Add Input Validation Middleware to ATS Score Endpoint

[aarjav812]

🐛 Problem

The /api/ats-score endpoint (added in recent updates) lacks proper input validation middleware, creating several security and consistency issues:

1. Security Vulnerability: No max length validation allows potential DoS attacks

   • Attackers could send 1GB+ text causing excessive CPU usage in TF-IDF calculations
   • No protection against resource exhaustion

2. Inconsistency: Unlike /api/compile and /api/optimize endpoints which use validation middleware, this endpoint uses manual validation inside the handler

3. Missing Type Checks: No validation for data types (could send objects/arrays instead of strings)

4. Poor Error Messages: Manual validation provides less detailed error feedback

✅ Solution

• Added validateATSScore middleware in backend/middleware/validation.js

  • Validates resumeText: required, string, 1-50,000 characters
  • Validates jobDescription: required, string, 10-10,000 characters
  • Uses express-validator for consistent validation patterns

• Applied validation to endpoint in backend/app.js

  • Added validateATSScore to middleware chain
  • Removed redundant manual validation code
  • Now consistent with other endpoints

🧪 Testing

Created comprehensive test suite with 8 test cases - all passing ✅

Test Results:

✓ PASS - Missing resumeText validation
✓ PASS - Missing jobDescription validation  
✓ PASS - Empty resumeText validation
✓ PASS - Short jobDescription validation (< 10 chars)
✓ PASS - Oversized input validation (> 50,000 chars)
✓ PASS - Invalid data type validation (non-string)
✓ PASS - Valid input processing
✓ PASS - Error response structure

Passed: 8/8 (100%)

What Was Tested:

1. Missing fields - Correctly rejects requests missing required fields
2. Empty values - Validates non-empty strings
3. Length limits - Enforces min/max character limits
4. Type safety - Rejects non-string types (numbers, arrays, objects)
5. Valid input - Allows properly formatted requests
6. Error structure - Returns consistent error format with field names

📝 Changes

backend/middleware/validation.js

/**
 * Validation rules for /api/ats-score endpoint
 */
export const validateATSScore = [
  body('resumeText')
    .exists().withMessage('Resume text is required')
    .isString().withMessage('Resume text must be a string')
    .notEmpty().withMessage('Resume text cannot be empty')
    .isLength({ min: 1, max: 50000 }).withMessage('Resume text must be between 1 and 50000 characters'),
  
  body('jobDescription')
    .exists().withMessage('Job description is required')
    .isString().withMessage('Job description must be a string')
    .notEmpty().withMessage('Job description cannot be empty')
    .isLength({ min: 10, max: 10000 }).withMessage('Job description must be between 10 and 10000 characters'),
  
  handleValidationErrors
];

backend/app.js

Before:

app.post(
    "/api/ats-score",
    generalRateLimiter,
    asyncHandler(async (req, res) => {
        const { resumeText, jobDescription } = req.body;
        
        // Manual validation
        if (!resumeText || !jobDescription) {
            return res.status(400).json({
                success: false,
                message: "Both resume text and job description are required",
            });
        }
        // ... rest of handler

After:

app.post(
    "/api/ats-score",
    generalRateLimiter,
    validateATSScore,  // ✅ Validation middleware
    asyncHandler(async (req, res) => {
        const { resumeText, jobDescription } = req.body;
        // No manual validation needed - middleware handles it!
        // ... rest of handler

🔒 Security Improvements

1. DoS Prevention: Max 50KB input prevents resource exhaustion attacks
2. Type Safety: Ensures only strings are processed by TF-IDF algorithm
3. Input Sanitization: Validates data before processing
4. Consistent Error Handling: Uses standardized validation responses

🎨 Code Quality

• ✅ Follows existing validation pattern from other endpoints
• ✅ Consistent with project architecture
• ✅ No UI changes (backend only)
• ✅ Comprehensive test coverage
• ✅ Clear error messages for debugging

📋 Checklist

• Code follows project style and patterns
• All tests passing (8/8)
• No breaking changes
• Security vulnerability fixed
• Consistent with existing validation middleware
• Local and remote branches synced
• Only backend logic changes (no frontend)

🔗 Related

• Related to validation work in PR Create a landing page. Setup React Router for navigating multiple pages. #2 (input validation for compile/optimize endpoints)
• Addresses security gap introduced with ATS feature addition
• Part of ongoing security hardening efforts

📊 Impact

• Security: HIGH - Prevents DoS attacks
• Code Quality: HIGH - Improves consistency
• User Experience: MEDIUM - Better error messages
• Breaking Changes: NONE

---

Reviewer Notes:
This PR follows the same validation pattern established in previous merged PRs. The validation rules are appropriate for the ATS scoring use case and prevent potential abuse of the TF-IDF calculation endpoint.