
Add pirate treasure tracking REST API#6

Draft
Copilot wants to merge 3 commits into main from copilot/add-treasure-tracking-api-again


Conversation


Copilot AI commented Apr 14, 2026

Node.js Express API for CRUD operations on pirate treasure, backed by an in-memory store.

API

  • POST /api/treasures — create treasure (201)
  • GET /api/treasures — list all (200)
  • GET /api/treasures/:id — get by ID (200 / 404)
  • DELETE /api/treasures/:id — delete by ID (204 / 404)
  • GET / — health check

Data model

{ "id": "uuid", "name": "string", "value": 0, "location": "string", "dateFound": "string" }

IDs generated via crypto.randomUUID() (no uuid package — v13 is ESM-only, incompatible with Jest/CJS).

Validation & security hardening

  • Type + presence checks on all fields; empty strings rejected
  • Number.isFinite() guard rejects NaN/Infinity/negative values
  • HTML tag stripping on string inputs (O(n) char walk, no regex) to mitigate stored XSS
  • Error-handling middleware catches malformed JSON — returns 400 JSON instead of leaking stack traces

Project structure

src/
├── app.js              # Express app (exported, no listen — testable)
├── server.js           # Entry point, binds to PORT
├── routes/treasures.js # Router with all handlers
└── data/store.js       # In-memory array + resetTreasures()
__tests__/
└── treasures.test.js   # 20 tests (supertest, Jest)

App/server split so supertest can exercise routes without binding a port. Store reset uses treasures.length = 0 to preserve module-level references across test isolation.

Copilot AI and others added 3 commits April 14, 2026 18:38
- Express REST API with POST, GET, GET/:id, DELETE/:id endpoints
- In-memory data store with reset function for testing
- Comprehensive Jest + supertest test suite (15 tests)
- Health check endpoint at GET /
- Input validation on POST with proper error responses

Co-authored-by: mickeygousset <20031479+mickeygousset@users.noreply.github.com>
RSE-1: Add error-handling middleware to prevent stack trace exposure
RSE-2: Reject empty string fields (name, location, dateFound)
RSE-3: Reject negative treasure values
RSE-4: Reject Infinity/NaN values with Number.isFinite check
RSE-5: Strip HTML tags from string inputs to prevent stored XSS
BRN-6: Simplify redundant validation (typeof handles null/undefined)

Added 5 new tests covering all fixes. All 20 tests pass.

Co-authored-by: mickeygousset <20031479+mickeygousset@users.noreply.github.com>
Addresses CodeQL alerts:
- js/incomplete-multi-character-sanitization: nested tags like
  <scr<script>ipt> are now properly handled
- js/polynomial-redos: no regex means no backtracking risk

Co-authored-by: mickeygousset <20031479+mickeygousset@users.noreply.github.com>