feat: harden analytics dashboard

app/api/logs/route.test.ts

@@ -0,0 +1,44 @@
+import { describe, expect, mock, test } from "bun:test";
+import type { NextRequest } from "next/server";
+
+const getLogsMock = mock(async () => ({ logs: [], total: 0, page: 1, page_size: 100 }));
+const getUserRankingMock = mock(async () => []);
+const getModelRankingMock = mock(async () => []);
+const getChannelRankingMock = mock(async () => []);
+
+mock.module("@/lib/queries", () => ({
+  getLogs: getLogsMock,
+  getUserRanking: getUserRankingMock,
+  getModelRanking: getModelRankingMock,
+  getChannelRanking: getChannelRankingMock,
+}));
+
+const { GET } = await import("./route");
+
+function request(path: string) {
+  return { nextUrl: new URL(`http://localhost${path}`) } as NextRequest;
+}
+
+describe("/api/logs", () => {
+  test("rejects reversed date ranges", async () => {
+    const res = await GET(request("/api/logs?start=200&end=100"));
+
+    expect(res.status).toBe(400);
+    expect(await res.json()).toEqual({
+      error: "Invalid query parameter",
+      field: "range",
+    });
+  });
+
+  test("clamps page size before querying", async () => {
+    getLogsMock.mockClear();
+
+    const res = await GET(request("/api/logs?page=2&page_size=10000"));
+
+    expect(res.status).toBe(200);
+    expect(getLogsMock.mock.calls[0][0]).toMatchObject({
+      page: 2,
+      pageSize: 200,
+    });
+  });
+});

app/api/logs/route.ts

@@ -1,19 +1,46 @@
 import { NextRequest, NextResponse } from "next/server";
+import { jsonError, parseOptionalInt, parsePositiveInt, parseTimestampRange } from "@/lib/api-params";
 import { getLogs } from "@/lib/queries";
 
 export async function GET(req: NextRequest) {
-  const sp = req.nextUrl.searchParams;
+  try {
+    const sp = req.nextUrl.searchParams;
+    const range = parseTimestampRange(sp);
+    if (!range.ok) return jsonError(range.field);
 
-  const data = await getLogs({
-    page: sp.get("page") ? Number(sp.get("page")) : 1,
-    pageSize: sp.get("page_size") ? Number(sp.get("page_size")) : 100,
-    startTs: sp.get("start") ? Number(sp.get("start")) : undefined,
-    endTs: sp.get("end") ? Number(sp.get("end")) : undefined,
-    username: sp.get("username") || undefined,
-    model: sp.get("model") || undefined,
-    channelId: sp.get("channel_id") ? Number(sp.get("channel_id")) : undefined,
-    tokenName: sp.get("token_name") || undefined,
-  });
+    const page = parsePositiveInt(sp.get("page"), {
+      field: "page",
+      defaultValue: 1,
+      min: 1,
+    });
+    if (!page.ok) return jsonError(page.field);
 
-  return NextResponse.json(data);
+    const pageSize = parsePositiveInt(sp.get("page_size"), {
+      field: "page_size",
+      defaultValue: 100,
+      min: 1,
+      max: 200,
+    });
+    if (!pageSize.ok) return jsonError(pageSize.field);
+
+    const channelId = parseOptionalInt(sp.get("channel_id"), "channel_id");
+    if (!channelId.ok) return jsonError(channelId.field);
+    if (channelId.value === 0) return jsonError("channel_id");
+
+    const data = await getLogs({
+      page: page.value,
+      pageSize: pageSize.value,
+      startTs: range.value.startTs,
+      endTs: range.value.endTs,
+      username: sp.get("username") || undefined,
+      model: sp.get("model") || undefined,
+      channelId: channelId.value,
+      tokenName: sp.get("token_name") || undefined,
+    });
+
+    return NextResponse.json(data);
+  } catch (error) {
+    console.error("Failed to load logs", error);
+    return jsonError(undefined, 500);
+  }
 }