Add integration tests, log sanitization, and error code documentation #348

Merged
Chucks1093 merged 1 commit into accesslayerorg:main from Just-Bamford:feature/testing-and-docs-improvements
May 29, 2026
Just-Bamford commented May 29, 2026

Overview

This PR adds comprehensive testing coverage, security improvements, and documentation to improve code quality and maintainability. Four key improvements are included:

This PR closes #340
This PR closes #339
This PR closes #341
This PR closes #338


340. Integration Test: Creator List Response with Zero Total Results

File: src/modules/creators/creator-list-zero-results.integration.test.ts

Description:
Adds an integration test that verifies graceful handling of empty creator list responses. Tests confirm that when the database is empty or a filter set matches no creators, the API returns a valid response with an empty items array and accurate pagination metadata.

What it covers:

  • Response is valid with empty items array
  • Pagination metadata reflects zero total results (total: 0, hasMore: false)
  • All required pagination fields are present (limit, offset, total, hasMore)
  • Default pagination values are applied correctly
  • Uses isolated empty fixture to avoid test interference
  • Returns HTTP 200 (not 404) for empty results
  • Maintains valid response structure with custom pagination and filter parameters

Acceptance Criteria Met:

  • ✅ Response is valid with empty items array
  • ✅ Total count in pagination metadata is zero
  • ✅ Test uses isolated empty fixture to avoid interference from other tests

339. Log Sanitization Helper for Preventing Log Injection

Files:

  • src/utils/log-field-sanitizer.utils.ts (helper implementation)
  • src/utils/log-field-sanitizer.utils.test.ts (comprehensive unit tests)
  • src/middlewares/request-logger.middleware.ts (applied to request logging)
  • src/middlewares/error.middleware.ts (applied to error logging)
  • src/middlewares/body-parse-error.middleware.ts (applied to parse error logging)
  • src/modules/creators/creators.sort-field.utils.ts (applied to sort field logging)

Description:
Adds a log field sanitization utility that prevents log injection attacks by escaping control characters (newlines, carriage returns, tabs, etc.) in log field values. This prevents user-supplied values like search terms and handles from breaking structured log parsing.

What it covers:

  • sanitizeLogFieldValue() - Escapes control characters in individual string values
  • sanitizeLogObject() - Recursively sanitizes all string values in objects and arrays
  • Handles newline (\n), carriage return (\r), tab (\t), form feed (\f), vertical tab (\v), and null (\0) characters
  • Applied to all log sites that include user input:
    • Request logger (sanitizes req.originalUrl)
    • Error middleware (sanitizes req.originalUrl in error logs)
    • Body parse error middleware (sanitizes req.originalUrl)
    • Creator sort field logger (sanitizes unrecognized sort values)

Unit Tests (20+ test cases):

  • Newline, carriage return, tab, form feed, vertical tab, and null character escaping
  • Mixed control character handling
  • Edge cases (null, undefined, non-string values)
  • Nested objects and arrays
  • Unicode and special character preservation
  • Original object immutability

Acceptance Criteria Met:

  • ✅ Control characters in log field values are stripped or escaped
  • ✅ Helper is applied at all log sites that include user input
  • ✅ Unit test covers newline, carriage return, and tab inputs (plus additional control characters)

341. Error Code Registry Documentation

File: docs/ERROR_CODE_REGISTRY.md

Description:
Comprehensive documentation of the error code registry explaining what each error code means and when contributors should add new ones. Prevents ad-hoc code creation and keeps error responses consistent across the API.

What it covers:

  • Overview of error codes as public API contracts

  • Complete reference for all 10 error codes:

    • VALIDATION_ERROR (400)
    • NOT_FOUND (404)
    • UNAUTHORIZED (401)
    • FORBIDDEN (403)
    • CONFLICT (409)
    • BAD_REQUEST (400)
    • INTERNAL_ERROR (500)
    • RATE_LIMIT (429)
    • DATABASE_ERROR / PRISMA_ERROR (400)
    • TOKEN_ERROR / JWT_ERROR (401)
  • For each code: HTTP status, meaning, when to use, and JSON example

  • Criteria for adding new error codes (4 criteria)

  • Criteria for NOT adding new codes (4 reasons)

  • Step-by-step implementation guide for adding new codes

  • Real example (INCOMPLETE_PROFILE)

  • Error code stability guidelines for backward compatibility

Acceptance Criteria Met:

  • ✅ Every existing error code has documented meaning
  • ✅ Criteria for adding new codes are clearly stated
  • ✅ No code changes required; this is a docs-only issue

338. Integration Test: Creator List with Combined Sort and Filter Parameters

File: src/modules/creators/creator-list-sort-filter-combined.integration.test.ts

Description:
Adds an integration test that verifies sort and filter parameters work correctly when applied together. Confirms that items satisfy the filter constraint AND are in the expected sort order, and that neither constraint is dropped silently.

Fixture Set (5 creators with variety):

  • 3 verified creators (Alice, Bob, Charlie) with different creation dates
  • 2 unverified creators (Diana, Eve) with different creation dates
  • Mix of searchable handles ("jazz", "rock")

Test Cases (9 total):

  1. Filter verified=true + Sort createdAt desc - Verifies both constraints
  2. Filter verified=true + Sort displayName asc - Different sort field
  3. Filter search=jazz + Sort handle asc - Search filter with sort
  4. Filter verified=false + Sort updatedAt desc - Unverified filter
  5. Filter verified=true + search=jazz + Sort createdAt asc - Multiple filters + sort
  6. Pagination metadata correct with filters and sort
  7. Fails if filter is dropped - Detects missing filter constraint
  8. Fails if sort is dropped - Detects wrong sort order
  9. Response structure valid with combined parameters

Acceptance Criteria Met:

  • ✅ Response items match the applied filter
  • ✅ Items are in the correct sort order
  • ✅ Test fails if either constraint is dropped silently

Summary

This PR improves code quality through:

  • Testing: 2 new integration tests covering edge cases and combined parameters
  • Security: Log sanitization preventing injection attacks
  • Documentation: Comprehensive error code registry for contributors

All changes are backward compatible and follow existing code patterns.
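
Added example (not part of the PR and not the project's code): a minimal sketch of helpers with the behaviour described under 339, shown against a line-oriented log format where a newline in a search term would otherwise start a second entry. The function bodies, the `\uXXXX` fallback for other control characters, `formatLine` and the sample search term are assumptions constructed for illustration.

```typescript
// Added sketch, not the project's implementation. Named escapes for the six
// characters the PR description lists.
const NAMED: Record<string, string> = {
  "\n": "\\n", "\r": "\\r", "\t": "\\t", "\f": "\\f", "\v": "\\v", "\0": "\\0",
};

// Escape control characters in one value; non-strings pass through unchanged.
function sanitizeLogFieldValue(value: unknown): unknown {
  if (typeof value !== "string") return value;
  return value.replace(/[\u0000-\u001f\u007f]/g, (ch: string): string => {
    const named = NAMED[ch];
    if (named !== undefined) return named;
    // Assumption: other C0 controls and DEL (e.g. ESC) become \uXXXX.
    return "\\u" + ("000" + ch.charCodeAt(0).toString(16)).slice(-4);
  });
}

// Recursively sanitize strings in plain objects and arrays, returning a copy
// so the caller's object is never mutated.
function sanitizeLogObject(input: unknown): unknown {
  if (Array.isArray(input)) return input.map((item) => sanitizeLogObject(item));
  if (input !== null && typeof input === "object") {
    const source = input as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const key of Object.keys(source)) out[key] = sanitizeLogObject(source[key]);
    return out;
  }
  return sanitizeLogFieldValue(input);
}

// Hypothetical line-oriented formatter: one log entry per line.
function formatLine(level: string, search: unknown): string {
  return `${level} creator search: ${String(search)}`;
}

// Constructed input: a search term carrying a newline and a forged entry.
const CONSTRUCTED_SEARCH = "jazz\nERROR forged entry";

// Compare how many log lines the raw and the sanitized value produce.
function demo(): { rawLines: number; safeLines: number; safe: string } {
  const raw = formatLine("INFO", CONSTRUCTED_SEARCH);
  const safe = formatLine("INFO", sanitizeLogFieldValue(CONSTRUCTED_SEARCH));
  return { rawLines: raw.split("\n").length, safeLines: safe.split("\n").length, safe };
}
```

When the logger emits JSON, the serializer already escapes these characters inside string values; a helper like this matters most for line-oriented output, where the newline is the entry boundary.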

drips-wave Bot commented May 29, 2026

@Just-Bamford Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

Chucks1093 merged commit c116cae into accesslayerorg:main May 29, 2026
1 check passed