diff --git a/modules/ask_va_api/app/controllers/ask_va_api/v0/inquiries_controller.rb b/modules/ask_va_api/app/controllers/ask_va_api/v0/inquiries_controller.rb
index 12860b01335..5297fbb74c5 100644
--- a/modules/ask_va_api/app/controllers/ask_va_api/v0/inquiries_controller.rb
+++ b/modules/ask_va_api/app/controllers/ask_va_api/v0/inquiries_controller.rb
@@ -109,13 +109,13 @@ def require_loa3!
 raise Common::Exceptions::Unauthorized unless current_user&.loa&.fetch(:current, nil) == 3
 end
- INQUIRY_ID_FORMAT = /\AA-[0-9]{8}-[0-9]{6,7}\z/
+ INQUIRY_ID_FORMAT = /\AA-[0-9]{8}-[0-9]{5,10}\z/
- # Validates that params[:id] follows the known inquiry ID format "A-YYYYMMDD-NNNNNN".
+ # Validates that params[:id] follows the known inquiry ID format "A-<8-digit date>-<5-10 digit number>".
 def validate_inquiry_id_format
- unless params[:id].match?(INQUIRY_ID_FORMAT)
- render json: { error: 'Invalid inquiry ID format. Expected format: A-YYYYMMDD-NNNNNN.' }, status: :bad_request
- end
+ msg = 'Invalid inquiry ID format. Expected: A-<8-digit date>-<5-10 digit number> (e.g., A-20260416-1234567).'
+
+ render json: { error: msg }, status: :bad_request unless params[:id].match?(INQUIRY_ID_FORMAT)
 end
 class InvalidAttachmentError < StandardError; end
diff --git a/modules/ask_va_api/spec/requests/ask_va_api/v0/inquiries_spec.rb b/modules/ask_va_api/spec/requests/ask_va_api/v0/inquiries_spec.rb
index 757f2685d4c..c3795295665 100644
--- a/modules/ask_va_api/spec/requests/ask_va_api/v0/inquiries_spec.rb
+++ b/modules/ask_va_api/spec/requests/ask_va_api/v0/inquiries_spec.rb
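Review bot: The widened suffix quantifier `{5,10}` on `INQUIRY_ID_FORMAT` has no stated source, and this pattern looks like the allow-list that gates `params[:id]` before it is used further (inferred; the callers are outside the hunk). A comment above the constant such as `# Suffix length 5-10 per <upstream ID spec reference>; keep \A and \z so an ID with an embedded newline is rejected.` would record where the range comes from and guard against a later edit to `^`/`$`. Separately, `params[:id].match?` raises NoMethodError if this filter ever runs where `:id` is absent or not a String; `params[:id].to_s.match?(INQUIRY_ID_FORMAT)` would turn that into the same 400. The before_action list is outside the hunk, so confirm which actions the filter covers.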
@@ -491,7 +491,8 @@
 end
 context 'when the id format is invalid' do
- %w[invalid 12345 A-1234567-123456 A-12345678-12345 A-12345678-12345678 A12345678123456].each do |bad_id|
+ %w[invalid 12345 A-1234567-123456 A-12345678-1234 A-12345678-12345678901 A-12345678-12L4567
+ A12345678123456].each do |bad_id|
 it "returns bad_request for '#{bad_id}'" do
 get "/ask_va_api/v0/inquiries/#{bad_id}/status"
 expect(response).to have_http_status(:bad_request)
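Review bot: The rejected-ID list pins the values just outside the new range (4 and 11 digits), but nothing in this hunk asserts that the new boundary values are accepted or that the anchors hold. Unless the valid-ID examples elsewhere in the spec already cover them, add `A-12345678-12345` and `A-12345678-1234567890` there as accepted IDs. A rejected case with a URL-encoded trailing newline, e.g. `A-12345678-123456%0A`, would make the suite fail if `\A...\z` were ever loosened to `^...$`; it cannot live in the `%w[]` list and needs its own example. The `each` block continues past the end of the hunk.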