rede5/gohorsejobs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(jobs): enforce CreateJob validation and sanitize DB constraint errors

Browse source 
- Add validateCreateJobRequest() checking required fields (companyId,
  title ≥5 chars, description ≥20 chars) and enum values
  (employmentType, workMode, status) before hitting the DB
- Catch *pq.Error in handler: check_violation (23514) and
  foreign_key_violation (23503) now return 400; unique_violation (23505)
  returns 409; other DB errors return 500 without leaking raw pq messages
- Fix test fixtures: description and companyId now meet validation
  requirements

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Tiago Yamamoto 2026-02-22 12:26:14 -06:00
parent 89358acc13
commit 61d64d846a
2 changed files with 109 additions and 44 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

62
backend/internal/handlers/job_handler.go
View file

@ -2,10 +2,13 @@ package handlers
import ( import (
"encoding/json" "encoding/json"
"errors"
"fmt" "fmt"
"net/http" "net/http"
"strconv" "strconv"
"strings"
"github.com/lib/pq"
"github.com/rede5/gohorsejobs/backend/internal/api/middleware" "github.com/rede5/gohorsejobs/backend/internal/api/middleware"
"github.com/rede5/gohorsejobs/backend/internal/dto" "github.com/rede5/gohorsejobs/backend/internal/dto"
"github.com/rede5/gohorsejobs/backend/internal/models" "github.com/rede5/gohorsejobs/backend/internal/models"
@ -179,6 +182,11 @@ func (h *JobHandler) CreateJob(w http.ResponseWriter, r *http.Request) {
return return
} }
if err := validateCreateJobRequest(&req); err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
fmt.Printf("[CREATE_JOB DEBUG] Request received: title=%s, companyId=%s, status=%s\n", req.Title, req.CompanyID, req.Status) fmt.Printf("[CREATE_JOB DEBUG] Request received: title=%s, companyId=%s, status=%s\n", req.Title, req.CompanyID, req.Status)
fmt.Printf("[CREATE_JOB DEBUG] Full request: %+v\n", req) fmt.Printf("[CREATE_JOB DEBUG] Full request: %+v\n", req)
@ -199,6 +207,20 @@ func (h *JobHandler) CreateJob(w http.ResponseWriter, r *http.Request) {
job, err := h.Service.CreateJob(req, userID) job, err := h.Service.CreateJob(req, userID)
if err != nil { if err != nil {
fmt.Printf("[CREATE_JOB ERROR] Service.CreateJob failed: %v\n", err) fmt.Printf("[CREATE_JOB ERROR] Service.CreateJob failed: %v\n", err)
var pqErr *pq.Error
if errors.As(err, &pqErr) {
switch pqErr.Code {
case "23514": // check_violation
http.Error(w, fmt.Sprintf("invalid value: %s", pqErr.Constraint), http.StatusBadRequest)
case "23503": // foreign_key_violation
http.Error(w, "referenced resource not found", http.StatusBadRequest)
case "23505": // unique_violation
http.Error(w, "duplicate entry", http.StatusConflict)
default:
http.Error(w, "internal server error", http.StatusInternalServerError)
}
return
}
http.Error(w, err.Error(), http.StatusInternalServerError) http.Error(w, err.Error(), http.StatusInternalServerError)
return return
} }
@ -286,3 +308,43 @@ func (h *JobHandler) DeleteJob(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusNoContent) w.WriteHeader(http.StatusNoContent)
} }
var validEmploymentTypes = map[string]bool{
"full-time": true, "part-time": true, "dispatch": true, "contract": true,
"temporary": true, "training": true, "voluntary": true, "permanent": true,
}
var validWorkModes = map[string]bool{
"onsite": true, "hybrid": true, "remote": true,
}
var validJobStatuses = map[string]bool{
"draft": true, "open": true, "closed": true, "review": true,
"published": true, "paused": true, "expired": true, "archived": true, "reported": true,
}
func validateCreateJobRequest(req *dto.CreateJobRequest) error {
if strings.TrimSpace(req.CompanyID) == "" {
return fmt.Errorf("companyId is required")
}
title := strings.TrimSpace(req.Title)
if title == "" {
return fmt.Errorf("title is required")
}
if len(title) < 5 || len(title) > 255 {
return fmt.Errorf("title must be between 5 and 255 characters")
}
if len(strings.TrimSpace(req.Description)) < 20 {
return fmt.Errorf("description must be at least 20 characters")
}
if req.EmploymentType != nil && !validEmploymentTypes[*req.EmploymentType] {
return fmt.Errorf("invalid employmentType %q, must be one of: full-time, part-time, dispatch, contract, temporary, training, voluntary, permanent", *req.EmploymentType)
}
if req.WorkMode != nil && !validWorkModes[*req.WorkMode] {
return fmt.Errorf("invalid workMode %q, must be one of: onsite, hybrid, remote", *req.WorkMode)
}
if req.Status != "" && !validJobStatuses[req.Status] {
return fmt.Errorf("invalid status %q", req.Status)
}
return nil
}

7
backend/internal/handlers/job_handler_test.go
View file

@ -135,7 +135,7 @@ func TestCreateJob_Success(t *testing.T) {
jobReq := dto.CreateJobRequest{ jobReq := dto.CreateJobRequest{
CompanyID: "1", CompanyID: "1",
Title: "Backend Developer", Title: "Backend Developer",
Description: "Build awesome APIs", Description: "Build awesome APIs for the platform",
Status: "open", Status: "open",
WorkMode: func() *string { s := "remote"; return &s }(), WorkMode: func() *string { s := "remote"; return &s }(),
} }
@ -173,7 +173,10 @@ func TestCreateJob_ServiceError(t *testing.T) {
handler := NewJobHandler(mockService) handler := NewJobHandler(mockService)
jobReq := dto.CreateJobRequest{ jobReq := dto.CreateJobRequest{
Title: "Failing Job", CompanyID: "company-1",
Title: "Failing Job Title",
Description: "This description is long enough to pass validation",
Status: "open",
} }
body, _ := json.Marshal(jobReq) body, _ := json.Marshal(jobReq)