diff --git a/src/makeline-service/go.mod b/src/makeline-service/go.mod
index 4ff38fed..43f78e68 100644
--- a/src/makeline-service/go.mod
+++ b/src/makeline-service/go.mod
@@ -21,7 +21,7 @@ require (
  github.com/gin-contrib/sse v0.1.0 // indirect
  github.com/go-playground/locales v0.14.1 // indirect
  github.com/go-playground/universal-translator v0.18.1 // indirect
- github.com/go-playground/validator/v10 v10.14.0 // indirect
+ github.com/go-playground/validator/v10 v10.16.0 // indirect
  github.com/goccy/go-json v0.10.2 // indirect
  github.com/gofrs/uuid/v5 v5.0.0 // indirect
  github.com/golang/snappy v0.0.1 // indirect
diff --git a/src/makeline-service/go.sum b/src/makeline-service/go.sum
index 3927435b..f9ea26b1 100644
--- a/src/makeline-service/go.sum
+++ b/src/makeline-service/go.sum
@@ -47,6 +47,8 @@ github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91
 github.com/go-playground/validator/v10 v10.10.0/go.mod h1:74x4gJWsvQexRdW8Pn3dXSGrTK4nAUsbPlLADvpJkos=
 github.com/go-playground/validator/v10 v10.14.0 h1:vgvQWe3XCz3gIeFDm/HnTIbj6UGmg/+t63MyGU2n5js=
 github.com/go-playground/validator/v10 v10.14.0/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU=
+github.com/go-playground/validator/v10 v10.16.0 h1:x+plE831WK4vaKHO/jpgUGsvLKIqRRkz6M78GuJAfGE=
+github.com/go-playground/validator/v10 v10.16.0/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU=
 github.com/goccy/go-json v0.9.7/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
 github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
diff --git a/src/makeline-service/main.go b/src/makeline-service/main.go
index 74271739..418c7758 100644
--- a/src/makeline-service/main.go
+++ b/src/makeline-service/main.go
@@ -4,11 +4,15 @@ import (
  "log"
  "net/http"
  "os"
+ "strconv"

  "github.com/gin-contrib/cors"
  "github.com/gin-gonic/gin"
+ "github.com/go-playground/validator/v10"
 )

+var validate *validator.Validate
+
 // Valid database API types
 const (
  AZURE_COSMOS_DB_SQL_API = "cosmosdbsql"
@@ -101,7 +105,23 @@ func getOrder(c *gin.Context) {
  return
  }

- order, err := client.repo.GetOrder(c.Param("id"))
+ err := validate.Var(c.Param("id"), "required,numeric")
+ if err != nil {
+ log.Printf("Failed to validate order id: %s", err)
+ c.AbortWithStatus(http.StatusBadRequest)
+ return
+ }
+
+ id, err := strconv.Atoi(c.Param("id"))
+ if err != nil {
+ log.Printf("Failed to convert order id to int: %s", err)
+ c.AbortWithStatus(http.StatusBadRequest)
+ return
+ }
+
+ orderId := strconv.FormatInt(int64(id), 10)
+
+ order, err := client.repo.GetOrder(orderId)
  if err != nil {
  log.Printf("Failed to get order from database: %s", err)
  c.AbortWithStatus(http.StatusInternalServerError)
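Review bot: `validate` is declared as a package-level `*validator.Validate` but nothing in this diff assigns it; unless main() (outside these hunks) calls `validator.New()` before the router starts serving, the first `validate.Var` or `validate.Struct` call in the handlers dereferences a nil pointer and panics. Initializing at the declaration, `var validate = validator.New()`, removes the start-up ordering dependency and makes the handlers callable from tests without extra setup. A short comment on the declaration, `// validate is the validator instance shared by all handlers`, would also explain why it is a package global rather than a per-handler value.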
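Review bot: The `numeric` check followed by `strconv.Atoi` and `strconv.FormatInt` in getOrder silently rewrites the id before the lookup — "007" becomes "7", "+5" becomes "5", and negative values pass — so a stored orderid that is not in canonical decimal form is never found, and the `validate.Var` call is redundant because `Atoi` already rejects non-numeric input. If the intent is a digits-only id, one check that does not alter the value does the job: `if _, err := strconv.ParseUint(c.Param("id"), 10, 64); err != nil { c.AbortWithStatus(http.StatusBadRequest); return }` and then pass the original `c.Param("id")` to `GetOrder`; ParseUint also rejects the sign and decimal forms that `numeric` lets through. Separately, every error from `GetOrder` is mapped to 500 on the lines after the hunk, so a missing order is reported as a server fault rather than 404; the repository does not expose a not-found error in this diff, but adding one would keep the status codes honest. Go naming would spell the local `orderID`. getOrder begins before this hunk and its body continues after it.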
@@ -128,7 +148,37 @@ func updateOrder(c *gin.Context) {
  return
  }

- err := client.repo.UpdateOrder(order)
+ err := validate.Struct(order)
+ validationErrors := err.(validator.ValidationErrors)
+ if err != nil {
+ log.Printf("Failed to validate order: %s", validationErrors)
+ c.AbortWithStatus(http.StatusBadRequest)
+ return
+ }
+ err = validate.Var(order.OrderID, "required,numeric")
+ if err != nil {
+ log.Printf("Failed to validate order id: %s", err)
+ c.AbortWithStatus(http.StatusBadRequest)
+ return
+ }
+
+ id, err := strconv.Atoi(c.Param("id"))
+ if err != nil {
+ log.Printf("Failed to convert order id to int: %s", err)
+ c.AbortWithStatus(http.StatusBadRequest)
+ return
+ }
+
+ sanitizedOrderId := strconv.FormatInt(int64(id), 10)
+
+ sanitizedOrder := Order{
+ OrderID: sanitizedOrderId,
+ CustomerID: order.CustomerID,
+ Items: order.Items,
+ Status: order.Status,
+ }
+
+ err = client.repo.UpdateOrder(sanitizedOrder)
  if err != nil {
  log.Printf("Failed to update order status: %s", err)
  c.AbortWithStatus(http.StatusInternalServerError)
diff --git a/src/makeline-service/mongodb.go b/src/makeline-service/mongodb.go
index 0f2f8cfc..8bc8f439 100644
--- a/src/makeline-service/mongodb.go
+++ b/src/makeline-service/mongodb.go
@@ -86,7 +86,10 @@ func (r *MongoDBOrderRepo) GetPendingOrders() ([]Order, error) {
 func (r *MongoDBOrderRepo) GetOrder(id string) (Order, error) {
  var ctx = context.TODO()

- singleResult := r.db.FindOne(ctx, bson.M{"orderid": id})
+ filter := bson.D{{Key: "orderid", Value: bson.D{{Key: "$eq", Value: id}}}}
+
+ singleResult := r.db.FindOne(ctx, filter)
+
  var order Order
  err := singleResult.Decode(&order)
  if err != nil {
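Review bot: `validationErrors := err.(validator.ValidationErrors)` runs before `err` is checked, so for every valid order `err` is nil and the type assertion on a nil interface panics (it also panics when `validate.Struct` returns an `*validator.InvalidValidationError`), meaning the handler never reaches `UpdateOrder` for good input. Drop that line and log `err` directly, which already renders the per-field messages: `log.Printf("Failed to validate order: %s", err)`; use `errors.As` only if the typed error is actually needed. The new code also validates `order.OrderID` from the request body but then reads `c.Param("id")` from the path for the update without checking that the two agree: if the update route carries no `:id` parameter (the route table is not in this diff) the param is empty, `Atoi` fails and every update returns 400, and if it does carry one, a body whose OrderID differs from the path id is silently applied to the path id. Either use one source consistently or reject a mismatch up front with `if order.OrderID != c.Param("id") { c.AbortWithStatus(http.StatusBadRequest); return }`. updateOrder begins before this hunk (the body decode) and ends after it.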
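Review bot: Wrapping the value in `$eq` changes nothing for a Go `string` argument — the driver encodes it as a BSON string, so the previous `bson.M{"orderid": id}` form could not be reinterpreted as an operator document either; the explicit form is fine as a statement of intent but deserves a comment so the next reader does not conclude the old code was injectable, e.g. `// id is a plain string; $eq is spelled out so the filter reads as a value match, not an operator`. If `r.db` is a `*mongo.Collection` as it appears to be, the `Decode` call a few lines later returns `mongo.ErrNoDocuments` when no order matches, and the caller in this same commit maps every error to 500; checking `errors.Is(err, mongo.ErrNoDocuments)` here and returning a distinguishable not-found error would let the handler answer 404. `context.TODO()` also means a slow query outlives a disconnected client; threading the request context through the repository interface is a larger change that is worth a `// TODO` on this line. GetOrder's body continues past the end of the hunk.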
@@ -123,12 +126,13 @@ func (r *MongoDBOrderRepo) InsertOrders(orders []Order) error {
 func (r *MongoDBOrderRepo) UpdateOrder(order Order) error {
  var ctx = context.TODO()

- log.Printf("Updating order: %v", order)
+ filter := bson.D{{Key: "orderid", Value: bson.D{{Key: "$eq", Value: order.OrderID}}}}

  // Update the order
+ log.Printf("Updating order: %v", order)
  updateResult, err := r.db.UpdateMany(
  ctx,
- bson.M{"orderid": order.OrderID},
+ filter,
  bson.D{
  {Key: "$set", Value: bson.D{{Key: "status", Value: order.Status}}},
  },
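Review bot: `log.Printf("Updating order: %v", order)` — kept and only moved in this hunk — writes the whole Order, including `CustomerID` and the `Items` list, to the service log on every update, which copies customer data into log storage that usually has looser access controls and longer retention than the database. Logging just the identifier and the field being changed, `log.Printf("Updating order %s: status=%s", order.OrderID, order.Status)`, keeps the line useful for operations without the payload. As on the read path, the `$eq` wrapper is equivalent to the previous `bson.M` filter for a string value, so it is intent rather than a fix; `UpdateMany` is also worth a second look if orderid is meant to be unique (the schema is not in this diff), since `UpdateOne` states that expectation and `MatchedCount` on the result, handled after the hunk, can turn a miss into a not-found error instead of a silent no-op. UpdateOrder continues past the end of the hunk.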