Security/Validation
Can bypass client-side validation via devtools (remove required attribute from inputs). API routes need server-side validation.
Steps to reproduce
- Open the browser devtools
- Remove the required attribute from an input field
- Submit the form (the request reaches the API route with the invalid or missing value)
Solution
Add Zod schema validation to all API routes.
Routes needing validation
HIGH PRIORITY
/api/upload (POST) - year, formData, schoolCoordinates, schoolInfoData
PATCH endpoints (currently have manual validation; convert to Zod)
/api/projects/[id] - title, category, categoryId, division, teamProject, numStudents
/api/teachers/[id] - name, email
/api/schools/[name] - latitude, longitude, name, city, implementationModel, schoolType, division, year, gateway
GET query params
/api/schools - year, list, gateway
/api/schools/[name] - year
/api/heatmap - year
/api/years-with-data - simple, school
/api/yearly-totals - year
DELETE
/api/years-with-data - year