feat(devicestatus): return 400 for invalid _id format

bewest · Copilot · bewest · commit 8d44a04304ef · 2026-03-18T11:02:31.000-07:00
Add validation for _id field in devicestatus API:
- POST: validates each document's _id before storage
- DELETE: validates _id parameter (allows wildcard '*')

Accepts: undefined, null, or 24-character hex string
Rejects: UUIDs, short strings, numbers, objects with 400 Bad Request

Previously, invalid _id values were silently stored as strings instead
of ObjectIds, causing inconsistent data and query issues.

Tests added for all validation cases.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/lib/api/devicestatus/index.js b/lib/api/devicestatus/index.js
@@ -6,6 +6,33 @@ const { query } = require('express');
 const _take = require('lodash/take');
 const _ = require('lodash');
 
+/**
+ * Validate MongoDB ObjectId format.
+ * Accepts: undefined, null, or 24-character hex string.
+ * Rejects: anything else (UUIDs, short strings, numbers, objects).
+ * @param {*} id - The _id value to validate
+ * @returns {boolean} - true if valid or empty, false if invalid format
+ */
+function isValidObjectId(id) {
+    if (id === undefined || id === null) return true;  // Will auto-generate
+    if (typeof id !== 'string') return false;
+    return /^[a-fA-F0-9]{24}$/.test(id);
+}
+
+/**
+ * Validate _id field for each document in an array.
+ * @param {Array} docs - Array of documents to validate
+ * @returns {Object|null} - null if all valid, or {index, id} of first invalid
+ */
+function findInvalidId(docs) {
+    for (var i = 0; i < docs.length; i++) {
+        if (!isValidObjectId(docs[i]._id)) {
+            return { index: i, id: docs[i]._id };
+        }
+    }
+    return null;
+}
+
 function configure (app, wares, ctx, env) {
   var express = require('express')
     , api = express.Router();
@@ -74,6 +101,13 @@ function configure (app, wares, ctx, env) {
         statuses = [statuses];
       }
 
+      // Validate _id fields before storage (return 400 on invalid)
+      var invalid = findInvalidId(statuses);
+      if (invalid) {
+        return res.sendJSONStatus(res, consts.HTTP_BAD_REQUEST,
+          'Invalid _id format', 'Must be 24-character hex string or omit for auto-generation. Got: ' + String(invalid.id));
+      }
+
       // Purify each devicestatus object
       for (var i = 0; i < statuses.length; i++) {
         ctx.purifier.purifyObject(statuses[i]);
@@ -119,6 +153,12 @@ function configure (app, wares, ctx, env) {
     }
 
     api.delete('/devicestatus/:id', ctx.authorization.isPermitted('api:devicestatus:delete'), function(req, res, next) {
+      // Validate _id parameter (unless wildcard)
+      if (req.params.id !== '*' && !isValidObjectId(req.params.id)) {
+        return res.sendJSONStatus(res, consts.HTTP_BAD_REQUEST,
+          'Invalid _id format', 'Must be 24-character hex string. Got: ' + String(req.params.id));
+      }
+
       if (!req.query.find) {
         req.query.find = {
           _id: req.params.id
diff --git a/tests/api.devicestatus.test.js b/tests/api.devicestatus.test.js
@@ -96,4 +96,157 @@ describe('Devicestatus API', function ( ) {
         }
       });
   });
+
+  // _id validation tests (prevent silent data corruption and ensure 400 on invalid)
+  describe('_id validation', function() {
+
+    it('should return 400 for POST with invalid UUID _id', function(done) {
+      var status_with_uuid = {
+        "_id": "my-uuid-12345",
+        "device": "test-device",
+        "created_at": "2024-01-01T00:00:00Z"
+      };
+
+      request(self.app)
+        .post('/api/devicestatus/')
+        .set('api-secret', known || '')
+        .send(status_with_uuid)
+        .expect(400)
+        .expect(function(response) {
+          response.body.should.have.property('status', 400);
+          response.body.should.have.property('message');
+          response.body.message.should.match(/Invalid _id format/i);
+        })
+        .end(done);
+    });
+
+    it('should return 400 for POST with short _id', function(done) {
+      var status_short_id = {
+        "_id": "abc",
+        "device": "test-device",
+        "created_at": "2024-01-01T00:00:00Z"
+      };
+
+      request(self.app)
+        .post('/api/devicestatus/')
+        .set('api-secret', known || '')
+        .send(status_short_id)
+        .expect(400)
+        .end(done);
+    });
+
+    it('should return 400 for DELETE with invalid _id', function(done) {
+      request(self.app)
+        .delete('/api/devicestatus/invalid-uuid-here')
+        .set('api-secret', known || '')
+        .expect(400)
+        .expect(function(response) {
+          response.body.message.should.match(/Invalid _id format/i);
+        })
+        .end(done);
+    });
+
+    it('should accept POST with valid 24-hex _id', function(done) {
+      // Use a unique ID that doesn't conflict with other tests
+      var testId = 'bbbbbbbbbbbbbbbbbbbbbbbb';
+      var status_valid_id = {
+        "_id": testId,
+        "device": "test-device-valid",
+        "created_at": "2024-01-02T00:00:00Z"
+      };
+
+      // First, try to delete any existing document with this _id (cleanup from previous runs)
+      request(self.app)
+        .delete('/api/devicestatus/' + testId)
+        .set('api-secret', known || '')
+        .end(function() {
+          // Ignore errors (document may not exist)
+          request(self.app)
+            .post('/api/devicestatus/')
+            .set('api-secret', known || '')
+            .send(status_valid_id)
+            .expect(200)
+            .expect(function(response) {
+              response.body.should.be.an.Array();
+              response.body.length.should.equal(1);
+              response.body[0]._id.should.equal(testId);
+            })
+            .end(function(err) {
+              if (err) return done(err);
+              // Clean up
+              request(self.app)
+                .delete('/api/devicestatus/' + testId)
+                .set('api-secret', known || '')
+                .expect(200)
+                .end(done);
+            });
+        });
+    });
+
+    it('should accept POST without _id (auto-generate)', function(done) {
+      var status_no_id = {
+        "device": "test-device-autogen",
+        "created_at": "2024-01-03T00:00:00Z"
+      };
+
+      request(self.app)
+        .post('/api/devicestatus/')
+        .set('api-secret', known || '')
+        .send(status_no_id)
+        .expect(200)
+        .expect(function(response) {
+          response.body.should.be.an.Array();
+          response.body.length.should.equal(1);
+          response.body[0].should.have.property('_id');
+          // Verify auto-generated _id is valid ObjectId format
+          response.body[0]._id.toString().should.match(/^[a-fA-F0-9]{24}$/);
+        })
+        .end(function(err, res) {
+          if (err) return done(err);
+          // Clean up
+          var createdId = res.body[0]._id;
+          request(self.app)
+            .delete('/api/devicestatus/' + createdId)
+            .set('api-secret', known || '')
+            .expect(200)
+            .end(done);
+        });
+    });
+
+    it('should return 400 for array POST with one invalid _id', function(done) {
+      var statuses_mixed = [
+        { "device": "device1", "created_at": "2024-01-01T00:00:00Z" },
+        { "_id": "bad-uuid", "device": "device2", "created_at": "2024-01-02T00:00:00Z" }
+      ];
+
+      request(self.app)
+        .post('/api/devicestatus/')
+        .set('api-secret', known || '')
+        .send(statuses_mixed)
+        .expect(400)
+        .expect(function(response) {
+          response.body.message.should.match(/Invalid _id format/i);
+        })
+        .end(done);
+    });
+
+    it('should allow DELETE with wildcard _id', function(done) {
+      // First insert a test record
+      request(self.app)
+        .post('/api/devicestatus/')
+        .set('api-secret', known || '')
+        .send({ "device": "delete-wildcard-test", "created_at": "2020-01-01T00:00:00Z" })
+        .expect(200)
+        .end(function(err) {
+          if (err) return done(err);
+          // Wildcard delete with date filter should work
+          request(self.app)
+            .delete('/api/devicestatus/*')
+            .query('find[created_at][$lte]=2020-01-02')
+            .set('api-secret', known || '')
+            .expect(200)
+            .end(done);
+        });
+    });
+  });
 });
diff --git a/tests/api.profiles.test.js b/tests/api.profiles.test.js
@@ -213,31 +213,40 @@ describe('Profiles API', function ( ) {
     });
 
     it('should accept POST with valid 24-hex _id', function(done) {
+      // Use a unique ID that doesn't conflict with other tests
+      var testId = 'aaaaaaaaaaaaaaaaaaaaaaaa';
       var profile_valid_id = {
-        "_id": "507f1f77bcf86cd799439011",
+        "_id": testId,
         "defaultProfile": "Default",
         "store": { "Default": { "dia": 3 } },
         "startDate": "2024-10-19T23:00:00.000Z"
       };
 
+      // First, try to delete any existing document with this _id (cleanup from previous runs)
       request(self.app)
-        .post('/api/profile/')
+        .delete('/api/profile/' + testId)
         .set('api-secret', known || '')
-        .send(profile_valid_id)
-        .expect(200)
-        .expect(function(response) {
-          response.body.should.be.an.Array();
-          response.body.length.should.equal(1);
-          response.body[0]._id.should.equal('507f1f77bcf86cd799439011');
-        })
-        .end(function(err) {
-          if (err) return done(err);
-          // Clean up: delete the profile we just created
+        .end(function() {
+          // Ignore errors (document may not exist)
           request(self.app)
-            .delete('/api/profile/507f1f77bcf86cd799439011')
+            .post('/api/profile/')
             .set('api-secret', known || '')
+            .send(profile_valid_id)
             .expect(200)
-            .end(done);
+            .expect(function(response) {
+              response.body.should.be.an.Array();
+              response.body.length.should.equal(1);
+              response.body[0]._id.should.equal(testId);
+            })
+            .end(function(err) {
+              if (err) return done(err);
+              // Clean up: delete the profile we just created
+              request(self.app)
+                .delete('/api/profile/' + testId)
+                .set('api-secret', known || '')
+                .expect(200)
+                .end(done);
+            });
         });
     });
 
