feat(invoice): reject inverted invDate/invDueDate at the schema layer #146
Merged
`createInvoiceBody` and `updateInvoiceBody` accepted any combination of `invDate` and `invDueDate` strings. There was no check that the due date was on or after the issue date, so an operator could persist an invoice that was "due" before it was issued — bookkeeping nonsense the controller had no recourse to reject.

Same shape as the timeentry `teEndedAt >= teStartedAt` refinement from #130: add a zod `.refine()` that fires on both the single- and bulk-create paths, and on PATCH when both bounds appear in the same body. Equality stays allowed — `Due on Receipt` is a real billing term.

String comparison is safe here because `isoDate` is the strict `^\d{4}-\d{2}-\d{2}$` regex above; lexicographic order on that shape matches chronological order for every valid input. No need to parse to Date objects (timeentry uses `new Date()` because `isoDatetime` has timezone offsets in play; isoDate does not).

The bulk-create path inherits the refinement automatically because `bulkInvoiceBody` wraps `createInvoiceBody` in `z.array(...)` and zod runs each element's refinements during array validation — so an attacker can't bypass the check by wrapping the bad entry in a bulk envelope.

Single-bound PATCH (only invDueDate or only invDate) is intentionally NOT rejected — the schema doesn't see the existing row's other half. That's a controller-layer follow-up.

Five new tests cover: inverted single CREATE → 400, equality CREATE → schema-pass, inverted both-bound PATCH → 400, single-bound PATCH → schema-pass, inverted bulk entry → 400 (with the `invoices.0.invDueDate` issue path).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes #145.
Summary
`createInvoiceBody` and `updateInvoiceBody` accepted any combination of `invDate` and `invDueDate` strings without a cross-field check. An invoice could be persisted with the due date BEFORE the issue date — bookkeeping nonsense the controller had no recourse to reject. Same shape as #129/#130 for timeentry.

Add a zod `.refine()` cross-field check that fires on both single and PATCH paths. Equality stays allowed (Due on Receipt is a real term). The bulk-create path inherits the refinement automatically via `z.array(createInvoiceBody)` — an attacker can't bypass it by wrapping the bad entry in a bulk envelope.

String comparison is safe because `isoDate` is the strict `^\d{4}-\d{2}-\d{2}$` regex — lexicographic order matches chronological order for any valid input.

Single-bound PATCH (only `invDueDate` or only `invDate`) is intentionally not rejected — the schema can't see the row's other half. Controller-layer enforcement is a follow-up.

Test plan
- `npm run lint` — clean
- `npm test` — 520 passed (was 515 + 5 new), 15 skipped
- `invoices.0.invDueDate` issue path)

Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/
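The schema-layer rule and the controller-layer follow-up described in this pull request, written as an added example in plain JavaScript without zod. It is not the project's code: `checkInvoiceDates`, `checkBulk`, `checkPatchAgainstRow` and the sample rows are hypothetical, and the stored row is assumed to hold both dates.

```javascript
// Added illustration: function names and sample rows are hypothetical.
const ISO_DATE = /^\d{4}-\d{2}-\d{2}$/; // the strict isoDate shape quoted in the PR

// Schema-layer rule: the ordering check fires only when both bounds are present.
function checkInvoiceDates(body, path = []) {
  const issues = [];
  for (const key of ['invDate', 'invDueDate']) {
    const value = body[key];
    if (value !== undefined && (typeof value !== 'string' || !ISO_DATE.test(value))) {
      issues.push({ path: [...path, key].join('.'), message: 'expected YYYY-MM-DD' });
    }
  }
  // Compare only after both strings passed the fixed-width shape check;
  // without it, lexicographic order says nothing about chronological order.
  const both = body.invDate !== undefined && body.invDueDate !== undefined;
  if (issues.length === 0 && both && body.invDueDate < body.invDate) {
    issues.push({
      path: [...path, 'invDueDate'].join('.'),
      message: 'invDueDate must be on or after invDate',
    });
  }
  return issues;
}

// Bulk envelope: every element is checked and issue paths carry the index.
function checkBulk(envelope) {
  return envelope.invoices.flatMap((inv, i) => checkInvoiceDates(inv, ['invoices', i]));
}

// Controller-layer follow-up: overlay the PATCH on the stored row so a
// single-bound PATCH is compared against the half the schema cannot see.
// Assumes the stored row always holds both dates.
function checkPatchAgainstRow(storedRow, patch) {
  const issues = checkInvoiceDates(patch);
  if (issues.length > 0) return issues;
  return checkInvoiceDates({
    invDate: patch.invDate ?? storedRow.invDate,
    invDueDate: patch.invDueDate ?? storedRow.invDueDate,
  });
}

// Constructed sample data.
const storedRow = { invDate: '2024-03-10', invDueDate: '2024-04-09' };
const lateDue = { invDueDate: '2024-03-01' };
console.log(checkInvoiceDates(lateDue));               // schema layer alone: no issues
console.log(checkPatchAgainstRow(storedRow, lateDue)); // merged with the row: rejected
console.log(checkBulk({ invoices: [{ invDate: '2024-03-10', invDueDate: '2024-03-01' }] }));
```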