add input validation and security improvements to feedback system

Author: GiselleNessi

apps/dashboard/src/app/(app)/team/[team_slug]/(team)/~/support/apis/feedback.ts

@@ -10,23 +10,39 @@ export async function submitSupportFeedback(
   data: FeedbackData,
 ): Promise<{ success: true } | { error: string }> {
   try {
-    const siwaUrl = process.env.NEXT_PUBLIC_SIWA_URL;
-
+    // Fail fast on missing configuration
+    const siwaUrl =
+      process.env.SIWA_URL ?? process.env.NEXT_PUBLIC_SIWA_URL ?? "";
     if (!siwaUrl) {
       throw new Error("SIWA URL not configured");
     }
 
+    const apiKey = process.env.SERVICE_AUTH_KEY_SIWA;
+    if (!apiKey) {
+      throw new Error("SERVICE_AUTH_KEY_SIWA not configured");
+    }
+
+    // Basic input validation/normalization
+    if (!Number.isFinite(data.rating) || data.rating < 1 || data.rating > 5) {
+      return { error: "Rating must be an integer between 1 and 5." };
+    }
+
+    const normalizedFeedback = (data.feedback ?? "")
+      .toString()
+      .trim()
+      .slice(0, 1000); // hard cap length
+
     const payload = {
-      rating: data.rating,
-      feedback: data.feedback,
+      rating: Math.round(data.rating),
+      feedback: normalizedFeedback,
       ticket_id: data.ticketId || null,
     };
 
     const response = await fetch(`${siwaUrl}/v1/csat/saveCSATFeedback`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
-        "x-service-api-key": process.env.SERVICE_AUTH_KEY_SIWA || "",
+        "x-service-api-key": apiKey,
       },
       body: JSON.stringify(payload),
     });