2 changes: 2 additions & 0 deletions core-services/.gitignore
@@ -0,0 +1,2 @@
node_modules
.env
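Review bot: the `.env` pattern only matches files named exactly `.env`, so variants such as `.env.local` or `.env.production` would still be tracked if someone creates them. Consider ignoring `.env*` and re-including a secrets-free template with `!.env.example`.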
90 changes: 90 additions & 0 deletions core-services/Models/bug.js
@@ -0,0 +1,90 @@
const mongoose = require('mongoose');

const bugSchema = new mongoose.Schema(
{
title:
{
type:String,
required:true,
trim:true
},
description:
{
type: String,
required: true
},
techStack:
[{
type: String,
lowercase: true,
trim: true
}],
tags:
[{
type: String,
lowercase: true,
trim: true
}],
difficulty:
{
type: String,
enum: ["EASY", "MEDIUM", "HARD"],
index: true
},
reward:
{
type: Number,
required: true,
min: 1
},
status:
{
type: String,
enum: ["OPEN", "SOLVED", "CLOSED"],
default: "OPEN",
index: true
},
ownerId:
{
type: mongoose.Schema.Types.ObjectId,
ref: "User",
index: true
},
Comment on lines +47 to +52


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -type f -name "*bugController*" -o -name "*bug.js" | grep -E "\.(js|ts)$"

Repository: call-0f-code/Bug-Graveyard

Length of output: 144


🏁 Script executed:

cd core-services && git ls-files | grep -i bug | head -20

Repository: call-0f-code/Bug-Graveyard

Length of output: 151


🏁 Script executed:

cat -n core-services/Models/bug.js

Repository: call-0f-code/Bug-Graveyard

Length of output: 2130


🏁 Script executed:

cat -n core-services/controllers/bugController.js 2>/dev/null || echo "File not found in expected location"

Repository: call-0f-code/Bug-Graveyard

Length of output: 2728


Require ownerId for created bugs.

The ownerId field is currently optional, and the controller's createBug function (line 21) does not set this value from the authenticated user—it only extracts {title, description, deadline, reward} from the request. This allows bugs to be persisted with a null ownerId, creating orphan records that cannot be reliably authorized, listed by owner, or refunded. The schema must enforce required: true, and the controller must source ownerId from the authenticated request context rather than the request body.

🛡️ Proposed schema change
     ownerId: 
     {
       type: mongoose.Schema.Types.ObjectId,
       ref: "User",
+      required: true,
       index: true
     },
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
ownerId:
{
type: mongoose.Schema.Types.ObjectId,
ref: "User",
index: true
},
ownerId:
{
type: mongoose.Schema.Types.ObjectId,
ref: "User",
required: true,
index: true
},
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@core-services/Models/bug.js` around lines 47 - 52, The ownerId field is
optional in the Bug schema and createBug doesn't set it from the authenticated
user, allowing orphaned bugs; update the Bug model's ownerId schema (symbol:
ownerId) to include required: true and keep the ObjectId ref to "User", and then
modify the createBug controller (symbol: createBug) to source ownerId from the
authenticated request context (e.g., req.user.id or req.user._id) instead of the
request body—also remove ownerId from the destructured body fields ({title,
description, deadline, reward}) so persisted bugs always have a validated owner
reference for authorization and listing.

acceptedSolutionId:
{
type: mongoose.Schema.Types.ObjectId,
ref: "Solution"
},
solutionCount:
{
type: Number,
default: 0
},
Comment on lines +58 to +62


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

cd core-services && cat -n Models/bug.js | head -80

Repository: call-0f-code/Bug-Graveyard

Length of output: 1925


🏁 Script executed:

cd core-services && rg "solutionCount" --type js -B 2 -A 2

Repository: call-0f-code/Bug-Graveyard

Length of output: 384


🏁 Script executed:

cd core-services && rg "\$inc|solutionCount\s*[:=]|updateOne|updateMany|findByIdAndUpdate" --type js -B 2 -A 2 | head -100

Repository: call-0f-code/Bug-Graveyard

Length of output: 673


🏁 Script executed:

cd core-services && find . -name "*[Ss]olution*" -type f | grep -E "\.(js|ts)$"

Repository: call-0f-code/Bug-Graveyard

Length of output: 94


🏁 Script executed:

cd core-services && cat src/models/Solution.js && echo "---" && find . -name "*[Ss]olution*[Cc]ontroller*" -type f

Repository: call-0f-code/Bug-Graveyard

Length of output: 887


🏁 Script executed:

cd core-services && find . -type f -name "*.js" -exec rg -l "new Solution|solution.*save|solutionCount.*\+|\$inc.*solutionCount" {} \; | head -10

Repository: call-0f-code/Bug-Graveyard

Length of output: 52


🏁 Script executed:

cd core-services && rg "solution|Solution" --type js -i | grep -i "controller\|route" | head -20

Repository: call-0f-code/Bug-Graveyard

Length of output: 52


🏁 Script executed:

cd core-services && ls -la controllers/ && ls -la src/controllers/ 2>/dev/null || echo "src/controllers not found"

Repository: call-0f-code/Bug-Graveyard

Length of output: 419


🏁 Script executed:

cd core-services && cat -n controllers/bugController.js

Repository: call-0f-code/Bug-Graveyard

Length of output: 2728


🏁 Script executed:

cd core-services && find . -name "*route*" -type f && find . -name "*middleware*" -type f

Repository: call-0f-code/Bug-Graveyard

Length of output: 52


🏁 Script executed:

cd core-services && rg -i "bug|solution" --type js | grep -i "increment\|decrement\|add\|remove" | head -20

Repository: call-0f-code/Bug-Graveyard

Length of output: 52


Add minimum value validation to prevent negative solutionCount.

The updateBug controller allows direct updates to solutionCount via request body, making it possible to set negative values. A min: 0 validation constraint should be added to the schema to prevent invalid counter states that could corrupt listing/sorting logic.

Proposed validation
     solutionCount: 
     {
       type: Number,
-      default: 0
+      default: 0,
+      min: 0
     },
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@core-services/Models/bug.js` around lines 58 - 62, The solutionCount schema
field lacks a minimum constraint allowing negative values; update the
solutionCount definition in Models/bug.js (field name: solutionCount) to include
a Mongoose validation of min: 0 (and keep default: 0) so any direct updates
(e.g., via updateBug) will be rejected if negative; ensure the schema change is
saved and tests/requests that set solutionCount < 0 now fail validation.

github:
{
repoUrl: String,
filePath: String,
issueUrl: String
},
deadline: Date,
isRewardLocked:
{
type: Boolean,
default: true
},
isAbusive:
{
type: Boolean,
default: false
},
refundProcessed:
{
type: Boolean,
default: false
Comment on lines +40 to +83


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Inspect Bug write paths for raw request-body persistence.
# Expected: Bug.create/findByIdAndUpdate should use an explicit allowlist DTO, not req.body directly.

rg -n -C4 'Bug\.(create|findByIdAndUpdate|findOneAndUpdate|updateOne)\s*\(|req\.body' --iglob '*.js'

Repository: call-0f-code/Bug-Graveyard

Length of output: 1981


🏁 Script executed:

#!/bin/bash
# In bugController.js updateBug function, replace req.body with explicit field allowlist
# Example: const {title, description, reward} = req.body; then pass {title, description, reward} to findByIdAndUpdate

Repository: call-0f-code/Bug-Graveyard

Length of output: 52


Fix the update handler to whitelist mutable fields.

While createBug correctly whitelists fields before creation, the updateBug handler passes req.body directly to findByIdAndUpdate, allowing users to modify protected fields. Extract allowed fields from the request body before the update call, mirroring the allowlist pattern already used in create.

Fields like status, acceptedSolutionId, isRewardLocked, isAbusive, and refundProcessed must remain server-controlled and are vulnerable in the current update path.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@core-services/Models/bug.js` around lines 40 - 83, The updateBug handler
currently passes req.body straight into findByIdAndUpdate, allowing clients to
change protected server-controlled fields; update the updateBug function to
mirror createBug's allowlist pattern: build an updates object by extracting only
permitted mutable fields from req.body (e.g., title, description,
github.repoUrl, github.filePath, github.issueUrl, deadline, reward-related
editable fields) and explicitly exclude server-controlled fields such as status,
acceptedSolutionId, isRewardLocked, isAbusive, refundProcessed, ownerId,
solutionCount before calling Bug.findByIdAndUpdate; ensure you still call
findByIdAndUpdate with { new: true, runValidators: true } so validation and
return of the updated document continue to work.

}
},
{
timestamps: true
}
);
module.exports = mongoose.model('Bug',bugSchema);
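Review bot: `github.repoUrl` and `github.issueUrl` are declared as bare `String` with no format or scheme check, so whatever a client submits is stored as is. If these values are ever rendered as links, restrict them to `https:` URLs with a `validate` function (or `match`) on each field and add `trim: true`. Separately, `deadline` is a bare `Date` here while `createBug` rejects requests without it; adding `required: true` to the schema keeps the model and the controller in agreement.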
21 changes: 21 additions & 0 deletions core-services/config/dbConnection.js
@@ -0,0 +1,21 @@
const mongoose = require('mongoose');

const connectDb = async() =>
{
try
{
const connect = await mongoose.connect(process.env.CONNECTION_STRING);
console.log(
'Database connected:',
connect.connection.host,
connect.connection.name
);
}
catch (err)
{
console.log(err);
process.exit(1);
}
Comment on lines +14 to +18


⚠️ Potential issue | 🟡 Minor

Log errors to stderr and add disconnect handling.

Two minor concerns:

  • console.log(err) writes DB connection failure to stdout; use console.error so errors land in the proper stream.
  • mongoose.connect only rejects on the initial handshake. Later disconnects, auth failures, or topology errors won't hit this catch. Attach listeners on mongoose.connection (error, disconnected) to surface runtime issues; otherwise the process will silently run with a broken DB while Mongoose buffers (and eventually times out) every query.
Proposed fix
     catch (err)
     {
-        console.log(err);
+        console.error('Database connection failed:', err);
         process.exit(1);
     }
 };
+
+mongoose.connection.on('error', (err) => console.error('Mongoose error:', err));
+mongoose.connection.on('disconnected', () => console.warn('Mongoose disconnected'));
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@core-services/config/dbConnection.js` around lines 14 - 18, The catch block
for mongoose.connect currently uses console.log(err) and doesn't handle later
connection events; change console.log(err) to console.error(err) in the existing
catch so the initial handshake error goes to stderr, and add listeners on
mongoose.connection (e.g., mongoose.connection.on('error', handler) and
mongoose.connection.on('disconnected', handler)) to log runtime connection
errors/disconnects and exit or trigger reconnection logic as appropriate so the
process does not silently run with a broken DB; locate the existing
mongoose.connect call and the catch block and attach the connection listeners
there (use the same logging mechanism, e.g., console.error or your
processLogger, and call process.exit(1) or other cleanup inside the handlers).

};

module.exports = connectDb;
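Review bot: `mongoose.connect(process.env.CONNECTION_STRING)` is called without checking that the variable is set. With `.env` git-ignored, a fresh checkout or a misconfigured deployment passes `undefined` and fails inside Mongoose with a less obvious error. Check for it at the top of `connectDb` and exit with a message that names the missing variable, without printing its value.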
8 changes: 8 additions & 0 deletions core-services/constants.js
@@ -0,0 +1,8 @@
exports.constants =
{
VALIDATION_ERROR:400,
NOT_FOUND:404,
UNAUTHORIZED:401,
FORBIDDEN:403,
SERVER_ERROR:500
};
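Review bot: `exports.constants` is a plain mutable object, so any module that requires it can reassign a status code for every other consumer, including the `errorHandler` switch. Wrap the literal in `Object.freeze({...})`. As a style point, the keys mix an error kind (`VALIDATION_ERROR`) with HTTP reason names (`NOT_FOUND`, `FORBIDDEN`); `BAD_REQUEST` for 400 would be consistent with the rest.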
96 changes: 96 additions & 0 deletions core-services/controllers/bugController.js
@@ -0,0 +1,96 @@
const asyncHandler = require('express-async-handler');
const Bug = require('../Models/bug');

//@desc Get all Bugs..
//@route Get /api/bugs
//@access public

const getBugs = asyncHandler(async (req,res) =>
{
const bugs = await Bug.find();
res.status(200).json(bugs);
});

//@desc Create new Bug..
//@route POST /api/bugs
//@access public

const createBug = asyncHandler(async (req, res) =>
{
console.log('The request body is: ',req.body);
const {title,description,deadline,reward} = req.body;
if(!title || !description || !deadline || !reward)
{
res.status(400);
throw new Error('All fields are mandatory')
}
const bug = await Bug.create({
title,
description,
deadline,
reward
});
res.status(201).json(bug);
});

//@desc Get Bug by id..
//@route Get /api/bugs/:id
//@access public

const getBug = asyncHandler(async (req, res) =>
{
const bug = await Bug.findById(req.params.id);
if(!bug)
{
res.status(404);
throw new Error('Bug not found');
}
res.status(200).json(bug);
});
Comment on lines +40 to +49


⚠️ Potential issue | 🟠 Major

Validate req.params.id as an ObjectId before findById.

getBug, updateBug, and deleteBugs all pass req.params.id straight into Bug.findById. If the caller sends something that isn't a 24-char hex string (e.g. /api/bugs/foo), Mongoose throws a CastError before your if (!bug) guard runs — res.status(...) was never set, so with the current errorHandler the default branch hits and the request hangs (see the errorHandler comment). Validate up front and return a proper 404/400.

Proposed fix (apply in getBug, updateBug, deleteBugs)
 const mongoose = require('mongoose');
 ...
 const getBug = asyncHandler(async (req, res) => 
 {
+        if (!mongoose.isValidObjectId(req.params.id))
+        {
+            res.status(404);
+            throw new Error('Bug not found');
+        }
         const bug = await Bug.findById(req.params.id);
         if(!bug)
         {
            res.status(404);
            throw new Error('Bug not found');
         }
         res.status(200).json(bug);
 });
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@core-services/controllers/bugController.js` around lines 40 - 49, Validate
req.params.id with mongoose.Types.ObjectId.isValid before calling Bug.findById
in getBug, updateBug, and deleteBugs; if the id is invalid, set an appropriate
status (e.g., res.status(404) or 400) and throw a new Error ('Bug not found' or
'Invalid id') so the errorHandler gets the status, and only call Bug.findById
when the id is valid to avoid Mongoose CastError.


//@desc Update Bug by id..
//@route PUT /api/bugs/:id
//@access public

const updateBug = asyncHandler(async(req, res) =>
{
const bug = await Bug.findById(req.params.id);
if(!bug)
{
res.status(404);
throw new Error('Bug not found');
}
const updatedBug = await Bug.findByIdAndUpdate(
req.params.id,
req.body,
{new: true}
);

res.status(200).json(updatedBug);
});
Comment on lines +55 to +70


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

mongoose 9 findByIdAndUpdate runValidators default behavior

💡 Result:

In Mongoose 9, the default behavior of Model.findByIdAndUpdate regarding runValidators is false. Update validators, including those triggered by runValidators: true, are off by default for findByIdAndUpdate and similar update operations. You must explicitly set { runValidators: true } in the options to enable validation on updates. This has been consistent across Mongoose versions, including 9.x, with no changes noted in the 9.0 changelog or migration guides.



🏁 Script executed:

# Find the Bug model/schema definition
fd -t f Bug -i | grep -E '\.(js|ts)$'

Repository: call-0f-code/Bug-Graveyard

Length of output: 207


🏁 Script executed:

# Also search for Bug schema/model definition in common patterns
rg "const Bug|export.*Bug|mongoose.model.*Bug" -t js -t ts -A 5

Repository: call-0f-code/Bug-Graveyard

Length of output: 595


🏁 Script executed:

# Check the Bug schema definition in the Models directory (since that's what the controller imports)
cat -n core-services/Models/bug.js

Repository: call-0f-code/Bug-Graveyard

Length of output: 2130


🏁 Script executed:

# Also check the src models version to see if there are differences
cat -n core-services/src/models/Bug.js

Repository: call-0f-code/Bug-Graveyard

Length of output: 1892


🏁 Script executed:

# Let's check the full updateBug function and surrounding context
sed -n '45,90p' core-services/controllers/bugController.js

Repository: call-0f-code/Bug-Graveyard

Length of output: 979


🏁 Script executed:

# Also check if there are any other update operations or patterns in the controller
rg "findByIdAndUpdate|findOneAndUpdate" core-services/controllers/bugController.js -A 10 -B 2

Repository: call-0f-code/Bug-Graveyard

Length of output: 332


Harden updateBug: whitelist fields, run validators, drop redundant fetch.

Three issues here:

  1. Mass assignment / NoSQL injection risk. Passing req.body directly to findByIdAndUpdate lets a client set arbitrary fields or inject Mongo operators (e.g. {"$rename": {...}}). The schema includes sensitive fields (status, ownerId, isAbusive, isRewardLocked, refundProcessed) that should never be client-editable. Pick the allowed fields explicitly.

  2. Schema validators don't run by default on findByIdAndUpdate. Pass runValidators: true so required rules on title, description, reward and the min: 1 constraint on reward are enforced on updates.

  3. The preceding findById is redundant — findByIdAndUpdate already returns null if no document matches, so you can check the result instead and save a round trip.

Proposed fix
-const updateBug = asyncHandler(async(req, res) => 
-{
-    const bug = await Bug.findById(req.params.id);
-    if(!bug)
-    {
-        res.status(404);
-        throw new Error('Bug not found');
-    }
-    const updatedBug = await Bug.findByIdAndUpdate(
-        req.params.id,
-        req.body,
-        {new: true}
-    );
-
-    res.status(200).json(updatedBug);
-});
+const updateBug = asyncHandler(async (req, res) =>
+{
+    const { title, description, deadline, reward } = req.body;
+    const updates = { title, description, deadline, reward };
+    Object.keys(updates).forEach(k => updates[k] === undefined && delete updates[k]);
+
+    const updatedBug = await Bug.findByIdAndUpdate(
+        req.params.id,
+        updates,
+        { new: true, runValidators: true }
+    );
+    if (!updatedBug)
+    {
+        res.status(404);
+        throw new Error('Bug not found');
+    }
+    res.status(200).json(updatedBug);
+});
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@core-services/controllers/bugController.js` around lines 55 - 70, In
updateBug, avoid mass-assignment and the redundant pre-fetch: build a whitelist
object from req.body containing only allowed updatable fields (e.g., title,
description, reward, tags — explicitly exclude status, ownerId, isAbusive,
isRewardLocked, refundProcessed and any keys starting with $), then call
Bug.findByIdAndUpdate(req.params.id, whitelistObject, { new: true,
runValidators: true, context: 'query' }) and check the returned updatedBug for
null to return 404; remove the initial Bug.findById call and ensure validators
are enforced by passing runValidators: true (and context: 'query' if using
mongoose validators that need it).


//@desc Delete Bug..
//@route DELETE /api/bugs/:id
//@access public

const deleteBugs = asyncHandler(async (req, res) =>
{
const bug = await Bug.findById(req.params.id);
if(!bug)
{
res.status(404);
throw new Error('Bug not found');
}

await bug.deleteOne();
res.status(200).json(bug);
});

module.exports =
{
getBugs,
createBug,
getBug,
updateBug,
deleteBugs
};
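Review bot: every handler in this file is annotated `//@access public`, and neither `updateBug` nor `deleteBugs` looks at who is making the request: `deleteBugs` loads the bug by `req.params.id` and calls `bug.deleteOne()` with no ownership check. For a model that carries `reward`, `isRewardLocked` and `refundProcessed`, the write routes should sit behind authentication and compare the bug's `ownerId` with the authenticated user before mutating, returning 403 otherwise. Also drop `console.log('The request body is: ',req.body)` in `createBug`, or log only selected fields, since it writes whole request bodies to the log.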
34 changes: 34 additions & 0 deletions core-services/middleware/errorHandler.js
@@ -0,0 +1,34 @@
const{constants} = require('../constants');
const errorHandler = (err,req,res,next) =>
{
const statusCode = res.statusCode ? res.statusCode: 500;

switch (statusCode)
{
case constants.VALIDATION_ERROR:
res.json({title: "Validation Failed",message: err.message,stackTrace: err.stack});
break;

case constants.NOT_FOUND:
res.json({title: "Not Found",message: err.message,stackTrace: err.stack});
break;

case constants.UNAUTHORIZED:
res.json({title: "Not Authorized",message: err.message,stackTrace: err.stack});
break;

case constants.FORBIDDEN:
res.json({title: "Forbidden",message: err.message,stackTrace: err.stack});
break;

case constants.SERVER_ERROR:
res.json({title: "Server Error",message: err.message,stackTrace: err.stack});
break;

default:
console.log('No Error');
break;
}
};
Comment on lines +1 to +32


⚠️ Potential issue | 🔴 Critical

Critical: unmapped errors leave the request hanging; stack traces leak to clients.

Several problems on this hot path:

  1. Request hang on any unmapped error. In Express, res.statusCode defaults to 200. So if any handler throws without first calling res.status(400|401|403|404|500) (e.g. a Mongoose CastError from an invalid :id in getBug/updateBug/deleteBugs, a schema validation failure in createBug, a DB timeout, a thrown TypeError, etc.), statusCode becomes 200, falls through to default, logs "No Error", and never sends a response — the client hangs until its socket timeout. This will bite you the first time anyone hits /api/bugs/not-an-object-id.
  2. Status on the wire is never explicitly set. The middleware should call res.status(statusCode) before res.json(...) so the HTTP status matches the payload regardless of what the controller set.
  3. err.stack is returned in the response body. That's an information-disclosure issue in production; gate it on NODE_ENV !== 'production'.
  4. The switch on constants is verbose and duplicated — a lookup table is clearer and removes the risk of forgetting a break.
Proposed fix
-const{constants} = require('../constants');
-const errorHandler = (err,req,res,next) =>
-{
-    const statusCode = res.statusCode ? res.statusCode: 500;
-
-    switch (statusCode) 
-    {
-        case constants.VALIDATION_ERROR:
-            res.json({title: "Validation Failed",message: err.message,stackTrace: err.stack});
-            break;
-
-        case constants.NOT_FOUND:
-            res.json({title: "Not Found",message: err.message,stackTrace: err.stack});
-            break;
-        
-        case constants.UNAUTHORIZED:
-            res.json({title: "Not Authorized",message: err.message,stackTrace: err.stack});
-            break;    
-
-        case constants.FORBIDDEN:
-            res.json({title: "Forbidden",message: err.message,stackTrace: err.stack});
-            break;
-
-        case constants.SERVER_ERROR:
-            res.json({title: "Server Error",message: err.message,stackTrace: err.stack});
-            break;
-
-        default:
-            console.log('No Error');
-            break;
-    }
-};
+const { constants } = require('../constants');
+
+const TITLES = {
+    [constants.VALIDATION_ERROR]: 'Validation Failed',
+    [constants.NOT_FOUND]: 'Not Found',
+    [constants.UNAUTHORIZED]: 'Not Authorized',
+    [constants.FORBIDDEN]: 'Forbidden',
+    [constants.SERVER_ERROR]: 'Server Error',
+};
+
+const errorHandler = (err, req, res, next) => {
+    // If no explicit error status was set by the controller, treat as 500.
+    const statusCode =
+        res.statusCode && res.statusCode !== 200 ? res.statusCode : 500;
+
+    res.status(statusCode).json({
+        title: TITLES[statusCode] || 'Error',
+        message: err.message,
+        ...(process.env.NODE_ENV !== 'production' && { stackTrace: err.stack }),
+    });
+};
 
 module.exports = errorHandler;
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@core-services/middleware/errorHandler.js` around lines 1 - 32, The
errorHandler middleware currently lets unmapped errors hang, leaks stacks, and
never explicitly sets the HTTP status; update the errorHandler function to:
determine the statusCode as res.statusCode && res.statusCode !== 200 ?
res.statusCode : constants.SERVER_ERROR (so unmapped errors become 500), create
a lookup map (e.g., statusTitles = { [constants.VALIDATION_ERROR]: 'Validation
Failed', ... }) instead of the switch, call res.status(statusCode) before
sending a response, and send res.json with { title: statusTitles[statusCode] ||
'Error', message: err.message, ...(process.env.NODE_ENV !== 'production' && {
stackTrace: err.stack }) } so stack traces are only included outside production
and every path returns a JSON response; keep the middleware signature
errorHandler(err, req, res, next) and ensure the default path returns a 500 JSON
response instead of logging and falling through.


module.exports = errorHandler;
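Review bot: the handler never checks `res.headersSent` and never calls `next`. If an error is raised after a response has started, `res.json(...)` throws on the already-sent headers; add `if (res.headersSent) return next(err);` as the first statement so Express's default handler can close the connection. `err.message` is also echoed to the client in the `SERVER_ERROR` branch, which can expose internal driver or validation text; return a generic message for 500 and log the detail server-side.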
70 changes: 25 additions & 45 deletions core-services/package-lock.json

Some generated files are not rendered by default.