
fix: enforce catalog integrity for order item creation#59

Open
dharapandya85 wants to merge 2 commits into fuzziecoder:main from dharapandya85:fix/enforce-catalog-integrity

Conversation

@dharapandya85

@dharapandya85 dharapandya85 commented Mar 4, 2026

Fixes #18

Changes:

  • computes total server-side
  • prevents client from overriding financial values
  • rejects unknown products

Summary by CodeRabbit

  • Bug Fixes
    • Order submissions now reject items that are not plain objects and disallow supplying name, unitPrice, or total on items, improving order data integrity and preventing malformed orders.

@vercel

vercel bot commented Mar 4, 2026

@dharapandya85 is attempting to deploy a commit to the Revon Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai bot commented Mar 4, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bd0b22c1-510a-47db-aba4-75766d4fe860

📥 Commits

Reviewing files that changed from the base of the PR and between 455386d and ba3d53b.

📒 Files selected for processing (1)
  • backend/db.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • backend/db.js

📝 Walkthrough

Walkthrough

The createOrder function in the backend database module now validates each order item: it rejects non-object or array items and prohibits client-supplied name, unitPrice, or total properties, ensuring those fields are derived from the catalog server-side.

Changes

Cohort / File(s)                      Summary
Order Validation (backend/db.js)      Added item-format checks in createOrder (reject non-object/array items) and a new guard rejecting items that include name, unitPrice, or total; catalog lookups and derived computations remain unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

medium


🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: enforcing catalog integrity when creating order items, which directly matches the primary objective of validating order products against catalog.
Linked Issues check ✅ Passed The PR implementation meets all three acceptance criteria from Issue #18: rejects unknown productId, derives item name/unitPrice from catalog, and prevents client-provided overrides by rejecting items with these properties.
Out of Scope Changes check ✅ Passed All changes in backend/db.js are focused on validating order items against the catalog and preventing client overrides, directly aligned with Issue #18 requirements.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@backend/db.js`:
- Around line 244-247: The map callback used to build parsedItems currently uses
the 'in' operator on item which can throw a TypeError for
null/undefined/primitives and also checks prototype properties; before accessing
'in' replace that with a type guard that ensures item is a non-null object
(e.g., typeof item === 'object' && item !== null) and then use
Object.prototype.hasOwnProperty.call(item, 'name') / 'unitPrice' / 'total' to
check only own properties; update the items.map callback to validate and throw
the existing Error when those own properties are present, and otherwise continue
parsing so malformed payloads produce a controlled validation error instead of a
runtime TypeError.

ℹ️ Review info
Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0a9875a5-d430-4829-8be2-4625fef04d23

📥 Commits

Reviewing files that changed from the base of the PR and between 7c7156f and 455386d.

📒 Files selected for processing (1)
  • backend/db.js
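The review comment above asks for a type guard before any property access and for own-property checks instead of the `in` operator; the PR description asks for catalog-derived names and prices, a server-computed total, and rejection of unknown products. The following is an added example that puts those together, not the project's backend/db.js: the catalog shape, `createOrderItems`, `createOrderItemsTrusting`, `OrderValidationError` and the sample payloads are assumptions constructed for illustration. The trusting function shows the 'before' shape the linked issue describes, so the tampered payload can be run against both.

```javascript
// Added example, not the project's backend/db.js. The catalog shape, function
// names and sample payloads below are assumptions made for illustration.

// Constructed sample catalog: productId -> { name, unitPriceCents }.
// Prices are kept in integer cents so totals never suffer float rounding.
const CATALOG = new Map([
  ['sku-100', { name: 'Keyboard', unitPriceCents: 4999 }],
  ['sku-200', { name: 'Mouse', unitPriceCents: 1999 }],
]);

class OrderValidationError extends Error {}

// The 'before' shape the issue describes: every financial field is taken
// from the client, so a tampered payload sets its own price and total.
function createOrderItemsTrusting(items) {
  const parsed = items.map((item) => ({
    productId: item.productId,
    name: item.name,
    quantity: item.quantity,
    unitPrice: item.unitPrice,
    total: item.total,
  }));
  const orderTotal = parsed.reduce((sum, it) => sum + it.total, 0);
  return { items: parsed, orderTotal };
}

// Hardened version: the catalog is the only source of name and price, the
// total is computed here, and any attempt to supply those fields is rejected.
function createOrderItems(catalog, items) {
  if (!Array.isArray(items) || items.length === 0) {
    throw new OrderValidationError('items must be a non-empty array');
  }
  const forbidden = ['name', 'unitPrice', 'total'];
  const parsed = items.map((item, idx) => {
    // Type guard first: `in` and property access throw a TypeError on
    // null/undefined/primitives, so check the shape before touching anything.
    if (typeof item !== 'object' || item === null || Array.isArray(item)) {
      throw new OrderValidationError(`item ${idx}: must be a plain object`);
    }
    // Own-property check only: an inherited `total` is not a client override,
    // and `in` would also report properties from the prototype chain.
    for (const key of forbidden) {
      if (Object.prototype.hasOwnProperty.call(item, key)) {
        throw new OrderValidationError(`item ${idx}: ${key} must not be supplied`);
      }
    }
    if (typeof item.productId !== 'string') {
      throw new OrderValidationError(`item ${idx}: productId must be a string`);
    }
    const product = catalog.get(item.productId);
    if (!product) {
      throw new OrderValidationError(`item ${idx}: unknown product ${item.productId}`);
    }
    const qty = item.quantity;
    if (!Number.isInteger(qty) || qty <= 0 || qty > 1000) {
      throw new OrderValidationError(`item ${idx}: quantity must be an integer in 1..1000`);
    }
    return {
      productId: item.productId,
      name: product.name,
      quantity: qty,
      unitPriceCents: product.unitPriceCents,
      totalCents: product.unitPriceCents * qty,
    };
  });
  const orderTotalCents = parsed.reduce((sum, it) => sum + it.totalCents, 0);
  return { items: parsed, orderTotalCents };
}

// Constructed tampered payload: the client "buys" a keyboard for one cent.
const TAMPERED = [
  { productId: 'sku-100', quantity: 1, name: 'Keyboard', unitPrice: 0.01, total: 0.01 },
];

// Constructed honest payload: only productId and quantity are sent.
const HONEST = [
  { productId: 'sku-100', quantity: 2 },
  { productId: 'sku-200', quantity: 1 },
];

// Usage: createOrderItemsTrusting(TAMPERED) happily returns a one-cent order,
// while createOrderItems(CATALOG, TAMPERED) throws before any price is used.
```

Rejecting an item that carries `name`, `unitPrice` or `total` (rather than silently dropping the fields) is the safer choice here: it makes a tampered or outdated client visible in logs instead of letting it appear to succeed with different numbers than it sent. The quantity bound is an assumption added for the example; a real service would pick its own limit.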

@fuzziecoder
Owner

@dharapandya85 there are some issues, please fix them and then let me know.

@dharapandya85
Author

@dharapandya85 there are some issues, please fix them and then let me know.

@fuzziecoder, please check now.


Development

Successfully merging this pull request may close these issues.

Validate order products against catalog

2 participants