fix: add Zod validation and tests for discover endpoint

sidneyswift · sidneyswift · commit 65a78d0a689b · 2026-04-06T00:10:27.000-04:00
- Created validateDiscoverQuery.ts with Zod schema for country (2-letter),
  genre, sort, limit (1-100), and sp_monthly_listeners min/max
- Refactored getResearchDiscoverHandler to use validated params
- Added 6 tests: auth failure, invalid country, negative limit, happy path,
  sp_ml range, and proxy failure

Made-with: Cursor
diff --git a/lib/research/__tests__/getResearchDiscoverHandler.test.ts b/lib/research/__tests__/getResearchDiscoverHandler.test.ts
@@ -0,0 +1,138 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { NextRequest, NextResponse } from "next/server";
+
+import { getResearchDiscoverHandler } from "../getResearchDiscoverHandler";
+import { validateAuthContext } from "@/lib/auth/validateAuthContext";
+import { proxyToChartmetric } from "@/lib/research/proxyToChartmetric";
+
+vi.mock("@/lib/networking/getCorsHeaders", () => ({
+  getCorsHeaders: vi.fn(() => ({ "Access-Control-Allow-Origin": "*" })),
+}));
+
+vi.mock("@/lib/auth/validateAuthContext", () => ({
+  validateAuthContext: vi.fn(),
+}));
+
+vi.mock("@/lib/research/proxyToChartmetric", () => ({
+  proxyToChartmetric: vi.fn(),
+}));
+
+vi.mock("@/lib/credits/deductCredits", () => ({
+  deductCredits: vi.fn(),
+}));
+
+describe("getResearchDiscoverHandler", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("returns 401 when auth fails", async () => {
+    const errorResponse = NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    vi.mocked(validateAuthContext).mockResolvedValue(errorResponse);
+
+    const req = new NextRequest("http://localhost/api/research/discover?country=US");
+    const res = await getResearchDiscoverHandler(req);
+    expect(res.status).toBe(401);
+  });
+
+  it("returns 400 when country is not 2 letters", async () => {
+    vi.mocked(validateAuthContext).mockResolvedValue({
+      accountId: "test-id",
+      orgId: null,
+      authToken: "tok",
+    } as ReturnType<typeof validateAuthContext> extends Promise<infer T>
+      ? Exclude<T, NextResponse>
+      : never);
+
+    const req = new NextRequest("http://localhost/api/research/discover?country=USA");
+    const res = await getResearchDiscoverHandler(req);
+    expect(res.status).toBe(400);
+    const body = await res.json();
+    expect(body.status).toBe("error");
+    expect(body.error).toContain("2-letter");
+  });
+
+  it("returns 400 when limit is negative", async () => {
+    vi.mocked(validateAuthContext).mockResolvedValue({
+      accountId: "test-id",
+      orgId: null,
+      authToken: "tok",
+    } as ReturnType<typeof validateAuthContext> extends Promise<infer T>
+      ? Exclude<T, NextResponse>
+      : never);
+
+    const req = new NextRequest("http://localhost/api/research/discover?limit=-5");
+    const res = await getResearchDiscoverHandler(req);
+    expect(res.status).toBe(400);
+  });
+
+  it("returns artists on success", async () => {
+    vi.mocked(validateAuthContext).mockResolvedValue({
+      accountId: "test-id",
+      orgId: null,
+      authToken: "tok",
+    } as ReturnType<typeof validateAuthContext> extends Promise<infer T>
+      ? Exclude<T, NextResponse>
+      : never);
+
+    vi.mocked(proxyToChartmetric).mockResolvedValue({
+      data: [
+        { name: "Artist A", sp_monthly_listeners: 100000 },
+        { name: "Artist B", sp_monthly_listeners: 200000 },
+      ],
+      status: 200,
+    });
+
+    const req = new NextRequest("http://localhost/api/research/discover?country=US&limit=10");
+    const res = await getResearchDiscoverHandler(req);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.status).toBe("success");
+    expect(body.artists).toHaveLength(2);
+    expect(body.artists[0].name).toBe("Artist A");
+  });
+
+  it("passes sp_ml range when both min and max provided", async () => {
+    vi.mocked(validateAuthContext).mockResolvedValue({
+      accountId: "test-id",
+      orgId: null,
+      authToken: "tok",
+    } as ReturnType<typeof validateAuthContext> extends Promise<infer T>
+      ? Exclude<T, NextResponse>
+      : never);
+
+    vi.mocked(proxyToChartmetric).mockResolvedValue({
+      data: [],
+      status: 200,
+    });
+
+    const req = new NextRequest(
+      "http://localhost/api/research/discover?sp_monthly_listeners_min=50000&sp_monthly_listeners_max=200000",
+    );
+    await getResearchDiscoverHandler(req);
+
+    expect(proxyToChartmetric).toHaveBeenCalledWith(
+      "/artist/list/filter",
+      expect.objectContaining({ "sp_ml[]": "50000,200000" }),
+    );
+  });
+
+  it("returns empty array when proxy fails", async () => {
+    vi.mocked(validateAuthContext).mockResolvedValue({
+      accountId: "test-id",
+      orgId: null,
+      authToken: "tok",
+    } as ReturnType<typeof validateAuthContext> extends Promise<infer T>
+      ? Exclude<T, NextResponse>
+      : never);
+
+    vi.mocked(proxyToChartmetric).mockResolvedValue({
+      data: null,
+      status: 500,
+    });
+
+    const req = new NextRequest("http://localhost/api/research/discover?country=US");
+    const res = await getResearchDiscoverHandler(req);
+    expect(res.status).toBe(500);
+  });
+});
diff --git a/lib/research/getResearchDiscoverHandler.ts b/lib/research/getResearchDiscoverHandler.ts
@@ -1,5 +1,7 @@
-import { type NextRequest } from "next/server";
+import { type NextRequest, NextResponse } from "next/server";
 import { handleResearchRequest } from "@/lib/research/handleResearchRequest";
+import { validateDiscoverQuery } from "@/lib/research/validateDiscoverQuery";
+import { getCorsHeaders } from "@/lib/networking/getCorsHeaders";
 
 /**
  * Discover handler — filters artists by country, genre, listener ranges, growth rate.
@@ -8,27 +10,30 @@ import { handleResearchRequest } from "@/lib/research/handleResearchRequest";
  * @returns JSON artist list or error
  */
 export async function getResearchDiscoverHandler(request: NextRequest) {
+  const { searchParams } = new URL(request.url);
+  const validated = validateDiscoverQuery(searchParams);
+
+  if (validated instanceof NextResponse) return validated;
+
   return handleResearchRequest(
     request,
     () => "/artist/list/filter",
-    sp => {
+    () => {
       const params: Record<string, string> = {};
-      const country = sp.get("country");
-      if (country) params.code2 = country;
-      const genre = sp.get("genre");
-      if (genre) params.tagId = genre;
-      const sort = sp.get("sort");
-      if (sort) params.sortColumn = sort;
-      const limit = sp.get("limit");
-      if (limit) params.limit = limit;
-      const mlMin = sp.get("sp_monthly_listeners_min");
-      const mlMax = sp.get("sp_monthly_listeners_max");
-      if (mlMin && mlMax) {
-        params["sp_ml[]"] = `${mlMin},${mlMax}`;
-      } else if (mlMin) {
-        params["sp_ml[]"] = mlMin;
-      } else if (mlMax) {
-        params["sp_ml[]"] = mlMax;
+      if (validated.country) params.code2 = validated.country;
+      if (validated.genre) params.tagId = validated.genre;
+      if (validated.sort) params.sortColumn = validated.sort;
+      if (validated.limit) params.limit = String(validated.limit);
+      if (
+        validated.sp_monthly_listeners_min !== undefined &&
+        validated.sp_monthly_listeners_max !== undefined
+      ) {
+        params["sp_ml[]"] =
+          `${validated.sp_monthly_listeners_min},${validated.sp_monthly_listeners_max}`;
+      } else if (validated.sp_monthly_listeners_min !== undefined) {
+        params["sp_ml[]"] = String(validated.sp_monthly_listeners_min);
+      } else if (validated.sp_monthly_listeners_max !== undefined) {
+        params["sp_ml[]"] = String(validated.sp_monthly_listeners_max);
       }
       return params;
     },
diff --git a/lib/research/validateDiscoverQuery.ts b/lib/research/validateDiscoverQuery.ts
@@ -0,0 +1,47 @@
+import { NextResponse } from "next/server";
+import { getCorsHeaders } from "@/lib/networking/getCorsHeaders";
+import { z } from "zod";
+
+export const discoverQuerySchema = z.object({
+  country: z.string().length(2, "country must be a 2-letter ISO code").optional(),
+  genre: z.string().optional(),
+  sort: z.string().optional(),
+  limit: z.coerce.number().int().min(1).max(100).optional(),
+  sp_monthly_listeners_min: z.coerce.number().int().min(0).optional(),
+  sp_monthly_listeners_max: z.coerce.number().int().min(0).optional(),
+});
+
+export type DiscoverQuery = z.infer<typeof discoverQuerySchema>;
+
+/**
+ * Validates query params for GET /api/research/discover.
+ */
+export function validateDiscoverQuery(searchParams: URLSearchParams): NextResponse | DiscoverQuery {
+  const raw: Record<string, string> = {};
+  for (const key of [
+    "country",
+    "genre",
+    "sort",
+    "limit",
+    "sp_monthly_listeners_min",
+    "sp_monthly_listeners_max",
+  ]) {
+    const val = searchParams.get(key);
+    if (val) raw[key] = val;
+  }
+
+  const result = discoverQuerySchema.safeParse(raw);
+
+  if (!result.success) {
+    const firstError = result.error.issues[0];
+    return NextResponse.json(
+      {
+        status: "error",
+        error: firstError.message,
+      },
+      { status: 400, headers: getCorsHeaders() },
+    );
+  }
+
+  return result.data;
+}
