refactor: AbstractEntityMiddleware base class + complete middleware consolidation (phase 2) (#8169)

## Summary

Follows up on #8166, extending the middleware consolidation pattern
across all remaining routes.

- **`AbstractEntityMiddleware`** — new abstract base class encapsulating
the entity-loading pattern (get route param → 412, ORM query → 404,
`withAttribute`) used by all entity middleware. Each subclass only
implements `getRouteParamName()`, `getAttributeName()`, and
`loadEntity()`
- **`GroupMiddleware`, `DepositMiddleware`, `CalendarMiddleware`,
`KioskDeviceMiddleware`** — all refactored to extend
`AbstractEntityMiddleware`; also fixes a bug in `GroupMiddleware` that
was returning 412 instead of 404 for not-found entities
- **Route files** — entity-loading middleware wired to 17 routes across
5 files, removing all inline ORM loads and null guards from handlers
- **`InputSanitizationMiddleware`** — wired to every write route that
accepts text input; found and fixed a gap: `POST /{groupID}/roles`
(`roleName`) was missing sanitization
- **Bug fix** — `getEventSecondaryContact` had an inverted condition
(`!empty`) that threw 404 when the contact *was* found; fixed to `empty`

## Files changed

| Action | File |
|--------|------|
| **New** |
`src/ChurchCRM/Slim/Middleware/Api/AbstractEntityMiddleware.php` |
| **New** | `src/ChurchCRM/Slim/Middleware/Api/CalendarMiddleware.php` |
| **New** | `src/ChurchCRM/Slim/Middleware/Api/DepositMiddleware.php` |
| **New** |
`src/ChurchCRM/Slim/Middleware/Api/KioskDeviceMiddleware.php` |
| **Modified** | `src/ChurchCRM/Slim/Middleware/Api/GroupMiddleware.php`
|
| **Modified** | `src/api/routes/calendar/calendar.php` |
| **Modified** | `src/api/routes/calendar/events.php` |
| **Modified** | `src/api/routes/finance/finance-deposits.php` |
| **Modified** | `src/api/routes/people/people-groups.php` |
| **Modified** | `src/kiosk/routes/api/kiosks.php` |

## Middleware ordering

Slim 4 is LIFO:
`->add(InputSanitizationMiddleware)->add(EntityMiddleware)` runs
entity-loading first (outermost), then sanitizes the body, then calls
the handler. This is the correct order — no wasteful sanitization on
requests that will 404.

## Test plan

- [ ] Existing Cypress suite passes (behavior is unchanged — same auth,
same 404/412 responses, same handler logic)
- [ ] `GET /groups/999999` → 404 (GroupMiddleware now returns 404, was
412)
- [ ] `GET /deposits/999999` → 404
- [ ] `GET /api/calendars/999999` → 404
- [ ] `POST /kiosk/api/devices/999999/reload` → 404
- [ ] `POST /groups/{id}/roles` with XSS in `roleName` → name sanitized
in DB

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: DawoudIO

cypress/e2e/api/private/standard/private.people.groups.spec.js

@@ -203,30 +203,30 @@ describe("API Private Group Operations", () => {
     });
 
     describe("Middleware Validation Tests", () => {
-        it("Returns 412 when updating a non-existent group", () => {
+        it("Returns 404 when updating a non-existent group", () => {
             cy.makePrivateAdminAPICall(
                 "POST",
                 `/api/groups/999999`,
                 { groupName: "Ghost Group", groupType: 0, description: "" },
-                412
+                404
             );
         });
 
-        it("Returns 412 when deleting a non-existent group", () => {
+        it("Returns 404 when deleting a non-existent group", () => {
             cy.makePrivateAdminAPICall(
                 "DELETE",
                 `/api/groups/999999`,
                 null,
-                412
+                404
             );
         });
 
-        it("Returns 412 when adding a person to a non-existent group", () => {
+        it("Returns 404 when adding a person to a non-existent group", () => {
             cy.makePrivateAdminAPICall(
                 "POST",
                 `/api/groups/999999/addperson/1`,
                 { RoleID: 1 },
-                412
+                404
             );
         });
 

src/ChurchCRM/Slim/Middleware/Api/AbstractEntityMiddleware.php

@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ChurchCRM\Slim\Middleware\Api;
+
+use ChurchCRM\Slim\SlimUtils;
+use Laminas\Diactoros\Response;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+
+abstract class AbstractEntityMiddleware implements MiddlewareInterface
+{
+    abstract protected function getRouteParamName(): string;
+
+    abstract protected function getAttributeName(): string;
+
+    abstract protected function loadEntity(string $id): mixed;
+
+    protected function getNotFoundMessage(): string
+    {
+        return ucfirst($this->getAttributeName()) . ' ' . gettext('not found');
+    }
+
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        $response = new Response();
+        $id = SlimUtils::getRouteArgument($request, $this->getRouteParamName());
+
+        if (empty(trim($id))) {
+            return SlimUtils::renderErrorJSON($response, gettext('Missing') . ' ' . $this->getRouteParamName(), [], 412);
+        }
+
+        $entity = $this->loadEntity($id);
+
+        if (empty($entity)) {
+            return SlimUtils::renderErrorJSON($response, $this->getNotFoundMessage(), [], 404);
+        }
+
+        return $handler->handle($request->withAttribute($this->getAttributeName(), $entity));
+    }
+}

src/ChurchCRM/Slim/Middleware/Api/CalendarMiddleware.php

@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ChurchCRM\Slim\Middleware\Api;
+
+use ChurchCRM\model\ChurchCRM\CalendarQuery;
+
+class CalendarMiddleware extends AbstractEntityMiddleware
+{
+    protected function getRouteParamName(): string
+    {
+        return 'id';
+    }
+
+    protected function getAttributeName(): string
+    {
+        return 'calendar';
+    }
+
+    protected function loadEntity(string $id): mixed
+    {
+        return CalendarQuery::create()->findOneById($id);
+    }
+
+    protected function getNotFoundMessage(): string
+    {
+        return gettext('Calendar not found');
+    }
+}

src/ChurchCRM/Slim/Middleware/Api/DepositMiddleware.php

@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ChurchCRM\Slim\Middleware\Api;
+
+use ChurchCRM\model\ChurchCRM\DepositQuery;
+
+class DepositMiddleware extends AbstractEntityMiddleware
+{
+    protected function getRouteParamName(): string
+    {
+        return 'id';
+    }
+
+    protected function getAttributeName(): string
+    {
+        return 'deposit';
+    }
+
+    protected function loadEntity(string $id): mixed
+    {
+        return DepositQuery::create()->findOneById($id);
+    }
+
+    protected function getNotFoundMessage(): string
+    {
+        return gettext('Deposit not found');
+    }
+}

src/ChurchCRM/Slim/Middleware/Api/GroupMiddleware.php

@@ -1,33 +1,30 @@
 <?php
 
+declare(strict_types=1);
+
 namespace ChurchCRM\Slim\Middleware\Api;
 
 use ChurchCRM\model\ChurchCRM\GroupQuery;
-use ChurchCRM\Slim\SlimUtils;
-
-use Laminas\Diactoros\Response;
-use Psr\Http\Message\ServerRequestInterface;
-use Psr\Http\Server\RequestHandlerInterface;
-use Psr\Http\Server\MiddlewareInterface;
-use Psr\Http\Message\ResponseInterface;
 
-class GroupMiddleware implements MiddlewareInterface
+class GroupMiddleware extends AbstractEntityMiddleware
 {
-    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    protected function getRouteParamName(): string
     {
-        $response = new Response();
-        $groupId = SlimUtils::getRouteArgument($request, 'groupID');
-        if (empty(trim($groupId))) {
-            return SlimUtils::renderErrorJSON($response, gettext('Missing') . ' GroupId', [], 412);
-        }
+        return 'groupID';
+    }
 
-        $group = GroupQuery::create()->findPk($groupId);
-        if (empty($group)) {
-            return SlimUtils::renderErrorJSON($response, 'GroupId: ' . $groupId . ' ' . gettext('not found'), [], 412);
-        }
+    protected function getAttributeName(): string
+    {
+        return 'group';
+    }
 
-        $request = $request->withAttribute('group', $group);
+    protected function loadEntity(string $id): mixed
+    {
+        return GroupQuery::create()->findPk($id);
+    }
 
-        return $handler->handle($request);
+    protected function getNotFoundMessage(): string
+    {
+        return gettext('Group not found');
     }
 }

src/ChurchCRM/Slim/Middleware/Api/KioskDeviceMiddleware.php

@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ChurchCRM\Slim\Middleware\Api;
+
+use ChurchCRM\model\ChurchCRM\KioskDeviceQuery;
+
+class KioskDeviceMiddleware extends AbstractEntityMiddleware
+{
+    protected function getRouteParamName(): string
+    {
+        return 'kioskId';
+    }
+
+    protected function getAttributeName(): string
+    {
+        return 'kioskDevice';
+    }
+
+    protected function loadEntity(string $id): mixed
+    {
+        return KioskDeviceQuery::create()->findOneById($id);
+    }
+
+    protected function getNotFoundMessage(): string
+    {
+        return gettext('Kiosk not found');
+    }
+}

src/api/routes/calendar/calendar.php

@@ -6,13 +6,13 @@
 use ChurchCRM\model\ChurchCRM\Calendar;
 use ChurchCRM\model\ChurchCRM\CalendarQuery;
 use ChurchCRM\model\ChurchCRM\EventQuery;
+use ChurchCRM\Slim\Middleware\Api\CalendarMiddleware;
+use ChurchCRM\Slim\Middleware\InputSanitizationMiddleware;
 use ChurchCRM\Slim\Middleware\Request\Auth\AddEventsRoleAuthMiddleware;
 use ChurchCRM\Slim\SlimUtils;
-use ChurchCRM\Utils\InputUtils;
 use Propel\Runtime\Collection\ObjectCollection;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
-use Slim\Exception\HttpBadRequestException;
 use Slim\Exception\HttpNotFoundException;
 use Slim\Routing\RouteCollectorProxy;
 
@@ -22,15 +22,15 @@
 
 $app->group('/calendars', function (RouteCollectorProxy $group): void {
     $group->get('', 'getUserCalendars');
-    $group->post('', 'NewCalendar')->add(AddEventsRoleAuthMiddleware::class);
+    $group->post('', 'NewCalendar')->add(new InputSanitizationMiddleware(['Name' => 'text']))->add(AddEventsRoleAuthMiddleware::class);
     $group->get('/', 'getUserCalendars');
-    $group->post('/', 'NewCalendar')->add(AddEventsRoleAuthMiddleware::class);
+    $group->post('/', 'NewCalendar')->add(new InputSanitizationMiddleware(['Name' => 'text']))->add(AddEventsRoleAuthMiddleware::class);
     $group->get('/{id}', 'getUserCalendars');
-    $group->delete('/{id}', 'deleteUserCalendar');
-    $group->get('/{id}/events', 'getUserCalendarEvents');
-    $group->get('/{id}/fullcalendar', 'getUserCalendarFullCalendarEvents');
-    $group->post('/{id}/NewAccessToken', 'NewAccessToken')->add(AddEventsRoleAuthMiddleware::class);
-    $group->delete('/{id}/AccessToken', 'DeleteAccessToken')->add(AddEventsRoleAuthMiddleware::class);
+    $group->delete('/{id}', 'deleteUserCalendar')->add(CalendarMiddleware::class);
+    $group->get('/{id}/events', 'getUserCalendarEvents')->add(CalendarMiddleware::class);
+    $group->get('/{id}/fullcalendar', 'getUserCalendarFullCalendarEvents')->add(CalendarMiddleware::class);
+    $group->post('/{id}/NewAccessToken', 'NewAccessToken')->add(CalendarMiddleware::class)->add(AddEventsRoleAuthMiddleware::class);
+    $group->delete('/{id}/AccessToken', 'DeleteAccessToken')->add(CalendarMiddleware::class)->add(AddEventsRoleAuthMiddleware::class);
 });
 
 $app->group('/systemcalendars', function (RouteCollectorProxy $group): void {
@@ -211,12 +211,7 @@ function getUserCalendars(Request $request, Response $response, array $args): Re
  */
 function getUserCalendarFullCalendarEvents(Request $request, Response $response, array $args): Response
 {
-    $CalendarID = $args['id'];
-    $calendar = CalendarQuery::create()
-        ->findOneById($CalendarID);
-    if (!$calendar) {
-        throw new HttpNotFoundException($request, 'Calendar ID not found!');
-    }
+    $calendar = $request->getAttribute('calendar');
     $start = $request->getQueryParams()['start'];
     $end = $request->getQueryParams()['end'];
     $Events = EventQuery::create()
@@ -248,12 +243,7 @@ function getUserCalendarFullCalendarEvents(Request $request, Response $response,
  */
 function getUserCalendarEvents(Request $request, Response $response, array $args): Response
 {
-    $CalendarID = $args['id'];
-    $calendar = CalendarQuery::create()
-        ->findOneById($CalendarID);
-    if (!$calendar) {
-        throw new HttpNotFoundException($request, 'Calendar ID not found!');
-    }
+    $calendar = $request->getAttribute('calendar');
     $start = $request->getQueryParams()['start'] ?? '';
     $end = $request->getQueryParams()['end'] ?? '';
 
@@ -289,14 +279,7 @@ function EventsObjectCollectionToFullCalendar(ObjectCollection $events, Calendar
  */
 function NewAccessToken(Request $request, Response $response, array $args): Response
 {
-    if (!isset($args['id'])) {
-        throw new HttpBadRequestException($request, gettext('Invalid request: Missing calendar id'));
-    }
-    $Calendar = CalendarQuery::create()
-        ->findOneById($args['id']);
-    if (!$Calendar) {
-        throw new HttpBadRequestException($request, gettext('Not Found: Unknown calendar id') . ': ' . $args['id']);
-    }
+    $Calendar = $request->getAttribute('calendar');
     $Calendar->setAccessToken(ChurchCRM\Utils\MiscUtils::randomToken());
     $Calendar->save();
 
@@ -319,14 +302,7 @@ function NewAccessToken(Request $request, Response $response, array $args): Resp
  */
 function DeleteAccessToken(Request $request, Response $response, array $args): Response
 {
-    if (!isset($args['id'])) {
-        throw new HttpBadRequestException($request, gettext('Invalid request: Missing calendar id'));
-    }
-    $Calendar = CalendarQuery::create()
-        ->findOneById($args['id']);
-    if (!$Calendar) {
-        throw new HttpBadRequestException($request, gettext('Not Found: Unknown calendar id') . ': ' . $args['id']);
-    }
+    $Calendar = $request->getAttribute('calendar');
     $Calendar->setAccessToken(null);
     $Calendar->save();
 
@@ -355,7 +331,7 @@ function NewCalendar(Request $request, Response $response, $args): Response
 {
     $input = $request->getParsedBody();
     $Calendar = new Calendar();
-    $Calendar->setName(InputUtils::sanitizeText($input['Name']));
+    $Calendar->setName($input['Name']);
     $Calendar->setForegroundColor($input['ForegroundColor']);
     $Calendar->setBackgroundColor($input['BackgroundColor']);
     $Calendar->save();
@@ -380,15 +356,7 @@ function NewCalendar(Request $request, Response $response, $args): Response
  */
 function deleteUserCalendar(Request $request, Response $response, array $args): Response
 {
-    if (!isset($args['id'])) {
-        throw new HttpBadRequestException($request, gettext('Invalid request: Missing calendar id'));
-    }
-    $Calendar = CalendarQuery::create()
-        ->findOneById($args['id']);
-    if (!$Calendar) {
-        throw new HttpBadRequestException($request, gettext('Not Found: Unknown calendar id') . ': ' . $args['id']);
-    }
-    $Calendar->delete();
+    $request->getAttribute('calendar')->delete();
 
     return SlimUtils::renderSuccessJSON($response);
 }