna (typecheck, test:run, lint, check:swedish)

Out of scope

  • Pre-existing lint warning `deleteMessageAttachment defined but never used` i `attachments/route.ts:20` — orelaterad till denna slice, lyfts som watch
  • 3B.3 (services-bucket ownership) — väntar på scope-klargörande

@cola500 cola500 merged commit 9e6cb2a into staging May 18, 2026
4 checks passed
@cola500 cola500 deleted the feature/3b2-bookingid-uuid-validation branch May 18, 2026 18:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cola500