feat: add zod validation to internal and external endpoints #612
Open
ECWireless wants to merge 6 commits into main from
… (#521)

* feat: add account-balance zod validation
* feat: add ens name validation
* feat: add score and pending stake validation
* feat: add ens-data image validation
* feat: add ens-data index validation
* feat: add pipelines validation
* feat: add regions validation
* feat: add treasury proposal state validation
* feat: add proposal vote by address validation
* feat: add treasury votes validation
* feat: add score validation
* feat: add changefeed validation
* feat: add contract validation
* feat: add current-round validation
* feat: add generateProof validation
* feat: add totalTokenSupply validation
* feat: add upload ipfs validation
* refactor: refactor usage validation
* feat: add external validation for ens image
* refactor: refactor ens schema
* feat: add external checks for score endpoint
* fix: add guard for projectBySlugs
* refactor: refactor schemas
* feat: add defense checks to usage endpoint
* feat: add getEnsForAddress validation

---------

Co-authored-by: ECWireless <40322776+ECWireless@users.noreply.github.com>
Pull request overview
This PR introduces centralized Zod schemas and validation helpers, then applies them across multiple Next.js API routes to harden user-input handling and upstream-response parsing.
Changes:
- Added reusable Zod schema modules under `lib/api/schemas/*` plus shared validation helpers in `lib/api/errors.ts`.
- Updated a broad set of API routes to validate request inputs, external API responses, and/or endpoint outputs before returning JSON.
- Added a new `/api/totalTokenSupply` endpoint backed by a subgraph query with response validation.
Reviewed changes
Copilot reviewed 37 out of 38 changed files in this pull request and generated 12 comments.
| File | Description |
|---|---|
| pages/api/usage.tsx | Uses centralized usage schemas and validates output; adds guardrails for insufficient data. |
| pages/api/upload-ipfs.tsx | Validates POST body and Pinata response; validates output shape. |
| pages/api/treasury/votes/[address]/registered.tsx | Validates address input and response output for registered-to-vote. |
| pages/api/treasury/votes/[address]/index.tsx | Validates address input and voting power output. |
| pages/api/treasury/proposal/[proposalId]/votes/[address].tsx | Validates proposalId/address inputs and voting-power output. |
| pages/api/treasury/proposal/[proposalId]/state.tsx | Validates proposalId input and proposal-state output. |
| pages/api/totalTokenSupply.tsx | New endpoint querying subgraph totalSupply with schema validation. |
| pages/api/score/index.tsx | Validates query params and upstream responses; adds output validation. |
| pages/api/score/[address].tsx | Validates address input, upstream responses, and performance-metrics output. |
| pages/api/regions/index.ts | Validates upstream regions payloads and validates merged output. |
| pages/api/pipelines/index.tsx | Validates region query param and upstream pipelines payload. |
| pages/api/pending-stake/[address].tsx | Validates address input and pending-stake output. |
| pages/api/l1-delegator/[address].tsx | Validates address input and L1 delegator output. |
| pages/api/generateProof.tsx | Validates POST body and proof output. |
| pages/api/ens-data/index.tsx | Validates subgraph response + addresses and validates ENS identities output. |
| pages/api/ens-data/image/[name].tsx | Validates ENS name and avatar result; adds URL validation before fetch. |
| pages/api/ens-data/[address].tsx | Validates address input (including blacklist) and ENS identity output. |
| pages/api/current-round.tsx | Validates subgraph result and current-round output. |
| pages/api/contracts.tsx | Validates contracts-info output shape. |
| pages/api/changefeed.tsx | Validates GraphQL envelope and changefeed response output. |
| pages/api/account-balance/[address].tsx | Validates address input and account-balance output. |
| lib/api/schemas/usage.ts | New Zod schemas for /api/usage input/output structures. |
| lib/api/schemas/upload-ipfs.ts | New Zod schemas for IPFS upload input + Pinata response + output. |
| lib/api/schemas/treasury.ts | New Zod schemas for treasury proposal/voting responses. |
| lib/api/schemas/total-token-supply.ts | New Zod schemas for total supply subgraph response and output. |
| lib/api/schemas/subgraph.ts | New Zod schemas for common subgraph envelopes and specific queries. |
| lib/api/schemas/staking.ts | New Zod schemas for staking-related endpoint outputs. |
| lib/api/schemas/performance.ts | New Zod schemas for metrics/score-related endpoints. |
| lib/api/schemas/index.ts | Central barrel export for the new schema modules. |
| lib/api/schemas/generate-proof.ts | New Zod schemas for generateProof input/output. |
| lib/api/schemas/ens.ts | New Zod schemas for ENS identity/name/address and provider responses. |
| lib/api/schemas/current-round.ts | New Zod schema for current-round endpoint output. |
| lib/api/schemas/contracts.ts | New Zod schema for contracts endpoint output. |
| lib/api/schemas/common.ts | New shared primitives (Address, URL, handles, regions, etc.). |
| lib/api/schemas/changefeed.ts | New Zod schemas for changefeed GraphQL/envelope response validation. |
| lib/api/errors.ts | Adds validateInput, validateOutput, validateExternalResponse helpers. |
| lib/api/ens.ts | Validates ENS resolver/provider results with graceful fallbacks. |
| .gitignore | Ignores *.tsbuildinfo. |
See #521 for all details. Original PR created by @Roaring30s.