Reject invalid custom date ranges on /api/stats/admin with HTTP 400

Original task (Task #35): When the admin dashboard's custom range
receives a malformed or missing date (e.g. ?range=custom&from=foo),
the API silently fell back to the 7-day window instead of returning
an error. This masked client bugs and confused admins.

Changes:
- artifacts/api-server/src/routes/stats.ts:
  - Refactored the custom-range branch so range=custom now always
    validates from/to. Returns 400 with a helpful, specific message
    when:
      * from or to is missing
      * from or to is not a valid YYYY-MM-DD UTC date
      * from is after to (existing behavior, message clarified)
  - Removed the silent `if (range === "custom") range = "7d"` fallback.
- lib/api-spec/openapi.yaml:
  - Documented the 400 ErrorResponse on getAdminStats so the generated
    clients know about this failure mode.
- Regenerated @workspace/api-client-react and @workspace/api-zod via
  `pnpm --filter @workspace/api-spec run codegen`.
- artifacts/teaboy-os/src/pages/admin.tsx:
  - Captured `error` from useGetAdminStats (with retry: false) and
    surface a translated, role="alert" panel beneath the range
    controls when the API returns an error, including the server's
    error message. The frontend already guards against client-side
    invalid input via isCustomValid, so this primarily covers any
    remaining edge cases (stale querystring, race conditions).
- Added admin.dashboard.customRange.loadError translations in
  en.json and ar.json.

Verified with `pnpm -w run typecheck` (passes for libs and all
artifacts). Manual curl confirmed the route is wired (auth gate
returns 401 first, as expected).

Replit-Task-Id: 965134ad-0d07-4cd2-a6ff-f60a50289d90
This commit is contained in:
riyadhafraa
2026-04-21 09:01:03 +00:00
parent 1e6713f531
commit 36f2872dcd
6 changed files with 50 additions and 11 deletions
+15 -4
View File
@@ -139,11 +139,23 @@ router.get("/stats/admin", requireAuth, requireAdmin, async (req, res): Promise<
let rangeEndExclusive: Date;
let rangeDays: number;
if (range === "custom" && fromParam && toParam) {
if (range === "custom") {
if (!fromParam || !toParam) {
res.status(400).json({
error: "Missing from/to: 'range=custom' requires both 'from' and 'to' as YYYY-MM-DD dates",
});
return;
}
const fromDate = parseUtcDate(fromParam);
const toDate = parseUtcDate(toParam);
if (!fromDate || !toDate || fromDate.getTime() > toDate.getTime()) {
res.status(400).json({ error: "Invalid from/to" });
if (!fromDate || !toDate) {
res.status(400).json({
error: "Invalid from/to: expected YYYY-MM-DD dates",
});
return;
}
if (fromDate.getTime() > toDate.getTime()) {
res.status(400).json({ error: "Invalid from/to: 'from' must be on or before 'to'" });
return;
}
const MAX_DAYS = 366;
@@ -156,7 +168,6 @@ router.get("/stats/admin", requireAuth, requireAdmin, async (req, res): Promise<
rangeEndExclusive = new Date(toDate.getTime() + DAY_MS);
rangeDays = days;
} else {
if (range === "custom") range = "7d";
rangeDays = range === "90d" ? 90 : range === "30d" ? 30 : 7;
rangeStart = new Date(startOfTodayUtc.getTime() - (rangeDays - 1) * DAY_MS);
rangeEndExclusive = new Date(startOfTodayUtc.getTime() + DAY_MS);