Bug
validateOfferInput() checks tags.length, but it does not verify that tags is an array of strings before sanitizing.
A create-offer payload like:
{ "tags": ["valid", 123] }reaches:
tags: input.tags?.map((t) => t.trim().toLowerCase()).filter(Boolean) || []
and throws because a number does not have .trim(). Through POST /api/affiliates/offers, that can become a generic 500 instead of a validation error.
Expected
The validator should reject non-array tags and non-string tag entries with a clear 400-path validation error before sanitizing.
Bug
validateOfferInput()checkstags.length, but it does not verify thattagsis an array of strings before sanitizing.A create-offer payload like:
{ "tags": ["valid", 123] }reaches:
and throws because a number does not have
.trim(). ThroughPOST /api/affiliates/offers, that can become a generic 500 instead of a validation error.Expected
The validator should reject non-array
tagsand non-string tag entries with a clear 400-path validation error before sanitizing.