From c25926514b2d1090e34fb06349794b44f6000b12 Mon Sep 17 00:00:00 2001
From: Kharec
Date: Sun, 23 Nov 2025 14:19:54 +0100
Subject: [PATCH] fix: add explicit empty-field validation check in handlers

---
 internal/handlers/auth_handler.go | 35 +++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/internal/handlers/auth_handler.go b/internal/handlers/auth_handler.go
index 4510af4..b21f639 100644
--- a/internal/handlers/auth_handler.go
+++ b/internal/handlers/auth_handler.go
@@ -225,6 +225,11 @@ func (h *AuthHandler) ResendVerificationEmail(w http.ResponseWriter, r *http.Req
 email := strings.TrimSpace(req.Email)
+ if email == "" {
+ SendErrorResponse(w, "Email address is required", http.StatusBadRequest)
+ return
+ }
+
 err := h.authService.ResendVerificationEmail(email)
 if err != nil {
 switch {
@@ -293,6 +298,11 @@ func (h *AuthHandler) RequestPasswordReset(w http.ResponseWriter, r *http.Reques
 usernameOrEmail := strings.TrimSpace(req.UsernameOrEmail)
+ if usernameOrEmail == "" {
+ SendErrorResponse(w, "Username or email is required", http.StatusBadRequest)
+ return
+ }
+
 if err := h.authService.RequestPasswordReset(usernameOrEmail); err != nil {
 }
@@ -319,6 +329,11 @@ func (h *AuthHandler) ResetPassword(w http.ResponseWriter, r *http.Request) {
 token := strings.TrimSpace(req.Token)
 newPassword := strings.TrimSpace(req.NewPassword)
+ if token == "" {
+ SendErrorResponse(w, "Token is required", http.StatusBadRequest)
+ return
+ }
+
 if err := validation.ValidatePassword(newPassword); err != nil {
 SendErrorResponse(w, err.Error(), http.StatusBadRequest)
 return
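Review bot: The new guard in ResendVerificationEmail is the same four lines repeated, message aside, in the RequestPasswordReset, ResetPassword, UpdatePassword, ConfirmAccountDeletion, RefreshToken and RevokeToken hunks of this patch; a small helper would keep the field-to-message pairing in one place and make the check harder to forget in the next handler. Each call site then collapses to `if !requireNonEmpty(w, email, "Email address is required") { return }`, as in the excerpt below. ResendVerificationEmail's body starts before this hunk and continues after it.
```go
// requireNonEmpty writes a 400 with msg and reports false when v is empty,
// so a handler can bail out with `if !requireNonEmpty(w, v, msg) { return }`.
func requireNonEmpty(w http.ResponseWriter, v, msg string) bool {
	if v == "" {
		SendErrorResponse(w, msg, http.StatusBadRequest)
		return false
	}
	return true
}

// … in ResendVerificationEmail, replacing the added guard …
	email := strings.TrimSpace(req.Email)
	if !requireNonEmpty(w, email, "Email address is required") {
		return
	}
```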
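Review bot: The `if err := h.authService.RequestPasswordReset(usernameOrEmail); err != nil { }` immediately below the new guard in RequestPasswordReset still has an empty body, so a service failure is neither reported nor, as far as this hunk shows, logged; if that is the deliberate uniform response that keeps the endpoint from revealing whether an account exists, it deserves a comment such as `// Response is intentionally identical for unknown and known accounts; log server-side only.` so the next reader does not "fix" it. One context line of this hunk was lost in extraction, so if such a comment already sits there this can be ignored. The new 400 for an empty field is fine from that standpoint, since it depends only on the request body and not on any lookup. RequestPasswordReset's body begins before the hunk.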
@@ -467,6 +482,11 @@ func (h *AuthHandler) UpdatePassword(w http.ResponseWriter, r *http.Request) {
 currentPassword := strings.TrimSpace(req.CurrentPassword)
 newPassword := strings.TrimSpace(req.NewPassword)
+ if currentPassword == "" {
+ SendErrorResponse(w, "Current password is required", http.StatusBadRequest)
+ return
+ }
+
 if err := validation.ValidatePassword(newPassword); err != nil {
 SendErrorResponse(w, err.Error(), http.StatusBadRequest)
 return
@@ -538,6 +558,11 @@ func (h *AuthHandler) ConfirmAccountDeletion(w http.ResponseWriter, r *http.Requ
 token := strings.TrimSpace(req.Token)
+ if token == "" {
+ SendErrorResponse(w, "Deletion token is required", http.StatusBadRequest)
+ return
+ }
+
 if err := h.authService.ConfirmAccountDeletionWithPosts(token, req.DeletePosts); err != nil {
 switch {
 case errors.Is(err, services.ErrInvalidDeletionToken):
@@ -591,6 +616,11 @@ func (h *AuthHandler) RefreshToken(w http.ResponseWriter, r *http.Request) {
 return
 }
+ if req.RefreshToken == "" {
+ SendErrorResponse(w, "Refresh token is required", http.StatusBadRequest)
+ return
+ }
+
 result, err := h.authService.RefreshAccessToken(req.RefreshToken)
 if !HandleServiceError(w, err, "Token refresh failed", http.StatusInternalServerError) {
 return
@@ -618,6 +648,11 @@ func (h *AuthHandler) RevokeToken(w http.ResponseWriter, r *http.Request) {
 return
 }
+ if req.RefreshToken == "" {
+ SendErrorResponse(w, "Refresh token is required", http.StatusBadRequest)
+ return
+ }
+
 err := h.authService.RevokeRefreshToken(req.RefreshToken)
 if err != nil {
 SendErrorResponse(w, "Failed to revoke token", http.StatusInternalServerError)
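Review bot: The new empty check in UpdatePassword runs on `currentPassword` after the `strings.TrimSpace` on the context line above it, so a whitespace-only current password is reported as missing rather than handed to the service; that is consistent within this handler, but it only works if passwords are trimmed identically wherever they are set, otherwise a user whose password has leading or trailing spaces can never pass this guard. Worth confirming against the registration path, which is outside this diff, and noting the decision in a one-line comment on the trim. The ResetPassword hunk earlier in the patch trims `newPassword` the same way before `validation.ValidatePassword`. UpdatePassword's body continues past the hunk.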
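Review bot: The guard in RefreshToken tests the raw `req.RefreshToken`, while every other guard in this patch checks a trimmed value, so a whitespace-only token passes the new check and still reaches `h.authService.RefreshAccessToken`; the RevokeToken hunk below has the same gap, and there any service error then surfaces as a 500 `"Failed to revoke token"` rather than the intended 400. Either trim first — `refreshToken := strings.TrimSpace(req.RefreshToken)` followed by `if refreshToken == "" {` and passing `refreshToken` to the service — or add a comment stating that tokens are deliberately compared verbatim. Both function bodies begin before their hunks.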