Add input validation for user service when updating user

services/user/src/controller/user-controller.ts

@@ -25,6 +25,7 @@ import {
     registrationSchema,
     updatePasswordSchema,
     updateUsernameAndEmailSchema,
+    updateUserSchema,
     UserValidationErrors,
 } from '../types/custom';
 
@@ -181,7 +182,7 @@ export async function updatePassword(req: Request, res: Response) {
                 err => err.message == UserValidationErrors.REQUIRED,
             );
             if (required_errors.length > 0) {
-                handleBadRequest(res, 'old password and/or new password are missing');
+                handleBadRequest(res, 'No field to update: username and email and password are all missing!');
             }
             handleBadRequest(res, 'invalid password');
         }
@@ -194,12 +195,21 @@ export async function updatePassword(req: Request, res: Response) {
 
 export async function updateUser(req: Request, res: Response) {
     try {
-        const { username, email, password } = req.body;
-        if (!(username || email || password)) {
-            handleBadRequest(res, 'No field to update: username and email and password are all missing!');
+        const parseResult = updateUserSchema.safeParse(req.body);
+        if (!parseResult.success) {
+            const required_errors = parseResult.error.errors.filter(
+                err => err.message == UserValidationErrors.REQUIRED,
+            );
+            if (required_errors.length > 0) {
+                handleBadRequest(res, 'No field to update: username and email and password are all missing!');
+                return;
+            }
+            handleBadRequest(res, 'invalid username and/or email and/or password');
             return;
         }
 
+        const { username, email, password } = req.body;
+
         const userId = req.params.id;
         if (!isValidObjectId(userId)) {
             handleNotFound(res, `User ${userId} not found`);
@@ -210,6 +220,7 @@ export async function updateUser(req: Request, res: Response) {
             handleNotFound(res, `User ${userId} not found`);
             return;
         }
+
         if (username || email) {
             const userByUsername = await _findUserByUsername(username);
             if (userByUsername && userByUsername.id !== userId) {
@@ -223,14 +234,13 @@ export async function updateUser(req: Request, res: Response) {
             }
         }
 
-        if (!password) {
-            handleBadRequest(res, 'No field to update: password is missing!');
-            return;
-        }
         const salt = bcrypt.genSaltSync(10);
-        const hashedPassword = bcrypt.hashSync(password, salt);
-
-        const updatedUser = (await _updateUserById(userId, username, email, hashedPassword)) as User;
+        const updatedUser = (await _updateUserById(
+            userId,
+            username ?? user.username, 
+            email ?? user.email, 
+            password ? bcrypt.hashSync(password, salt) : user.password
+        )) as User;
         handleSuccess(res, 200, `Updated data for user ${userId}`, formatUserResponse(updatedUser));
     } catch (err) {
         console.error(err);

services/user/src/types/custom.ts

@@ -43,6 +43,22 @@ export const registrationSchema = z.object({
     password: passwordSchema,
 });
 
+export const updateUserSchema = z.object({
+    username: usernameSchema.optional(),
+    email: emailSchema.optional(),
+    password: passwordSchema.optional(),
+}).superRefine((data, ctx) => {
+    if (!data.username && !data.email && !data.password) {
+        // If none of the variables are present, assign error to each one
+        // Granular control over which is missing is not needed
+        ctx.addIssue({
+          path: ['username', 'password', 'email'],
+          message: UserValidationErrors.REQUIRED,
+          code: z.ZodIssueCode.custom,
+        });
+      }
+});
+
 export const updateUsernameAndEmailSchema = z.object({
     username: usernameSchema,
     email: emailSchema,