Handle malformed JSON in message send API #411

Open: phucnguyen1707 wants to merge 1 commit into profullstack:master from phucnguyen1707:fix/message-invalid-json

@phucnguyen1707
Contributor

Summary

  • return a 400 Invalid JSON body response when POST /api/messages/send receives malformed JSON
  • keep the existing Zod validation path unchanged for parsed request bodies
  • add regression coverage for the malformed JSON case

Closes #410

Testing

  • ./node_modules/.bin/vitest run src/app/api/messages/send/route.test.ts
  • ./node_modules/.bin/eslint src/app/api/messages/send/route.ts src/app/api/messages/send/route.test.ts

Note: the local pre-commit hook could not run through pnpm because pnpm failed before lint with a cache sqlite error (unable to open database file). I ran the scoped Vitest and ESLint commands directly through node_modules instead.

@greptile-apps

greptile-apps Bot commented Jun 5, 2026

Greptile Summary

This PR guards the POST /api/messages/send handler against malformed request bodies by wrapping request.json() in its own try/catch and returning a structured 400 before any downstream logic runs. A new Vitest file adds regression coverage for that specific path.

  • route.ts: a small inner try/catch is added around request.json(); on parse failure it returns { error: "Invalid JSON body" } with status 400, leaving the Zod validation and all business logic paths unchanged.
  • route.test.ts: introduces a new test file that mocks all external dependencies (getAuthContext, Supabase, email, webhooks, notifications) and asserts the 400 response for a broken JSON body; only the malformed-JSON case is covered — happy path and other error branches have no tests in this file.

Confidence Score: 4/5

Safe to merge — the change is narrow, correctly scoped inside the outer catch, and does not alter any existing code paths.

The route change is minimal and correct: the inner catch fires only for parse failures and returns before any business logic executes, so existing paths are untouched. The test file is new and covers only the targeted error case; there are no tests for auth failures, valid payloads, or Zod validation errors, which means regressions in those paths would go undetected by this suite.

route.test.ts — the test suite is thin; only the malformed-JSON case is exercised.

Important Files Changed

Filename | Overview
src/app/api/messages/send/route.ts | Adds a nested try/catch around request.json() to return a 400 "Invalid JSON body" response instead of letting a SyntaxError bubble to the outer catch and produce a 500.
src/app/api/messages/send/route.test.ts | New test file with a single case covering the malformed-JSON path; mocks all external dependencies correctly, but leaves the happy path and other error branches untested.

Sequence Diagram

sequenceDiagram
    participant Client
    participant POST as POST /api/messages/send
    participant Auth as getAuthContext
    participant Body as request.json()
    participant Zod as sendMessageSchema.safeParse
    participant DB as Supabase

    Client->>POST: POST with JSON body
    POST->>Auth: getAuthContext(request)
    Auth-->>POST: "null (401 Unauthorized) or {user, supabase}"
    POST->>Body: await request.json()
    Note over Body: NEW: wrapped in try/catch
    alt Malformed JSON
        Body-->>POST: throws SyntaxError
        POST-->>Client: "400 { error: "Invalid JSON body" }"
    else Valid JSON
        Body-->>POST: parsed object
        POST->>Zod: safeParse(body)
        alt Validation fails
            Zod-->>POST: error
            POST-->>Client: "400 { error: "..." }"
        else Validation passes
            Zod-->>POST: "{recipient, content}"
            POST->>DB: look up recipient, find/create conversation, insert message
            DB-->>POST: message + conversationId
            POST-->>Client: "201 { data: { conversation_id, message } }"
        end
    end

Reviews (1): Last reviewed commit: "Handle malformed message JSON"
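
The behaviour change discussed in this thread, as an added example that is not the PR's code: the same handler shape before and after the parse gets its own try/catch. `JSON.parse` on a raw string stands in for `await request.json()`; `validate`, `deliver`, the 500 body and the "Invalid request" message are hypothetical stand-ins for the Zod schema, the Supabase logic and the route's real error text.

```typescript
// Added example: all names here are hypothetical, not the project's code.
type Result = { status: number; body: Record<string, unknown> };

// Hand-rolled stand-in for sendMessageSchema.safeParse (the PR uses Zod).
function validate(v: unknown): { recipient: string; content: string } | null {
  if (typeof v !== "object" || v === null) return null;
  const o = v as Record<string, unknown>;
  if (typeof o.recipient !== "string" || o.recipient.length === 0) return null;
  if (typeof o.content !== "string" || o.content.length === 0) return null;
  return { recipient: o.recipient, content: o.content };
}

// Placeholder for the business logic (recipient lookup, insert message).
function deliver(msg: { recipient: string; content: string }): Result {
  return { status: 201, body: { data: { message: msg } } };
}

// Before: the parse shares the outer try/catch, so a SyntaxError from a
// malformed body is reported as a server fault (500).
function sendBefore(raw: string): Result {
  try {
    const parsed = validate(JSON.parse(raw));
    if (!parsed) return { status: 400, body: { error: "Invalid request" } };
    return deliver(parsed);
  } catch {
    return { status: 500, body: { error: "Internal server error" } };
  }
}

// After: a parse failure is caught on its own and answered with a 400
// before validation or business logic runs; the outer catch is unchanged.
function sendAfter(raw: string): Result {
  try {
    let body: unknown;
    try {
      body = JSON.parse(raw);
    } catch {
      return { status: 400, body: { error: "Invalid JSON body" } };
    }
    // Syntactically valid JSON (including null or an array) still goes
    // through schema validation, exactly as before.
    const parsed = validate(body);
    if (!parsed) return { status: 400, body: { error: "Invalid request" } };
    return deliver(parsed);
  } catch {
    return { status: 500, body: { error: "Internal server error" } };
  }
}
```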

Development

Successfully merging this pull request may close these issues.

Messages send API returns 500 for malformed JSON