fix(api): return 400 instead of 500 for hostname validation errors #343
Merged
37 handler endpoints across 10 domains incorrectly returned HTTP 500 for hostname validation failures. These are client errors (bad input) and should be 400. Added 400 response definitions to all affected OpenAPI specs, regenerated code, and updated handlers and tests.

Also adds missing HTTP wiring test cases for body validation in service create and update endpoints.

Domains fixed: certificate, log, ntp, package, process, schedule, service, sysctl, timezone, user.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Codecov Report❌ Patch coverage is
❌ Your patch status has failed because the patch coverage (97.05%) is below the target coverage (100.00%). You can increase the patch coverage or adjust the target coverage.

@@ Coverage Diff @@
## main #343 +/- ##
=======================================
Coverage 99.91% 99.91%
=======================================
Files 438 438
Lines 21239 21268 +29
=======================================
+ Hits 21220 21249 +29
Misses 11 11
Partials 8 8
Add HTTP wiring tests that send invalid body payloads through the full Echo middleware stack for 6 endpoints:

- certificate PUT update (missing object)
- user POST create group (missing name)
- user POST set password (missing password)
- schedule/cron PUT update (invalid cron expression)
- user PUT update group (defense-in-depth, all optional)
- user PUT update user (defense-in-depth, all optional)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Add x-oapi-codegen-extra-tags with validate: tags to all request body properties and query parameters that were missing them:

- docker: name, auto_start, working_dir
- user: uid, gid, home, shell, password, system, lock (across create/update user and group requests)
- log: since and priority query params with oneof constraint for systemd priority levels
- file: name and content_type on multipart upload (documentation)

Add validation.Struct() calls to log query and unit handlers, and defense-in-depth call to user update handler. Add unit and HTTP wiring tests for invalid priority on log endpoints.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

PUT endpoints for group, user, and cron update now return 400 with "at least one field must be provided" when the request body has no fields set. Previously, empty bodies were silently accepted — for group update this was destructive (cleared all members via gpasswd).

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Replace manual nil-check blocks in update handlers with validation.AtLeastOneField(), a reflect-based helper that rejects empty update bodies through the validation framework.

Add input validation section to development.md documenting the validation patterns: required vs omitempty tags, AtLeastOneField for update endpoints, and defense-in-depth for action endpoints.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Remove manual limit capping in job list handler — the OpenAPI spec already validates limit via min=1,max=100 tag. Remove stale defense-in-depth comments where validation is now meaningful (user update with AtLeastOneField). Fix garbled comment in file upload handler.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Summary

- 400 response definitions to all affected OpenAPI specs and regenerated code
- validate: tags to 25+ request body properties and query parameters across docker, user, log, and file specs
- validation.AtLeastOneField() helper to reject empty update bodies (group, user, cron) — prevents silent destructive behavior (e.g., clearing group members)
- validation.Struct() calls to log query/unit handlers and user update handler
- development.md documenting validation patterns

Domains fixed (500→400)

certificate, log, ntp, package, process, schedule, service, sysctl, timezone, user

Test plan

- 500JSONResponse for hostname validation paths
- AtLeastOneField has 13 test cases

🤖 Generated with Claude Code
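
The empty-update check these commits describe, written out as an added example rather than the project's own code: `atLeastOneField`, `groupUpdate` and `statusForGroupUpdate` are hypothetical names, and the real `validation.AtLeastOneField()` may differ. It shows why a body of `{}` gets a 400 before anything is changed, while an explicit `"members": []` still counts as a deliberate update.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"reflect"
)

// errNoFields carries the message the PR quotes for empty update bodies.
var errNoFields = errors.New("at least one field must be provided")

// groupUpdate is a constructed update body; every field is optional.
type groupUpdate struct {
	Name    *string  `json:"name"`
	Members []string `json:"members"`
}

// atLeastOneField (hypothetical stand-in) fails when no struct field was set.
// A nil pointer or nil slice is "not sent"; a non-nil empty slice is "sent".
func atLeastOneField(body interface{}) error {
	v := reflect.Indirect(reflect.ValueOf(body))
	if v.Kind() != reflect.Struct {
		return fmt.Errorf("want struct, got %s", v.Kind())
	}
	for i := 0; i < v.NumField(); i++ {
		if !v.Field(i).IsZero() {
			return nil
		}
	}
	return errNoFields
}

// statusForGroupUpdate returns the HTTP status a handler would send for raw.
func statusForGroupUpdate(raw string) int {
	var req groupUpdate
	if err := json.Unmarshal([]byte(raw), &req); err != nil {
		return http.StatusBadRequest // malformed input is a client error
	}
	if err := atLeastOneField(&req); err != nil {
		return http.StatusBadRequest // rejected before any system change
	}
	return http.StatusOK
}

func main() {
	for _, raw := range []string{`{}`, `{"name":null}`, `{"members":[]}`, `{"name":"ops"}`} {
		fmt.Println(raw, "->", statusForGroupUpdate(raw))
	}
}
```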