Validate event date formats before hitting Postgres

plc · claude · plc · commit 6101aa8e6b02 · 2026-02-14T13:28:51.000-07:00
Garbage dates like "not-a-date" previously passed through to Postgres,
which rejected them with a 500. Now caught at the app layer with a
clean 400 for both POST and PATCH on non-all_day events.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/routes/events.js b/src/routes/events.js
@@ -234,6 +234,12 @@ function normalizeBody(body) {
 
 const DATE_ONLY_RE = /^\d{4}-\d{2}-\d{2}$/;
 
+function isValidDatetime(str) {
+  if (typeof str !== 'string') return false;
+  const d = new Date(str);
+  return !isNaN(d.getTime());
+}
+
 /**
  * Normalize start/end for all-day events.
  * Input: inclusive dates like "2025-03-15" (start) and "2025-03-15" (end = same day).
@@ -299,6 +305,13 @@ router.post('/:id/events', async (req, res) => {
         return res.status(400).json({ error: 'start date must not be after end date' });
       }
       ({ startTime, endTime } = normalizeAllDay(start, end));
+    } else {
+      if (!isValidDatetime(start)) {
+        return res.status(400).json({ error: 'start must be a valid ISO 8601 datetime' });
+      }
+      if (!isValidDatetime(end)) {
+        return res.status(400).json({ error: 'end must be a valid ISO 8601 datetime' });
+      }
     }
 
     const id = eventId();
@@ -560,6 +573,13 @@ router.patch('/:id/events/:event_id', async (req, res) => {
       if (DATE_ONLY_RE.test(s) && DATE_ONLY_RE.test(e)) {
         ({ startTime, endTime } = normalizeAllDay(s, e));
       }
+    } else {
+      if (start !== undefined && !isValidDatetime(start)) {
+        return res.status(400).json({ error: 'start must be a valid ISO 8601 datetime' });
+      }
+      if (end !== undefined && !isValidDatetime(end)) {
+        return res.status(400).json({ error: 'end must be a valid ISO 8601 datetime' });
+      }
     }
 
     // ---- Case A: Patching an instance (has parent_event_id) ----
diff --git a/tests/api.test.js b/tests/api.test.js
@@ -1174,6 +1174,40 @@ describe('Input validation', { concurrency: 1 }, () => {
     await api('DELETE', `/calendars/${valCalId}/events/${created.id}`, { token: state.apiKey });
   });
 
+  it('rejects invalid start datetime on POST', async () => {
+    const { status, data } = await api('POST', `/calendars/${valCalId}/events`, {
+      token: state.apiKey,
+      body: { title: 'Bad date', start: 'not-a-date', end: futureDate(2) },
+    });
+    assert.equal(status, 400);
+    assert.ok(data.error.includes('start'));
+  });
+
+  it('rejects invalid end datetime on POST', async () => {
+    const { status, data } = await api('POST', `/calendars/${valCalId}/events`, {
+      token: state.apiKey,
+      body: { title: 'Bad date', start: futureDate(1), end: 'garbage' },
+    });
+    assert.equal(status, 400);
+    assert.ok(data.error.includes('end'));
+  });
+
+  it('rejects invalid start datetime on PATCH', async () => {
+    const { data: created } = await api('POST', `/calendars/${valCalId}/events`, {
+      token: state.apiKey,
+      body: { title: 'Temp', start: futureDate(1), end: futureDate(2) },
+    });
+
+    const { status, data } = await api('PATCH', `/calendars/${valCalId}/events/${created.id}`, {
+      token: state.apiKey,
+      body: { start: 'not-a-date' },
+    });
+    assert.equal(status, 400);
+    assert.ok(data.error.includes('start'));
+
+    await api('DELETE', `/calendars/${valCalId}/events/${created.id}`, { token: state.apiKey });
+  });
+
   it('rejects FREQ=MINUTELY', async () => {
     const { status, data } = await api('POST', `/calendars/${valCalId}/events`, {
       token: state.apiKey,
