add parameter validator

packages/remark-lsx/src/server/index.ts

@@ -1,12 +1,11 @@
-import type { Request, Response } from 'express';
-import { query } from 'express-validator';
+import type { NextFunction, Request, Response } from 'express';
+import { query, validationResult } from 'express-validator';
 import { FilterXSS } from 'xss';
 
 import type { LsxApiOptions } from '../interfaces/api';
 
 import { listPages } from './routes/list-pages';
 
-
 const loginRequiredFallback = (req: Request, res: Response) => {
   return res.status(403).send('login required');
 };
@@ -15,8 +14,8 @@ const filterXSS = new FilterXSS();
 
 const lsxValidator = [
   query('pagePath').notEmpty().isString(),
-  query('offset').optional().isNumeric(),
-  query('limit').optional().isNumeric(),
+  query('offset').optional().isInt(),
+  query('limit').optional().isInt(),
   query('options')
     .optional()
     .customSanitizer((options) => {
@@ -36,12 +35,20 @@ const lsxValidator = [
   query('options.*').optional().isString(),
 ];
 
+const paramValidator = (req: Request, _: Response, next: NextFunction) => {
+  const errObjArray = validationResult(req);
+  if (errObjArray.isEmpty()) {
+    return next();
+  }
+  return new Error('Invalid lsx parameter');
+};
+
 // eslint-disable-next-line @typescript-eslint/explicit-module-boundary-types, @typescript-eslint/no-explicit-any
 const middleware = (crowi: any, app: any): void => {
   const loginRequired = crowi.require('../middlewares/login-required')(crowi, true, loginRequiredFallback);
   const accessTokenParser = crowi.require('../middlewares/access-token-parser')(crowi);
 
-  app.get('/_api/lsx', accessTokenParser, loginRequired, lsxValidator, listPages);
+  app.get('/_api/lsx', accessTokenParser, loginRequired, lsxValidator, paramValidator, listPages);
 };
 
 export default middleware;

packages/remark-lsx/src/server/routes/list-pages/index.ts

@@ -4,7 +4,6 @@ import { OptionParser } from '@growi/core/dist/remark-plugins';
 import { pathUtils } from '@growi/core/dist/utils';
 import escapeStringRegexp from 'escape-string-regexp';
 import type { Request, Response } from 'express';
-import { validationResult } from 'express-validator';
 import createError, { isHttpError } from 'http-errors';
 
 import type { LsxApiParams, LsxApiResponseData } from '../../../interfaces/api';
@@ -65,19 +64,15 @@ interface IListPagesRequest extends Request<undefined, undefined, undefined, Lsx
 export const listPages = async(req: IListPagesRequest, res: Response): Promise<Response> => {
   const user = req.user;
 
-  const error = validationResult(req);
-  if (!error.isEmpty()) {
-    if (req.query.pagePath == null) {
-      return res.status(400).send("The 'pagePath' query must not be null.");
-    }
-    throw new Error('invalid query');
+  if (req.query.pagePath == null) {
+    return res.status(400).send("the 'pagepath' query must not be null.");
   }
 
   const params: LsxApiParams = {
     pagePath: removeTrailingSlash(req.query.pagePath),
-    offset: req.query?.offset != null ? req.query.offset : undefined,
-    limit: req.query?.limit != null ? req.query.limit : undefined,
-    options: req.query?.options != null ? req.query.options : {},
+    offset: req.query?.offset,
+    limit: req.query?.limit,
+    options: req.query?.options ?? {},
   };
 
   const {