more validation

Joshua Zhou · Joshua Zhou · commit 2229ad1d89f4 · 2026-01-13T19:17:46.000-05:00
diff --git a/constants/checkin-options.js b/constants/checkin-options.js
@@ -0,0 +1,37 @@
+// Team checkin form constants for Mchacks 13
+"use strict";
+
+const PRIZE_CATEGORIES = [
+    "Best Beginner Hack",
+    "Best Design",
+    "Chaotic Evil",
+    "Best Use of AI or AI Agents"
+];
+
+const SPONSOR_CHALLENGES = [
+    "HoloRay",
+    "Athena AI",
+    "Gumloop",
+    "National Bank",
+    "Tail'ed",
+    "BassiliChat AI",
+    "Dobson Center",
+    "Desjardins",
+    "NOVA",
+    "CSUS"
+];
+
+const MLH_CHALLENGES = [
+    "Best Use of ElevenLabs",
+    "Best Use of Gemini API",
+    "Best Use of MongoDB Atlas",
+    "Best Use of DigitalOcean",
+    "Best Use of Solana",
+    "Best Use of Auth0"
+];
+
+module.exports = {
+    PRIZE_CATEGORIES,
+    SPONSOR_CHALLENGES,
+    MLH_CHALLENGES
+};
diff --git a/controllers/checkin.controller.js b/controllers/checkin.controller.js
@@ -74,6 +74,7 @@ async function submitCheckin(req, res) {
             teamMember4: teamMemberEmails[3] || '',
             prizeCategories: req.body.formData.prizeCategories,
             sponsorChallenges: req.body.formData.sponsorChallenges,
+            mlhChallenges: req.body.formData.mlhChallenges,
             // workshopsAttended: req.body.formData.workshopsAttended,
             discordTag: req.body.formData.discordTag,
             devpostLink: req.body.formData.devpostLink,
diff --git a/middlewares/validators/checkin.validator.js b/middlewares/validators/checkin.validator.js
@@ -1,16 +1,58 @@
 "use strict";
 
 const { body } = require('express-validator');
+const {
+    PRIZE_CATEGORIES,
+    SPONSOR_CHALLENGES,
+    MLH_CHALLENGES
+} = require('../../constants/checkin-options');
 
 /**
  * Validator for check-in form submission
  */
 const checkinValidator = [
-    body('formData.prizeCategories').isArray().withMessage('Prize categories must be an array'),
-    body('formData.sponsorChallenges').isArray().withMessage('Sponsor challenges must be an array'),
+    body('formData.prizeCategories')
+        .isArray()
+        .withMessage('Prize categories must be an array')
+        .custom((values) =>
+            Array.isArray(values) &&
+            values.every((value) => typeof value === 'string' && PRIZE_CATEGORIES.includes(value))
+        )
+        .withMessage('Prize categories contain invalid selections'),
+    body('formData.sponsorChallenges')
+        .isArray()
+        .withMessage('Sponsor challenges must be an array')
+        .custom((values) =>
+            Array.isArray(values) &&
+            values.every((value) => typeof value === 'string' && SPONSOR_CHALLENGES.includes(value))
+        )
+        .withMessage('Sponsor challenges contain invalid selections'),
+    body('formData.mlhChallenges')
+        .isArray()
+        .withMessage('MLH challenges must be an array')
+        .custom((values) =>
+            Array.isArray(values) &&
+            values.every((value) => typeof value === 'string' && MLH_CHALLENGES.includes(value))
+        )
+        .withMessage('MLH challenges contain invalid selections'),
     // body('formData.workshopsAttended').isArray().withMessage('Workshops attended must be an array'),
     body('formData.discordTag').notEmpty().withMessage('Discord tag is required'),
-    body('formData.devpostLink').notEmpty().withMessage('Devpost link is required')
+    body('formData.devpostLink')
+        .notEmpty()
+        .withMessage('Devpost link is required')
+        .bail()
+        .isURL({ require_protocol: true, protocols: ['http', 'https'] })
+        .withMessage('Devpost link must be a valid URL')
+        .bail()
+        .custom((value) => {
+            try {
+                const url = new URL(value);
+                return url.hostname === 'devpost.com' || url.hostname.endsWith('.devpost.com');
+            } catch (error) {
+                return false;
+            }
+        })
+        .withMessage('Devpost link must be a devpost.com URL')
 ];
 
 module.exports = checkinValidator; 
diff --git a/routes/api/checkin.js b/routes/api/checkin.js
@@ -26,6 +26,7 @@ const Middleware = {
  * @apiParam {Object} formData The check-in form data
  * @apiParam {String[]} formData.prizeCategories Array of prize categories
  * @apiParam {String[]} formData.sponsorChallenges Array of sponsor challenges
+ * @apiParam {String[]} formData.mlhChallenges Array of MLH challenges
  * @apiParam {String[]} formData.workshopsAttended Array of workshops attended
  *
  * @apiSuccess {String} message Success message
diff --git a/services/sheets.service.js b/services/sheets.service.js
@@ -27,6 +27,31 @@ class SheetsService {
         });
     }
 
+    sanitizeForSheet(value) {
+        if (typeof value !== 'string') {
+            return value;
+        }
+        if (
+            value.startsWith('=') ||
+            value.startsWith('+') ||
+            value.startsWith('-') ||
+            value.startsWith('@')
+        ) {
+            return `'${value}`;
+        }
+        return value;
+    }
+
+    sanitizeArrayForSheet(values) {
+        if (!Array.isArray(values)) {
+            return '';
+        }
+        return values
+            .filter((value) => typeof value === 'string')
+            .map((value) => this.sanitizeForSheet(value))
+            .join(', ');
+    }
+
     /**
      * Append check-in data to the spreadsheet
      * @param {Object} formData The check-in form data
@@ -49,16 +74,17 @@ class SheetsService {
             // Format the data for the spreadsheet
             const values = [[
                 new Date().toISOString(),
-                formData.teamMember1 || '',
-                formData.teamMember2 || '',
-                formData.teamMember3 || '',
-                formData.teamMember4 || '',
-                Array.isArray(formData.prizeCategories) ? formData.prizeCategories.join(', ') : '',
-                Array.isArray(formData.sponsorChallenges) ? formData.sponsorChallenges.join(', ') : '',
+                this.sanitizeForSheet(formData.teamMember1 || ''),
+                this.sanitizeForSheet(formData.teamMember2 || ''),
+                this.sanitizeForSheet(formData.teamMember3 || ''),
+                this.sanitizeForSheet(formData.teamMember4 || ''),
+                this.sanitizeArrayForSheet(formData.prizeCategories),
+                this.sanitizeArrayForSheet(formData.sponsorChallenges),
+                this.sanitizeArrayForSheet(formData.mlhChallenges),
                 // Array.isArray(formData.workshopsAttended) ? formData.workshopsAttended.join(', ') : '',
-                formData.discordTag || '',
-                formData.devpostLink || '',
-                formData.teamId || '' // Add teamId at the 'K' column
+                this.sanitizeForSheet(formData.discordTag || ''),
+                this.sanitizeForSheet(formData.devpostLink || ''),
+                this.sanitizeForSheet(formData.teamId || '') // Add teamId at the 'K' column
             ]];
 
             Logger.info('Formatted data for spreadsheet:', values);

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ const Middleware = {`
`26`	`26`	`* @apiParam {Object} formData The check-in form data`
`27`	`27`	`* @apiParam {String[]} formData.prizeCategories Array of prize categories`
`28`	`28`	`* @apiParam {String[]} formData.sponsorChallenges Array of sponsor challenges`
	`29`	`+ * @apiParam {String[]} formData.mlhChallenges Array of MLH challenges`
`29`	`30`	`* @apiParam {String[]} formData.workshopsAttended Array of workshops attended`
`30`	`31`	`*`
`31`	`32`	`* @apiSuccess {String} message Success message`