feat(database-ui): use zod for parsing responses

Author: franklinfollis

packages/cli/src/db-studio/api/http/schemas.ts

@@ -1,4 +1,4 @@
-import { z } from "zod";
+import { z } from "zod/v3";
 
 /**
  * Foreign key reference information
@@ -125,6 +125,17 @@ export type Filter = {
   value?: string | number | null | string[] // undefined for is_null/is_not_null, array for 'in'
 }
 
+/**
+ * Filter schema for runtime validation
+ */
+export const FilterSchema = z.object({
+  column: z.string().min(1, "Column name cannot be empty"),
+  operator: z.enum(['eq', 'neq', 'gt', 'gte', 'lt', 'lte', 'like', 'not_like', 'in', 'is_null', 'is_not_null']),
+  value: z.union([z.string(), z.number(), z.null(), z.array(z.string())]).optional(),
+});
+
+export const FiltersArraySchema = z.array(FilterSchema);
+
 /**
  * Delete rows request schema
  * Expects an array of primary key objects
@@ -145,3 +156,43 @@ export const DeleteRowsResponseSchema = z.object({
 
 export type DeleteRowsResponse = z.infer<typeof DeleteRowsResponseSchema>;
 
+/**
+ * Execute query request schema
+ */
+export const ExecuteQueryRequestSchema = z.object({
+  sql: z.string().min(1, "SQL query cannot be empty"),
+  params: z.array(z.unknown()).optional(),
+});
+
+export type ExecuteQueryRequest = z.infer<typeof ExecuteQueryRequestSchema>;
+
+/**
+ * Create table column schema
+ */
+export const CreateTableColumnSchema = z.object({
+  name: z.string().min(1, "Column name cannot be empty"),
+  type: z.string().min(1, "Column type cannot be empty"),
+  constraints: z.string().optional(),
+});
+
+/**
+ * Create table request schema
+ */
+export const CreateTableRequestSchema = z.object({
+  name: z.string().min(1, "Table name cannot be empty"),
+  schema: z.array(CreateTableColumnSchema).min(1, "Schema must contain at least one column"),
+});
+
+export type CreateTableRequest = z.infer<typeof CreateTableRequestSchema>;
+
+/**
+ * Drop table request schema
+ */
+export const DropTableRequestSchema = z.object({
+  confirm: z.literal(true, {
+    errorMap: () => ({ message: "Must set 'confirm: true' to drop table (safety check)" }),
+  }),
+});
+
+export type DropTableRequest = z.infer<typeof DropTableRequestSchema>;
+

packages/cli/src/db-studio/api/routes/query.ts

@@ -2,20 +2,24 @@ import { jsonResponse, handleSQLError, errorResponse } from "../http/responses.t
 import { withDatabase } from "../http/middleware.ts";
 import { parseRequestBody } from "../utils/request.ts";
 import { executeQuery } from "../database.ts";
+import { ExecuteQueryRequestSchema } from "../http/schemas.ts";
 
 /**
  * Execute a raw SQL query with rich metadata
  */
 export const executeQueryRoute = withDatabase(async (context) => {
   const { db, body } = context;
   const data = parseRequestBody(body);
-  const sql = data.sql as string | undefined;
-  const queryParams = data.params as unknown[] | undefined;
+  const result = ExecuteQueryRequestSchema.safeParse(data);
 
-  if (!sql) {
-    return errorResponse("Request body must contain 'sql' string", 400);
+  if (!result.success) {
+    return errorResponse(
+      `Invalid request body: ${result.error.errors.map(e => e.message).join(", ")}`,
+      400
+    );
   }
 
+  const { sql, params: queryParams } = result.data;
   const trimmedSql = sql.trim();
   const startTime = performance.now();
 

packages/cli/src/db-studio/api/routes/rows.ts

@@ -18,18 +18,18 @@ export const deleteRowsRoute = withDatabase(async (context) => {
   if (tableNameError) return tableNameError;
 
   // Parse and validate request body
-  const g = DeleteRowsRequestSchema.safeParse(body);
-  console.log(g)
   const data = parseRequestBody(body);
-  const primaryKeys = data.primaryKeys as Array<Record<string, unknown>> | undefined;
+  const result = DeleteRowsRequestSchema.safeParse(data);
 
-  if (!primaryKeys || !Array.isArray(primaryKeys) || primaryKeys.length === 0) {
+  if (!result.success) {
     return errorResponse(
-      "Request body must contain 'primaryKeys' array with at least one primary key",
+      `Invalid request body: ${result.error.errors.map(e => e.message).join(", ")}`,
       400
     );
   }
 
+  const { primaryKeys } = result.data;
+
   try {
     const result = deleteRows(db, params.tableName, primaryKeys);
     return jsonResponse({

packages/cli/src/db-studio/api/routes/tables.ts

@@ -4,6 +4,7 @@ import { requireTableName } from "../utils/validation.ts";
 import { parseRequestBody, parseQueryParams } from "../utils/request.ts";
 import { getTables, getTableData } from "../database.ts";
 import type { Filter } from "../http/schemas.ts";
+import { CreateTableRequestSchema, DropTableRequestSchema, FiltersArraySchema } from "../http/schemas.ts";
 
 /**
  * Get list of tables in a database
@@ -61,14 +62,17 @@ export const getTableDataRoute = withDatabase(async (context) => {
     try {
       const decodedWhere = decodeURIComponent(whereParam);
       const parsedWhere = JSON.parse(decodedWhere);
-      
-      // Validate that it's an array
-      if (!Array.isArray(parsedWhere)) {
-        return errorResponse("Invalid where parameter: must be a JSON array of filters", 400);
+
+      // Validate using zod schema
+      const result = FiltersArraySchema.safeParse(parsedWhere);
+      if (!result.success) {
+        return errorResponse(
+          `Invalid where parameter: ${result.error.errors.map(e => e.message).join(", ")}`,
+          400
+        );
       }
 
-      // Type cast - rely on compile-time types rather than runtime validation
-      filters = parsedWhere as Filter[];
+      filters = result.data;
     } catch (err) {
       const errorMessage = err instanceof Error ? err.message : "Unknown error";
       return errorResponse(
@@ -93,16 +97,16 @@ export const getTableDataRoute = withDatabase(async (context) => {
 export const createTableRoute = withDatabase(async (context) => {
   const { db, body } = context;
   const data = parseRequestBody(body);
-  const tableName = data.name as string | undefined;
-  const schema = data.schema as Array<{ name: string; type: string; constraints?: string }> | undefined;
+  const result = CreateTableRequestSchema.safeParse(data);
 
-  if (!tableName) {
-    return errorResponse("Request body must contain 'name' for the table", 400);
+  if (!result.success) {
+    return errorResponse(
+      `Invalid request body: ${result.error.errors.map(e => e.message).join(", ")}`,
+      400
+    );
   }
 
-  if (!schema || !Array.isArray(schema) || schema.length === 0) {
-    return errorResponse("Request body must contain 'schema' array with at least one column", 400);
-  }
+  const { name: tableName, schema } = result.data;
 
   const columns = schema.map(col => {
     const constraints = col.constraints ? ` ${col.constraints}` : "";
@@ -129,10 +133,13 @@ export const dropTableRoute = withDatabase(async (context) => {
   if (tableNameError) return tableNameError;
 
   const data = parseRequestBody(body);
-  const confirm = data.confirm as boolean | undefined;
+  const result = DropTableRequestSchema.safeParse(data);
 
-  if (!confirm) {
-    return errorResponse("Must set 'confirm: true' in request body to drop table (safety check)", 400);
+  if (!result.success) {
+    return errorResponse(
+      `Invalid request body: ${result.error.errors.map(e => e.message).join(", ")}`,
+      400
+    );
   }
 
   const sql = `DROP TABLE "${params.tableName}"`;