From 609ce1d0d319348c92429728e2785af7e81af39f Mon Sep 17 00:00:00 2001 From: user Date: Tue, 10 Mar 2026 17:42:50 -0700 Subject: [PATCH] fix: remove dead DeleteEnvVarsByAppID and add empty-key 400 test - Remove DeleteEnvVarsByAppID() which became dead code after ReplaceEnvVarsByAppID() was introduced (handles deletion internally within its transaction). - Add TestHandleEnvVarSaveEmptyKeyRejected to verify that POSTing a JSON array with an empty key returns 400 Bad Request. Addresses review advisories on PR #158.
---
 internal/handlers/handlers_test.go | 26 ++++++++++++++++++++++++++
 internal/models/env_var.go | 11 -----------
 2 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/internal/handlers/handlers_test.go b/internal/handlers/handlers_test.go
index 54a3631..a7636f0 100644
--- a/internal/handlers/handlers_test.go
+++ b/internal/handlers/handlers_test.go
@@ -638,6 +638,32 @@ func TestHandleEnvVarSaveAppNotFound(t *testing.T) {
 assert.Equal(t, http.StatusNotFound, recorder.Code)
 }
 
+// TestHandleEnvVarSaveEmptyKeyRejected verifies that submitting a JSON
+// array containing an entry with an empty key returns 400.
+func TestHandleEnvVarSaveEmptyKeyRejected(t *testing.T) {
+ t.Parallel()
+
+ testCtx := setupTestHandlers(t)
+ createdApp := createTestApp(t, testCtx, "envvar-emptykey-app")
+
+ body := `[{"key":"VALID_KEY","value":"ok"},{"key":"","value":"bad"}]`
+
+ r := chi.NewRouter()
+ r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
+
+ request := httptest.NewRequest(
+ http.MethodPost,
+ "/apps/"+createdApp.ID+"/env",
+ strings.NewReader(body),
+ )
+ request.Header.Set("Content-Type", "application/json")
+
+ recorder := httptest.NewRecorder()
+ r.ServeHTTP(recorder, request)
+
+ assert.Equal(t, http.StatusBadRequest, recorder.Code)
+}
+
 // TestDeleteLabelOwnershipVerification tests that deleting a label
 // via another app's URL path returns 404 (IDOR prevention).
 func TestDeleteLabelOwnershipVerification(t *testing.T) {
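Review bot: The new test checks only the status code, so it would still pass if the handler stored `VALID_KEY` before rejecting the entry with the empty key. The payload puts a valid pair ahead of the invalid one, which is exactly the case where a partial write could slip through. After `assert.Equal(t, http.StatusBadRequest, recorder.Code)`, read the app's env vars back (for example through `FindEnvVarsByAppID` in `internal/models/env_var.go`, whose full signature is not visible in this patch) and assert that the result is empty. A comment such as `// The valid first entry must not be persisted when a later entry is rejected.` above that assertion would record the intent.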
diff --git a/internal/models/env_var.go b/internal/models/env_var.go
index e800cc8..a6967b9 100644
--- a/internal/models/env_var.go
+++ b/internal/models/env_var.go
@@ -128,17 +128,6 @@ func FindEnvVarsByAppID(
 return envVars, rows.Err()
 }
 
-// DeleteEnvVarsByAppID deletes all env vars for an app.
-func DeleteEnvVarsByAppID(
- ctx context.Context,
- db *database.Database,
- appID string,
-) error {
- _, err := db.Exec(ctx, "DELETE FROM app_env_vars WHERE app_id = ?", appID)
-
- return err
-}
-
 // EnvVarPair is a key-value pair for bulk env var operations.
 type EnvVarPair struct {
 Key string