CCM-11602: Add validation for limit parameter

Author: simonlabarere

lambdas/api-handler/src/handlers/__tests__/get-letters.test.ts

@@ -76,6 +76,36 @@ describe('API Lambda handler', () => {
     });
   });
 
+  it("returns 400 if the limit parameter is not a number", async () => {
+    const event = makeApiGwEvent({
+      path: "/letters",
+      queryStringParameters: { limit: "1%" },
+    });
+    const context = mockDeep<Context>();
+    const callback = jest.fn();
+    const result = await getLetters(event, context, callback);
+
+    expect(result).toEqual({
+      statusCode: 400,
+      body: "Bad Request: limit parameter is not a number",
+    });
+  });
+
+  it("returns 400 if the limit parameter is not positive", async () => {
+    const event = makeApiGwEvent({
+      path: "/letters",
+      queryStringParameters: { limit: "-1" },
+    });
+    const context = mockDeep<Context>();
+    const callback = jest.fn();
+    const result = await getLetters(event, context, callback);
+
+    expect(result).toEqual({
+      statusCode: 400,
+      body: "Bad Request: limit parameter is not positive",
+    });
+  });
+
   it('returns 400 for missing supplier ID (empty headers)', async () => {
     const event = makeApiGwEvent({ path: "/letters", headers: {} });
     const context = mockDeep<Context>();

lambdas/api-handler/src/handlers/get-letters.ts

@@ -30,10 +30,34 @@ export const getLetters: APIGatewayProxyHandler = async (event) => {
       limit = "10";
     }
 
+    let limitNumber = Number(limit);
+
+    if (isNaN(limitNumber)) {
+      log.info({
+        description: "limit parameter is not a number",
+        limit,
+      });
+      return {
+        statusCode: 400,
+        body: "Bad Request: limit parameter is not a number",
+      };
+    }
+
+    if (limitNumber < 0) {
+      log.info({
+        description: "limit parameter is not positive",
+        limit,
+      });
+      return {
+        statusCode: 400,
+        body: "Bad Request: limit parameter is not positive",
+      };
+    }
+
     const letters = await getLettersForSupplier(
       supplierId,
       status,
-      Number(limit),
+      limitNumber,
       letterRepo,
     );