Return 400 status codes when query parameters are bad

src/lib/utils/url.server.ts

@@ -0,0 +1,25 @@
+import { error } from "@sveltejs/kit";
+import * as m from "$paraglide/messages";
+
+/**
+ * Get the year from the URL object or throw a Svelte error if the year is invalid
+ * @param url The URL object
+ * @param lowerBound The lower bound for the year. Default is 1982
+ * @param upperBound The upper bound for the year. Default is the current year
+ * @returns The year
+ * @throws Svelte error if the year is invalid
+ */
+export const getYearOrThrowSvelteError = (
+  url: URL,
+  lowerBound = 1982,
+  upperBound = new Date().getFullYear(),
+) => {
+  const year = parseInt(
+    url.searchParams.get("year") || new Date().getFullYear().toString(),
+  );
+  if (isNaN(year)) throw error(400, m.error_invalid_year());
+  if (year < lowerBound || year > upperBound) {
+    throw error(400, m.error_invalid_year());
+  }
+  return year;
+};

src/routes/(app)/committees/committee.server.ts

@@ -6,24 +6,26 @@ import { zod } from "sveltekit-superforms/adapters";
 import { message, superValidate, withFiles } from "sveltekit-superforms/server";
 import { updateSchema } from "./types";
 import { updateMarkdown } from "$lib/news/markdown/mutations.server";
+import { getYearOrThrowSvelteError } from "$lib/utils/url.server";
 
-export const getYear = (url: URL) => {
-  const yearQuery = url.searchParams.get("year");
-  const parsedYear = parseInt(yearQuery ?? "");
-  const year = isNaN(parsedYear) ? new Date().getFullYear() : parsedYear;
-  return year;
-};
 /**
+ * Load all data that every committee load function needs
+ * @param prisma The Prisma client
  * @param shortName The committee's short name
- * @param year The year to load the committee for, defaults to current year
+ * @param url The URL object
  * @returns All data that the every committee load function needs
  */
 export const committeeLoad = async (
   prisma: PrismaClient,
   shortName: string,
   url: URL,
 ) => {
-  const year = getYear(url);
+  // Allow to see committees from 1982 to the NEXT year
+  const year = getYearOrThrowSvelteError(
+    url,
+    1982,
+    new Date().getFullYear() + 1,
+  );
 
   const firstDayOfYear = new Date(`${year}-01-01`);
   const lastDayOfYear = new Date(`${year}-12-31`);

src/routes/(app)/committees/nollu/+page.server.ts

@@ -1,9 +1,15 @@
 import type { PageServerLoad } from "./$types";
-import { committeeActions, committeeLoad, getYear } from "../committee.server";
+import { committeeActions, committeeLoad } from "../committee.server";
+import { getYearOrThrowSvelteError } from "$lib/utils/url.server";
 
 export const load: PageServerLoad = async ({ locals, url }) => {
   const { prisma } = locals;
-  const year = getYear(url);
+  // Allow to see committees from 1982 to the NEXT year
+  const year = getYearOrThrowSvelteError(
+    url,
+    1982,
+    new Date().getFullYear() + 1,
+  );
   const phadderGroups = prisma.phadderGroup.findMany({
     where: {
       year,

src/routes/(app)/documents/+page.server.ts

@@ -14,12 +14,16 @@ import { zod } from "sveltekit-superforms/adapters";
 import { z } from "zod";
 import type { Actions, PageServerLoad } from "./$types";
 import * as m from "$paraglide/messages";
+import { getYearOrThrowSvelteError } from "$lib/utils/url.server";
+
+const validDocumentTypes = [
+  "board-meeting",
+  "guild-meeting",
+  "SRD-meeting",
+  "other",
+] as const;
+export type DocumentType = (typeof validDocumentTypes)[number];
 
-export type DocumentType =
-  | "board-meeting"
-  | "guild-meeting"
-  | "SRD-meeting"
-  | "other";
 const prefixByType: Record<DocumentType, string> = {
   "board-meeting": "S",
   "guild-meeting": "",
@@ -28,9 +32,12 @@ const prefixByType: Record<DocumentType, string> = {
 };
 export const load: PageServerLoad = async ({ locals, url }) => {
   const { user } = locals;
-  const year = url.searchParams.get("year") || new Date().getFullYear();
-  const type: DocumentType =
-    (url.searchParams.get("type") as DocumentType) || "board-meeting";
+  const year = getYearOrThrowSvelteError(url);
+
+  const type = url.searchParams.get("type") || "board-meeting";
+  if (!isValidDocumentType(type)) {
+    throw error(400, m.documents_errors_invalidType());
+  }
 
   const files = await fileHandler.getInBucket(
     user,
@@ -80,7 +87,7 @@ export const load: PageServerLoad = async ({ locals, url }) => {
           !meeting.startsWith("HTM") &&
           !meeting.startsWith("VTM") &&
           !meeting.startsWith("S") &&
-          meeting != year
+          meeting != year.toString()
         );
       });
       break;
@@ -137,3 +144,6 @@ export const actions: Actions = {
     });
   },
 };
+
+const isValidDocumentType = (type: string): type is DocumentType =>
+  (validDocumentTypes as unknown as string[]).includes(type);

src/translations/en.json

@@ -19,6 +19,7 @@
   "documents_guildMeetings": "Guild Meetings",
   "documents_boardMeetings": "Board Meetings",
   "documents_srdMeetings": "SRD Meetings",
+  "documents_errors_invalidType": "Invalid document type",
   "documents_other": "Other",
   "theGuild": "The Guild",
   "theBoard": "The Board",
@@ -773,6 +774,7 @@
   "error_should_not_happen": "If you think this shouldn't happen please",
   "error_or": "or",
   "error_contact": "Contact DWWW",
+  "error_invalid_year": "Invalid year",
   "back": "Back",
   "events_cancelEvent": "Cancel event",
   "events_cancelled": "Cancelled",

src/translations/sv.json

@@ -20,6 +20,7 @@
   "documents_boardMeetings": "Styrelsemöten",
   "documents_srdMeetings": "SRD-möten",
   "documents_other": "Övrigt",
+  "documents_errors_invalidType": "Ogiltig dokumenttyp",
   "theGuild": "Sektionen",
   "theBoard": "Styrelsen",
   "committees": "Utskott",
@@ -769,6 +770,7 @@
   "error_should_not_happen": "Om du tror att detta inte bör hända",
   "error_or": "eller",
   "error_contact": "Kontakta DWWW",
+  "error_invalid_year": "Ogiltigt år",
   "back": "Tillbaka",
   "events_cancelEvent": "Ställ in event",
   "events_cancelled": "Inställt",