use zod schemes for validation

src/routes/admin/admin/+server.ts

@@ -2,64 +2,47 @@ import type { RequestHandler } from '@sveltejs/kit';
 import { Permissions } from '$lib/permissions';
 import { deleteAllUserSessions, getSession, updateAllUserSessions } from '$lib/server/session';
 import { Admin } from '$lib/server/database';
+import { AdminDeleteSchema, AdminEditSchema, AdminListSchema } from './schema';
 
 export const POST = (async ({ request, cookies }) => {
 	if (getSession(cookies, { permissions: [Permissions.AdminWrite] }) == null) {
-		return new Response(null, {
+		return new Response(null, { status: 401 });
-			status: 401
-		});
 	}
 
-	const data = await request.json();
+	const parseResult = await AdminListSchema.safeParseAsync(await request.json());
-	const username = data['username'] as string | null;
+	if (!parseResult.success) return new Response(null, { status: 400 });
-	const password = data['password'] as string | null;
+	const data = parseResult.data;
-	const permissions = data['permissions'] as number | null;
 
-	if (username == null || password == null || permissions == null) {
+	if (data.username == null || data.password == null || data.permissions == null) {
-		return new Response(null, {
+		return new Response(null, { status: 400 });
-			status: 400
-		});
 	}
 
 	const admin = await Admin.create({
-		username: username,
+		username: data.username,
-		password: password,
+		password: data.password,
-		permissions: new Permissions(permissions)
+		permissions: new Permissions(data.permissions)
 	});
 
 	delete admin.dataValues.password;
 
-	return new Response(JSON.stringify(admin), {
+	return new Response(JSON.stringify(admin), { status: 201 });
-		status: 201
-	});
 }) satisfies RequestHandler;
 
 export const PATCH = (async ({ request, cookies }) => {
 	if (getSession(cookies, { permissions: [Permissions.AdminWrite] }) == null) {
-		return new Response(null, {
+		return new Response(null, { status: 401 });
-			status: 401
-		});
 	}
 
-	const data = await request.json();
+	const parseResult = await AdminEditSchema.safeParseAsync(await request.json());
-	const id = data['id'] as string | null;
+	if (!parseResult.success) return new Response(null, { status: 400 });
+	const data = parseResult.data;
 
-	if (id == null) {
+	const user = await Admin.findOne({ where: { id: data.id } });
-		return new Response(null, {
+	if (!user) return new Response(null, { status: 400 });
-			status: 400
-		});
-	}
 
-	const user = await Admin.findOne({ where: { id: id } });
+	if (data.username) user.username = data.username;
-	if (!user) {
+	if (data.password) user.password = data.password;
-		return new Response(null, {
+	if (data.permissions) user.permissions = new Permissions(data.permissions);
-			status: 400
-		});
-	}
-
-	if (data['username']) user.username = data['username'];
-	if (data['password']) user.password = data['password'];
-	if (data['permissions']) user.permissions = new Permissions(data['permissions']);
 	await user.save();
 
 	updateAllUserSessions(user.id, { permissions: user.permissions });
@@ -69,22 +52,15 @@ export const PATCH = (async ({ request, cookies }) => {
 
 export const DELETE = (async ({ request, cookies }) => {
 	if (getSession(cookies, { permissions: [Permissions.AdminWrite] }) == null) {
-		return new Response(null, {
+		return new Response(null, { status: 401 });
-			status: 401
-		});
 	}
 
-	const data = await request.json();
+	const parseResult = await AdminDeleteSchema.safeParseAsync(await request.json());
-	const id = data['id'] as number | null;
+	if (!parseResult.success) return new Response(null, { status: 400 });
+	const data = parseResult.data;
 
-	if (id == null) {
+	await Admin.destroy({ where: { id: data.id } });
-		return new Response(null, {
+	deleteAllUserSessions(data.id);
-			status: 400
-		});
-	}
-
-	await Admin.destroy({ where: { id: id } });
-	deleteAllUserSessions(id);
 
 	return new Response();
 }) satisfies RequestHandler;

src/routes/admin/admin/schema.ts

@@ -0,0 +1,19 @@
+import { z } from 'zod';
+
+export const AdminListSchema = z.object({
+	username: z.string(),
+	password: z.string(),
+	permissions: z.number()
+});
+
+export const AdminEditSchema = z.object({
+	id: z.number(),
+
+	username: z.string().nullish(),
+	password: z.string().nullish(),
+	permissions: z.number().nullish()
+});
+
+export const AdminDeleteSchema = z.object({
+	id: z.number()
+});

src/routes/admin/login/+server.ts

@@ -4,23 +4,20 @@ import { env as publicEnv } from '$env/dynamic/public';
 import { env } from '$env/dynamic/private';
 import { addSession, sessionCookieName } from '$lib/server/session';
 import { Permissions } from '$lib/permissions';
+import { LoginSchema } from './schema';
 
 export const POST = (async ({ request, cookies }) => {
-	const data = await request.formData();
+	const parseResult = await LoginSchema.safeParseAsync(await request.json());
-	const username = data.get('username') as string | null;
+	if (!parseResult.success) {
-	const password = data.get('password') as string | null;
+		return new Response(null, { status: 400 });
-
-	if (username == null || password == null) {
-		return new Response(null, {
-			status: 401
-		});
 	}
+	const data = parseResult.data;
 
 	if (
 		env.ADMIN_USER &&
 		env.ADMIN_PASSWORD &&
-		username == env.ADMIN_USER &&
+		data.username == env.ADMIN_USER &&
-		password == env.ADMIN_PASSWORD
+		data.password == env.ADMIN_PASSWORD
 	) {
 		cookies.set(
 			sessionCookieName,
@@ -35,8 +32,8 @@ export const POST = (async ({ request, cookies }) => {
 		return new Response();
 	}
 
-	const user = await Admin.findOne({ where: { username: username } });
+	const user = await Admin.findOne({ where: { username: data.username } });
-	if (user && user.validatePassword(password)) {
+	if (user && user.validatePassword(data.password)) {
 		cookies.set(sessionCookieName, addSession(user), {
 			path: `${publicEnv.PUBLIC_BASE_PATH}/admin`,
 			maxAge: 60 * 60 * 24 * 90,
@@ -45,7 +42,7 @@ export const POST = (async ({ request, cookies }) => {
 		});
 		return new Response();
 	} else {
-		console.log(`failed login attempt for user ${username}`);
+		console.log(`failed login attempt for user ${data.username}`);
 		return new Response(null, {
 			status: 401
 		});

src/routes/admin/login/schema.ts

@@ -0,0 +1,6 @@
+import { z } from 'zod';
+
+export const LoginSchema = z.object({
+	username: z.string(),
+	password: z.string()
+});

src/routes/admin/logout/+server.ts

@@ -1,5 +1,6 @@
 import type { RequestHandler } from '@sveltejs/kit';
 import { deleteSession, getSession, sessionCookieName } from '$lib/server/session';
+import { env as publicEnv } from '$env/dynamic/public';
 
 export const POST = (async ({ cookies }) => {
 	if (getSession(cookies) == null) {
@@ -9,7 +10,7 @@ export const POST = (async ({ cookies }) => {
 	}
 
 	deleteSession(cookies);
-	cookies.delete(sessionCookieName);
+	cookies.delete(sessionCookieName, { path: `${publicEnv.PUBLIC_BASE_PATH}/admin` });
 
 	return new Response();
 }) satisfies RequestHandler;

src/routes/admin/reports/+server.ts

@@ -7,6 +7,7 @@ import { Op } from 'sequelize';
 import { env } from '$env/dynamic/private';
 import crypto from 'crypto';
 import { webhookUserReported } from '$lib/server/webhook';
+import { ReportAddSchema, ReportEditSchema, ReportListSchema } from './schema';
 
 export const POST = (async ({ request, cookies }) => {
 	if (getSession(cookies, { permissions: [Permissions.ReportRead] }) == null) {
@@ -15,21 +16,18 @@ export const POST = (async ({ request, cookies }) => {
 		});
 	}
 
-	const data: {
+	const parseResult = await ReportListSchema.safeParseAsync(await request.json());
-		limit: number | null;
+	if (!parseResult.success) {
-		from: number | null;
+		console.log(parseResult.error);
-
+		return new Response(null, {
-		draft: boolean | null;
+			status: 400
-		status: 'none' | 'review' | 'reviewed' | null;
+		});
-		reporter: string | null;
+	}
-		reported: string | null;
+	const data = parseResult.data;
-
-		hash: string | null;
-	} = await request.json();
 
 	let reportFindOptions: Attributes<Report> = {};
-	if (data.draft != null) reportFindOptions.draft = data.draft;
+	reportFindOptions.draft = data.draft;
-	reportFindOptions.status = data.status == null ? ['none', 'review'] : data.status;
+	reportFindOptions.status = data.status ?? ['none', 'review'];
 	if (data.reporter != null) {
 		const reporter_ids = await User.findAll({
 			attributes: ['id'],
@@ -97,17 +95,13 @@ export const PATCH = (async ({ request, cookies }) => {
 		});
 	}
 
-	const data: {
+	const parseResult = await ReportEditSchema.safeParseAsync(await request.json());
-		id: number;
+	if (!parseResult.success) {
-		reported: string | null;
+		return new Response(null, {
-		auditor: number;
+			status: 400
-		notice: string | null;
+		});
-		statement: string | null;
+	}
-		status: 'none' | 'review' | 'reviewed' | null;
+	const data = parseResult.data;
-		strike_reason: number | null;
-	} = await request.json();
-
-	if (data.id === null || data.auditor === null) return new Response(null, { status: 400 });
 
 	const report = await Report.findOne({ where: { id: data.id } });
 	const admin = await Admin.findOne({ where: { id: data.auditor } });
@@ -175,15 +169,13 @@ export const PUT = (async ({ request, cookies }) => {
 		});
 	}
 
-	const data: {
+	const parseResult = await ReportAddSchema.safeParseAsync(await request.json());
-		reporter: string;
+	if (!parseResult.success) {
-		reported: string | null;
+		return new Response(null, {
-		reason: string;
+			status: 400
-		body: string | null;
+		});
-	} = await request.json();
+	}
-
+	const data = parseResult.data;
-	if (data.reporter == null || data.reason == null || data.body === undefined)
-		return new Response(null, { status: 400 });
 
 	const reporter = await User.findOne({ where: { uuid: data.reporter } });
 	const reported = data.reported ? await User.findOne({ where: { uuid: data.reported } }) : null;

src/routes/admin/reports/HeaderBar.svelte

@@ -26,6 +26,5 @@
 	<Select label="Reportstatus" size="sm" bind:value={reportFilter.draft}>
 		<option value={false}>Erstellt</option>
 		<option value={true}>Entwurf</option>
-		<option value={null}>Erstellt & Entwurf</option>
 	</Select>
 </form>

src/routes/admin/reports/schema.ts

@@ -0,0 +1,30 @@
+import { z } from 'zod';
+
+export const ReportListSchema = z.object({
+	limit: z.number().nullish(),
+	from: z.number().nullish(),
+
+	status: z.enum(['none', 'review', 'reviewed']).nullish(),
+	reporter: z.string().nullish(),
+	reported: z.string().nullish(),
+	draft: z.boolean().nullish(),
+
+	hash: z.string().nullish()
+});
+
+export const ReportEditSchema = z.object({
+	id: z.number(),
+	reported: z.string().nullish(),
+	auditor: z.number(),
+	notice: z.string().nullish(),
+	statement: z.string().nullish(),
+	status: z.enum(['none', 'review', 'reviewed']).nullish(),
+	strike_reason: z.number().nullish()
+});
+
+export const ReportAddSchema = z.object({
+	reporter: z.string(),
+	reported: z.string().nullish(),
+	reason: z.string(),
+	body: z.string().nullish()
+});

src/routes/admin/users/+server.ts

@@ -4,6 +4,7 @@ import { error, type RequestHandler } from '@sveltejs/kit';
 import { User } from '$lib/server/database';
 import { type Attributes, Op } from 'sequelize';
 import { ApiError, getJavaUuid, getNoAuthUuid, UserNotFoundError } from '$lib/server/minecraft';
+import { UserAddSchema, UserDeleteSchema, UserEditSchema, UserListSchema } from './schema';
 
 export const POST = (async ({ request, cookies }) => {
 	if (getSession(cookies, { permissions: [Permissions.UserRead] }) == null) {
@@ -12,16 +13,11 @@ export const POST = (async ({ request, cookies }) => {
 		});
 	}
 
-	const data: {
+	const parseResult = await UserListSchema.safeParseAsync(await request.json());
-		limit: number | null;
+	if (!parseResult.success) {
-		from: number | null;
+		return new Response(null, { status: 400 });
-
+	}
-		name: string | null;
+	const data = parseResult.data;
-		playertype: 'java' | 'bedrock' | 'noauth' | null;
-
-		search: string | null;
-		slim: boolean | null;
-	} = await request.json();
 
 	const usersFindOptions: Attributes<User> = {};
 	if (data.name) {
@@ -60,30 +56,26 @@ export const PATCH = (async ({ request, cookies }) => {
 		});
 	}
 
-	const data = await request.json();
+	const parseResult = await UserEditSchema.safeParseAsync(await request.json());
-	const id = data['id'] as string | null;
+	if (!parseResult.success) {
-
+		return new Response(null, { status: 400 });
-	if (id == null) {
-		return new Response(null, {
-			status: 400
-		});
 	}
+	const data = parseResult.data;
 
-	const user = await User.findOne({ where: { id: id } });
+	const user = await User.findOne({ where: { id: data.id } });
 	if (!user) {
 		return new Response(null, {
 			status: 400
 		});
 	}
 
-	if (data['firstname']) user.firstname = data['firstname'];
+	if (data.firstname) user.firstname = data.firstname;
-	if (data['lastname']) user.lastname = data['lastname'];
+	if (data.lastname) user.lastname = data.lastname;
-	if (data['birthday']) user.birthday = data['birthday'];
+	if (data.birthday) user.birthday = data.birthday;
-	if (data['telephone']) user.telephone = data['telephone'];
+	if (data.telephone) user.telephone = data.telephone;
-	if (data['username']) user.username = data['username'];
+	if (data.username) user.username = data.username;
-	if (data['playertype']) user.playertype = data['playertype'];
+	if (data.playertype) user.playertype = data.playertype;
-	if (data['password']) user.password = data['password'];
+	if (data.uuid) user.uuid = data.uuid;
-	if (data['uuid']) user.uuid = data['uuid'];
 	await user.save();
 
 	return new Response();
@@ -96,26 +88,11 @@ export const PUT = (async ({ request, cookies }) => {
 		});
 	}
 
-	const data: {
+	const parseResult = await UserAddSchema.safeParseAsync(await request.json());
-		firstname: string;
+	if (!parseResult.success) {
-		lastname: string;
-
-		birthday: string;
-		telephone: string;
-
-		username: string;
-		playertype: string;
-	} = await request.json();
-
-	if (
-		data.firstname == null ||
-		data.lastname == null ||
-		data.birthday == null ||
-		data.username == null ||
-		data.playertype == null
-	) {
 		return new Response(null, { status: 400 });
 	}
+	const data = parseResult.data;
 
 	let uuid: string | null;
 	try {
@@ -180,16 +157,13 @@ export const DELETE = (async ({ request, cookies }) => {
 		});
 	}
 
-	const data = await request.json();
+	const parseResult = await UserDeleteSchema.safeParseAsync(await request.json());
-	const id = (data['id'] as number) || null;
+	if (!parseResult.success) {
-
+		return new Response(null, { status: 400 });
-	if (id == null) {
-		return new Response(null, {
-			status: 400
-		});
 	}
+	const data = parseResult.data;
 
-	await User.destroy({ where: { id: id } });
+	await User.destroy({ where: { id: data.id } });
 
 	return new Response();
 }) satisfies RequestHandler;

src/routes/admin/users/schema.ts

@@ -0,0 +1,36 @@
+import { z } from 'zod';
+
+export const UserListSchema = z.object({
+	limit: z.number().nullish(),
+	from: z.number().nullish(),
+
+	name: z.string().nullish(),
+	playertype: z.enum(['java', 'bedrock', 'noauth']).nullish(),
+
+	search: z.string().nullish(),
+	slim: z.boolean().nullish()
+});
+
+export const UserEditSchema = z.object({
+	id: z.number(),
+	firstname: z.string().nullish(),
+	lastname: z.string().nullish(),
+	birthday: z.coerce.date().nullish(),
+	telephone: z.string().nullish(),
+	username: z.string().nullish(),
+	playertype: z.enum(['java', 'bedrock', 'noauth']).nullish(),
+	uuid: z.string().nullish()
+});
+
+export const UserAddSchema = z.object({
+	firstname: z.string(),
+	lastname: z.string(),
+	birthday: z.coerce.date(),
+	telephone: z.string().nullish(),
+	username: z.string(),
+	playertype: z.enum(['java', 'bedrock', 'noauth'])
+});
+
+export const UserDeleteSchema = z.object({
+	id: z.number()
+});

src/routes/api/report/+server.ts

@@ -3,14 +3,17 @@ import { Report, User } from '$lib/server/database';
 import * as crypto from 'crypto';
 import { env as public_env } from '$env/dynamic/public';
 import { env } from '$env/dynamic/private';
+import { ReportAddSchema } from './schema';
 
 export const POST = (async ({ request, url }) => {
 	if (env.REPORT_SECRET && url.searchParams.get('secret') !== env.REPORT_SECRET)
 		return new Response(null, { status: 401 });
 
-	const data: { reporter: string; reported: string | null; reason: string } = await request.json();
+	const parseResult = await ReportAddSchema.safeParseAsync(await request.json());
-
+	if (!parseResult.success) {
-	if (data.reporter == null || data.reason == null) return new Response(null, { status: 400 });
+		return new Response(null, { status: 400 });
+	}
+	const data = parseResult.data;
 
 	const reporter = await User.findOne({ where: { uuid: data.reporter } });
 	const reported = data.reported

src/routes/api/report/schema.ts

@@ -0,0 +1,7 @@
+import { z } from 'zod';
+
+export const ReportAddSchema = z.object({
+	reporter: z.string(),
+	reported: z.string().nullish(),
+	reason: z.string()
+});