fix: reject unknown fieldName in approveChangeRequest (#91)

dobby-coder[bot] · web-flow · commit 3d9e41a60920 · 2026-05-25T14:33:23.000+02:00
The admin approveChangeRequest service guarded the org UPDATE on a fieldMap lookup but still flipped the change request to approved when the lookup missed. Unknown or stale fieldName values left the request showing approved while no column had changed. Validate fieldName against a typed allowlist before any mutation, throw InvalidChangeRequestFieldError when it misses, and surface that as a 400 fail in the page action. The org write also moves from sql.raw to a typed Drizzle update, removing the fragile dynamic-column pattern flagged in repos/postguard-business/security.md. Closes #87 Co-authored-by: dobby-yivi-agent[bot] <275734547+dobby-yivi-agent[bot]@users.noreply.github.com>
diff --git a/src/lib/server/services/admin-change-requests.ts b/src/lib/server/services/admin-change-requests.ts
@@ -0,0 +1,15 @@
+export const APPROVABLE_FIELDS = ['name', 'domain', 'signingEmail', 'kvkNumber'] as const;
+export type ApprovableField = (typeof APPROVABLE_FIELDS)[number];
+
+export function isApprovableField(value: string): value is ApprovableField {
+	return (APPROVABLE_FIELDS as readonly string[]).includes(value);
+}
+
+export class InvalidChangeRequestFieldError extends Error {
+	readonly fieldName: string;
+	constructor(fieldName: string) {
+		super(`Unknown change-request fieldName: ${fieldName}`);
+		this.name = 'InvalidChangeRequestFieldError';
+		this.fieldName = fieldName;
+	}
+}
diff --git a/src/lib/server/services/admin.ts b/src/lib/server/services/admin.ts
@@ -8,7 +8,8 @@ import {
 	adminAccounts,
 	sessions
 } from '$lib/server/db/schema';
-import { eq, desc, and, isNull, or, count, sql } from 'drizzle-orm';
+import { eq, desc, and, isNull, or, count } from 'drizzle-orm';
+import { isApprovableField, InvalidChangeRequestFieldError } from './admin-change-requests';
 
 export async function logAdminAction(
 	adminId: string,
@@ -87,21 +88,15 @@ export async function approveChangeRequest(
 	if (!reqs[0]) return null;
 	const req = reqs[0];
 
-	// Apply the change to the organization
-	const fieldMap: Record<string, string> = {
-		name: 'name',
-		domain: 'domain',
-		signingEmail: 'signing_email',
-		kvkNumber: 'kvk_number'
-	};
-
-	if (fieldMap[req.fieldName]) {
-		// Use raw SQL for dynamic column update
-		await db.execute(
-			sql`UPDATE organizations SET ${sql.raw(fieldMap[req.fieldName])} = ${req.newValue}, updated_at = NOW() WHERE id = ${req.orgId}`
-		);
+	if (!isApprovableField(req.fieldName)) {
+		throw new InvalidChangeRequestFieldError(req.fieldName);
 	}
 
+	await db
+		.update(organizations)
+		.set({ [req.fieldName]: req.newValue, updatedAt: new Date() })
+		.where(eq(organizations.id, req.orgId));
+
 	await db
 		.update(changeRequests)
 		.set({
diff --git a/src/routes/(admin)/admin/organizations/[id]/+page.server.ts b/src/routes/(admin)/admin/organizations/[id]/+page.server.ts
@@ -11,6 +11,7 @@ import {
 	addUserToOrganization,
 	logAdminAction
 } from '$lib/server/services/admin';
+import { InvalidChangeRequestFieldError } from '$lib/server/services/admin-change-requests';
 import { setImpersonation } from '$lib/server/auth/session';
 import { isUniqueViolation } from '$lib/server/services/errors';
 import { isEnabled } from '$lib/feature-flags';
@@ -36,7 +37,15 @@ export const actions: Actions = {
 
 		if (!requestId) return fail(400, { error: 'Missing request ID' });
 
-		const req = await approveChangeRequest(requestId, adminId, reviewNotes);
+		let req;
+		try {
+			req = await approveChangeRequest(requestId, adminId, reviewNotes);
+		} catch (err) {
+			if (err instanceof InvalidChangeRequestFieldError) {
+				return fail(400, { error: 'invalid_field', fieldName: err.fieldName });
+			}
+			throw err;
+		}
 		if (req) {
 			await logAdminAction(
 				adminId,
diff --git a/tests/unit/admin-approve-change-request.test.ts b/tests/unit/admin-approve-change-request.test.ts
@@ -0,0 +1,173 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import {
+	isApprovableField,
+	APPROVABLE_FIELDS,
+	InvalidChangeRequestFieldError
+} from '../../src/lib/server/services/admin-change-requests';
+
+const { approveChangeRequestMock, logAdminActionMock, isEnabledMock } = vi.hoisted(() => ({
+	approveChangeRequestMock: vi.fn(),
+	logAdminActionMock: vi.fn(),
+	isEnabledMock: vi.fn()
+}));
+
+vi.mock('$lib/server/services/admin', () => ({
+	getOrganizationWithRequests: vi.fn(),
+	getOrganizationById: vi.fn(),
+	approveChangeRequest: approveChangeRequestMock,
+	rejectChangeRequest: vi.fn(),
+	deleteOrganization: vi.fn(),
+	activateOrganization: vi.fn(),
+	suspendOrganization: vi.fn(),
+	addUserToOrganization: vi.fn(),
+	logAdminAction: logAdminActionMock
+}));
+
+vi.mock('$lib/server/auth/session', () => ({
+	setImpersonation: vi.fn()
+}));
+
+vi.mock('$lib/feature-flags', () => ({
+	isEnabled: (...args: unknown[]) => isEnabledMock(...args)
+}));
+
+import { actions } from '../../src/routes/(admin)/admin/organizations/[id]/+page.server';
+
+type ApproveEvent = Parameters<NonNullable<typeof actions>['approve']>[0];
+
+function buildEvent(overrides: {
+	session?: Record<string, unknown> | null;
+	requestId?: string | null;
+	reviewNotes?: string;
+}): ApproveEvent {
+	const form = new FormData();
+	if (overrides.requestId !== null) form.set('requestId', overrides.requestId ?? 'req-id');
+	if (overrides.reviewNotes !== undefined) form.set('reviewNotes', overrides.reviewNotes);
+
+	return {
+		params: { id: 'org-id' },
+		locals: { session: overrides.session ?? null },
+		request: { formData: async () => form },
+		getClientAddress: () => '127.0.0.1'
+	} as unknown as ApproveEvent;
+}
+
+describe('isApprovableField', () => {
+	it.each([...APPROVABLE_FIELDS])('accepts the allowlist value %s', (field) => {
+		expect(isApprovableField(field)).toBe(true);
+	});
+
+	it.each(['status', 'contact_user_id', 'signing_email', 'kvk_number', '', 'NAME', 'id'])(
+		'rejects unknown field %s',
+		(field) => {
+			expect(isApprovableField(field)).toBe(false);
+		}
+	);
+});
+
+describe('InvalidChangeRequestFieldError', () => {
+	it('carries the offending fieldName', () => {
+		const err = new InvalidChangeRequestFieldError('mystery_column');
+		expect(err).toBeInstanceOf(Error);
+		expect(err.fieldName).toBe('mystery_column');
+		expect(err.message).toContain('mystery_column');
+	});
+});
+
+describe('admin approve action — invalid fieldName handling', () => {
+	beforeEach(() => {
+		approveChangeRequestMock.mockReset();
+		logAdminActionMock.mockReset();
+		isEnabledMock.mockReset();
+		isEnabledMock.mockReturnValue(true);
+	});
+
+	it('rejects when no admin session is present and never calls the service', async () => {
+		await expect(
+			actions.approve(buildEvent({ session: null, requestId: 'req-1' }))
+		).rejects.toMatchObject({ status: 401 });
+
+		expect(approveChangeRequestMock).not.toHaveBeenCalled();
+		expect(logAdminActionMock).not.toHaveBeenCalled();
+	});
+
+	it('returns 400 when the service throws InvalidChangeRequestFieldError and does not log an admin action', async () => {
+		approveChangeRequestMock.mockRejectedValueOnce(
+			new InvalidChangeRequestFieldError('mystery_column')
+		);
+
+		const result = await actions.approve(
+			buildEvent({
+				session: { adminId: 'admin-1', userType: 'admin' },
+				requestId: 'req-1',
+				reviewNotes: 'looks good'
+			})
+		);
+
+		expect(result).toMatchObject({
+			status: 400,
+			data: { error: 'invalid_field', fieldName: 'mystery_column' }
+		});
+		expect(logAdminActionMock).not.toHaveBeenCalled();
+	});
+
+	it('returns { approved: true } and logs when the service applies the change', async () => {
+		approveChangeRequestMock.mockResolvedValueOnce({
+			id: 'req-1',
+			orgId: 'org-1',
+			fieldName: 'name',
+			newValue: 'New Name'
+		});
+
+		const result = await actions.approve(
+			buildEvent({
+				session: { adminId: 'admin-1', userType: 'admin' },
+				requestId: 'req-1',
+				reviewNotes: 'ok'
+			})
+		);
+
+		expect(result).toEqual({ approved: true });
+		expect(approveChangeRequestMock).toHaveBeenCalledWith('req-1', 'admin-1', 'ok');
+		expect(logAdminActionMock).toHaveBeenCalledTimes(1);
+		expect(logAdminActionMock).toHaveBeenCalledWith(
+			'admin-1',
+			'approve_change',
+			'change_request',
+			'req-1',
+			{ fieldName: 'name', newValue: 'New Name', reviewNotes: 'ok' },
+			'127.0.0.1'
+		);
+	});
+
+	it('returns { approved: true } without logging when the service reports no matching request', async () => {
+		approveChangeRequestMock.mockResolvedValueOnce(null);
+
+		const result = await actions.approve(
+			buildEvent({
+				session: { adminId: 'admin-1', userType: 'admin' },
+				requestId: 'missing-req',
+				reviewNotes: ''
+			})
+		);
+
+		expect(result).toEqual({ approved: true });
+		expect(logAdminActionMock).not.toHaveBeenCalled();
+	});
+
+	it('re-throws unexpected errors so they surface as 500', async () => {
+		const boom = new Error('db exploded');
+		approveChangeRequestMock.mockRejectedValueOnce(boom);
+
+		await expect(
+			actions.approve(
+				buildEvent({
+					session: { adminId: 'admin-1', userType: 'admin' },
+					requestId: 'req-1'
+				})
+			)
+		).rejects.toBe(boom);
+
+		expect(logAdminActionMock).not.toHaveBeenCalled();
+	});
+});
