chore(web): validate /api/avatar query params with Zod

brendan-kellam · claude · brendan-kellam · commit 9cd30800fb34 · 2026-04-29T15:45:02.000-07:00
Replaces the manual `searchParams.get('email')` + plain-text 400 response
with the Zod safeParse + queryParamsSchemaValidationError pattern used
elsewhere in the API. Errors now return structured JSON consistent with
the rest of the public API surface.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,7 +16,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added `/api/blame` to the public API to fetch per-line blame information for a file at a given revision. [#1158](https://github.com/sourcebot-dev/sourcebot/pull/1158)
 
 ### Changed
-- `UserAvatar` now resolves profile pictures via a new `/api/avatar` endpoint, automatically displaying a user's profile image when their email matches a Sourcebot user. Falls back to a minidenticon otherwise. [#1159](https://github.com/sourcebot-dev/sourcebot/pull/1159)
+- Added `/api/avatar` to resolve user profile pictures. [#1159](https://github.com/sourcebot-dev/sourcebot/pull/1159)
 
 ### Fixed
 - Bumped `postcss` to `8.5.10`. [#1155](https://github.com/sourcebot-dev/sourcebot/pull/1155)
diff --git a/packages/web/src/app/api/(server)/avatar/route.ts b/packages/web/src/app/api/(server)/avatar/route.ts
@@ -2,22 +2,39 @@
 
 import { minidenticon } from 'minidenticons';
 import { NextRequest } from 'next/server';
+import { z } from 'zod';
 import { apiHandler } from '@/lib/apiHandler';
+import { queryParamsSchemaValidationError, serviceErrorResponse } from '@/lib/serviceError';
 import { isServiceError } from '@/lib/utils';
 import { withOptionalAuth } from '@/middleware/withAuth';
 
+const queryParamsSchema = z.object({
+    email: z.string().min(1),
+});
+
 // Resolves an email to an avatar image. If the email belongs to a Sourcebot
 // user in the requester's org and that user has a profile image set, the
 // request is redirected to that URL. Otherwise a minidenticon SVG is returned.
 //
 // We never 4xx on this endpoint — even if the requester is unauthenticated or
 // the user isn't found, we serve the identicon so the avatar visually renders.
 export const GET = apiHandler(async (request: NextRequest) => {
-    const email = request.nextUrl.searchParams.get('email');
-    if (!email) {
-        return new Response('Missing email parameter', { status: 400 });
+    const rawParams = Object.fromEntries(
+        Object.keys(queryParamsSchema.shape).map(key => [
+            key,
+            request.nextUrl.searchParams.get(key) ?? undefined,
+        ])
+    );
+    const parsed = queryParamsSchema.safeParse(rawParams);
+
+    if (!parsed.success) {
+        return serviceErrorResponse(
+            queryParamsSchemaValidationError(parsed.error)
+        );
     }
 
+    const { email } = parsed.data;
+
     const lookup = await withOptionalAuth(async ({ org, prisma }) => {
         return prisma.user.findFirst({
             where: {
