Summary
`POST /chatkit` accepts `@Body() body: unknown` with no validation DTO. The body is JSON-stringified and passed to the ChatKit service without any shape or content validation.
Affected Endpoint
| Endpoint | Issue |
|---|---|
| `POST /chatkit` | `@Body() body: unknown` — no validation, no DTO |

Source: `chat-kit.controller.ts:19`
Impact
- No input validation: Arbitrary JSON payloads pass through unchecked. While the service treats it as a stringified blob, there's no guarantee on shape, size, or content.
- No type safety: The controller and service lose all compile-time guarantees about what the body contains.
- Contract ambiguity: Frontend developers have no documented or enforced contract for what to send.
Implementation Notes
- Determine what fields the ChatKit SDK/service actually expects in the body (likely at minimum a `message` or `prompt` field, and possibly a `threadId`).
- Create a `ChatKitRequestDto` with the expected fields and appropriate validators (`@IsString()`, `@IsOptional()`, `@MaxLength()`, etc.).
- Replace `@Body() body: unknown` with `@Body() body: ChatKitRequestDto`.
- If the ChatKit SDK has its own request type, the DTO can mirror its expected fields.
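As an added illustration (not code from this issue or the project), the contract the notes above ask for, written as a plain TypeScript type guard so it runs without NestJS installed. The field names `message`/`threadId` and the length limits are assumptions; in the controller the same rules would be expressed as the `ChatKitRequestDto` with class-validator decorators, bound through `@Body() body: ChatKitRequestDto` behind a `ValidationPipe` configured with `whitelist: true, forbidNonWhitelisted: true`.

```typescript
// Added example, not the project's code. Field names and limits are assumed.
interface ChatKitRequest {
  message: string;
  threadId?: string;
}

const MAX_MESSAGE_LENGTH = 4000; // assumed limit, mirrors @MaxLength(4000)
const MAX_THREAD_ID_LENGTH = 128; // assumed limit
const ALLOWED_KEYS = new Set(["message", "threadId"]); // whitelist of DTO fields

type ValidationResult =
  | { ok: true; value: ChatKitRequest }
  | { ok: false; errors: string[] };

// Turns an `unknown` JSON body into a validated ChatKitRequest or a list of
// errors, the same outcome a class-validator DTO gives (400 with messages).
function validateChatKitRequest(body: unknown): ValidationResult {
  const errors: string[] = [];
  // A JSON body may be a string, number, null or array: reject all of those.
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return { ok: false, errors: ["body must be a JSON object"] };
  }
  const obj = body as Record<string, unknown>;
  // Unknown properties are an error, like ValidationPipe's forbidNonWhitelisted.
  for (const key of Object.keys(obj)) {
    if (!ALLOWED_KEYS.has(key)) errors.push(`property ${key} should not exist`);
  }
  const { message, threadId } = obj;
  if (typeof message !== "string" || message.length === 0) {
    errors.push("message must be a non-empty string");
  } else if (message.length > MAX_MESSAGE_LENGTH) {
    errors.push(`message must be at most ${MAX_MESSAGE_LENGTH} characters`);
  }
  if (threadId !== undefined) {
    // Optional field: absent is fine, present must still satisfy the rules.
    if (typeof threadId !== "string") {
      errors.push("threadId must be a string");
    } else if (threadId.length > MAX_THREAD_ID_LENGTH) {
      errors.push(`threadId must be at most ${MAX_THREAD_ID_LENGTH} characters`);
    }
  }
  if (errors.length > 0) return { ok: false, errors };
  // Only the whitelisted, validated fields are forwarded to the service.
  const value: ChatKitRequest = { message: message as string };
  if (typeof threadId === "string") value.threadId = threadId;
  return { ok: true, value };
}
```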
Acceptance Criteria
- `POST /chatkit` uses a validated request DTO.