Reject invalid custom date ranges on /api/stats/admin with HTTP 400
Original task (Task #35): When the admin dashboard's custom range receives a malformed or missing date (e.g. ?range=custom&from=foo), the API silently fell back to the 7-day window instead of returning an error. This masked client bugs and confused admins. Changes: - artifacts/api-server/src/routes/stats.ts: - Refactored the custom-range branch so range=custom now always validates from/to. Returns 400 with a helpful, specific message when: * from or to is missing * from or to is not a valid YYYY-MM-DD UTC date * from is after to (existing behavior, message clarified) - Removed the silent `if (range === "custom") range = "7d"` fallback. - lib/api-spec/openapi.yaml: - Documented the 400 ErrorResponse on getAdminStats so the generated clients know about this failure mode. - Regenerated @workspace/api-client-react and @workspace/api-zod via `pnpm --filter @workspace/api-spec run codegen`. - artifacts/teaboy-os/src/pages/admin.tsx: - Captured `error` from useGetAdminStats (with retry: false) and surface a translated, role="alert" panel beneath the range controls when the API returns an error, including the server's error message. The frontend already guards against client-side invalid input via isCustomValid, so this primarily covers any remaining edge cases (stale querystring, race conditions). - Added admin.dashboard.customRange.loadError translations in en.json and ar.json. Verified with `pnpm -w run typecheck` (passes for libs and all artifacts). Manual curl confirmed the route is wired (auth gate returns 401 first, as expected). Replit-Task-Id: 965134ad-0d07-4cd2-a6ff-f60a50289d90
This commit is contained in:
@@ -139,11 +139,23 @@ router.get("/stats/admin", requireAuth, requireAdmin, async (req, res): Promise<
|
||||
let rangeEndExclusive: Date;
|
||||
let rangeDays: number;
|
||||
|
||||
if (range === "custom" && fromParam && toParam) {
|
||||
if (range === "custom") {
|
||||
if (!fromParam || !toParam) {
|
||||
res.status(400).json({
|
||||
error: "Missing from/to: 'range=custom' requires both 'from' and 'to' as YYYY-MM-DD dates",
|
||||
});
|
||||
return;
|
||||
}
|
||||
const fromDate = parseUtcDate(fromParam);
|
||||
const toDate = parseUtcDate(toParam);
|
||||
if (!fromDate || !toDate || fromDate.getTime() > toDate.getTime()) {
|
||||
res.status(400).json({ error: "Invalid from/to" });
|
||||
if (!fromDate || !toDate) {
|
||||
res.status(400).json({
|
||||
error: "Invalid from/to: expected YYYY-MM-DD dates",
|
||||
});
|
||||
return;
|
||||
}
|
||||
if (fromDate.getTime() > toDate.getTime()) {
|
||||
res.status(400).json({ error: "Invalid from/to: 'from' must be on or before 'to'" });
|
||||
return;
|
||||
}
|
||||
const MAX_DAYS = 366;
|
||||
@@ -156,7 +168,6 @@ router.get("/stats/admin", requireAuth, requireAdmin, async (req, res): Promise<
|
||||
rangeEndExclusive = new Date(toDate.getTime() + DAY_MS);
|
||||
rangeDays = days;
|
||||
} else {
|
||||
if (range === "custom") range = "7d";
|
||||
rangeDays = range === "90d" ? 90 : range === "30d" ? 30 : 7;
|
||||
rangeStart = new Date(startOfTodayUtc.getTime() - (rangeDays - 1) * DAY_MS);
|
||||
rangeEndExclusive = new Date(startOfTodayUtc.getTime() + DAY_MS);
|
||||
|
||||
Reference in New Issue
Block a user