fix(backend): reject unknown fields in source config

Add "+": "reject" to all arktype schemas so undeclared keys return 400. Sources without a configSchema now reject the config field entirely at the HTTP layer. Co-authored-by: Ona <no-reply@ona.com>
2026-03-26 03:41:18 +00:00 · 2026-03-22 21:13:44 +00:00
parent 4cef7f2ea1
commit a64b035979
5 changed files with 118 additions and 20 deletions
--- a/apps/aelis-backend/src/session/user-session-manager.ts
+++ b/apps/aelis-backend/src/session/user-session-manager.ts
@@ -5,10 +5,10 @@ import merge from "lodash.merge"

 import type { Database } from "../db/index.ts"
 import type { FeedEnhancer } from "../enhancement/enhance-feed.ts"
-import { InvalidSourceConfigError, SourceNotFoundError } from "../sources/errors.ts"
-import { sources } from "../sources/user-sources.ts"
 import type { FeedSourceProvider } from "./feed-source-provider.ts"

+import { InvalidSourceConfigError, SourceNotFoundError } from "../sources/errors.ts"
+import { sources } from "../sources/user-sources.ts"
 import { UserSession } from "./user-session.ts"

 export interface UserSessionManagerConfig {
@@ -104,16 +104,14 @@ export class UserSessionManager {
 		// read stale config. Use SELECT FOR UPDATE or atomic jsonb merge if
 		// this becomes a problem.
 		let mergedConfig: Record<string, unknown> | undefined
-		if (update.config !== undefined) {
+		if (update.config !== undefined && provider.configSchema) {
 			const existing = await sources(this.db, userId).find(sourceId)
 			const existingConfig = (existing?.config ?? {}) as Record<string, unknown>
 			mergedConfig = merge({}, existingConfig, update.config)

-			if (provider.configSchema) {
-				const validated = provider.configSchema(mergedConfig)
-				if (validated instanceof type.errors) {
-					throw new InvalidSourceConfigError(sourceId, validated.summary)
-				}
+			const validated = provider.configSchema(mergedConfig)
+			if (validated instanceof type.errors) {
+				throw new InvalidSourceConfigError(sourceId, validated.summary)
 			}
 		}

@@ -148,23 +146,24 @@ export class UserSessionManager {
 	async upsertSourceConfig(
 		userId: string,
 		sourceId: string,
-		data: { enabled: boolean; config: unknown },
+		data: { enabled: boolean; config?: unknown },
 	): Promise<void> {
 		const provider = this.providers.get(sourceId)
 		if (!provider) {
 			throw new SourceNotFoundError(sourceId, userId)
 		}

-		if (provider.configSchema) {
+		if (provider.configSchema && data.config !== undefined) {
 			const validated = provider.configSchema(data.config)
 			if (validated instanceof type.errors) {
 				throw new InvalidSourceConfigError(sourceId, validated.summary)
 			}
 		}

+		const config = data.config ?? {}
 		await sources(this.db, userId).upsertConfig(sourceId, {
 			enabled: data.enabled,
-			config: data.config,
+			config,
 		})

 		const session = this.sessions.get(userId)
@@ -172,7 +171,7 @@ export class UserSessionManager {
 			if (!data.enabled) {
 				session.removeSource(sourceId)
 			} else {
-				const source = await provider.feedSourceForUser(userId, data.config)
+				const source = await provider.feedSourceForUser(userId, config)
 				if (session.hasSource(sourceId)) {
 					session.replaceSource(sourceId, source)
 				} else {