Potential fix for code scanning alert no. 83: Database query built from user-controlled sources

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: JamieSlome

src/db/mongo/pushes.js

@@ -57,7 +57,7 @@ const writeAudit = async (action) => {
   const options = { upsert: true };
   const collection = await connect(cnName);
   delete data._id;
-  await collection.updateOne({ id: data.id }, { $set: data }, options);
+  await collection.updateOne({ id: { $eq: data.id } }, { $set: data }, options);
   return action;
 };
 

src/service/routes/push.js

@@ -91,6 +91,10 @@ router.post('/:id/authorise', async (req, res) => {
 
   if (req.user && attestationComplete) {
     const id = req.params.id;
+    if (typeof id !== "string") {
+      res.status(400).send({ message: "Invalid ID format" });
+      return;
+    }
     console.log({ id });
 
     // Get the push request