fix: improve validation in session listing and deletion APIs #1462

Merged: sujitaw merged 2 commits into main from fix/validation_for_session_add_and_delete on Sep 25, 2025

@sujitaw (Contributor) commented Sep 24, 2025

What

  • improve validation in session listing and deletion APIs

Summary by CodeRabbit

  • Bug Fixes
    • Trims leading/trailing whitespace from user and session IDs in GET /:userId/sessions and DELETE /:sessionId/sessions to prevent false validation errors.
    • Standardizes error responses to “Invalid user ID” and “Invalid session ID” for clearer, consistent feedback when IDs are malformed.
    • Improves reliability of session-related requests by accepting IDs with accidental spaces.

Signed-off-by: sujitaw <sujit.sutar@ayanworks.com>
@sujitaw sujitaw requested a review from shitrerohit September 24, 2025 12:30
@sujitaw sujitaw self-assigned this Sep 24, 2025
coderabbitai Bot commented Sep 24, 2025

Walkthrough

Adds TrimStringParamPipe to trim route parameters for userId and sessionId alongside ParseUUIDPipe, updates BadRequestException messages to "Invalid user ID" (for userId) and "Invalid session ID" (for sessionId), and imports the pipe in the authz controller.

Changes

Cohort / File(s): AuthZ controller updates (apps/api-gateway/src/authz/authz.controller.ts)
Summary:
- Import added: TrimStringParamPipe from @credebl/common/cast.helper
- Apply new TrimStringParamPipe() before new ParseUUIDPipe(...) for @Param('userId') in GET /:userId/sessions and @Param('sessionId') in DELETE /:sessionId/sessions
- Standardize BadRequestException messages to "Invalid user ID" (for userId) and "Invalid session ID" (for sessionId)

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Client
  participant R as API Gateway (AuthZ Controller)
  participant P1 as TrimStringParamPipe
  participant P2 as ParseUUIDPipe
  participant S as AuthZ Service

  C->>R: GET /:userId/sessions
  activate R
  R->>P1: Trim userId
  P1-->>R: trimmed userId
  R->>P2: Validate UUID (userId)
  alt Invalid UUID
    P2-->>R: throw BadRequest("Invalid user ID")
    R-->>C: 400 Bad Request
  else Valid
    R->>S: listSessions(userId)
    S-->>R: sessions
    R-->>C: 200 OK
  end
  deactivate R

  C->>R: DELETE /:sessionId/sessions
  activate R
  R->>P1: Trim sessionId
  P1-->>R: trimmed sessionId
  R->>P2: Validate UUID (sessionId)
  alt Invalid UUID
    P2-->>R: throw BadRequest("Invalid session ID")
    R-->>C: 400 Bad Request
  else Valid
    R->>S: revokeSession(sessionId)
    S-->>R: result
    R-->>C: 200 OK
  end
  deactivate R

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I nibbled stray spaces, neat and clean,
Trimmed the IDs to a tidy sheen.
Errors now speak with one clear tone—
“Invalid user ID” and “Invalid session ID” known.
With whiskers twitching, pipes aligned,
This rabbit leaves no strings behind. 🐇✂️

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check | ✅ Passed | The title "fix: improve validation in session listing and deletion APIs" accurately and concisely summarizes the primary change in the diff — tightening validation and error messages for the session listing and deletion endpoints (e.g., adding TrimStringParamPipe and adjusting BadRequest messages) — and is a single clear sentence following conventional commit style.
Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped.
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 09a040c and 8547159.

📒 Files selected for processing (1)
  • apps/api-gateway/src/authz/authz.controller.ts (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/api-gateway/src/authz/authz.controller.ts
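
The trim-then-validate chain from the walkthrough above, as an added example that is not part of the PR, the bot's comment or the project's code. It is a framework-free TypeScript model (no NestJS; `trimParam`, `parseUuid`, `runPipes`, `outcome` and the sample IDs are hypothetical) showing why the order of the two pipes matters and what pinning the UUID version rejects.

```typescript
// Added illustration, not project code: a framework-free model of the
// trim -> validate chain. All names here are hypothetical.
type Result =
  | { ok: true; value: string }
  | { ok: false; status: 400; message: string };
type Pipe = (value: string) => Result;

// Strips leading/trailing whitespace only; interior characters are untouched.
const trimParam: Pipe = (value) => ({ ok: true, value: value.trim() });

// Canonical 8-4-4-4-12 layout; the version nibble is pinned when one is given.
function parseUuid(message: string, version?: '1' | '3' | '4' | '5'): Pipe {
  const nibble = version ?? '[1-5]';
  const pattern = new RegExp(
    `^[0-9a-f]{8}-[0-9a-f]{4}-${nibble}[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$`,
    'i'
  );
  // The message is fixed, so rejected input is never echoed to the client.
  return (value) =>
    pattern.test(value) ? { ok: true, value } : { ok: false, status: 400, message };
}

// Pipes run in array order; the first rejection short-circuits the chain.
function runPipes(raw: string, pipes: Pipe[]): Result {
  let value = raw;
  for (const pipe of pipes) {
    const out = pipe(value);
    if (out.ok === false) return out;
    value = out.value;
  }
  return { ok: true, value };
}

function outcome(r: Result): string {
  return r.ok === true ? `200 ${r.value}` : `${r.status} ${r.message}`;
}

// Constructed sample IDs: identical except for the version nibble.
const V4_ID = '3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b';
const V1_ID = '3f2b8c1e-9a4d-1e6f-8b7a-1c2d3e4f5a6b';
const sessionId = parseUuid('Invalid session ID', '4');

const demo = {
  trimThenValidate: outcome(runPipes(`  ${V4_ID}\n`, [trimParam, sessionId])),
  validateThenTrim: outcome(runPipes(`  ${V4_ID}\n`, [sessionId, trimParam])),
  interiorSpace: outcome(runPipes(V4_ID.replace('-', ' -'), [trimParam, sessionId])),
  v1WhenPinnedToV4: outcome(runPipes(V1_ID, [trimParam, sessionId])),
  v1WhenUnpinned: outcome(runPipes(V1_ID, [trimParam, parseUuid('Invalid user ID')])),
};
```

Only the first entry of `demo` and the unpinned case succeed; reversing the pipe order, leaving whitespace inside the ID, or sending a v1 UUID to a v4-pinned validator all produce the same fixed 400 message.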

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
apps/api-gateway/src/authz/authz.controller.ts (1)

425-433: Validation addition looks good; consider explicitly pinning UUID version.

Trim + ParseUUIDPipe ordering is correct here. Optionally be explicit with UUID version for consistency:

-      new ParseUUIDPipe({
+      new ParseUUIDPipe({
+        version: '4',
         exceptionFactory: (): Error => {
           throw new BadRequestException(`Invalid session ID`);
         }
       })
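Review bot: In the exceptionFactory context lines, the callback is annotated as returning Error but its body throws the BadRequestException instead of returning it; returning the exception (return new BadRequestException('Invalid session ID');) matches the declared type, and the template literal has no interpolation so a plain string literal is enough. On the added version: '4' line, confirm that session IDs are always generated as version 4 UUIDs before pinning, because a pinned version rejects well-formed UUIDs of any other version with the same "Invalid session ID" response.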
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0900bc6 and 09a040c.

📒 Files selected for processing (1)
  • apps/api-gateway/src/authz/authz.controller.ts (3 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
apps/api-gateway/src/authz/authz.controller.ts (1)
libs/common/src/cast.helper.ts (1)
  • TrimStringParamPipe (167-172)

Comment thread apps/api-gateway/src/authz/authz.controller.ts
Comment thread apps/api-gateway/src/authz/authz.controller.ts
Signed-off-by: sujitaw <sujit.sutar@ayanworks.com>
@sujitaw sujitaw merged commit 3447ef9 into main Sep 25, 2025
8 checks passed
ankita-p17 pushed a commit that referenced this pull request Sep 30, 2025
* fix/validation issues for session list and delete api

Signed-off-by: sujitaw <sujit.sutar@ayanworks.com>

* fix/fixed code rabbit comments

Signed-off-by: sujitaw <sujit.sutar@ayanworks.com>

---------

Signed-off-by: sujitaw <sujit.sutar@ayanworks.com>
Signed-off-by: Ankita Patidar <ankita.patidar@ayanworks.com>