
Handle malformed login request bodies#191

Merged
ralyodio merged 1 commit into
profullstack:masterfrom
morganschp:fix-auth-login-invalid-json
May 23, 2026

Conversation

@morganschp
Contributor

Summary

  • parse login request bodies with the existing safe JSON helper
  • return 400 Invalid request body for malformed, empty, or non-object JSON
  • add a regression test proving malformed JSON does not call Supabase sign-in

Fixes #190

uGig task

Submitted for the active uGig repo testing task: https://ugig.net/gigs/4741218f-a723-46bb-82cb-6516120331ae

No payout details included; those can be provided after acceptance.

Tests

  • ./node_modules/.bin/vitest run src/app/api/auth/login/route.test.ts
  • ./node_modules/.bin/eslint src/app/api/auth/login/route.ts src/app/api/auth/login/route.test.ts
  • ./node_modules/.bin/tsc --noEmit
  • git diff --check -- src/app/api/auth/login/route.ts src/app/api/auth/login/route.test.ts

greptile-apps Bot commented May 23, 2026

Greptile Summary

This PR fixes a crash/unexpected error path in the login route by replacing the bare request.json() call with the existing safeParseBody helper, which returns null for malformed, empty, or non-object JSON bodies. A targeted regression test ensures Supabase signInWithPassword is never reached when the body cannot be parsed.

  • route.ts: Swaps request.json() for safeParseBody(request) and returns a 400 { error: "Invalid request body" } response when the result is null, before any schema validation or Supabase calls occur.
  • route.test.ts: Adds makeRawRequest helper and a test case that sends "{not valid json" and asserts a 400 response with the correct error message and no Supabase interaction.

Confidence Score: 5/5

Safe to merge — the change is a narrow, well-tested guard that stops invalid request bodies before they reach Supabase.

The only modification to the login route is swapping one line (request.json()) for an already-proven helper (safeParseBody) that exists elsewhere in the codebase, plus a null guard. The regression test directly covers the failure scenario, and the rest of the auth flow is unchanged.

No files require special attention.

Important Files Changed

Filename Overview
src/app/api/auth/login/route.ts Replaces bare request.json() with safeParseBody and adds a null-guard returning 400 before any schema validation or Supabase calls; change is minimal and correct.
src/app/api/auth/login/route.test.ts Adds makeRawRequest helper and a regression test for malformed JSON that asserts 400 status, correct error message, and no Supabase sign-in call.

Sequence Diagram

sequenceDiagram
    participant Client
    participant LoginRoute as POST /api/auth/login
    participant RateLimit as Rate Limiter
    participant SafeParse as safeParseBody
    participant Schema as loginSchema
    participant Supabase

    Client->>LoginRoute: POST (body)
    LoginRoute->>RateLimit: checkRateLimit(identifier)
    alt Rate limit exceeded
        RateLimit-->>LoginRoute: allowed: false
        LoginRoute-->>Client: 429 Rate Limited
    else Rate limit OK
        RateLimit-->>LoginRoute: allowed: true
        LoginRoute->>SafeParse: safeParseBody(request)
        alt Malformed / empty / non-object JSON
            SafeParse-->>LoginRoute: null
            LoginRoute-->>Client: 400 Invalid request body
        else Valid JSON object
            SafeParse-->>LoginRoute: parsed body
            LoginRoute->>Schema: safeParse(body)
            alt Schema invalid
                Schema-->>LoginRoute: error
                LoginRoute-->>Client: 400 validation error
            else Schema valid
                Schema-->>LoginRoute: "{ email, password }"
                LoginRoute->>Supabase: signInWithPassword(email, password)
                alt Auth error
                    Supabase-->>LoginRoute: error
                    LoginRoute-->>Client: 401 Unauthorized
                else Unconfirmed email
                    Supabase-->>LoginRoute: user (no email_confirmed_at)
                    LoginRoute->>Supabase: signOut()
                    LoginRoute-->>Client: 403 EMAIL_NOT_CONFIRMED
                else Success
                    Supabase-->>LoginRoute: user + session
                    LoginRoute-->>Client: 200 Login successful
                end
            end
        end
    end

Reviews (2): Last reviewed commit: "Handle malformed login bodies"
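The guard this PR describes, reduced to a stand-alone example (added here; this is not the project's own route code). parseJsonObject stands in for the repository's safeParseBody helper, validateLogin stands in for loginSchema, handleLogin stands in for the POST handler, and signIn is an injected stand-in for Supabase signInWithPassword; all of these names are assumptions, and the rate-limit step shown in the sequence diagram is omitted. It assumes Node 18+ for the global Request and Response types. The sample bodies at the bottom are constructed for this example and cover the three cases the PR names: malformed, empty, and valid JSON that is not an object.

```typescript
type JsonObject = Record<string, unknown>;

// Hypothetical stand-in for the project's safeParseBody helper, applied to raw text.
// Returns null for malformed JSON, an empty body, and any JSON value that is not a
// plain object (arrays, strings, numbers, booleans and literal null all count as "not an object").
export function parseJsonObject(raw: string): JsonObject | null {
  if (raw.trim() === "") return null;
  let value: unknown;
  try {
    value = JSON.parse(raw);
  } catch {
    return null; // request.json() would have thrown here and surfaced as a 500
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) return null;
  return value as JsonObject;
}

// Request-level wrapper: an unreadable or already-consumed body is treated like a bad body.
export async function safeParseBody(request: Request): Promise<JsonObject | null> {
  try {
    return parseJsonObject(await request.text());
  } catch {
    return null;
  }
}

export interface LoginInput { email: string; password: string; }

// Hand-rolled stand-in for loginSchema.safeParse: only shape checks, no schema library.
export function validateLogin(body: JsonObject): LoginInput | null {
  const { email, password } = body;
  if (typeof email !== "string" || !email.includes("@")) return null;
  if (typeof password !== "string" || password.length === 0) return null;
  return { email, password };
}

export type SignIn = (email: string, password: string) => Promise<{ error: string | null }>;
export interface LoginResult { status: number; body: { error?: string; message?: string } }

// Shape of the fixed route: body parsing, then schema validation, then sign-in.
// A null from the parser short-circuits with 400 before the schema or sign-in ever runs.
export async function handleLogin(request: Request, signIn: SignIn): Promise<LoginResult> {
  const body = await safeParseBody(request);
  if (body === null) return { status: 400, body: { error: "Invalid request body" } };
  const input = validateLogin(body);
  if (input === null) return { status: 400, body: { error: "Invalid email or password" } };
  const { error } = await signIn(input.email, input.password);
  if (error) return { status: 401, body: { error: "Unauthorized" } };
  return { status: 200, body: { message: "Login successful" } };
}

// Mirrors the PR's makeRawRequest helper: raw text body with a JSON content-type.
export function makeRawRequest(raw: string): Request {
  return new Request("http://localhost/api/auth/login", {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: raw,
  });
}

// Drives one body through the handler and records whether sign-in was reached.
export async function exercise(raw: string): Promise<{ raw: string; status: number; signInCalled: boolean }> {
  let signInCalled = false;
  const signIn: SignIn = async () => { signInCalled = true; return { error: null }; };
  const res = await handleLogin(makeRawRequest(raw), signIn);
  return { raw, status: res.status, signInCalled };
}

// Constructed sample bodies (not from the project's tests): every one except the last must
// produce 400 without touching sign-in.
export const SAMPLE_BODIES: string[] = [
  "{not valid json",                         // malformed
  "",                                        // empty
  "[]",                                      // non-object: array
  "null",                                    // non-object: literal null
  "\"just a string\"",                       // non-object: string
  "{\"email\":\"user@example.com\",\"password\":\"correct horse\"}", // well-formed object
];

export async function runSamples(): Promise<Array<{ raw: string; status: number; signInCalled: boolean }>> {
  return Promise.all(SAMPLE_BODIES.map(exercise));
}

runSamples().then((rows) => rows.forEach((r) => console.log(r.status, r.signInCalled, JSON.stringify(r.raw))));
```

The property worth asserting in a regression test is the one the PR's test asserts: not just the 400 status, but that the sign-in dependency was never invoked. Checking only the status would still pass if the handler reached Supabase and happened to map its error to 400.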

@ralyodio ralyodio closed this May 23, 2026
@ralyodio ralyodio reopened this May 23, 2026
@ralyodio ralyodio merged commit 3ca2e7a into profullstack:master May 23, 2026
4 checks passed

Development

Successfully merging this pull request may close these issues.

bug: login API returns 500 on malformed JSON

2 participants