HotFix: Simplify teamIdOrSlug schema validation (#185)

ben-fornefeld · web-flow · commit fc3b1a48b79c · 2025-11-11T22:39:44.000+01:00
The previous TeamIdOrSlugSchema regex did not match the possible slugs in the database 100% of the time.  --- > [!NOTE] > Loosens teamIdOrSlug validation, verifies UUIDs against DB to avoid slug/ID collisions, and adds structured warning logs in dashboard and team middleware. > > - **Team resolution/backend**: > - `TeamIdOrSlugSchema` now accepts any `string` (removed slug regex) alongside `uuid`. > - `getTeamIdFromSegment` verifies UUIDs against `teams` table and ensures they aren’t treated as IDs when they match a slug; retains slug lookup and uses `server-only`. > - **Logging**: > - Adds warning logs in `app/dashboard/[teamIdOrSlug]/layout.tsx` when team cannot be resolved (with serialized error). > - Adds warning logs in `withTeamIdResolution` middleware for invalid `teamIdOrSlug` and unauthorized access. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit bbb083f. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
diff --git a/src/app/dashboard/[teamIdOrSlug]/layout.tsx b/src/app/dashboard/[teamIdOrSlug]/layout.tsx
@@ -4,13 +4,15 @@ import { AUTH_URLS } from '@/configs/urls'
 import { DashboardContextProvider } from '@/features/dashboard/context'
 import DashboardLayoutView from '@/features/dashboard/layout/layout'
 import Sidebar from '@/features/dashboard/sidebar/sidebar'
+import { l } from '@/lib/clients/logger/logger'
 import { getSessionInsecure } from '@/server/auth/get-session'
 import getUserByToken from '@/server/auth/get-user-by-token'
 import { getTeam } from '@/server/team/get-team'
 import { SidebarInset, SidebarProvider } from '@/ui/primitives/sidebar'
 import { cookies } from 'next/headers'
 import { redirect, unauthorized } from 'next/navigation'
 import { Metadata } from 'next/types'
+import { serializeError } from 'serialize-error'
 
 export const metadata: Metadata = {
   title: 'Dashboard - E2B',
@@ -48,6 +50,17 @@ export default async function DashboardLayout({
   const team = teamRes?.data
 
   if (!team) {
+    l.warn(
+      {
+        key: 'dashboard_layout:team_not_resolved',
+        user_id: data.user.id,
+        error: serializeError(teamRes?.serverError),
+        context: {
+          teamIdOrSlug,
+        },
+      },
+      `dashboard_layout:team_not_resolved - team not resolved for user (${data.user.id}) when accessing team (${teamIdOrSlug}) in dashboard layout`
+    )
     throw unauthorized()
   }
 
diff --git a/src/lib/clients/action.ts b/src/lib/clients/action.ts
@@ -215,12 +215,32 @@ export const withTeamIdResolution = createMiddleware<{
   const teamId = await getTeamIdFromSegment(clientInput.teamIdOrSlug as string)
 
   if (!teamId) {
+    l.warn(
+      {
+        key: 'with_team_id_resolution:invalid_team_id_or_slug',
+        context: {
+          teamIdOrSlug: clientInput.teamIdOrSlug,
+        },
+      },
+      `with_team_id_resolution:invalid_team_id_or_slug - invalid team id or slug provided through withTeamIdResolution middleware: ${clientInput.teamIdOrSlug}`
+    )
+
     throw unauthorized()
   }
 
   const isAuthorized = await checkUserTeamAuthorization(ctx.user.id, teamId)
 
   if (!isAuthorized) {
+    l.warn(
+      {
+        key: 'with_team_id_resolution:user_not_authorized',
+        context: {
+          teamIdOrSlug: clientInput.teamIdOrSlug,
+        },
+      },
+      `with_team_id_resolution:user_not_authorized - user not authorized to access team: ${clientInput.teamIdOrSlug}`
+    )
+
     throw unauthorized()
   }
 
diff --git a/src/lib/schemas/team.ts b/src/lib/schemas/team.ts
@@ -2,10 +2,10 @@ import { z } from 'zod'
 
 export const TeamIdOrSlugSchema = z.union([
   z.uuid(),
-  z
-    .string()
-    .regex(
-      /^[a-z0-9]+(-[a-z0-9]+)*$/i,
-      'Must be a valid slug (words separated by hyphens)'
-    ),
+  z.string(),
+  // FIXME: Add correct team regex as in db slug generation
+  // .regex(
+  //   /^[a-z0-9]+(-[a-z0-9]+)*$/i,
+  //   'Must be a valid slug (words separated by hyphens)'
+  // ),
 ])
diff --git a/src/server/team/get-team-id-from-segment.ts b/src/server/team/get-team-id-from-segment.ts
@@ -1,4 +1,4 @@
-import 'server-cli-only'
+import 'server-only'
 
 import { CACHE_TAGS } from '@/configs/cache'
 import { l } from '@/lib/clients/logger/logger'
@@ -29,7 +29,16 @@ export const getTeamIdFromSegment = async (segment: string) => {
   }
 
   if (z.uuid().safeParse(segment).success) {
-    return segment
+    // make sure this uuid is a valid teamId and is not it's slug
+    const { data } = await supabaseAdmin
+      .from('teams')
+      .select('id')
+      .not('slug', 'eq', segment)
+      .eq('id', segment)
+
+    if (data?.length) {
+      return data[0]!.id
+    }
   }
 
   const { data, error } = await supabaseAdmin
