fix(jobs): enforce CreateJob validation and sanitize DB constraint errors

- Add validateCreateJobRequest() checking required fields (companyId, title ≥5 chars, description ≥20 chars) and enum values (employmentType, workMode, status) before hitting the DB - Catch *pq.Error in handler: check_violation (23514) and foreign_key_violation (23503) now return 400; unique_violation (23505) returns 409; other DB errors return 500 without leaking raw pq messages - Fix test fixtures: description and companyId now meet validation requirements Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 12:26:14 -06:00 · 2026-02-22 12:26:14 -06:00 · 61d64d846a
commit 61d64d846a
parent 89358acc13
2 changed files with 109 additions and 44 deletions
--- a/backend/internal/handlers/job_handler.go
+++ b/backend/internal/handlers/job_handler.go
@ -2,10 +2,13 @@ package handlers

 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"strconv"
+	"strings"

+	"github.com/lib/pq"
 	"github.com/rede5/gohorsejobs/backend/internal/api/middleware"
 	"github.com/rede5/gohorsejobs/backend/internal/dto"
 	"github.com/rede5/gohorsejobs/backend/internal/models"
@ -28,30 +31,30 @@ func NewJobHandler(service JobServiceInterface) *JobHandler {
 	return &JobHandler{Service: service}
 }

-// GetJobs godoc
-// @Summary      List all jobs
-// @Description  Get a paginated list of job postings with optional filters
-// @Tags         Jobs
-// @Accept       json
-// @Produce      json
-// @Param        page          query    int      false  "Page number (default: 1)"
-// @Param        limit         query    int      false  "Items per page (default: 10, max: 100)"
-// @Param        companyId     query    string   false  "Filter by company ID"
-// @Param        featured      query    bool     false  "Filter by featured status"
-// @Param        search        query    string   false  "Full-text search query"
-// @Param        s             query    string   false  "Search query (Careerjet-style)"
-// @Param        employmentType query   string   false  "Filter by employment type"
-// @Param        workMode      query    string   false  "Filter by work mode (onsite, hybrid, remote)"
-// @Param        location      query    string   false  "Filter by location text"
-// @Param        l             query    string   false  "Location (Careerjet-style)"
-// @Param        salaryMin     query    number   false  "Minimum salary filter"
-// @Param        salaryMax     query    number   false  "Maximum salary filter"
-// @Param        datePosted    query    string   false  "Date posted filter (24h, 7d, 30d)"
-// @Param        sortBy        query    string   false  "Sort by: date, salary, relevance"
-// @Param        sortOrder     query    string   false  "Sort order: asc, desc"
-// @Success      200  {object}  dto.PaginatedResponse
-// @Failure      500  {string}  string  "Internal Server Error"
-// @Router       /api/v1/jobs [get]
+// GetJobs godoc
+// @Summary      List all jobs
+// @Description  Get a paginated list of job postings with optional filters
+// @Tags         Jobs
+// @Accept       json
+// @Produce      json
+// @Param        page          query    int      false  "Page number (default: 1)"
+// @Param        limit         query    int      false  "Items per page (default: 10, max: 100)"
+// @Param        companyId     query    string   false  "Filter by company ID"
+// @Param        featured      query    bool     false  "Filter by featured status"
+// @Param        search        query    string   false  "Full-text search query"
+// @Param        s             query    string   false  "Search query (Careerjet-style)"
+// @Param        employmentType query   string   false  "Filter by employment type"
+// @Param        workMode      query    string   false  "Filter by work mode (onsite, hybrid, remote)"
+// @Param        location      query    string   false  "Filter by location text"
+// @Param        l             query    string   false  "Location (Careerjet-style)"
+// @Param        salaryMin     query    number   false  "Minimum salary filter"
+// @Param        salaryMax     query    number   false  "Maximum salary filter"
+// @Param        datePosted    query    string   false  "Date posted filter (24h, 7d, 30d)"
+// @Param        sortBy        query    string   false  "Sort by: date, salary, relevance"
+// @Param        sortOrder     query    string   false  "Sort order: asc, desc"
+// @Success      200  {object}  dto.PaginatedResponse
+// @Failure      500  {string}  string  "Internal Server Error"
+// @Router       /api/v1/jobs [get]
 func (h *JobHandler) GetJobs(w http.ResponseWriter, r *http.Request) {
 	page, _ := strconv.Atoi(r.URL.Query().Get("page"))
 	limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))
@ -77,16 +80,16 @@ func (h *JobHandler) GetJobs(w http.ResponseWriter, r *http.Request) {
 	if location == "" {
 		location = r.URL.Query().Get("l") // Careerjet-style alias (Where)
 	}
-	salaryMinStr := r.URL.Query().Get("salaryMin")
-	salaryMaxStr := r.URL.Query().Get("salaryMax")
-	sortBy := r.URL.Query().Get("sortBy")
-	sortOrder := r.URL.Query().Get("sortOrder")
-
-	// Date Posted filter (Careerjet-style: 24h, 7d, 30d)
-	datePosted := r.URL.Query().Get("datePosted")
-	if datePosted == "" {
-		datePosted = r.URL.Query().Get("date") // Alternative alias
-	}
+	salaryMinStr := r.URL.Query().Get("salaryMin")
+	salaryMaxStr := r.URL.Query().Get("salaryMax")
+	sortBy := r.URL.Query().Get("sortBy")
+	sortOrder := r.URL.Query().Get("sortOrder")
+
+	// Date Posted filter (Careerjet-style: 24h, 7d, 30d)
+	datePosted := r.URL.Query().Get("datePosted")
+	if datePosted == "" {
+		datePosted = r.URL.Query().Get("date") // Alternative alias
+	}

 	filter := dto.JobFilterQuery{
 		PaginationQuery: dto.PaginationQuery{
@ -122,14 +125,14 @@ func (h *JobHandler) GetJobs(w http.ResponseWriter, r *http.Request) {
 			filter.SalaryMin = &val
 		}
 	}
-	if salaryMaxStr != "" {
-		if val, err := strconv.ParseFloat(salaryMaxStr, 64); err == nil {
-			filter.SalaryMax = &val
-		}
-	}
-	if datePosted != "" {
-		filter.DatePosted = &datePosted
-	}
+	if salaryMaxStr != "" {
+		if val, err := strconv.ParseFloat(salaryMaxStr, 64); err == nil {
+			filter.SalaryMax = &val
+		}
+	}
+	if datePosted != "" {
+		filter.DatePosted = &datePosted
+	}

 	jobs, total, err := h.Service.GetJobs(filter)
 	if err != nil {
@ -179,6 +182,11 @@ func (h *JobHandler) CreateJob(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	if err := validateCreateJobRequest(&req); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
 	fmt.Printf("[CREATE_JOB DEBUG] Request received: title=%s, companyId=%s, status=%s\n", req.Title, req.CompanyID, req.Status)
 	fmt.Printf("[CREATE_JOB DEBUG] Full request: %+v\n", req)

@ -199,6 +207,20 @@ func (h *JobHandler) CreateJob(w http.ResponseWriter, r *http.Request) {
 	job, err := h.Service.CreateJob(req, userID)
 	if err != nil {
 		fmt.Printf("[CREATE_JOB ERROR] Service.CreateJob failed: %v\n", err)
+		var pqErr *pq.Error
+		if errors.As(err, &pqErr) {
+			switch pqErr.Code {
+			case "23514": // check_violation
+				http.Error(w, fmt.Sprintf("invalid value: %s", pqErr.Constraint), http.StatusBadRequest)
+			case "23503": // foreign_key_violation
+				http.Error(w, "referenced resource not found", http.StatusBadRequest)
+			case "23505": // unique_violation
+				http.Error(w, "duplicate entry", http.StatusConflict)
+			default:
+				http.Error(w, "internal server error", http.StatusInternalServerError)
+			}
+			return
+		}
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
@ -286,3 +308,43 @@ func (h *JobHandler) DeleteJob(w http.ResponseWriter, r *http.Request) {

 	w.WriteHeader(http.StatusNoContent)
 }
+
+var validEmploymentTypes = map[string]bool{
+	"full-time": true, "part-time": true, "dispatch": true, "contract": true,
+	"temporary": true, "training": true, "voluntary": true, "permanent": true,
+}
+
+var validWorkModes = map[string]bool{
+	"onsite": true, "hybrid": true, "remote": true,
+}
+
+var validJobStatuses = map[string]bool{
+	"draft": true, "open": true, "closed": true, "review": true,
+	"published": true, "paused": true, "expired": true, "archived": true, "reported": true,
+}
+
+func validateCreateJobRequest(req *dto.CreateJobRequest) error {
+	if strings.TrimSpace(req.CompanyID) == "" {
+		return fmt.Errorf("companyId is required")
+	}
+	title := strings.TrimSpace(req.Title)
+	if title == "" {
+		return fmt.Errorf("title is required")
+	}
+	if len(title) < 5 || len(title) > 255 {
+		return fmt.Errorf("title must be between 5 and 255 characters")
+	}
+	if len(strings.TrimSpace(req.Description)) < 20 {
+		return fmt.Errorf("description must be at least 20 characters")
+	}
+	if req.EmploymentType != nil && !validEmploymentTypes[*req.EmploymentType] {
+		return fmt.Errorf("invalid employmentType %q, must be one of: full-time, part-time, dispatch, contract, temporary, training, voluntary, permanent", *req.EmploymentType)
+	}
+	if req.WorkMode != nil && !validWorkModes[*req.WorkMode] {
+		return fmt.Errorf("invalid workMode %q, must be one of: onsite, hybrid, remote", *req.WorkMode)
+	}
+	if req.Status != "" && !validJobStatuses[req.Status] {
+		return fmt.Errorf("invalid status %q", req.Status)
+	}
+	return nil
+}
--- a/backend/internal/handlers/job_handler_test.go
+++ b/backend/internal/handlers/job_handler_test.go
@ -135,7 +135,7 @@ func TestCreateJob_Success(t *testing.T) {
 	jobReq := dto.CreateJobRequest{
 		CompanyID:   "1",
 		Title:       "Backend Developer",
-		Description: "Build awesome APIs",
+		Description: "Build awesome APIs for the platform",
 		Status:      "open",
 		WorkMode:    func() *string { s := "remote"; return &s }(),
 	}
@ -173,7 +173,10 @@ func TestCreateJob_ServiceError(t *testing.T) {
 	handler := NewJobHandler(mockService)

 	jobReq := dto.CreateJobRequest{
-		Title: "Failing Job",
+		CompanyID:   "company-1",
+		Title:       "Failing Job Title",
+		Description: "This description is long enough to pass validation",
+		Status:      "open",
 	}
 	body, _ := json.Marshal(jobReq)