Ensure CreateMessageDto['safeAppId'] is an integer (safe-global#1553)

Increases the strictness of message creation validation to only allow `null`, `0` or positive integers:

- Increase strictness of `CreateMessageDtoSchema['safeAppId']` and add appropriate test coverage
- Mirror strictness in `createMessageDtoBuilder`

Author: Aaron Cook

src/routes/messages/entities/__tests__/create-message.dto.builder.ts

@@ -5,6 +5,6 @@ import { CreateMessageDto } from '@/routes/messages/entities/create-message.dto.
 export function createMessageDtoBuilder(): IBuilder<CreateMessageDto> {
   return new Builder<CreateMessageDto>()
     .with('message', faker.word.words({ count: { min: 1, max: 5 } }))
-    .with('safeAppId', faker.number.int())
+    .with('safeAppId', faker.number.int({ min: 0 }))
     .with('signature', faker.string.hexadecimal({ length: 32 }));
 }

src/routes/messages/entities/schemas/__tests__/create-message.dto.schema.spec.ts

@@ -5,98 +5,167 @@ import { faker } from '@faker-js/faker';
 import { ZodError } from 'zod';
 
 describe('CreateMessageDtoSchema', () => {
-  it('should validate a valid record message', () => {
-    const createMessageDto = createMessageDtoBuilder()
-      .with('message', JSON.parse(fakeJson()))
-      .build();
+  describe('message', () => {
+    it('should validate a valid record message', () => {
+      const createMessageDto = createMessageDtoBuilder()
+        .with('message', JSON.parse(fakeJson()))
+        .build();
 
-    const result = CreateMessageDtoSchema.safeParse(createMessageDto);
+      const result = CreateMessageDtoSchema.safeParse(createMessageDto);
 
-    expect(result.success).toBe(true);
-  });
+      expect(result.success).toBe(true);
+    });
 
-  it('should validate a valid string message', () => {
-    const createMessageDto = createMessageDtoBuilder()
-      .with('message', faker.word.words())
-      .build();
+    it('should validate a valid string message', () => {
+      const createMessageDto = createMessageDtoBuilder()
+        .with('message', faker.word.words())
+        .build();
 
-    const result = CreateMessageDtoSchema.safeParse(createMessageDto);
+      const result = CreateMessageDtoSchema.safeParse(createMessageDto);
 
-    expect(result.success).toBe(true);
-  });
+      expect(result.success).toBe(true);
+    });
 
-  it('should allow optional safeAppId, defaulting to null', () => {
-    const createMessageDto = createMessageDtoBuilder().build();
-    // @ts-expect-error - inferred type doesn't allow optional properties
-    delete createMessageDto.safeAppId;
+    it('should not validate without a message', () => {
+      const createMessageDto = createMessageDtoBuilder().build();
+      // @ts-expect-error - inferred type doesn't allow optional properties
+      delete createMessageDto.message;
 
-    const result = CreateMessageDtoSchema.safeParse(createMessageDto);
+      const result = CreateMessageDtoSchema.safeParse(createMessageDto);
 
-    expect(result.success && result.data.safeAppId).toBe(null);
+      expect(!result.success && result.error).toStrictEqual(
+        new ZodError([
+          {
+            code: 'invalid_union',
+            unionErrors: [
+              // @ts-expect-error - inferred type doesn't allow optional properties
+              {
+                issues: [
+                  {
+                    code: 'invalid_type',
+                    expected: 'object',
+                    received: 'undefined',
+                    path: ['message'],
+                    message: 'Required',
+                  },
+                ],
+                name: 'ZodError',
+              },
+              // @ts-expect-error - inferred type doesn't allow optional properties
+              {
+                issues: [
+                  {
+                    code: 'invalid_type',
+                    expected: 'string',
+                    received: 'undefined',
+                    path: ['message'],
+                    message: 'Required',
+                  },
+                ],
+                name: 'ZodError',
+              },
+            ],
+            path: ['message'],
+            message: 'Invalid input',
+          },
+        ]),
+      );
+    });
   });
 
-  it('should not validated without a message', () => {
-    const createMessageDto = createMessageDtoBuilder().build();
-    // @ts-expect-error - inferred type doesn't allow optional properties
-    delete createMessageDto.message;
-
-    const result = CreateMessageDtoSchema.safeParse(createMessageDto);
-
-    expect(!result.success && result.error).toStrictEqual(
-      new ZodError([
-        {
-          code: 'invalid_union',
-          unionErrors: [
-            // @ts-expect-error - inferred type doesn't allow optional properties
-            {
-              issues: [
-                {
-                  code: 'invalid_type',
-                  expected: 'object',
-                  received: 'undefined',
-                  path: ['message'],
-                  message: 'Required',
-                },
-              ],
-              name: 'ZodError',
-            },
-            // @ts-expect-error - inferred type doesn't allow optional properties
-            {
-              issues: [
-                {
-                  code: 'invalid_type',
-                  expected: 'string',
-                  received: 'undefined',
-                  path: ['message'],
-                  message: 'Required',
-                },
-              ],
-              name: 'ZodError',
-            },
-          ],
-          path: ['message'],
-          message: 'Invalid input',
-        },
-      ]),
-    );
+  describe('safeAppId', () => {
+    it('should validate a safeAppId of 0', () => {
+      const createMessageDto = createMessageDtoBuilder()
+        .with('safeAppId', 0)
+        .build();
+
+      const result = CreateMessageDtoSchema.safeParse(createMessageDto);
+
+      expect(result.success).toBe(true);
+    });
+
+    it('should validate a positive integer safeAppId', () => {
+      const createMessageDto = createMessageDtoBuilder()
+        .with('safeAppId', faker.number.int({ min: 1 }))
+        .build();
+
+      const result = CreateMessageDtoSchema.safeParse(createMessageDto);
+
+      expect(result.success).toBe(true);
+    });
+
+    it('should not validate a negative safeAppId', () => {
+      const createMessageDto = createMessageDtoBuilder()
+        .with('safeAppId', -1)
+        .build();
+
+      const result = CreateMessageDtoSchema.safeParse(createMessageDto);
+
+      expect(!result.success && result.error).toStrictEqual(
+        new ZodError([
+          {
+            code: 'too_small',
+            minimum: 0,
+            type: 'number',
+            inclusive: true,
+            exact: false,
+            message: 'Number must be greater than or equal to 0',
+            path: ['safeAppId'],
+          },
+        ]),
+      );
+    });
+
+    it('should not validate a float safeAppId', () => {
+      const createMessageDto = createMessageDtoBuilder()
+        .with('safeAppId', faker.number.float())
+        .build();
+
+      const result = CreateMessageDtoSchema.safeParse(createMessageDto);
+
+      expect(!result.success && result.error).toStrictEqual(
+        new ZodError([
+          {
+            code: 'invalid_type',
+            expected: 'integer',
+            received: 'float',
+            message: 'Expected integer, received float',
+            path: ['safeAppId'],
+          },
+        ]),
+      );
+    });
+
+    it('should validate without safeAppId, defaulting to null', () => {
+      const createMessageDto = createMessageDtoBuilder().build();
+      // @ts-expect-error - inferred type doesn't allow optional properties
+      delete createMessageDto.safeAppId;
+
+      const result = CreateMessageDtoSchema.safeParse(createMessageDto);
+
+      expect(result.success && result.data.safeAppId).toBe(null);
+    });
   });
-  it('should not validated without a signature', () => {
-    const createMessageDto = createMessageDtoBuilder().build();
-    // @ts-expect-error - inferred type doesn't allow optional properties
-    delete createMessageDto.signature;
-
-    const result = CreateMessageDtoSchema.safeParse(createMessageDto);
-
-    expect(!result.success && result.error).toStrictEqual(
-      new ZodError([
-        {
-          code: 'invalid_type',
-          expected: 'string',
-          received: 'undefined',
-          path: ['signature'],
-          message: 'Required',
-        },
-      ]),
-    );
+
+  describe('signature', () => {
+    it('should not validate without a signature', () => {
+      const createMessageDto = createMessageDtoBuilder().build();
+      // @ts-expect-error - inferred type doesn't allow optional properties
+      delete createMessageDto.signature;
+
+      const result = CreateMessageDtoSchema.safeParse(createMessageDto);
+
+      expect(!result.success && result.error).toStrictEqual(
+        new ZodError([
+          {
+            code: 'invalid_type',
+            expected: 'string',
+            received: 'undefined',
+            path: ['signature'],
+            message: 'Required',
+          },
+        ]),
+      );
+    });
   });
 });

src/routes/messages/entities/schemas/create-message.dto.schema.ts

@@ -2,6 +2,6 @@ import { z } from 'zod';
 
 export const CreateMessageDtoSchema = z.object({
   message: z.union([z.record(z.unknown()), z.string()]),
-  safeAppId: z.number().nullish().default(null),
+  safeAppId: z.number().int().gte(0).nullish().default(null),
   signature: z.string(),
 });