
Validation: @NotBlank constraints not enforced on AddUserRequest #41

@stanleykc

Description

The @NotBlank validation constraints on UserController.AddUserRequest fields are not being enforced. Requests with blank/empty values for email, firstName, lastName, and password are accepted instead of being rejected with HTTP 400 Bad Request.

Current Behavior

The following requests are accepted (HTTP 201 Created) when they should be rejected:

{
  "email": "",
  "firstName": "John",
  "lastName": "Doe",
  "tenantId": 1,
  "password": "test123",
  "roles": [1]
}

Similar behavior for blank firstName, lastName, and password fields.

Expected Behavior

Requests with blank values should return HTTP 400 Bad Request with validation error messages.

Affected Component

// UserController.java
@Serdeable
public record AddUserRequest(
        @NotBlank String email,      // Not enforced
        @NotBlank String firstName,  // Not enforced
        @NotBlank String lastName,   // Not enforced
        @NotNull Long tenantId,
        @NotBlank String password,   // Not enforced
        @NotEmpty List<Long> roles)  // @NotEmpty also not enforced

Security Implications

  • Users can be created with empty passwords (password stored as empty BCrypt hash)
  • Users can be created with empty email addresses
  • Data integrity issues with blank names

Root Cause Investigation

Possible causes:

  1. Missing @Validated annotation on the controller or method
  2. Missing @Valid annotation on the @Body parameter
  3. Micronaut validation not properly configured

Suggested Fix

Add @Valid annotation to the request body parameter:

@Post
public HttpResponse<UserResponse> createUser(@Body @Valid AddUserRequest requestDTO,
                                             Authentication authentication) {

Or ensure the controller has validation enabled:

@Validated
@Controller("/api/users")
public class UserController {

Related Tests

Disabled tests documenting this behavior:

  • UserControllerValidationTest.createUser_failsWithBlankEmail()
  • UserControllerValidationTest.createUser_failsWithBlankFirstName()
  • UserControllerValidationTest.createUser_failsWithBlankLastName()
  • UserControllerValidationTest.createUser_failsWithBlankPassword()
  • UserControllerValidationTest.createUser_failsWithEmptyRoles()

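As an added example (not code from the project or from the issue author), here is the suggested fix written out in full next to the first of the disabled tests listed above. It assumes Micronaut 4 (jakarta.validation) with micronaut-validation, micronaut-serde and micronaut-security on the classpath; the package name, UserService, UserResponse and the test bearer token are placeholders for this example and are not taken from the repository.

```java
// Added example, not the project's code. Two files shown in one block.
// Assumptions: Micronaut 4, micronaut-validation + micronaut-serde + micronaut-security;
// package com.example.users, UserService and UserResponse are placeholders.

// --- src/main/java/com/example/users/UserController.java ---
package com.example.users;

import io.micronaut.http.HttpResponse;
import io.micronaut.http.annotation.Body;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Post;
import io.micronaut.security.authentication.Authentication;
import io.micronaut.serde.annotation.Serdeable;
import io.micronaut.validation.Validated;
import jakarta.validation.Valid;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.NotEmpty;
import jakarta.validation.constraints.NotNull;
import java.util.List;

@Validated                       // explicit validation advice on the bean
@Controller("/api/users")
public class UserController {

    private final UserService userService;   // placeholder collaborator

    public UserController(UserService userService) {
        this.userService = userService;
    }

    @Serdeable
    public record AddUserRequest(
            @NotBlank String email,
            @NotBlank String firstName,
            @NotBlank String lastName,
            @NotNull Long tenantId,
            @NotBlank String password,
            @NotEmpty List<Long> roles) {
    }

    // @Valid on the @Body parameter is what makes validation cascade into the
    // record's own constraints; without it the @NotBlank/@NotEmpty annotations
    // on the components are never evaluated and a blank body is accepted.
    @Post
    public HttpResponse<UserResponse> createUser(@Body @Valid AddUserRequest requestDTO,
                                                 Authentication authentication) {
        return HttpResponse.created(userService.create(requestDTO, authentication));
    }
}

// --- src/test/java/com/example/users/UserControllerValidationTest.java ---
package com.example.users;

import io.micronaut.http.HttpRequest;
import io.micronaut.http.HttpStatus;
import io.micronaut.http.client.HttpClient;
import io.micronaut.http.client.annotation.Client;
import io.micronaut.http.client.exceptions.HttpClientResponseException;
import io.micronaut.test.extensions.junit5.annotation.MicronautTest;
import jakarta.inject.Inject;
import org.junit.jupiter.api.Test;
import java.util.List;
import java.util.Map;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;

@MicronautTest
class UserControllerValidationTest {

    // Placeholder: a token the test security configuration accepts, so the
    // security filter lets the request reach the controller.
    private static final String TEST_TOKEN = "test-bearer-token";

    @Inject
    @Client("/")
    HttpClient client;

    @Test
    void createUser_failsWithBlankEmail() {
        // Constructed body: the same request as in the issue, with email blank.
        Map<String, Object> body = Map.of(
                "email", "",
                "firstName", "John",
                "lastName", "Doe",
                "tenantId", 1,
                "password", "test123",
                "roles", List.of(1));

        HttpClientResponseException ex = assertThrows(HttpClientResponseException.class,
                () -> client.toBlocking().exchange(
                        HttpRequest.POST("/api/users", body).bearerAuth(TEST_TOKEN),
                        String.class));

        // ConstraintExceptionHandler maps the violation to 400 and names the field.
        assertEquals(HttpStatus.BAD_REQUEST, ex.getStatus());
        assertTrue(ex.getResponse().getBody(String.class).orElse("").contains("email"));
    }
}
```

The line that matters is `@Body @Valid`: Micronaut checks constraint annotations placed directly on method parameters, but for a record or POJO it only descends into the type's own constraints when the parameter carries `@Valid`. The test must run with whatever authentication the endpoint requires (here a placeholder token); without it the security filter answers 401 before validation runs, and the test would pass or fail for the wrong reason. Checking that the response body names `email` guards against a 400 produced by something other than the constraint.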
Labels

  • bug: Something isn't working
  • security: Security-related issues