From ffdbbbd3355babf6b8d53aea0462c9ab67f80d6c Mon Sep 17 00:00:00 2001
From: "Aaron K. Clark" <akclark@thenetwerk.net>
Date: Tue, 19 May 2026 08:43:32 -0500
Subject: [PATCH] fix(schema): cap custState at 2 chars to match the DB column
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`customer.schema.js` validated `custState` as `z.string().max(255)`,
but `setup/TimeTracker.sql` (and the Sequelize column on every
deployed schema) defines the column as `character varying(2)`. The
mismatch meant any 3+ char value passed the middleware layer cleanly
and then surfaced as a 500 "Error!" at the postgres INSERT —
"value too long for type character varying(2)".

Tighten the zod schema to `.length(2)` so the validation message
identifies the actual problem (`custState must be exactly 2 chars`)
at the request boundary instead of opaque server-error noise from
the persistence layer. US state codes (NE, CA, etc.) and Canadian
province codes (AB, BC, etc.) all fit the 2-char shape; the DB
column was sized this way from day one.

No callers POSTing valid 2-char codes are affected. Callers that
were previously broken at INSERT now get a clearer 400 instead of
a 500 — strictly a UX improvement.

742 tests still pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 app/schemas/customer.schema.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/schemas/customer.schema.js b/app/schemas/customer.schema.js
index 669dbb0..9ba6be9 100644
--- a/app/schemas/customer.schema.js
+++ b/app/schemas/customer.schema.js
@@ -28,7 +28,12 @@ const createCustomerBody = z.object({
     custAddress1: z.string().max(255).optional(),
     custAddress2: z.string().max(255).optional(),
     custCity: z.string().max(255).optional(),
-    custState: z.string().max(255).optional(),
+    // custState matches the DB column: varchar(2) — US state codes
+    // ("NE", "CA", etc.) and Canadian province codes ("AB", "BC").
+    // Without this length constraint, anything ≤ 255 chars passed zod
+    // and surfaced as a 500 at the postgres INSERT layer ("value too
+    // long for type character varying(2)") instead of a clean 400.
+    custState: z.string().length(2).optional(),
     custZip: z.string().max(32).optional(),
     custPhone: z.string().max(64).optional(),
     custEmail: z.string().email().max(255).optional(),