fix(admin): validate userId and email are strings

waleedlatif1 · waleedlatif1 · commit 932aef3c1b4f · 2026-01-23T11:07:41.000-08:00
diff --git a/apps/sim/app/api/v1/admin/credits/route.ts b/apps/sim/app/api/v1/admin/credits/route.ts
@@ -51,6 +51,14 @@ export const POST = withAdminAuth(async (request) => {
       return badRequestResponse('Either userId or email is required')
     }
 
+    if (userId && typeof userId !== 'string') {
+      return badRequestResponse('userId must be a string')
+    }
+
+    if (email && typeof email !== 'string') {
+      return badRequestResponse('email must be a string')
+    }
+
     if (typeof amount !== 'number' || !Number.isFinite(amount) || amount <= 0) {
       return badRequestResponse('amount must be a positive number')
     }

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,14 @@ export const POST = withAdminAuth(async (request) => {`
`51`	`51`	`return badRequestResponse('Either userId or email is required')`
`52`	`52`	`}`
`53`	`53`
	`54`	`+ if (userId && typeof userId !== 'string') {`
	`55`	`+ return badRequestResponse('userId must be a string')`
	`56`	`+ }`
	`57`	`+`
	`58`	`+ if (email && typeof email !== 'string') {`
	`59`	`+ return badRequestResponse('email must be a string')`
	`60`	`+ }`
	`61`	`+`
`54`	`62`	`if (typeof amount !== 'number' \|\| !Number.isFinite(amount) \|\| amount <= 0) {`
`55`	`63`	`return badRequestResponse('amount must be a positive number')`
`56`	`64`	`}`