bug: wallet withdraw API returns 500 on malformed JSON #184

@morganschp


Bug description

POST /api/wallet/withdraw parses the request body with await request.json() and immediately destructures amount_sats and destination. If an authenticated client sends malformed JSON, the parse exception falls through the generic catch block and the route returns 500 { "error": "An unexpected error occurred" }.

This is a client input error and should not reach wallet lookup, rate-limit, LNURL, or payment paths.

Steps to reproduce

  1. Authenticate as a user with wallet access.
  2. Send POST /api/wallet/withdraw with Content-Type: application/json and malformed JSON such as {not valid json.
  3. The route returns 500 instead of 400.

Expected behavior

Malformed or non-object JSON request bodies should return 400 { "error": "Invalid request body" }, and no withdrawal lookup/payment logic should run.

Fix direction

Parse the withdraw request body defensively, validate it is an object, and add regression coverage for malformed JSON plus the existing valid/validation paths.

Filed for the active uGig repo testing task: https://ugig.net/gigs/4741218f-a723-46bb-82cb-6516120331ae
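
One way to implement the fix direction above, as an added example that is not code from the uGig repository. The helper names (`parseWithdrawBody`, `readWithdrawBody`, `handleWithdraw`, `processWithdrawal`) are hypothetical, and the route is assumed to receive a Fetch-style request object exposing `text()`.

```javascript
// Added example; all function names here are hypothetical, not the project's own.

// Classify a raw body string. Returns { ok: true, body } only for a JSON object;
// everything else maps to the 400 shape the issue asks for.
function parseWithdrawBody(rawText) {
  const invalid = { ok: false, status: 400, error: "Invalid request body" };
  if (typeof rawText !== "string" || rawText.trim() === "") return invalid;

  let parsed;
  try {
    parsed = JSON.parse(rawText);
  } catch {
    return invalid; // malformed JSON such as `{not valid json`
  }
  // JSON.parse also accepts null, numbers, strings and arrays. Destructuring
  // those would either throw or silently yield undefined fields, so reject them.
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return invalid;
  }
  return { ok: true, body: parsed };
}

// Read the body as text so a parse failure is handled here and never
// reaches the route's generic catch block (the source of the 500).
async function readWithdrawBody(request) {
  let raw;
  try {
    raw = await request.text();
  } catch {
    return { ok: false, status: 400, error: "Invalid request body" };
  }
  return parseWithdrawBody(raw);
}

// Handler sketch: processWithdrawal stands in for the wallet lookup, rate-limit,
// LNURL and payment logic, which only runs after the body check passes.
async function handleWithdraw(request, processWithdrawal) {
  const result = await readWithdrawBody(request);
  if (!result.ok) {
    return { status: result.status, json: { error: result.error } };
  }
  const { amount_sats, destination } = result.body;
  return processWithdrawal(amount_sats, destination);
}
```

Field-level validation of `amount_sats` and `destination` stays in the route's existing validation path; this helper only decides whether the body is a usable object.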
