Add api validations.

pages/api/users/index.ts

@@ -1,8 +1,9 @@
 import { canCreateUser, canViewUsers } from 'lib/auth';
 import { ROLES } from 'lib/constants';
 import { uuid } from 'lib/crypto';
-import { useAuth } from 'lib/middleware';
+import { useAuth, useValidate } from 'lib/middleware';
 import { NextApiRequestQueryBody, Role, SearchFilter, User, UserSearchFilterType } from 'lib/types';
+import { getFilterValidation } from 'lib/yup';
 import { NextApiResponse } from 'next';
 import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
 import { createUser, getUserByUsername, getUsers } from 'queries';
@@ -15,12 +16,31 @@ export interface UsersRequestBody {
   role?: Role;
 }
 
+import * as yup from 'yup';
+const schema = {
+  GET: yup.object().shape({
+    ...getFilterValidation(/All|Username/i),
+  }),
+  POST: yup.object().shape({
+    username: yup.string().max(255).required(),
+    password: yup.string().required(),
+    id: yup.string().uuid(),
+    role: yup
+      .string()
+      .matches(/admin|user|view-only/i)
+      .required(),
+  }),
+};
+
 export default async (
   req: NextApiRequestQueryBody<UsersRequestQuery, UsersRequestBody>,
   res: NextApiResponse<User[] | User>,
 ) => {
   await useAuth(req, res);
 
+  req.yup = schema;
+  await useValidate(req, res);
+
   if (req.method === 'GET') {
     if (!(await canViewUsers(req.auth))) {
       return unauthorized(res);
@@ -28,7 +48,7 @@ export default async (
 
     const { page, filter, pageSize } = req.query;
 
-    const users = await getUsers({ page, filter, pageSize: +pageSize || null });
+    const users = await getUsers({ page, filter, pageSize: pageSize ? +pageSize : null });
 
     return ok(res, users);
   }