fix: address code review findings for info broker removal service

- Fix Prisma enum casing: snake_case -> UPPERCASE to match TypeScript types
- Add admin/support role guard on POST /process endpoint (P0 security): the endpoint previously ran processPendingRequests() for any authenticated user; it now returns 403 unless the user's role is 'admin' or 'support'
- Fix DELETE /request/:id to return valid enum status (REJECTED not cancelled)
- Fix brokerName bug: was set to brokerId, now resolves actual broker name
- Add missing BrokerCategory enum export to types package
- Add HOME_TITLE to AlertSource enum
- Replace unsafe 'as any' casts with proper enum imports
- Fix broker ID with space (familytree Now -> familytreenow)
- Add missing Prisma relation fields for RemovalRequest and BrokerListing
- Add FALSE_POSITIVE to CorrelationStatus enum

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-17 01:45:54 -04:00
parent bd881045f4
commit e9e547be78
5 changed files with 64 additions and 48 deletions


@@ -1,6 +1,6 @@
import { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
import { prisma } from '@shieldai/db';
import { RemovalStatus, Severity } from '@shieldai/types';
import { RemovalStatus, Severity, AlertCategory, EntityTypes } from '@shieldai/types';
import {
removeBrokersService,
removeBrokersScheduler,
@@ -144,13 +144,13 @@ export async function removebrokersRoutes(fastify: FastifyInstance) {
userId: (request as AuthRequest).user!.id,
brokerName: listing.brokerName,
brokerId: listing.brokerId,
category: 'INFO_BROKER_LISTING' as any,
category: AlertCategory.INFO_BROKER_LISTING,
severity: Severity.MEDIUM,
title: `Personal listing found on ${listing.brokerName}`,
description: `Your personal information was found on ${listing.brokerName} (${listing.brokerId}). Consider submitting a removal request.`,
entities: [
{ type: 'USER_ID' as any, value: (request as AuthRequest).user!.id },
],
{ type: EntityTypes.USER_ID, value: (request as AuthRequest).user!.id },
],
metadata: { url: listing.url },
});
} catch {
@@ -319,7 +319,7 @@ export async function removebrokersRoutes(fastify: FastifyInstance) {
return reply.send({
request: {
id: req.id,
status: 'cancelled',
status: RemovalStatus.REJECTED,
},
});
} catch (error) {
@@ -335,6 +335,10 @@ export async function removebrokersRoutes(fastify: FastifyInstance) {
return reply.code(401).send({ error: 'User not authenticated' });
}
if (authReq.user.role !== 'admin' && authReq.user.role !== 'support') {
return reply.code(403).send({ error: 'Admin access required' });
}
try {
const results = await removeBrokersService.processPendingRequests();