`POST /api/notifications` currently forwards `req.body` directly into `createNotification`. The service creates `{ id: ntf_..., read: false, ...payload }`, so clients can submit incomplete notification records and override server-owned fields like `id` and `read`.
Expected behavior:
- require schema-backed `userId`, `title`, and `body` values before creating a notification
- reject missing, blank, or incorrectly typed notification payloads with HTTP 400
- preserve server-owned `id` and `read` values even when the request body tries to override them
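The spread-after-defaults shape described above next to a hardened variant, as an added example that is not part of this issue or the project's code; the function names, the hand-written validator and the `nextId` stub are assumptions made for illustration.

```javascript
// Added example, not the project's own code. createNotificationUnsafe,
// createNotificationSafe, validateNotificationPayload and nextId are assumed names.
const REQUIRED_STRING_FIELDS = ["userId", "title", "body"];

let counter = 0;
// Stand-in for the service's id generator (constructed for this example).
function nextId() {
  counter += 1;
  return `ntf_${counter}`;
}

// Shape described in the issue: the payload is spread last, so a client-supplied
// id or read silently overrides the server-owned defaults.
function createNotificationUnsafe(payload) {
  return { id: nextId(), read: false, ...payload };
}

// Returns a list of validation errors; an empty list means the payload is valid.
function validateNotificationPayload(payload) {
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return ["payload must be a JSON object"];
  }
  const errors = [];
  for (const field of REQUIRED_STRING_FIELDS) {
    const value = payload[field];
    if (typeof value !== "string") errors.push(`${field} must be a string`);
    else if (value.trim() === "") errors.push(`${field} must not be blank`);
  }
  return errors;
}

// Hardened version: validate first, copy only allow-listed fields, and set the
// server-owned fields last. Throws an Error carrying status 400 on bad input
// (the route handler would translate that into the HTTP 400 response).
function createNotificationSafe(payload) {
  const errors = validateNotificationPayload(payload);
  if (errors.length > 0) {
    const err = new Error(`invalid notification: ${errors.join("; ")}`);
    err.status = 400;
    throw err;
  }
  const { userId, title, body } = payload;
  return { userId, title, body, id: nextId(), read: false };
}
```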
This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.