refactor: implement Zod validation for opportunityMatches query

idoshamun · idoshamun · commit 10c3211ca98f · 2025-12-09T12:31:42.000+02:00
diff --git a/__tests__/schema/opportunity.ts b/__tests__/schema/opportunity.ts
@@ -1128,7 +1128,7 @@ describe('query opportunityMatches', () => {
   it('should reject invalid status values', async () => {
     loggedUser = '1';
 
-    // 'pending' is not an allowed status for this query - validation happens at GraphQL level
+    // 'pending' is not an allowed status for this query
     await testQueryErrorCode(
       client,
       {
@@ -1139,7 +1139,7 @@ describe('query opportunityMatches', () => {
           first: 10,
         },
       },
-      'GRAPHQL_VALIDATION_FAILED',
+      'ZOD_VALIDATION_ERROR',
     );
   });
 
diff --git a/src/common/schema/opportunities.ts b/src/common/schema/opportunities.ts
@@ -3,6 +3,7 @@ import z from 'zod';
 import { organizationLinksSchema } from './organizations';
 import { fileUploadSchema, urlParseSchema } from './common';
 import { parseBigInt } from '../utils';
+import { OpportunityMatchStatus } from '../../entity/opportunities/types';
 
 export const opportunityMatchDescriptionSchema = z.object({
   reasoning: z.string(),
@@ -255,3 +256,16 @@ export const createSharedSlackChannelSchema = z.object({
       'Channel name can only contain lowercase letters, numbers, hyphens, and underscores',
     ),
 });
+
+export const opportunityMatchesQuerySchema = z.object({
+  opportunityId: z.string(),
+  status: z
+    .enum([
+      OpportunityMatchStatus.CandidateAccepted,
+      OpportunityMatchStatus.RecruiterAccepted,
+      OpportunityMatchStatus.RecruiterRejected,
+    ])
+    .optional(),
+  after: z.string().optional(),
+  first: z.number().optional(),
+});
diff --git a/src/schema/opportunity.ts b/src/schema/opportunity.ts
@@ -65,6 +65,7 @@ import {
   opportunityUpdateStateSchema,
   createSharedSlackChannelSchema,
   parseOpportunitySchema,
+  opportunityMatchesQuerySchema,
 } from '../common/schema/opportunities';
 import { OpportunityKeyword } from '../entity/OpportunityKeyword';
 import {
@@ -1070,31 +1071,26 @@ export const resolvers: IResolvers<unknown, BaseContext> = traceResolvers<
         throw new NotFoundError('Not found!');
       }
 
-      // Allowed statuses for this query
-      const allowedStatuses = [
-        OpportunityMatchStatus.CandidateAccepted,
-        OpportunityMatchStatus.RecruiterAccepted,
-        OpportunityMatchStatus.RecruiterRejected,
-      ];
-
-      // Validate status if provided
-      if (args.status && !allowedStatuses.includes(args.status)) {
-        throw new ValidationError(
-          `Invalid status. Allowed values: ${allowedStatuses.join(', ')}`,
-        );
-      }
+      // Validate and parse args using Zod schema
+      const validatedArgs = opportunityMatchesQuerySchema.parse(args);
 
       // First verify the user has access to this opportunity
       await ensureOpportunityPermissions({
         con: ctx.con.manager,
         userId: ctx.userId,
-        opportunityId: args.opportunityId,
+        opportunityId: validatedArgs.opportunityId,
         permission: OpportunityPermissions.UpdateState,
         isTeamMember: ctx.isTeamMember,
       });
 
       // If status is provided, filter by that status; otherwise use all allowed statuses
-      const statusesToFilter = args.status ? [args.status] : allowedStatuses;
+      const statusesToFilter = validatedArgs.status
+        ? [validatedArgs.status]
+        : [
+            OpportunityMatchStatus.CandidateAccepted,
+            OpportunityMatchStatus.RecruiterAccepted,
+            OpportunityMatchStatus.RecruiterRejected,
+          ];
 
       const [connection, totalCount] = await Promise.all([
         queryPaginatedByDate<GQLOpportunityMatch, 'updatedAt', typeof args>(
@@ -1105,7 +1101,7 @@ export const resolvers: IResolvers<unknown, BaseContext> = traceResolvers<
           {
             queryBuilder: (builder) => {
               builder.queryBuilder
-                .where({ opportunityId: args.opportunityId })
+                .where({ opportunityId: validatedArgs.opportunityId })
                 .andWhere(`${builder.alias}.status IN (:...statuses)`, {
                   statuses: statusesToFilter,
                 })
@@ -1130,7 +1126,7 @@ export const resolvers: IResolvers<unknown, BaseContext> = traceResolvers<
         queryReadReplica(ctx.con, ({ queryRunner }) =>
           queryRunner.manager.getRepository(OpportunityMatch).count({
             where: {
-              opportunityId: args.opportunityId,
+              opportunityId: validatedArgs.opportunityId,
               status: In(statusesToFilter),
             },
           }),
