fix(validation): address Copilot review comments

PierreBrisorgueil · PierreBrisorgueil · commit cf3a66d46fc0 · 2026-02-21T12:26:09.000+01:00
- model.js: fix typo firstname → firstName in checkError sanitizer so
  profile-update errors are correctly redacted
- user.schema.js: build min-size error message from config.zxcvbn.minSize
  instead of hardcoding 8, keeping message and config in sync
- users.routes.js: PUT /api/users now validates with UserUpdate (partial)
  instead of the full User schema, consistent with MIGRATIONS.md guidance
diff --git a/lib/middlewares/model.js b/lib/middlewares/model.js
@@ -39,9 +39,9 @@ const getResultFromZod = (body, schema) => {
  */
 const checkError = (result) => {
   if (result && result.error) {
-    if (result.error.original && (result.error.original.password || result.error.original.firstname))
+    if (result.error.original && (result.error.original.password || result.error.original.firstName))
       result.error.original = _.pick(result.error.original, config.whitelists.users.default);
-    if (result.error._original && (result.error._original.password || result.error._original.firstname))
+    if (result.error._original && (result.error._original.password || result.error._original.firstName))
       result.error._original = _.pick(result.error._original, config.whitelists.users.default);
     let description = '';
     result.error.details.forEach((err) => {
diff --git a/modules/users/models/user.schema.js b/modules/users/models/user.schema.js
@@ -30,7 +30,7 @@ const User = z.object({
       if (val === '') return; // allow empty (OAuth users / no password set)
       zodHelpers.passwordRefinement(val, ctx);
       if (val.length < config.zxcvbn.minSize) {
-        ctx.addIssue({ code: z.ZodIssueCode.custom, message: 'Password length must be at least 8 characters long' });
+        ctx.addIssue({ code: z.ZodIssueCode.custom, message: `Password length must be at least ${config.zxcvbn.minSize} characters long` });
       }
     }),
   resetPasswordToken: z.string().nullable().optional(),
diff --git a/modules/users/routes/users.routes.js b/modules/users/routes/users.routes.js
@@ -28,7 +28,7 @@ export default (app) => {
   app
     .route('/api/users')
     .all(passport.authenticate('jwt', { session: false }), policy.isAllowed)
-    .put(model.isValid(usersSchema.User), users.update)
+    .put(model.isValid(usersSchema.UserUpdate), users.update)
     .delete(users.remove);
 
   app.route('/api/users/password').post(passport.authenticate('jwt', { session: false }), policy.isAllowed, authPassword.updatePassword);

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ const User = z.object({`
`30`	`30`	`if (val === '') return; // allow empty (OAuth users / no password set)`
`31`	`31`	`zodHelpers.passwordRefinement(val, ctx);`
`32`	`32`	`if (val.length < config.zxcvbn.minSize) {`
`33`		`- ctx.addIssue({ code: z.ZodIssueCode.custom, message: 'Password length must be at least 8 characters long' });`
	`33`	+ ctx.addIssue({ code: z.ZodIssueCode.custom, message: `Password length must be at least ${config.zxcvbn.minSize} characters long` });
`34`	`34`	`}`
`35`	`35`	`}),`
`36`	`36`	`resetPasswordToken: z.string().nullable().optional(),`