fix(api): add input validation to PersonNameAliasDTO

Adds @NotBlank @Size(max=255) on lastName, @NotNull on type, @Valid on controller parameter. Blank/null input now returns 400 instead of reaching the DB constraint. 2 new controller tests. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-07 13:40:43 +02:00
parent 59f593280b
commit cfb3260e0e
3 changed files with 25 additions and 4 deletions
--- a/backend/src/main/java/org/raddatz/familienarchiv/controller/PersonController.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/controller/PersonController.java
@@ -104,7 +104,7 @@ public class PersonController {

    @PostMapping("/{id}/aliases")
    @RequirePermission(Permission.WRITE_ALL)
-    public PersonNameAlias addAlias(@PathVariable UUID id, @RequestBody PersonNameAliasDTO dto) {
+    public PersonNameAlias addAlias(@PathVariable UUID id, @Valid @RequestBody PersonNameAliasDTO dto) {
        return personService.addAlias(id, dto);
    }

--- a/backend/src/main/java/org/raddatz/familienarchiv/dto/PersonNameAliasDTO.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/dto/PersonNameAliasDTO.java
@@ -1,9 +1,12 @@
 package org.raddatz.familienarchiv.dto;

+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Size;
 import org.raddatz.familienarchiv.model.PersonNameAliasType;

 public record PersonNameAliasDTO(
-        String lastName,
-        String firstName,
-        PersonNameAliasType type
+        @NotBlank @Size(max = 255) String lastName,
+        @Size(max = 255) String firstName,
+        @NotNull PersonNameAliasType type
 ) {}
--- a/backend/src/test/java/org/raddatz/familienarchiv/controller/PersonControllerTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/controller/PersonControllerTest.java
@@ -458,4 +458,22 @@ class PersonControllerTest {
        mockMvc.perform(delete("/api/persons/{id}/aliases/{aliasId}", UUID.randomUUID(), UUID.randomUUID()))
                .andExpect(status().isForbidden());
    }
+
+    @Test
+    @WithMockUser(authorities = "WRITE_ALL")
+    void addAlias_returns400_whenLastNameIsBlank() throws Exception {
+        mockMvc.perform(post("/api/persons/{id}/aliases", UUID.randomUUID())
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content("{\"lastName\":\"\",\"type\":\"BIRTH\"}"))
+                .andExpect(status().isBadRequest());
+    }
+
+    @Test
+    @WithMockUser(authorities = "WRITE_ALL")
+    void addAlias_returns400_whenTypeIsNull() throws Exception {
+        mockMvc.perform(post("/api/persons/{id}/aliases", UUID.randomUUID())
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content("{\"lastName\":\"de Gruyter\"}"))
+                .andExpect(status().isBadRequest());
+    }
 }