Handle int overflow in provided userID

jmgasper · jmgasper · commit 1490cee2e8df · 2026-03-10T17:43:05.000+11:00
diff --git a/src/api/project-member/dto/create-member.dto.spec.ts b/src/api/project-member/dto/create-member.dto.spec.ts
@@ -14,13 +14,32 @@ describe('CreateMemberDto', () => {
     ).toThrow(BadRequestException);
   });
 
-  it('accepts numeric-string user ids', () => {
+  it('accepts numeric-string user ids without coercing them to numbers', () => {
     const dto = plainToInstance(CreateMemberDto, {
       userId: '456',
       role: ProjectMemberRole.customer,
     });
 
-    expect(dto.userId).toBe(456);
+    expect(dto.userId).toBe('456');
     expect(validateSync(dto)).toEqual([]);
   });
+
+  it('preserves numeric-string user ids above Number.MAX_SAFE_INTEGER', () => {
+    const dto = plainToInstance(CreateMemberDto, {
+      userId: '9007199254740993',
+      role: ProjectMemberRole.customer,
+    });
+
+    expect(dto.userId).toBe('9007199254740993');
+    expect(validateSync(dto)).toEqual([]);
+  });
+
+  it('rejects user ids outside the supported bigint range', () => {
+    expect(() =>
+      plainToInstance(CreateMemberDto, {
+        userId: '9223372036854775808',
+        role: ProjectMemberRole.customer,
+      }),
+    ).toThrow(BadRequestException);
+  });
 });
diff --git a/src/api/project-member/dto/create-member.dto.ts b/src/api/project-member/dto/create-member.dto.ts
@@ -1,43 +1,54 @@
+import { BadRequestException } from '@nestjs/common';
 import { ProjectMemberRole } from '@prisma/client';
 import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
 import { Transform } from 'class-transformer';
-import { IsEnum, IsNumber, IsOptional } from 'class-validator';
+import { IsEnum, IsOptional, IsString } from 'class-validator';
 import { parseNumericStringId } from 'src/shared/utils/service.utils';
 
 /**
- * Parses optional integer-like input values from query/body payloads.
+ * Parses optional user ids from query/body payloads while preserving exact
+ * digits.
  *
  * @param value Raw unknown value from the incoming payload.
- * @returns A truncated number when parseable, otherwise `undefined`.
+ * @returns A normalized numeric-string id when parseable, otherwise
+ * `undefined`.
  * @throws {BadRequestException} If a provided value is not a numeric string or
- * finite number.
+ * finite number within the supported bigint range.
  */
-function parseOptionalInteger(value: unknown): number | undefined {
+function parseOptionalUserId(value: unknown): string | undefined {
   if (typeof value === 'undefined' || value === null || value === '') {
     return undefined;
   }
 
   if (typeof value === 'number') {
-    return Number(
-      parseNumericStringId(String(Math.trunc(value)), 'User id'),
-    );
+    return parseNumericStringId(
+      String(Math.trunc(value)),
+      'User id',
+    ).toString();
   }
 
-  return Number(parseNumericStringId(String(value), 'User id'));
+  if (typeof value === 'string' || typeof value === 'bigint') {
+    return parseNumericStringId(String(value), 'User id').toString();
+  }
+
+  throw new BadRequestException('User id must be a numeric string.');
 }
 
 /**
  * DTO for creating a project member.
  *
- * Validation requires `role`, while the service still defensively falls back
- * to `getDefaultProjectRole` when role is missing in runtime payloads.
+ * Validation requires `role`. `userId` is normalized to a numeric string so
+ * values beyond JavaScript's safe integer range are preserved exactly.
  */
 export class CreateMemberDto {
-  @ApiPropertyOptional({ description: 'User id. Defaults to current user.' })
+  @ApiPropertyOptional({
+    description: 'User id. Defaults to current user.',
+    type: String,
+  })
   @IsOptional()
-  @Transform(({ value }) => parseOptionalInteger(value))
-  @IsNumber()
-  userId?: number;
+  @Transform(({ value }) => parseOptionalUserId(value))
+  @IsString()
+  userId?: string;
 
   @ApiProperty({ enum: ProjectMemberRole, enumName: 'ProjectMemberRole' })
   @IsEnum(ProjectMemberRole)
diff --git a/src/api/project-member/project-member.service.spec.ts b/src/api/project-member/project-member.service.spec.ts
@@ -151,7 +151,7 @@ describe('ProjectMemberService', () => {
     await service.addMember(
       '1001',
       {
-        userId: 456,
+        userId: '456',
         role: ProjectMemberRole.customer,
       },
       {
@@ -182,7 +182,28 @@ describe('ProjectMemberService', () => {
       service.addMember(
         '1001',
         {
-          userId: 'invalid' as unknown as number,
+          userId: 'invalid' as unknown as string,
+          role: ProjectMemberRole.customer,
+        },
+        {
+          userId: '123',
+          roles: ['Topcoder User'],
+          isMachine: false,
+        },
+        undefined,
+      ),
+    ).rejects.toBeInstanceOf(BadRequestException);
+
+    expect(prismaMock.project.findFirst).not.toHaveBeenCalled();
+    expect(prismaMock.$transaction).not.toHaveBeenCalled();
+  });
+
+  it('rejects out-of-range target user ids before querying the project', async () => {
+    await expect(
+      service.addMember(
+        '1001',
+        {
+          userId: '10000000000000011111',
           role: ProjectMemberRole.customer,
         },
         {
diff --git a/src/api/project-member/project-member.service.ts b/src/api/project-member/project-member.service.ts
@@ -820,12 +820,14 @@ export class ProjectMemberService {
    * Resolves the target project-member user id from request payload state.
    *
    * Defaults to the authenticated actor when `dto.userId` is omitted, and
-   * rejects provided values that are not numeric.
+   * rejects provided values that are not numeric or exceed the supported
+   * signed 64-bit bigint range.
    *
    * @param userId Raw `CreateMemberDto.userId` payload value.
    * @param actorUserId Authenticated caller id used as the default target.
    * @returns Normalized target user id string.
-   * @throws {BadRequestException} If a provided `userId` is not numeric.
+   * @throws {BadRequestException} If a provided `userId` is not numeric or is
+   * outside the supported bigint range.
    */
   private resolveTargetUserId(
     userId: CreateMemberDto['userId'] | string | bigint | null | undefined,
diff --git a/src/shared/utils/service.utils.ts b/src/shared/utils/service.utils.ts
@@ -15,6 +15,8 @@ import { PrismaService } from 'src/shared/modules/global/prisma.service';
 import { PermissionService } from 'src/shared/services/permission.service';
 import { hasAdminRole } from 'src/shared/utils/permission.utils';
 
+const MAX_SIGNED_BIGINT_ID = 9223372036854775807n;
+
 /**
  * Parses an id using `BigInt(...)` semantics and throws on invalid input.
  */
@@ -28,6 +30,9 @@ export function parseBigIntId(value: string, entityName: string): bigint {
 
 /**
  * Parses a strictly numeric-string id (`/^[0-9]+$/`) as bigint.
+ *
+ * Rejects values that exceed the signed 64-bit bigint range supported by the
+ * backing database schema.
  */
 export function parseNumericStringId(value: string, fieldName: string): bigint {
   const normalized = String(value || '').trim();
@@ -36,7 +41,15 @@ export function parseNumericStringId(value: string, fieldName: string): bigint {
     throw new BadRequestException(`${fieldName} must be a numeric string.`);
   }
 
-  return BigInt(normalized);
+  const parsed = BigInt(normalized);
+
+  if (parsed > MAX_SIGNED_BIGINT_ID) {
+    throw new BadRequestException(
+      `${fieldName} must be less than or equal to ${MAX_SIGNED_BIGINT_ID.toString()}.`,
+    );
+  }
+
+  return parsed;
 }
 
 /**
