fix: add Zod validation schema for user creation endpoint

kejuunuy · kejuunuy · commit 192105a7bba3 · 2026-05-30T22:34:02.000+08:00
Add createUserSchema with email, name, and role validation to POST /api/users endpoint to prevent arbitrary data storage. Fixes #2160
diff --git a/apps/api/src/controllers/userController.js b/apps/api/src/controllers/userController.js
@@ -1,10 +1,12 @@
 import { ok } from "../utils/response.js";
 import { createUser, listUsers } from "../services/userService.js";
+import { createUserSchema } from "../validators/user.js";
 
 export async function getUsers(req, res) {
   return ok(res, await listUsers());
 }
 
 export async function postUser(req, res) {
-  return ok(res, await createUser(req.body), 201);
+  const payload = createUserSchema.parse(req.body);
+  return ok(res, await createUser(payload), 201);
 }
diff --git a/apps/api/src/validators/user.js b/apps/api/src/validators/user.js
@@ -0,0 +1,9 @@
+import { z } from "zod";
+
+export const createUserSchema = z.object({
+  email: z.string().email(),
+  name: z.string().min(1).max(100),
+  role: z.enum(["client", "freelancer", "admin"]).default("client")
+});
+
+export const updateUserSchema = createUserSchema.partial();

Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,12 @@`
`1`	`1`	`import { ok } from "../utils/response.js";`
`2`	`2`	`import { createUser, listUsers } from "../services/userService.js";`
	`3`	`+import { createUserSchema } from "../validators/user.js";`
`3`	`4`
`4`	`5`	`export async function getUsers(req, res) {`
`5`	`6`	`return ok(res, await listUsers());`
`6`	`7`	`}`
`7`	`8`
`8`	`9`	`export async function postUser(req, res) {`
`9`		`- return ok(res, await createUser(req.body), 201);`
	`10`	`+ const payload = createUserSchema.parse(req.body);`
	`11`	`+ return ok(res, await createUser(payload), 201);`
`10`	`12`	`}`