
[Bug]: PUT /api/profile has no Zod input validation — only mutation endpoint without validateBody()#839

Merged
KanishJebaMathewM merged 1 commit into
KanishJebaMathewM:mainfrom
vipul674:fix/profile-update-zod-validation-740
Jun 24, 2026

Conversation

@vipul674

@vipul674 vipul674 commented Jun 24, 2026

Contributor

Fix

Added updateProfileSchema Zod schema and applied validateBody() middleware to PUT /api/profile, consistent with all other mutation endpoints.

Changes

backend/api/src/validation/requestSchemas.js (lines 137-142)

  • New updateProfileSchema with validated fields: full_name, language, dark_mode, is_online

backend/api/src/routes/profileRoutes.js (line 11, 125)

  • Imported validateBody and updateProfileSchema
  • Added validateBody(updateProfileSchema) to the PUT route middleware chain

Closes #740

Summary by CodeRabbit

  • Bug Fixes
    • Profile updates now validate incoming data before saving changes, helping prevent invalid profile information from being accepted.
    • The update form now supports only the expected profile fields and rejects extra properties.

@vipul674

Contributor Author

@KanishJebaMathewM I have submitted the fix. Please let me know if any changes are needed!

@github-actions

Contributor

🎉 Thank you for your contribution! Your pull request has been received and will be reviewed shortly.

If you enjoy the project, please consider giving the repository a ⭐. You can also follow my GitHub profile to stay updated on future open-source projects.

Thanks for being part of the community! 🚀

@coderabbitai

coderabbitai Bot commented Jun 24, 2026



📝 Walkthrough

A new Zod schema updateProfileSchema is added to requestSchemas.js with optional, bounded fields for full_name, language, dark_mode, and is_online under .strict(). The PUT '/' route in profileRoutes.js imports and applies validateBody(updateProfileSchema) as middleware before existing handlers.

Changes

Profile Update Input Validation

Layer: Schema definition and route middleware wiring
File(s): backend/api/src/validation/requestSchemas.js, backend/api/src/routes/profileRoutes.js
Summary: updateProfileSchema Zod object is defined with optional full_name, language, dark_mode, and is_online fields under .strict(); profileRoutes.js imports validateBody and updateProfileSchema, then inserts validateBody(updateProfileSchema) into the PUT '/' middleware chain so invalid bodies are rejected before the update logic executes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Possibly related issues

  • #740 — This PR directly implements the fix described in the issue: adding a Zod schema and validateBody middleware to PUT /api/profile.
  • #808 — Describes the same updateProfileSchema + validateBody(updateProfileSchema) fix for PUT /api/profiles.
  • #749 — Also targets the exact same missing Zod validation on PUT /api/profile with the same schema and wiring approach.

Suggested labels

backend, type:api

🐇 Hoppity hop, the data must fit,
No rogue strings or numbers shall slip through a bit.
Strict schema says "nope!" to each unknown key,
The profile route now validates — hip hip hooray!
🥕 Zod guards the burrow; the carrots are safe!

🚥 Pre-merge checks | ✅ 5 passed

  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title matches the main change: adding Zod validation to PUT /api/profile.
  • Linked Issues check: Passed. The PR adds updateProfileSchema and applies validateBody(updateProfileSchema) to the profile update route as requested.
  • Out of Scope Changes check: Passed. The changes stay focused on profile update validation and do not introduce unrelated scope.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/api/src/validation/requestSchemas.js`:
- Around line 137-142: The updateProfileSchema still accepts an empty object,
which lets empty profile updates reach the handler and fail as a server error.
Update the z.object definition for updateProfileSchema to require at least one
of the updatable fields so {} is rejected as a client-side validation error,
using the schema’s existing full_name, language, dark_mode, and is_online fields
as the reference point.


📥 Commits

Reviewing files that changed from the base of the PR and between 5bf5e07 and c7181cf.

📒 Files selected for processing (2)
  • backend/api/src/routes/profileRoutes.js
  • backend/api/src/validation/requestSchemas.js

Comment on lines +137 to +142
export const updateProfileSchema = z.object({
full_name: z.string().min(1, "Name is required").max(255, "Name is too long").optional(),
language: z.string().max(50, "Language is too long").optional(),
dark_mode: z.boolean().optional(),
is_online: z.boolean().optional(),
}).strict();
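Review bot: `language: z.string().max(50, ...)` has no lower bound, so an empty string `""` passes validation and is written to the profile, and `full_name`'s `.min(1)` still accepts a whitespace-only name such as `" "`. Consider `language: z.string().trim().min(1).max(50, "Language is too long").optional()` and inserting `.trim()` before `.min(1, "Name is required")` on `full_name`, so blank values are rejected at the validation layer rather than stored; if the app has a fixed set of locales, `z.enum([...])` for `language` is tighter still.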



🚀 Performance & Scalability | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

What does Supabase supabase-js .update({}) with an empty object do — no-op or error?

💡 Result:

When using the Supabase JavaScript client (supabase-js), calling .update({}) with an empty object will generally result in a runtime error from the underlying database (PostgreSQL), not a no-op [1][2]. The update method expects an object containing the column names and values to be updated [3]. When an empty object is passed, the generated SQL statement typically attempts to perform an update without providing any SET clauses, which is syntactically invalid in SQL [1]. Specifically, the underlying postgrest-js library sends this request to the Supabase API (PostgREST), which will reject the invalid update request, returning an error [1][2]. For example, performing an update like: const { error } = await supabase.from('table_name').update({}).eq('id', 1); will cause the request to fail because the database cannot execute an UPDATE statement that does not specify any columns to modify. Therefore, you should always provide at least one valid column-value pair within the object to ensure the update operation is valid [3][2].

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate the relevant files and show the surrounding code with line numbers.
git ls-files 'backend/api/src/validation/requestSchemas.js' 'backend/api/src/routes/profileRoutes.js'

echo '--- requestSchemas.js ---'
sed -n '120,170p' backend/api/src/validation/requestSchemas.js | cat -n

echo '--- profileRoutes.js ---'
sed -n '1,220p' backend/api/src/routes/profileRoutes.js | cat -n

Repository: KanishJebaMathewM/Truxify

Length of output: 10140


Reject empty profile updates

The schema still allows {}, and the handler turns that into an empty Supabase update, which fails and returns a 500 instead of a client error. Require at least one updatable field so empty requests are rejected with 400.

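What the review's requirement looks like end to end, as an added example that is not the Truxify project's code and does not use Zod itself (so it runs with plain Node and no packages): a validator that enforces the same bounds as the PR's updateProfileSchema (optional bounded strings and booleans, unknown keys rejected as under .strict()), the "at least one updatable field" refinement the review asked for, and a validateBody()-style middleware that answers 400 before the handler can issue the empty Supabase update that surfaces as a 500. In the project itself the refinement is one call on the existing schema, `.strict().refine((o) => Object.keys(o).length > 0, { message: "At least one field is required" })`. The field table, the function names and the sample bodies below are assumptions constructed for this example.

```javascript
// Added example: a dependency-free stand-in for the Zod rules in
// updateProfileSchema plus the at-least-one-field refinement, wrapped in an
// Express-style validateBody() middleware. Not the project's code, not Zod.
// PROFILE_FIELDS, validateProfileUpdate and runMiddleware are hypothetical names.

// Mirrors the Zod schema: optional, bounded strings and booleans. Any key that
// is not in this table is rejected, which is what .strict() does.
const PROFILE_FIELDS = {
  full_name: { type: "string", min: 1, max: 255 },
  language:  { type: "string", min: 0, max: 50 },
  dark_mode: { type: "boolean" },
  is_online: { type: "boolean" },
};

function validateProfileUpdate(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, errors: ["body must be a JSON object"] };
  }
  const errors = [];

  // .strict(): unknown keys are a validation error, not silently dropped,
  // so a client cannot slip extra columns into the update.
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(PROFILE_FIELDS, key)) {
      errors.push(`unrecognized key: ${key}`);
    }
  }

  // Per-field type and length checks; undefined means "not supplied" (.optional()).
  const provided = [];
  for (const [key, rule] of Object.entries(PROFILE_FIELDS)) {
    const v = body[key];
    if (v === undefined) continue;
    provided.push(key);
    if (typeof v !== rule.type) { errors.push(`${key} must be a ${rule.type}`); continue; }
    if (rule.type === "string") {
      if (v.length < rule.min) errors.push(`${key} is required`);
      if (v.length > rule.max) errors.push(`${key} is too long`);
    }
  }

  // The refinement the review asked for: {} must fail here with a 400, because
  // an empty update reaches PostgREST as an UPDATE with no SET clause and the
  // handler would otherwise return a 500.
  if (provided.length === 0 && errors.length === 0) {
    errors.push("at least one of full_name, language, dark_mode, is_online is required");
  }
  return { ok: errors.length === 0, errors };
}

// Express-style middleware factory shaped like the validateBody(schema) the PR
// wires in front of PUT /api/profile: reject with 400 before the handler runs.
function validateBody(validator) {
  return (req, res, next) => {
    const { ok, errors } = validator(req.body);
    if (!ok) {
      res.status(400).json({ error: "Invalid request body", details: errors });
      return;
    }
    next();
  };
}

// Drives the middleware with a minimal fake req/res (constructed for this
// example) so the outcome can be observed without an HTTP server.
function runMiddleware(middleware, body) {
  const outcome = { status: 200, payload: null, reachedHandler: false };
  const res = {
    status(code) { outcome.status = code; return this; },
    json(payload) { outcome.payload = payload; return this; },
  };
  middleware({ body }, res, () => { outcome.reachedHandler = true; });
  return outcome;
}

// Constructed sample bodies covering the cases the schema and the review care about.
const SAMPLE_BODIES = {
  empty:      {},                                      // the case the review flagged
  valid:      { full_name: "Ada Lovelace", dark_mode: true },
  unknownKey: { full_name: "Ada", role: "admin" },     // extra key, rejected by strict()
  wrongType:  { is_online: "yes" },
  tooLong:    { full_name: "x".repeat(256) },
};

const guard = validateBody(validateProfileUpdate);
for (const [name, body] of Object.entries(SAMPLE_BODIES)) {
  const { status, reachedHandler, payload } = runMiddleware(guard, body);
  console.log(`${name.padEnd(10)} -> ${status} handler=${reachedHandler}`,
              payload ? payload.details.join("; ") : "");
}
```

Only the empty and invalid bodies stop at the middleware with a 400; the valid body reaches the handler, so the database never sees an UPDATE without a SET clause. Note that `{ language: "" }` still passes under the PR's rules, since language has no minimum length.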

@KanishJebaMathewM KanishJebaMathewM merged commit d84f78e into KanishJebaMathewM:main Jun 24, 2026
7 of 9 checks passed
@github-actions

Copy link
Copy Markdown
Contributor

🎉 Thank you for your contribution!

Your pull request has been merged successfully. We appreciate your work and look forward to your future contributions. 🚀

Successfully merging this pull request may close these issues.

[Bug]: PUT /api/profile has no Zod input validation — only mutation endpoint without validateBody()