add some templateId validation in form server actions to see if it resolves security alerts

alexnuttall · alexnuttall · commit a51dd20206df · 2025-10-10T12:47:09.000+01:00
diff --git a/frontend/src/__tests__/components/forms/RequestProof/server-action.test.ts b/frontend/src/__tests__/components/forms/RequestProof/server-action.test.ts
@@ -15,29 +15,30 @@ const redirectMock = jest.mocked(redirect);
 const getTemplateMock = jest.mocked(getTemplate);
 const requestTemplateProofMock = jest.mocked(requestTemplateProof);
 
-const mockLetterTemplate = {
-  templateType: 'LETTER',
-  templateStatus: 'NOT_YET_SUBMITTED',
-  name: 'name',
-  id: '1',
-  createdAt: '2025-01-13T10:19:25.579Z',
-  updatedAt: '2025-01-13T10:19:25.579Z',
-  letterType: 'x0',
-  language: 'en',
-  files: {
-    pdfTemplate: {
-      currentVersion: 'a',
-      virusScanStatus: 'PASSED',
-      fileName: 'a.pdf',
+const mockLetterTemplate = (id: string) =>
+  ({
+    templateType: 'LETTER',
+    templateStatus: 'NOT_YET_SUBMITTED',
+    name: 'name',
+    id,
+    createdAt: '2025-01-13T10:19:25.579Z',
+    updatedAt: '2025-01-13T10:19:25.579Z',
+    letterType: 'x0',
+    language: 'en',
+    files: {
+      pdfTemplate: {
+        currentVersion: 'a',
+        virusScanStatus: 'PASSED',
+        fileName: 'a.pdf',
+      },
     },
-  },
-} satisfies TemplateDto;
+  }) satisfies TemplateDto;
 
 describe('requestProof', () => {
   beforeEach(jest.resetAllMocks);
 
   it('should redirect when templateId from form is invalid', async () => {
-    const formData = getMockFormData({});
+    const formData = getMockFormData({ templateId: 'not-uuid' });
 
     await requestProof('LETTER', formData);
 
@@ -49,7 +50,9 @@ describe('requestProof', () => {
   it('should redirect when template is not found in the DB', async () => {
     getTemplateMock.mockResolvedValueOnce(undefined);
 
-    const formData = getMockFormData({ templateId: '1' });
+    const formData = getMockFormData({
+      templateId: '2abc25f0-7e59-4d53-b20c-7547ef983789',
+    });
 
     await requestProof('LETTER', formData);
 
@@ -61,22 +64,26 @@ describe('requestProof', () => {
       id: 'template-id',
     } as unknown as TemplateDto);
 
-    const formData = getMockFormData({ templateId: '1' });
+    const formData = getMockFormData({
+      templateId: '992fe769-f8b3-43a9-84f1-6e10d0480bb6',
+    });
 
     await requestProof('LETTER', formData);
 
     expect(redirectMock).toHaveBeenCalledWith('/invalid-template', 'replace');
   });
 
   it('should handle error when failing to save template', async () => {
-    getTemplateMock.mockResolvedValueOnce(mockLetterTemplate);
+    const templateId = '14216f4b-d01b-401c-8351-1356809174d9';
+
+    getTemplateMock.mockResolvedValueOnce(mockLetterTemplate(templateId));
 
     requestTemplateProofMock.mockImplementationOnce(() => {
       throw new Error('failed to save template');
     });
 
     const formData = getMockFormData({
-      templateId: '1',
+      templateId: '14216f4b-d01b-401c-8351-1356809174d9',
     });
 
     await expect(requestProof('LETTER', formData)).rejects.toThrow(
@@ -85,18 +92,20 @@ describe('requestProof', () => {
   });
 
   it('should redirect when successfully submitted', async () => {
-    getTemplateMock.mockResolvedValueOnce(mockLetterTemplate);
+    const templateId = '465eecc3-2ab8-4291-a898-ee6edcb03d33';
+
+    getTemplateMock.mockResolvedValueOnce(mockLetterTemplate(templateId));
 
     const formData = getMockFormData({
-      templateId: '1',
+      templateId,
     });
 
     await requestProof('LETTER', formData);
 
-    expect(requestTemplateProofMock).toHaveBeenCalledWith('1');
+    expect(requestTemplateProofMock).toHaveBeenCalledWith(templateId);
 
     expect(redirectMock).toHaveBeenCalledWith(
-      '/preview-letter-template/1',
+      `/preview-letter-template/${templateId}`,
       'push'
     );
   });
diff --git a/frontend/src/__tests__/components/forms/SubmitTemplate/server-action.test.ts b/frontend/src/__tests__/components/forms/SubmitTemplate/server-action.test.ts
@@ -15,23 +15,24 @@ const redirectMock = jest.mocked(redirect);
 const getTemplateMock = jest.mocked(getTemplate);
 const setTemplateToSubmittedMock = jest.mocked(setTemplateToSubmitted);
 
-const mockNhsAppTemplate = {
-  templateType: 'NHS_APP',
-  templateStatus: 'NOT_YET_SUBMITTED',
-  name: 'name',
-  message: 'body',
-  id: '1',
-  createdAt: '2025-01-13T10:19:25.579Z',
-  updatedAt: '2025-01-13T10:19:25.579Z',
-} satisfies TemplateDto;
+const mockNhsAppTemplate = (id: string) =>
+  ({
+    templateType: 'NHS_APP',
+    templateStatus: 'NOT_YET_SUBMITTED',
+    name: 'name',
+    message: 'body',
+    id,
+    createdAt: '2025-01-13T10:19:25.579Z',
+    updatedAt: '2025-01-13T10:19:25.579Z',
+  }) satisfies TemplateDto;
 
 describe('submitTemplate', () => {
   beforeEach(() => {
     jest.resetAllMocks();
   });
 
   it('should redirect when templateId from form is invalid', async () => {
-    const formData = getMockFormData({});
+    const formData = getMockFormData({ templateId: 'non-uuid' });
 
     await submitTemplate('NHS_APP', formData);
 
@@ -43,7 +44,9 @@ describe('submitTemplate', () => {
   it('should redirect when template is not found in the DB', async () => {
     getTemplateMock.mockResolvedValueOnce(undefined);
 
-    const formData = getMockFormData({ templateId: '1' });
+    const formData = getMockFormData({
+      templateId: '7bc9fac0-ad5e-4559-b614-ad10a59295aa',
+    });
 
     await submitTemplate('EMAIL', formData);
 
@@ -55,22 +58,26 @@ describe('submitTemplate', () => {
       id: 'template-id',
     } as unknown as TemplateDto);
 
-    const formData = getMockFormData({ templateId: '1' });
+    const formData = getMockFormData({
+      templateId: 'ff32550d-6832-4837-ada0-b6dd5c09e7b8',
+    });
 
     await submitTemplate('EMAIL', formData);
 
     expect(redirectMock).toHaveBeenCalledWith('/invalid-template', 'replace');
   });
 
   it('should handle error when failing to save template', async () => {
-    getTemplateMock.mockResolvedValueOnce(mockNhsAppTemplate);
+    const templateId = '32b5005c-bfbb-4435-ae59-b4d54b225eb4';
+
+    getTemplateMock.mockResolvedValueOnce(mockNhsAppTemplate(templateId));
 
     setTemplateToSubmittedMock.mockImplementationOnce(() => {
       throw new Error('failed to save template');
     });
 
     const formData = getMockFormData({
-      templateId: '1',
+      templateId,
     });
 
     await expect(submitTemplate('SMS', formData)).rejects.toThrow(
@@ -79,18 +86,20 @@ describe('submitTemplate', () => {
   });
 
   it('should redirect when successfully submitted', async () => {
-    getTemplateMock.mockResolvedValueOnce(mockNhsAppTemplate);
+    const templateId = '7bc9fac0-ad5e-4559-b614-ad10a59295aa';
+
+    getTemplateMock.mockResolvedValueOnce(mockNhsAppTemplate(templateId));
 
     const formData = getMockFormData({
-      templateId: '1',
+      templateId,
     });
 
     await submitTemplate('SMS', formData);
 
-    expect(setTemplateToSubmittedMock).toHaveBeenCalledWith('1');
+    expect(setTemplateToSubmittedMock).toHaveBeenCalledWith(templateId);
 
     expect(redirectMock).toHaveBeenCalledWith(
-      '/text-message-template-submitted/1',
+      `/text-message-template-submitted/${templateId}`,
       'push'
     );
   });
diff --git a/frontend/src/components/forms/RequestProof/server-action.ts b/frontend/src/components/forms/RequestProof/server-action.ts
@@ -12,7 +12,7 @@ import { TemplateType } from 'nhs-notify-backend-client';
 
 export async function requestProof(channel: TemplateType, formData: FormData) {
   const { success, data: templateId } = z
-    .string()
+    .uuid()
     .safeParse(formData.get('templateId'));
 
   if (!success) {
diff --git a/frontend/src/components/forms/SubmitTemplate/server-action.ts b/frontend/src/components/forms/SubmitTemplate/server-action.ts
@@ -15,7 +15,7 @@ export async function submitTemplate(
   formData: FormData
 ) {
   const { success, data: templateId } = z
-    .string()
+    .uuid()
     .safeParse(formData.get('templateId'));
 
   if (!success) {
