From 61d64d846a4f7b48cd8b241b4d1ca0852769bee4 Mon Sep 17 00:00:00 2001 From: Tiago Yamamoto Date: Sun, 22 Feb 2026 12:26:14 -0600 Subject: [PATCH] fix(jobs): enforce CreateJob validation and sanitize DB constraint errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add validateCreateJobRequest() checking required fields (companyId, title ≥5 chars, description ≥20 chars) and enum values (employmentType, workMode, status) before hitting the DB - Catch *pq.Error in handler: check_violation (23514) and foreign_key_violation (23503) now return 400; unique_violation (23505) returns 409; other DB errors return 500 without leaking raw pq messages - Fix test fixtures: description and companyId now meet validation requirements Co-Authored-By: Claude Sonnet 4.6 --- backend/internal/handlers/job_handler.go | 146 +++++++++++++----- backend/internal/handlers/job_handler_test.go | 7 +- 2 files changed, 109 insertions(+), 44 deletions(-) diff --git a/backend/internal/handlers/job_handler.go b/backend/internal/handlers/job_handler.go index 051371e..8f14914 100755 --- a/backend/internal/handlers/job_handler.go +++ b/backend/internal/handlers/job_handler.go @@ -2,10 +2,13 @@ package handlers import ( "encoding/json" + "errors" "fmt" "net/http" "strconv" + "strings" + "github.com/lib/pq" "github.com/rede5/gohorsejobs/backend/internal/api/middleware" "github.com/rede5/gohorsejobs/backend/internal/dto" "github.com/rede5/gohorsejobs/backend/internal/models" @@ -28,30 +31,30 @@ func NewJobHandler(service JobServiceInterface) *JobHandler { return &JobHandler{Service: service} } -// GetJobs godoc -// @Summary List all jobs -// @Description Get a paginated list of job postings with optional filters -// @Tags Jobs -// @Accept json -// @Produce json -// @Param page query int false "Page number (default: 1)" -// @Param limit query int false "Items per page (default: 10, max: 100)" -// @Param companyId query string false "Filter by company ID" -// @Param featured query bool false "Filter by featured status" -// @Param search query string false "Full-text search query" -// @Param s query string false "Search query (Careerjet-style)" -// @Param employmentType query string false "Filter by employment type" -// @Param workMode query string false "Filter by work mode (onsite, hybrid, remote)" -// @Param location query string false "Filter by location text" -// @Param l query string false "Location (Careerjet-style)" -// @Param salaryMin query number false "Minimum salary filter" -// @Param salaryMax query number false "Maximum salary filter" -// @Param datePosted query string false "Date posted filter (24h, 7d, 30d)" -// @Param sortBy query string false "Sort by: date, salary, relevance" -// @Param sortOrder query string false "Sort order: asc, desc" -// @Success 200 {object} dto.PaginatedResponse -// @Failure 500 {string} string "Internal Server Error" -// @Router /api/v1/jobs [get] +// GetJobs godoc +// @Summary List all jobs +// @Description Get a paginated list of job postings with optional filters +// @Tags Jobs +// @Accept json +// @Produce json +// @Param page query int false "Page number (default: 1)" +// @Param limit query int false "Items per page (default: 10, max: 100)" +// @Param companyId query string false "Filter by company ID" +// @Param featured query bool false "Filter by featured status" +// @Param search query string false "Full-text search query" +// @Param s query string false "Search query (Careerjet-style)" +// @Param employmentType query string false "Filter by employment type" +// @Param workMode query string false "Filter by work mode (onsite, hybrid, remote)" +// @Param location query string false "Filter by location text" +// @Param l query string false "Location (Careerjet-style)" +// @Param salaryMin query number false "Minimum salary filter" +// @Param salaryMax query number false "Maximum salary filter" +// @Param datePosted query string false "Date posted filter (24h, 7d, 30d)" +// @Param sortBy query string false "Sort by: date, salary, relevance" +// @Param sortOrder query string false "Sort order: asc, desc" +// @Success 200 {object} dto.PaginatedResponse +// @Failure 500 {string} string "Internal Server Error" +// @Router /api/v1/jobs [get] func (h *JobHandler) GetJobs(w http.ResponseWriter, r *http.Request) { page, _ := strconv.Atoi(r.URL.Query().Get("page")) limit, _ := strconv.Atoi(r.URL.Query().Get("limit")) @@ -77,16 +80,16 @@ func (h *JobHandler) GetJobs(w http.ResponseWriter, r *http.Request) { if location == "" { location = r.URL.Query().Get("l") // Careerjet-style alias (Where) } - salaryMinStr := r.URL.Query().Get("salaryMin") - salaryMaxStr := r.URL.Query().Get("salaryMax") - sortBy := r.URL.Query().Get("sortBy") - sortOrder := r.URL.Query().Get("sortOrder") - - // Date Posted filter (Careerjet-style: 24h, 7d, 30d) - datePosted := r.URL.Query().Get("datePosted") - if datePosted == "" { - datePosted = r.URL.Query().Get("date") // Alternative alias - } + salaryMinStr := r.URL.Query().Get("salaryMin") + salaryMaxStr := r.URL.Query().Get("salaryMax") + sortBy := r.URL.Query().Get("sortBy") + sortOrder := r.URL.Query().Get("sortOrder") + + // Date Posted filter (Careerjet-style: 24h, 7d, 30d) + datePosted := r.URL.Query().Get("datePosted") + if datePosted == "" { + datePosted = r.URL.Query().Get("date") // Alternative alias + } filter := dto.JobFilterQuery{ PaginationQuery: dto.PaginationQuery{ @@ -122,14 +125,14 @@ func (h *JobHandler) GetJobs(w http.ResponseWriter, r *http.Request) { filter.SalaryMin = &val } } - if salaryMaxStr != "" { - if val, err := strconv.ParseFloat(salaryMaxStr, 64); err == nil { - filter.SalaryMax = &val - } - } - if datePosted != "" { - filter.DatePosted = &datePosted - } + if salaryMaxStr != "" { + if val, err := strconv.ParseFloat(salaryMaxStr, 64); err == nil { + filter.SalaryMax = &val + } + } + if datePosted != "" { + filter.DatePosted = &datePosted + } jobs, total, err := h.Service.GetJobs(filter) if err != nil { @@ -179,6 +182,11 @@ func (h *JobHandler) CreateJob(w http.ResponseWriter, r *http.Request) { return } + if err := validateCreateJobRequest(&req); err != nil { + http.Error(w, err.Error(), http.StatusBadRequest) + return + } + fmt.Printf("[CREATE_JOB DEBUG] Request received: title=%s, companyId=%s, status=%s\n", req.Title, req.CompanyID, req.Status) fmt.Printf("[CREATE_JOB DEBUG] Full request: %+v\n", req) @@ -199,6 +207,20 @@ func (h *JobHandler) CreateJob(w http.ResponseWriter, r *http.Request) { job, err := h.Service.CreateJob(req, userID) if err != nil { fmt.Printf("[CREATE_JOB ERROR] Service.CreateJob failed: %v\n", err) + var pqErr *pq.Error + if errors.As(err, &pqErr) { + switch pqErr.Code { + case "23514": // check_violation + http.Error(w, fmt.Sprintf("invalid value: %s", pqErr.Constraint), http.StatusBadRequest) + case "23503": // foreign_key_violation + http.Error(w, "referenced resource not found", http.StatusBadRequest) + case "23505": // unique_violation + http.Error(w, "duplicate entry", http.StatusConflict) + default: + http.Error(w, "internal server error", http.StatusInternalServerError) + } + return + } http.Error(w, err.Error(), http.StatusInternalServerError) return } @@ -286,3 +308,43 @@ func (h *JobHandler) DeleteJob(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusNoContent) } + +var validEmploymentTypes = map[string]bool{ + "full-time": true, "part-time": true, "dispatch": true, "contract": true, + "temporary": true, "training": true, "voluntary": true, "permanent": true, +} + +var validWorkModes = map[string]bool{ + "onsite": true, "hybrid": true, "remote": true, +} + +var validJobStatuses = map[string]bool{ + "draft": true, "open": true, "closed": true, "review": true, + "published": true, "paused": true, "expired": true, "archived": true, "reported": true, +} + +func validateCreateJobRequest(req *dto.CreateJobRequest) error { + if strings.TrimSpace(req.CompanyID) == "" { + return fmt.Errorf("companyId is required") + } + title := strings.TrimSpace(req.Title) + if title == "" { + return fmt.Errorf("title is required") + } + if len(title) < 5 || len(title) > 255 { + return fmt.Errorf("title must be between 5 and 255 characters") + } + if len(strings.TrimSpace(req.Description)) < 20 { + return fmt.Errorf("description must be at least 20 characters") + } + if req.EmploymentType != nil && !validEmploymentTypes[*req.EmploymentType] { + return fmt.Errorf("invalid employmentType %q, must be one of: full-time, part-time, dispatch, contract, temporary, training, voluntary, permanent", *req.EmploymentType) + } + if req.WorkMode != nil && !validWorkModes[*req.WorkMode] { + return fmt.Errorf("invalid workMode %q, must be one of: onsite, hybrid, remote", *req.WorkMode) + } + if req.Status != "" && !validJobStatuses[req.Status] { + return fmt.Errorf("invalid status %q", req.Status) + } + return nil +} diff --git a/backend/internal/handlers/job_handler_test.go b/backend/internal/handlers/job_handler_test.go index edad2bd..f78e62b 100644 --- a/backend/internal/handlers/job_handler_test.go +++ b/backend/internal/handlers/job_handler_test.go @@ -135,7 +135,7 @@ func TestCreateJob_Success(t *testing.T) { jobReq := dto.CreateJobRequest{ CompanyID: "1", Title: "Backend Developer", - Description: "Build awesome APIs", + Description: "Build awesome APIs for the platform", Status: "open", WorkMode: func() *string { s := "remote"; return &s }(), } @@ -173,7 +173,10 @@ func TestCreateJob_ServiceError(t *testing.T) { handler := NewJobHandler(mockService) jobReq := dto.CreateJobRequest{ - Title: "Failing Job", + CompanyID: "company-1", + Title: "Failing Job Title", + Description: "This description is long enough to pass validation", + Status: "open", } body, _ := json.Marshal(jobReq)