Add input validation to REST API request DTOs #206

Open
devin-ai-integration[bot] wants to merge 2 commits into master from devin/1777652473-add-dto-input-validation

@devin-ai-integration devin-ai-integration Bot commented May 1, 2026

Summary

Adds javax.validation annotations to all REST API request DTOs and enables validation enforcement via @Valid on controller @RequestBody parameters. Invalid requests now return a structured 400 Bad Request response with field-level error details.

Changes

Request DTOs validated:

  • CreateOrderRequest: @Positive on consumerId/restaurantId, @NotEmpty/@Valid on lineItems
  • CreateOrderRequest.LineItem: @NotBlank on menuItemId, @Min(1) on quantity
  • ReviseOrderRequest: @NotEmpty on revisedLineItemQuantities
  • OrderAcceptance: @NotNull/@FutureOrPresent on readyBy
  • CreateConsumerRequest: @NotNull/@Valid on name
  • CreateRestaurantRequest: @NotBlank on name, @NotNull/@Valid on menu/address
  • CreateCourierRequest: @NotNull/@Valid on name/address
  • CourierLocationUpdate: @DecimalMin/@DecimalMax for lat (-90..90) and lng (-180..180)

Shared DTOs validated (cascading via @Valid):

  • PersonName: @NotBlank on firstName/lastName
  • Address: @NotBlank on street1/city/state/zip
  • RestaurantMenuDTO: @NotEmpty/@Valid on menuItems
  • MenuItemDTO: @NotBlank on id/name, @NotNull on price

Controllers updated with @Valid:

  • OrderController: create, revise, accept
  • ConsumerController: create
  • RestaurantController: create
  • CourierController: create, updateCourierLocation, updateLocation

Error handling:

  • Added MethodArgumentNotValidException handler to GlobalExceptionHandler returning 400 with field-level validation error messages

Dependency:

  • Added hibernate-validator:6.2.5.Final to ftgo-common/build.gradle

Review & Testing Checklist for Human

  • Verify validation error responses return correct 400 status with field-level messages (e.g. POST /orders with empty body)
  • Verify valid requests still succeed without regression (e.g. create order, create restaurant)
  • Check that nested validation cascades correctly (e.g. CreateRestaurantRequest → Address → street1 blank triggers error)

Notes

  • Pre-existing test failures in OrderControllerTest due to Mockito/JDK 21 incompatibility (project targets Java 8 but env runs JDK 21) — not introduced by this PR
  • CourierAvailability was intentionally left without validation since boolean available defaults to false which is a valid state

Link to Devin session: https://app.devin.ai/sessions/8dc58d00626f43a1a3281cd5d02372ca
Requested by: @WesternConcrete
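
The nested-cascade item in the checklist above, as an added example that is not part of this PR or the project's code: it validates a request object directly with the Bean Validation API and shows that nested constraints are evaluated only where the field carries @Valid. `RestaurantRequest`, its `billingAddress` field and the `fieldErrors` helper are hypothetical stand-ins; it assumes hibernate-validator 6.2.5.Final on the classpath and uses `ParameterMessageInterpolator` so that no EL implementation is required.

```java
import java.util.Map;
import java.util.TreeMap;
import javax.validation.ConstraintViolation;
import javax.validation.Valid;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotBlank;
import javax.validation.constraints.NotNull;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

public class CascadeCheck {
    // Hypothetical stand-in for the PR's Address DTO.
    static class Address {
        @NotBlank String street1;
        @NotBlank String city;
        Address(String street1, String city) { this.street1 = street1; this.city = city; }
    }

    // Hypothetical request DTO; billingAddress exists only to show the missing-@Valid case.
    static class RestaurantRequest {
        @NotBlank String name;
        @NotNull @Valid Address address;   // @Valid: constraints inside Address are evaluated
        @NotNull Address billingAddress;   // no @Valid: only the null check runs
        RestaurantRequest(String name, Address address, Address billingAddress) {
            this.name = name; this.address = address; this.billingAddress = billingAddress;
        }
    }

    // Maps each violation to "property path -> message", the shape of a field-level 400 body.
    static Map<String, String> fieldErrors(Object dto) {
        Validator validator = Validation.byDefaultProvider().configure()
                .messageInterpolator(new ParameterMessageInterpolator()) // no EL dependency needed
                .buildValidatorFactory().getValidator();
        Map<String, String> errors = new TreeMap<>();
        for (ConstraintViolation<Object> v : validator.validate(dto)) {
            errors.put(v.getPropertyPath().toString(), v.getMessage());
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed input: both nested addresses carry a blank street1.
        RestaurantRequest req = new RestaurantRequest("Ajanta",
                new Address(" ", "Oakland"), new Address(" ", "Oakland"));
        fieldErrors(req).forEach((field, msg) -> System.out.println(field + ": " + msg));
    }
}
```

A nested field that lacks @Valid accepts blank values inside it without any violation, so each nested DTO reference in a request class needs its own cascade check.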


- Add javax.validation annotations to all request DTOs:
  - CreateOrderRequest: @Positive on IDs, @NotEmpty/@Valid on lineItems
  - CreateOrderRequest.LineItem: @NotBlank on menuItemId, @Min(1) on quantity
  - ReviseOrderRequest: @NotEmpty on revisedLineItemQuantities
  - OrderAcceptance: @NotNull/@FutureOrPresent on readyBy
  - CreateConsumerRequest: @NotNull/@Valid on name
  - CreateRestaurantRequest: @NotBlank on name, @NotNull/@Valid on menu/address
  - CreateCourierRequest: @NotNull/@Valid on name/address
  - CourierLocationUpdate: @DecimalMin/@DecimalMax for lat/lng ranges

- Add validation to shared DTOs:
  - PersonName: @NotBlank on firstName/lastName
  - Address: @NotBlank on street1/city/state/zip
  - RestaurantMenuDTO: @NotEmpty/@Valid on menuItems
  - MenuItemDTO: @NotBlank on id/name, @NotNull on price

- Add @Valid to all controller @RequestBody parameters
- Add MethodArgumentNotValidException handler in GlobalExceptionHandler
- Add hibernate-validator dependency to ftgo-common

Co-Authored-By: Wes Convery <2wconvery@gmail.com>

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

Co-Authored-By: Wes Convery <2wconvery@gmail.com>

@devin-ai-integration devin-ai-integration Bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 5 additional findings.
