refactor(utm): simplify UTM parameter handling by removing sanitization and directly validating parameters

Dobrunia · Dobrunia · commit e67f815c1432 · 2025-08-13T19:50:14.000+03:00
diff --git a/src/models/usersFactory.ts b/src/models/usersFactory.ts
@@ -76,12 +76,9 @@ export default class UsersFactory extends AbstractModelFactory<UserDBScheme, Use
       email,
       password: hashedPassword,
       notifications: UserModel.generateDefaultNotificationsSettings(email),
+      utm: utm,
     };
 
-    if (utm && Object.keys(utm).length > 0) {
-      userData.utm = utm;
-    }
-
     const userId = (await this.collection.insertOne(userData)).insertedId;
 
     const user = new UserModel({
diff --git a/src/resolvers/user.ts b/src/resolvers/user.ts
@@ -11,8 +11,7 @@ import { dateFromObjectId } from '../utils/dates';
 import { UserDBScheme } from '@hawk.so/types';
 import * as telegram from '../utils/telegram';
 import { MongoError } from 'mongodb';
-import { validateUtmParams, sanitizeUtmParams } from '../utils/utm/utm';
-import HawkCatcher from '@hawk.so/nodejs';
+import { validateUtmParams } from '../utils/utm/utm';
 
 /**
  * See all types and fields here {@see ../typeDefs/user.graphql}
@@ -47,36 +46,13 @@ export default {
       { email, utm }: { email: string; utm?: UserDBScheme['utm'] },
       { factories }: ResolverContextBase
     ): Promise<boolean | string> {
-      // Validate and sanitize UTM parameters
-      let sanitizedUtm;
-      if (utm) {
-        const validationResult = validateUtmParams(utm);
-
-        // Always try to sanitize valid keys (if any)
-        if (validationResult.validKeys.length > 0) {
-          sanitizedUtm = sanitizeUtmParams(utm, validationResult);
-        }
 
-        // Log invalid keys for monitoring (if any)
-        if (validationResult.invalidKeys.length > 0) {
-          const errorMessage =
-            validationResult.validKeys.length > 0
-              ? 'Some UTM parameters are invalid'
-              : 'All UTM parameters are invalid';
-
-          HawkCatcher.send(new Error(errorMessage), {
-            email,
-            utm,
-            invalidKeys: JSON.stringify(validationResult.invalidKeys),
-            validKeys: JSON.stringify(validationResult.validKeys),
-          });
-        }
-      }
+      const validatedUtm = validateUtmParams(utm);
 
       let user;
 
       try {
-        user = await factories.usersFactory.create(email, undefined, sanitizedUtm);
+        user = await factories.usersFactory.create(email, undefined, validatedUtm);
 
         const password = user.generatedPassword!;
 
diff --git a/src/utils/utm/utm.ts b/src/utils/utm/utm.ts
@@ -1,5 +1,3 @@
-import { UserDBScheme } from '@hawk.so/types';
-
 /**
  * Valid UTM parameter keys
  */
@@ -11,131 +9,44 @@ const VALID_UTM_KEYS = ['source', 'medium', 'campaign', 'content', 'term'];
  */
 const VALID_UTM_CHARACTERS = /^[a-zA-Z0-9\s\-_.]+$/;
 
-/**
- * Regular expression for invalid UTM characters (inverse of VALID_UTM_CHARACTERS)
- * Used for cleaning/sanitizing values
- */
-const INVALID_UTM_CHARACTERS = /[^a-zA-Z0-9\s\-_.]/g;
-
 /**
  * Maximum allowed length for UTM parameter values
  */
-const MAX_UTM_VALUE_LENGTH = 200;
+const MAX_UTM_VALUE_LENGTH = 50;
 
 /**
- * Validates UTM parameters per key
- * @param utm - Data form where user went to sign up. Used for analytics purposes
- * @returns object with validation results per key and overall validity
+ * Validates and filters UTM parameters
+ * @param {Object} utm - UTM parameters to validate
+ * @returns {Object} - filtered valid UTM parameters
  */
-export function validateUtmParams(utm: UserDBScheme['utm']): {
-  isValid: boolean;
-  validKeys: string[];
-  invalidKeys: string[];
-} {
-  if (!utm) {
-    return {
-      isValid: true,
-      validKeys: [],
-      invalidKeys: [],
-    };
-  }
-
-  // Check if utm is an object
-  if (typeof utm !== 'object' || Array.isArray(utm)) {
-    return {
-      isValid: false,
-      validKeys: [],
-      invalidKeys: [ '_structure' ],
-    };
-  }
-
-  const providedKeys = Object.keys(utm);
-
-  // Check if utm object is not empty
-  if (providedKeys.length === 0) {
-    return {
-      isValid: true,
-      validKeys: [],
-      invalidKeys: [],
-    };
+export function validateUtmParams(utm: any): Record<string, string> {
+  if (!utm || typeof utm !== 'object' || Array.isArray(utm)) {
+    return {};
   }
 
-  const validKeys: string[] = [];
-  const invalidKeys: string[] = [];
+  const result: Record<string, string> = {};
 
   for (const [key, value] of Object.entries(utm)) {
-    // Check if key is valid UTM key
+    // 1) Remove keys that are not VALID_UTM_KEYS
     if (!VALID_UTM_KEYS.includes(key)) {
-      invalidKeys.push(key);
       continue;
     }
 
-    // Check if value is valid
-    if (value !== undefined && value !== null) {
-      if (typeof value !== 'string') {
-        invalidKeys.push(key);
-        continue;
-      }
-
-      // Check length
-      if (value.length === 0 || value.length > MAX_UTM_VALUE_LENGTH) {
-        invalidKeys.push(key);
-        continue;
-      }
-
-      // Check for valid characters
-      if (!VALID_UTM_CHARACTERS.test(value)) {
-        invalidKeys.push(key);
-        continue;
-      }
+    // 2) Check each condition separately
+    if (!value || typeof value !== 'string') {
+      continue;
     }
 
-    validKeys.push(key);
-  }
-
-  return {
-    isValid: invalidKeys.length === 0,
-    validKeys,
-    invalidKeys,
-  };
-}
-
-/**
- * Sanitizes UTM parameters by keeping only valid keys and cleaning values
- * @param utm - Data form where user went to sign up. Used for analytics purposes
- * @param validationResult - Optional validation result to use valid keys from
- * @returns sanitized UTM parameters or undefined if no valid data
- */
-export function sanitizeUtmParams(
-  utm: UserDBScheme['utm'],
-  validationResult?: { validKeys: string[]; invalidKeys: string[] }
-): UserDBScheme['utm'] {
-  if (!utm) {
-    return undefined;
-  }
-
-  const sanitized: UserDBScheme['utm'] = {};
-
-  // Use validation result if provided, otherwise validate inline
-  const keysToProcess = validationResult
-    ? validationResult.validKeys
-    : Object.keys(utm).filter((key) => VALID_UTM_KEYS.includes(key));
-
-  for (const key of keysToProcess) {
-    const value = (utm as any)[key];
-
-    if (value && typeof value === 'string') {
-      // Sanitize value: keep only allowed characters and limit length
-      const cleanValue = value
-        .replace(INVALID_UTM_CHARACTERS, '')
-        .trim()
-        .substring(0, MAX_UTM_VALUE_LENGTH);
+    if (value.length === 0 || value.length > MAX_UTM_VALUE_LENGTH) {
+      continue;
+    }
 
-      if (cleanValue.length > 0) {
-        (sanitized as any)[key] = cleanValue;
-      }
+    if (!VALID_UTM_CHARACTERS.test(value)) {
+      continue;
     }
+
+    result[key] = value;
   }
 
-  return Object.keys(sanitized).length > 0 ? sanitized : undefined;
+  return result;
 }
diff --git a/test/utils/utm.test.ts b/test/utils/utm.test.ts
