Description
The custom @NullOrNotBlank validation constraints on UserController.UpdateSelfRequest fields are not being enforced. Requests with blank/whitespace-only values for firstName, lastName, and password are accepted instead of being rejected.
Current Behavior
The following request is accepted (HTTP 200 OK) when it should be rejected:
{
  "firstName": " ",
  "lastName": "Valid"
}
This allows users to set their firstName to only whitespace characters.
Expected Behavior
- null values should be accepted (field not updated)
- Non-blank values should be accepted (field updated)
- Blank/whitespace-only values should be rejected with HTTP 400 Bad Request
Affected Component
// UserController.java
@Serdeable
public record UpdateSelfRequest(
        @NullOrNotBlank String firstName, // Not enforced
        @NullOrNotBlank String lastName,  // Not enforced
        @NullOrNotBlank String password) { // Not enforced
}
The NullOrNotBlankValidator class itself is correctly implemented:
public class NullOrNotBlankValidator implements ConstraintValidator<NullOrNotBlank, String> {
    @Override
    public boolean isValid(String value, ConstraintValidatorContext context) {
        return value == null || !value.trim().isEmpty();
    }
}
Security Implications
- Users can set their password to whitespace only (appears blank but is a valid BCrypt hash)
- Users can have names that are only whitespace, causing display/formatting issues
Root Cause Investigation
The validator implementation is correct. The issue is likely:
- Missing @Valid annotation on the @Body parameter
- Missing @Validated annotation on the controller
- Custom constraint validator not being picked up by Micronaut
Suggested Fix
Ensure validation is enabled on the endpoint:
@Patch("{id}")
public HttpResponse<UserResponse> selfPatch(@PathVariable Long id,
                                            @Body @Valid UpdateSelfRequest requestDTO,
                                            Authentication authentication) {
    // existing method body unchanged
}
Related Tests
Disabled tests documenting this behavior:
UserControllerValidationTest.selfPatch_failsWithBlankFirstName()
UserControllerValidationTest.selfPatch_failsWithBlankLastName()
UserControllerValidationTest.selfPatch_failsWithBlankPassword()
Unit tests confirming validator logic is correct:
NullOrNotBlankValidatorTest (all tests pass)
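To tell the suspected root causes apart, the constraint can be run through the application's injected validator directly, bypassing the controller. This is an added example, not code from the project; it assumes Micronaut 4 (jakarta.validation), micronaut-test-junit5, a test class in the same package as UserController, and a hypothetical test class name.

```java
// Added diagnostic, not part of the project's test suite.
// Assumptions: Micronaut 4 (jakarta.validation), micronaut-test-junit5, and a
// test placed in the same package as UserController.
import io.micronaut.test.extensions.junit5.annotation.MicronautTest;
import io.micronaut.validation.validator.Validator;
import jakarta.inject.Inject;
import org.junit.jupiter.api.Test;

import java.util.Set;
import java.util.stream.Collectors;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;

@MicronautTest
class UpdateSelfRequestConstraintTest { // hypothetical class name

    @Inject
    Validator validator; // the application's own validator bean

    // Names of the record components that produced a constraint violation.
    private Set<String> invalidFields(UserController.UpdateSelfRequest request) {
        return validator.validate(request).stream()
                .map(v -> v.getPropertyPath().toString())
                .collect(Collectors.toSet());
    }

    @Test
    void nullFieldsAreAccepted() {
        assertTrue(invalidFields(
                new UserController.UpdateSelfRequest(null, null, null)).isEmpty());
    }

    @Test
    void nonBlankFieldsAreAccepted() {
        // Constructed sample values.
        assertTrue(invalidFields(
                new UserController.UpdateSelfRequest("Ada", "Valid", "constructed-Passw0rd")).isEmpty());
    }

    @Test
    void whitespaceOnlyFieldsAreRejected() {
        // Empty set here: the custom constraint validator is not being picked up.
        // All three reported while the endpoint still returns 200: the controller
        // never triggers validation (missing @Valid / @Validated).
        assertEquals(Set.of("firstName", "lastName", "password"),
                invalidFields(new UserController.UpdateSelfRequest(" ", "\t", "   ")));
    }
}
```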