feat(search): reject invalid dir parameter with 400

Previously any value other than ASC/DESC silently defaulted to DESC with no feedback. Now returns 400 Bad Request. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-06 16:34:38 +02:00
parent 6ac3f6b176
commit 1c1ab0c72a
2 changed files with 12 additions and 0 deletions
--- a/backend/src/main/java/org/raddatz/familienarchiv/controller/DocumentController.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/controller/DocumentController.java
@@ -41,6 +41,8 @@ import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RequestPart;
+import org.springframework.web.server.ResponseStatusException;
+import org.springframework.http.HttpStatus;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.multipart.MultipartFile;

@@ -199,6 +201,9 @@ public class DocumentController {
            @Parameter(description = "Filter by document status") @RequestParam(required = false) DocumentStatus status,
            @Parameter(description = "Sort field") @RequestParam(required = false) DocumentSort sort,
            @Parameter(description = "Sort direction: ASC or DESC") @RequestParam(required = false, defaultValue = "DESC") String dir) {
+        if (!"ASC".equalsIgnoreCase(dir) && !"DESC".equalsIgnoreCase(dir)) {
+            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "dir must be ASC or DESC");
+        }
        List<Document> results = documentService.searchDocuments(q, from, to, senderId, receiverId, tags, tagQ, status, sort, dir);
        return ResponseEntity.ok(DocumentSearchResult.of(results));
    }
--- a/backend/src/test/java/org/raddatz/familienarchiv/controller/DocumentControllerTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/controller/DocumentControllerTest.java
@@ -84,6 +84,13 @@ class DocumentControllerTest {
                .andExpect(status().isBadRequest());
    }

+    @Test
+    @WithMockUser
+    void search_withInvalidDir_returns400() throws Exception {
+        mockMvc.perform(get("/api/documents/search").param("dir", "INVALID"))
+                .andExpect(status().isBadRequest());
+    }
+
    @Test
    @WithMockUser
    void search_withInvalidSort_returns400() throws Exception {