Skip to content

fix(j0di3): Validate troopId format before proxying#1166

Open
jeromehardaway wants to merge 2 commits into
masterfrom
fix/1066-validate-troopid
Open

fix(j0di3): Validate troopId format before proxying#1166
jeromehardaway wants to merge 2 commits into
masterfrom
fix/1066-validate-troopid

Conversation

@jeromehardaway

Copy link
Copy Markdown
Contributor

Problem

src/lib/j0di3-proxy.ts only checked if (!troopId) before injecting the troop ID into upstream J0dI3 requests. A malformed troopId (stale session, botched migration) reached the external J0dI3 API and surfaced to users as an unhelpful 4xx/5xx.

Solution

  • Established the real format from evidence: ensure-troop.ts stores data.id from the J0dI3 registration response, and prisma/schema.prisma annotates User.troopId as "J0dI3 troop UUID". No evidence pins the version to v4, so the proxy validates against a generic UUID pattern (8-4-4-4-12 hex, any version) rather than over-restricting.
  • On invalid format, dispatch returns 400 {"error": "Invalid troop profile. Please sign out and sign back in."} before any upstream call.
  • The rejected value is logged redacted via console.warn (first 4 chars + length, never the full value) so the origin can be investigated.
  • Tests: valid UUID passes through to the upstream client (existing pass-through tests now use a real UUID fixture); malformed ID returns 400 without calling the upstream client; the log line contains the redacted prefix and length but never the full value.

The second commit fixes pre-existing typecheck and Biome errors in the j0di3 route tests (unused imports, property assignment onto a Mock, banned Function type in mock signatures) that failed verification on the master baseline. No test behavior changes.

Verification

  • npm run typecheck — pass
  • npm run lint — j0di3 area clean; 19 pre-existing errors remain in unrelated files (components, containers, scripts, pages) that also fail on master and are out of scope here
  • npm test — 41 files, 386 tests passed
  • npm run build — pass

Closes #1066

A malformed troopId (stale session, botched migration) previously
reached the external J0dI3 API and surfaced as an unhelpful 4xx/5xx.
The proxy now rejects non-UUID troopIds with a 400 and a
user-actionable message before any upstream call, logging the
rejected value redacted (first 4 chars + length) so the origin can
be investigated.

Troop IDs are UUIDs per the registration response stored by
ensure-troop and the schema annotation on User.troopId. The pattern
accepts any UUID version rather than over-restricting to v4.
npm run typecheck and the staged-file Biome hook failed on master in
the j0di3 route tests: unused imports flagged by noUnusedLocals,
property assignment onto a Mock type, and the banned Function type in
proxy mock signatures. Fixed minimally so verification passes; no
test behavior changes.
@vercel

vercel Bot commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
vets-who-code-app Ready Ready Preview, Comment Jun 11, 2026 4:49pm

Request Review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Validate J0dI3 troopId format before proxying requests

1 participant