fix: gracefully handle undefined req.body

When non-JSON content types are sent, express.json() does not parse the body, resulting in `req.body` being undefined. Trying to destructure properties directly from it causes a TypeError and crashes the server with a 500 error.

Added a fallback (`|| {}`) during destructuring to handle this case cleanly and return a 400 Bad Request instead. Also added tests to ensure this robustness.

Co-authored-by: shenald-dev <245350826+shenald-dev@users.noreply.github.com>

Author: google-labs-jules[bot]

.jules/bolt.md

@@ -27,4 +27,11 @@ Learning:
 The generic error handler in the API was returning a 500 status code but was not covered by any automated tests, leaving a gap in coverage for unexpected server-side failures.
 
 Action:
-Added a test case in `tests/api.test.js` that intentionally mocks a failure in an internal dependency (`crypto.randomUUID`) to trigger the generic error handler. The test asserts that the handler returns a 500 status code and a sanitized JSON response (`{ error: 'Internal server error' }`) without leaking stack traces. Additionally, `console.error` was temporarily suppressed during the test to keep test output clean.
+Added a test case in `tests/api.test.js` that intentionally mocks a failure in an internal dependency (`crypto.randomUUID`) to trigger the generic error handler. The test asserts that the handler returns a 500 status code and a sanitized JSON response (`{ error: 'Internal server error' }`) without leaking stack traces. Additionally, `console.error` was temporarily suppressed during the test to keep test output clean.
+## 2026-03-21 — Prevent 500 Error Crash from Undefined req.body
+
+Learning:
+In Express, when a POST request is sent with a non-JSON `Content-Type` (like `text/plain`), the `express.json()` middleware does not parse the body, resulting in `req.body` being `undefined`. Destructuring properties directly from `req.body` (e.g., `const { model, messages } = req.body;`) without a fallback will throw a `TypeError`, leading to an unhandled 500 Internal Server Error.
+
+Action:
+Modified the `/v1/chat/completions` endpoint to safely destructure using a fallback (`const { model, messages } = req.body || {};`). This ensures the endpoint gracefully catches missing parameters and correctly returns a `400 Bad Request` instead of crashing. Added a test in `tests/api_robustness.test.js` to prevent regressions.

package.json

@@ -6,7 +6,7 @@
   "scripts": {
     "start": "node src/index.js --server",
     "dev": "nodemon src/index.js --server",
-    "test": "node tests/test.js && node tests/api.test.js",
+    "test": "node tests/test.js && node tests/api.test.js && node tests/api_robustness.test.js && node tests/heavy_computation.test.js",
     "benchmark": "node benchmarks/run.js",
     "docker:build": "docker build -t shenald/one-api .",
     "docker:run": "docker run -p 3000:3000 shenald/one-api"

src/index.js

@@ -32,7 +32,7 @@ app.use((err, req, res, next) => {
 
 // API endpoints
 app.post('/v1/chat/completions', (req, res) => {
-  const { model, messages } = req.body;
+  const { model, messages } = req.body || {};
   if (!model || !messages) {
     return res.status(400).json({ error: 'Missing model or messages' });
   }

tests/api_robustness.test.js

@@ -0,0 +1,14 @@
+const { test } = require('node:test');
+const assert = require('node:assert');
+const request = require('supertest');
+const { app } = require('../src/index.js');
+
+test('POST /v1/chat/completions handles undefined req.body (e.g. non-JSON content-type)', async () => {
+  const res = await request(app)
+    .post('/v1/chat/completions')
+    .set('Content-Type', 'text/plain')
+    .send('some text');
+
+  assert.strictEqual(res.status, 400);
+  assert.strictEqual(res.body.error, 'Missing model or messages');
+});