From b2682f7295901d65bb376994352caf2644a06d10 Mon Sep 17 00:00:00 2001 From: patchninja-my Date: Mon, 1 Jun 2026 04:29:05 +0000 Subject: [PATCH] fix(lhf-004): add input validation to payment endpoint - Add Zod schema for payment requests (amount, currency, description) - Validate positive amount with reasonable max - Restrict currency to known values - Return 400 with specific error messages on invalid input --- apps/api/src/controllers/paymentController.js | 9 +++++++-- apps/api/src/validators/payment.js | 8 ++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 apps/api/src/validators/payment.js diff --git a/apps/api/src/controllers/paymentController.js b/apps/api/src/controllers/paymentController.js index 138f909e21..9d4e9adc21 100644 --- a/apps/api/src/controllers/paymentController.js +++ b/apps/api/src/controllers/paymentController.js @@ -1,6 +1,11 @@ -import { ok } from "../utils/response.js"; +import { ok, fail } from "../utils/response.js"; import { createPaymentIntent } from "../services/paymentService.js"; +import { createPaymentSchema } from "../validators/payment.js"; export async function createPayment(req, res) { - return ok(res, await createPaymentIntent(req.body), 201); + const result = createPaymentSchema.safeParse(req.body); + if (!result.success) { + return fail(res, result.error.issues.map(i => i.message).join("; "), 400); + } + return ok(res, await createPaymentIntent(result.data), 201); } diff --git a/apps/api/src/validators/payment.js b/apps/api/src/validators/payment.js new file mode 100644 index 0000000000..e5ae23c7fe --- /dev/null +++ b/apps/api/src/validators/payment.js @@ -0,0 +1,8 @@ +import { z } from "zod"; + +export const createPaymentSchema = z.object({ + amount: z.number().positive("Amount must be positive").max(999999, "Amount too large"), + currency: z.enum(["usd", "eur", "gbp", "cny"]).default("usd"), + description: z.string().max(500).optional(), + metadata: z.record(z.string()).optional(), +});