From 66868334b562233ddadc0208c795c0cdde645aa7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=B9=BE=E7=94=B0=E7=B4=94=E5=B9=B3?=
 <iktahana@iktahana-Mac-mini.local>
Date: Mon, 2 Mar 2026 01:01:50 +0900
Subject: [PATCH] fix: reject non-alphanumeric SN codes in POST /v1/devices
 (Closes stayforge/Stayforge-API#3)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 openapi.json | 9 +++++++--
 openapi.yaml | 5 +++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/openapi.json b/openapi.json
index 0eaa63b..3dbd1f8 100644
--- a/openapi.json
+++ b/openapi.json
@@ -1384,7 +1384,8 @@
           "schema": {
             "type": "string",
             "minLength": 1,
-            "maxLength": 256
+            "maxLength": 256,
+            "pattern": "^[a-zA-Z0-9_-]+$"
           },
           "description": "Device serial number",
           "example": "SFVA78RABZ12345678"
@@ -7308,6 +7309,7 @@
           "sn": {
             "type": "string",
             "nullable": true,
+            "pattern": "^[a-zA-Z0-9_-]+$",
             "description": "Serial number of the device."
           },
           "display_name": {
@@ -7447,6 +7449,7 @@
           },
           "sn": {
             "type": "string",
+            "pattern": "^[a-zA-Z0-9_-]+$",
             "description": "Serial number of the device. This field is required when creating a device."
           }
         }
@@ -7469,7 +7472,8 @@
               },
               "sn": {
                 "type": "string",
-                "nullable": true
+                "nullable": true,
+                "pattern": "^[a-zA-Z0-9_-]+$"
               },
               "display_name": {
                 "type": "string",
@@ -7500,6 +7504,7 @@
         "properties": {
           "sn": {
             "type": "string",
+            "pattern": "^[a-zA-Z0-9_-]+$",
             "description": "Device serial number",
             "example": "SFVA78RABZ12345678"
           },
diff --git a/openapi.yaml b/openapi.yaml
index 44affef..0676a8d 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -1044,6 +1044,7 @@ paths:
         type: string
         minLength: 1
         maxLength: 256
+        pattern: ^[a-zA-Z0-9_-]+$
       description: Device serial number
       example: SFVA78RABZ12345678
     get:
@@ -5776,6 +5777,7 @@ components:
         sn:
           type: string
           nullable: true
+          pattern: ^[a-zA-Z0-9_-]+$
           description: Serial number of the device.
         display_name:
           type: string
@@ -5940,6 +5942,7 @@ components:
             '
         sn:
           type: string
+          pattern: ^[a-zA-Z0-9_-]+$
           description: Serial number of the device. This field is required when creating
             a device.
     DeviceUpdate:
@@ -5962,6 +5965,7 @@ components:
           sn:
             type: string
             nullable: true
+            pattern: ^[a-zA-Z0-9_-]+$
           display_name:
             type: string
             nullable: true
@@ -5982,6 +5986,7 @@ components:
       properties:
         sn:
           type: string
+          pattern: ^[a-zA-Z0-9_-]+$
           description: Device serial number
           example: SFVA78RABZ12345678
         model_name: