feat: add Zod schema validation to predict API route

- Add CandleSchema validating time, open, high, low, close (number) and optional volume - Add PredictRequestSchema validating pair (non-empty string), timeframe (non-empty string), candles array - Use safeParse() and return HTTP 400 with error details on invalid input - Forward only validated data to the inference service - Mark task 4.1 as done in tasks.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-18 11:11:58 +01:00 · 2026-02-18 11:11:58 +01:00 · 3361236d3f
commit 3361236d3f
parent c023702644
2 changed files with 28 additions and 2 deletions
--- a/openspec/changes/code-review-fix/tasks.md
+++ b/openspec/changes/code-review-fix/tasks.md
@ -26,7 +26,7 @@

 ## 4. API Route Hardening (Next.js)

- [ ] 4.1 `[sonnet]` Add Zod schema validation to `src/app/api/predict/route.ts` (validate pair, timeframe, candles array)
+- [x] 4.1 `[sonnet]` Add Zod schema validation to `src/app/api/predict/route.ts` (validate pair, timeframe, candles array)
 - [ ] 4.2 `[sonnet]` Add Zod schema validation to `src/app/api/predict/batch/route.ts` (validate pair, timeframe, start_date, end_date)
 - [ ] 4.3 `[sonnet]` Add Zod schema validation to `src/app/api/model/load/route.ts` (validate run_id)
 - [ ] 4.4 `[sonnet]` Add Zod schema validation to `src/app/api/training/start/route.ts` (validate model_type)
--- a/src/app/api/predict/route.ts
+++ b/src/app/api/predict/route.ts
@ -1,12 +1,38 @@
 import { NextRequest, NextResponse } from 'next/server';
+import { z } from 'zod';

 const INFERENCE_API_URL = process.env.INFERENCE_API_URL || 'http://localhost:8001';
 const INFERENCE_API_TIMEOUT = parseInt(process.env.INFERENCE_API_TIMEOUT || '30000', 10);

+const CandleSchema = z.object({
+  time: z.number(),
+  open: z.number(),
+  high: z.number(),
+  low: z.number(),
+  close: z.number(),
+  volume: z.number().optional(),
+});
+
+const PredictRequestSchema = z.object({
+  pair: z.string().min(1),
+  timeframe: z.string().min(1),
+  candles: z.array(CandleSchema),
+});
+
 export async function POST(request: NextRequest) {
  try {
    const body = await request.json();

+    const result = PredictRequestSchema.safeParse(body);
+    if (!result.success) {
+      return NextResponse.json(
+        { error: 'Invalid request', details: result.error.flatten() },
+        { status: 400 }
+      );
+    }
+
+    const validatedBody = result.data;
+
    // Forward request to Python inference service
    const controller = new AbortController();
    const timeoutId = setTimeout(() => controller.abort(), INFERENCE_API_TIMEOUT);
@ -18,7 +44,7 @@ export async function POST(request: NextRequest) {
          'Content-Type': 'application/json',
          'X-API-Key': process.env.API_KEY || '',
        },
-        body: JSON.stringify(body),
+        body: JSON.stringify(validatedBody),
        signal: controller.signal,
      });