Summary
TeamIdOrSlugSchema in src/lib/schemas/team.ts accepts any arbitrary string as a team slug. The code has a commented-out regex with a FIXME noting this needs to match the DB's slug generation.
Actual behavior
```ts
export const TeamIdOrSlugSchema = z.union([
  z.uuid(),
  z.string(),
  // FIXME: Add correct team regex as in db slug generation
])
```

Any string passes validation — including special characters, path traversal attempts (`../../etc/passwd`), uppercase, spaces, etc. These would ultimately fail at the DB query level, but they shouldn't pass schema validation.
Expected behavior
The slug branch of the union should only accept strings matching the DB's generate_team_slug output: lowercase alphanumeric characters separated by single hyphens (e.g., acme-inc, my-team-a3f2).
Suggested fix
```ts
export const TeamIdOrSlugSchema = z.union([
  z.uuid(),
  z.string().regex(
    /^[a-z0-9]+(-[a-z0-9]+)*$/,
    'Must be a valid team slug (lowercase alphanumeric, separated by hyphens)'
  ),
])
```

This matches the DB migration in `migrations/20250205180205.sql`, which generates slugs via `generate_team_slug()`: lowercase, unaccented, special chars removed, spaces replaced with hyphens.
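As an added example (not code from this project), the following checks the proposed slug regex against the kinds of input the issue mentions, alongside a hypothetical TypeScript approximation of the `generate_team_slug()` normalisation described above (the real function lives in the SQL migration and is not reproduced here), so the two can be compared without a database or Zod installed.

```typescript
// Same regex as proposed for the slug branch of TeamIdOrSlugSchema.
const TEAM_SLUG_RE = /^[a-z0-9]+(-[a-z0-9]+)*$/;

// Stand-in for the z.uuid() branch: RFC 4122 textual form, case-insensitive.
const UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Equivalent of the union: a value is accepted if it is a UUID or a valid slug.
function isTeamIdOrSlug(input: string): boolean {
  return UUID_RE.test(input) || TEAM_SLUG_RE.test(input);
}

// Assumed approximation of the DB's generate_team_slug(): lowercase, strip
// accents, drop special characters, collapse whitespace to single hyphens.
// Details of the real SQL implementation may differ.
function approxGenerateTeamSlug(name: string): string {
  return name
    .normalize("NFD")
    .replace(/[\u0300-\u036f]/g, "") // remove combining marks (unaccent)
    .toLowerCase()
    .replace(/[^a-z0-9\s-]/g, "")    // drop anything that is not alnum/space/hyphen
    .trim()
    .replace(/[\s-]+/g, "-")          // runs of spaces/hyphens -> one hyphen
    .replace(/^-+|-+$/g, "");          // no leading or trailing hyphen
}

// Constructed inputs: values the issue says should be rejected, plus valid ones.
const SAMPLE_INPUTS: string[] = [
  "acme-inc",
  "my-team-a3f2",
  "550e8400-e29b-41d4-a716-446655440000",
  "../../etc/passwd",
  "Acme",
  "acme inc",
  "acme--inc",
  "-acme",
];

// Returns which sample inputs the proposed schema would accept.
function acceptedInputs(): string[] {
  return SAMPLE_INPUTS.filter(isTeamIdOrSlug);
}

for (const s of SAMPLE_INPUTS) {
  console.log(`${isTeamIdOrSlug(s) ? "accept" : "reject"}  ${JSON.stringify(s)}`);
}
```

Slugs produced by the approximated generator always satisfy the regex, which is the property the suggested fix relies on.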