validate all ids in server actions

Author: alexnuttall

frontend/src/__tests__/components/forms/EmailTemplateForm/server-action.test.ts

@@ -14,7 +14,7 @@ const createTemplateMock = jest.mocked(createTemplate);
 const redirectMock = jest.mocked(redirect);
 
 const initialState: EmailTemplate = {
-  id: 'template-id',
+  id: '89cc73bb-6d61-4b8b-a728-b5e40f0751fd',
   templateType: 'EMAIL',
   templateStatus: 'NOT_YET_SUBMITTED',
   name: 'name',
@@ -109,25 +109,52 @@ describe('CreateEmailTemplate server actions', () => {
       })
     );
 
-    expect(saveTemplateMock).toHaveBeenCalledWith({
+    expect(saveTemplateMock).toHaveBeenCalledWith(initialState.id, {
       ...initialState,
       name: 'template-name',
       subject: 'template-subject-line',
       message: 'template-message',
     });
 
     expect(redirectMock).toHaveBeenCalledWith(
-      '/preview-email-template/template-id?from=edit',
+      `/preview-email-template/${initialState.id}?from=edit`,
       'push'
     );
   });
 
+  test('redirects to invalid-template if the ID in formState is not a uuid', async () => {
+    const badIdState = {
+      ...initialState,
+      id: 'non-uuid',
+      name: 'template-name',
+      subject: 'template-subject-line',
+      message: 'template-message',
+      createdAt: '2025-01-13T10:19:25.579Z',
+      updatedAt: '2025-01-13T10:19:25.579Z',
+    };
+
+    await processFormActions(
+      badIdState,
+      getMockFormData({
+        emailTemplateName: 'template-name',
+        emailTemplateSubjectLine: 'template-subject-line',
+        emailTemplateMessage: 'template-message',
+      })
+    );
+
+    expect(saveTemplateMock).not.toHaveBeenCalled();
+
+    expect(redirectMock).toHaveBeenCalledWith('/invalid-template', 'replace');
+  });
+
   test('should create the template and redirect', async () => {
     const { id: _, ...initialDraftState } = initialState; // eslint-disable-line sonarjs/no-unused-vars
 
+    const generatedId = '06c6fb58-e749-4ee4-8343-57d7f7ecfe1f';
+
     createTemplateMock.mockResolvedValue({
       ...initialDraftState,
-      id: 'new-template-id',
+      id: generatedId,
       name: 'template-name',
       subject: 'template-subject-line',
       message: 'template-message',
@@ -152,7 +179,7 @@ describe('CreateEmailTemplate server actions', () => {
     });
 
     expect(redirectMock).toHaveBeenCalledWith(
-      '/preview-email-template/new-template-id?from=edit',
+      `/preview-email-template/${generatedId}?from=edit`,
       'push'
     );
   });

frontend/src/__tests__/components/forms/NhsAppTemplateForm/server-action.test.ts

@@ -1,6 +1,6 @@
 import { getMockFormData } from '@testhelpers';
 import { saveTemplate, createTemplate } from '@utils/form-actions';
-import {
+import type {
   NHSAppTemplate,
   CreateUpdateNHSAppTemplate,
 } from 'nhs-notify-web-template-management-utils';
@@ -23,7 +23,7 @@ const initialState: CreateUpdateNHSAppTemplate = {
 
 const savedState: NHSAppTemplate = {
   ...initialState,
-  id: 'template-id',
+  id: 'a28c9e75-d6c9-4efe-879e-e082238938cf',
   templateStatus: 'NOT_YET_SUBMITTED',
   createdAt: '2025-01-13T10:19:25.579Z',
   updatedAt: '2025-01-13T10:19:25.579Z',
@@ -130,18 +130,37 @@ describe('CreateNHSAppTemplate server actions', () => {
       })
     );
 
-    expect(saveTemplateMock).toHaveBeenCalledWith({
+    expect(saveTemplateMock).toHaveBeenCalledWith(savedState.id, {
       ...savedState,
       name: 'template-name',
       message: 'template-message',
     });
 
     expect(redirectMock).toHaveBeenCalledWith(
-      `/preview-nhs-app-template/template-id?from=edit`,
+      `/preview-nhs-app-template/${savedState.id}?from=edit`,
       'push'
     );
   });
 
+  test('redirects to invalid-template if the ID in formState is not a uuid', async () => {
+    const badIdState = {
+      ...savedState,
+      id: 'no-uuid',
+    };
+
+    await processFormActions(
+      badIdState,
+      getMockFormData({
+        nhsAppTemplateName: 'template-name',
+        nhsAppTemplateMessage: 'template-message',
+      })
+    );
+
+    expect(saveTemplateMock).not.toHaveBeenCalled();
+
+    expect(redirectMock).toHaveBeenCalledWith('/invalid-template', 'replace');
+  });
+
   test('should save a template that contains a url with angle brackets, if they are url encoded', async () => {
     saveTemplateMock.mockResolvedValue({
       ...savedState,
@@ -159,15 +178,15 @@ describe('CreateNHSAppTemplate server actions', () => {
       })
     );
 
-    expect(saveTemplateMock).toHaveBeenCalledWith({
+    expect(saveTemplateMock).toHaveBeenCalledWith(savedState.id, {
       ...savedState,
       name: 'template-name',
       message:
         '**a message linking to [example.com](https://www.example.com/withparams?param1=%3C%3E)**',
     });
 
     expect(redirectMock).toHaveBeenCalledWith(
-      `/preview-nhs-app-template/template-id?from=edit`,
+      `/preview-nhs-app-template/${savedState.id}?from=edit`,
       'push'
     );
   });
@@ -190,7 +209,7 @@ describe('CreateNHSAppTemplate server actions', () => {
     });
 
     expect(redirectMock).toHaveBeenCalledWith(
-      '/preview-nhs-app-template/template-id?from=edit',
+      `/preview-nhs-app-template/${savedState.id}?from=edit`,
       'push'
     );
   });

frontend/src/__tests__/components/forms/SmsTemplateForm/server-action.test.ts

@@ -14,7 +14,7 @@ const createTemplateMock = jest.mocked(createTemplate);
 const redirectMock = jest.mocked(redirect);
 
 const initialState: SMSTemplate = {
-  id: 'template-id',
+  id: '9e23faa1-521d-4708-8edb-be42ed4a3aae',
   templateType: 'SMS',
   templateStatus: 'NOT_YET_SUBMITTED',
   name: 'name',
@@ -102,24 +102,45 @@ describe('CreateSmsTemplate server actions', () => {
       })
     );
 
-    expect(saveTemplateMock).toHaveBeenCalledWith({
+    expect(saveTemplateMock).toHaveBeenCalledWith(initialState.id, {
       ...initialState,
       name: 'template-name',
       message: 'template-message',
     });
 
     expect(redirectMock).toHaveBeenCalledWith(
-      '/preview-text-message-template/template-id?from=edit',
+      `/preview-text-message-template/${initialState.id}?from=edit`,
       'push'
     );
   });
 
+  test('redirects to invalid-template if the ID in formState is not a uuid', async () => {
+    const badIdState = {
+      ...initialState,
+      id: 'non-uuid',
+    };
+
+    await processFormActions(
+      badIdState,
+      getMockFormData({
+        smsTemplateName: 'template-name',
+        smsTemplateMessage: 'template-message',
+      })
+    );
+
+    expect(saveTemplateMock).not.toHaveBeenCalled();
+
+    expect(redirectMock).toHaveBeenCalledWith('/invalid-template', 'replace');
+  });
+
   test('should create the template and redirect', async () => {
     const { id: _, ...initialDraftState } = initialState; // eslint-disable-line sonarjs/no-unused-vars
 
+    const generatedId = '1cc83326-2076-4917-9920-6b297c20d08a';
+
     createTemplateMock.mockResolvedValue({
       ...initialDraftState,
-      id: 'new-template-id',
+      id: generatedId,
       name: 'template-name',
       message: 'template-message',
     } as TemplateDto);
@@ -139,7 +160,7 @@ describe('CreateSmsTemplate server actions', () => {
     });
 
     expect(redirectMock).toHaveBeenCalledWith(
-      '/preview-text-message-template/new-template-id?from=edit',
+      `/preview-text-message-template/${generatedId}?from=edit`,
       'push'
     );
   });

frontend/src/__tests__/utils/form-actions.test.ts

@@ -310,7 +310,7 @@ describe('form-actions', () => {
     });
 
     const updateTemplateInput: NHSAppTemplate = {
-      id: 'id',
+      id: 'ee22daa2-9fce-455a-9e07-91679e4d7999',
       templateType: 'NHS_APP',
       templateStatus: 'NOT_YET_SUBMITTED',
       name: 'name',
@@ -319,7 +319,10 @@ describe('form-actions', () => {
       updatedAt: '2025-01-13T10:19:25.579Z',
     };
 
-    const response = await saveTemplate(updateTemplateInput);
+    const response = await saveTemplate(
+      updateTemplateInput.id,
+      updateTemplateInput
+    );
 
     expect(mockedTemplateClient.updateTemplate).toHaveBeenCalledWith(
       updateTemplateInput.id,
@@ -341,7 +344,7 @@ describe('form-actions', () => {
     });
 
     const updateTemplateInput: NHSAppTemplate = {
-      id: 'id',
+      id: 'bde7301a-e8c0-404a-8d19-c0b8ef7817f9',
       templateType: 'NHS_APP',
       templateStatus: 'NOT_YET_SUBMITTED',
       name: 'name',
@@ -350,9 +353,9 @@ describe('form-actions', () => {
       updatedAt: '2025-01-13T10:19:25.579Z',
     };
 
-    await expect(saveTemplate(updateTemplateInput)).rejects.toThrow(
-      'Failed to save template data'
-    );
+    await expect(
+      saveTemplate(updateTemplateInput.id, updateTemplateInput)
+    ).rejects.toThrow('Failed to save template data');
 
     expect(mockedTemplateClient.updateTemplate).toHaveBeenCalledWith(
       updateTemplateInput.id,
@@ -369,7 +372,7 @@ describe('form-actions', () => {
     });
 
     const updateTemplateInput: NHSAppTemplate = {
-      id: 'id',
+      id: 'bde7301a-e8c0-404a-8d19-c0b8ef7817f9',
       templateType: 'NHS_APP',
       templateStatus: 'NOT_YET_SUBMITTED',
       name: 'name',
@@ -378,9 +381,9 @@ describe('form-actions', () => {
       updatedAt: '2025-01-13T10:19:25.579Z',
     };
 
-    await expect(saveTemplate(updateTemplateInput)).rejects.toThrow(
-      'Failed to get access token'
-    );
+    await expect(
+      saveTemplate(updateTemplateInput.id, updateTemplateInput)
+    ).rejects.toThrow('Failed to get access token');
   });
 
   test('getTemplate', async () => {

frontend/src/components/forms/EmailTemplateForm/server-action.ts

@@ -53,19 +53,31 @@ export async function processFormActions(
   const { emailTemplateName, emailTemplateSubjectLine, emailTemplateMessage } =
     parsedForm.data;
 
-  const updatedTemplate = {
+  const template = {
     ...formState,
     name: emailTemplateName,
     subject: emailTemplateSubjectLine,
     message: emailTemplateMessage,
   };
 
-  const savedTemplate = await ('id' in updatedTemplate
-    ? saveTemplate(updatedTemplate)
-    : createTemplate(updatedTemplate));
+  let savedId: string;
+
+  if ('id' in template) {
+    const { success, data: templateId } = z.uuid().safeParse(template.id);
+
+    if (!success) {
+      return redirect('/invalid-template', RedirectType.replace);
+    }
+
+    const saved = await saveTemplate(templateId, template);
+    savedId = saved.id;
+  } else {
+    const saved = await createTemplate(template);
+    savedId = saved.id;
+  }
 
   return redirect(
-    `/preview-email-template/${savedTemplate.id}?from=edit`,
+    `/preview-email-template/${savedId}?from=edit`,
     RedirectType.push
   );
 }

frontend/src/components/forms/NhsAppTemplateForm/server-action.ts

@@ -71,18 +71,30 @@ export async function processFormActions(
 
   const { nhsAppTemplateName, nhsAppTemplateMessage } = parsedForm.data;
 
-  const updatedTemplate = {
+  const template = {
     ...formState,
     name: nhsAppTemplateName,
     message: nhsAppTemplateMessage,
   };
 
-  const savedTemplate = await ('id' in updatedTemplate
-    ? saveTemplate(updatedTemplate)
-    : createTemplate(updatedTemplate));
+  let savedId: string;
+
+  if ('id' in template) {
+    const { success, data: templateId } = z.uuid().safeParse(template.id);
+
+    if (!success) {
+      return redirect('/invalid-template', RedirectType.replace);
+    }
+
+    const saved = await saveTemplate(templateId, template);
+    savedId = saved.id;
+  } else {
+    const saved = await createTemplate(template);
+    savedId = saved.id;
+  }
 
   return redirect(
-    `/preview-nhs-app-template/${savedTemplate.id}?from=edit`,
+    `/preview-nhs-app-template/${savedId}?from=edit`,
     RedirectType.push
   );
 }

frontend/src/components/forms/SmsTemplateForm/server-action.ts

@@ -49,18 +49,30 @@ export async function processFormActions(
 
   const { smsTemplateName, smsTemplateMessage } = parsedForm.data;
 
-  const updatedTemplate = {
+  const template = {
     ...formState,
     name: smsTemplateName,
     message: smsTemplateMessage,
   };
 
-  const savedTemplate = await ('id' in updatedTemplate
-    ? saveTemplate(updatedTemplate)
-    : createTemplate(updatedTemplate));
+  let savedId: string;
+
+  if ('id' in template) {
+    const { success, data: templateId } = z.uuid().safeParse(template.id);
+
+    if (!success) {
+      return redirect('/invalid-template', RedirectType.replace);
+    }
+
+    const saved = await saveTemplate(templateId, template);
+    savedId = saved.id;
+  } else {
+    const saved = await createTemplate(template);
+    savedId = saved.id;
+  }
 
   return redirect(
-    `/preview-text-message-template/${savedTemplate.id}?from=edit`,
+    `/preview-text-message-template/${savedId}?from=edit`,
     RedirectType.push
   );
 }