fix(backend): prevent request payload from overriding id and name (#5913)

Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
2026-03-02 22:20:43 +06:00 · 2026-03-02 22:20:43 +06:00 · d6ea86dcca
commit d6ea86dcca
parent 4594e838d4
2 changed files with 68 additions and 2 deletions
--- a/packages/hoppscotch-backend/src/user-collection/user-collection.service.spec.ts
+++ b/packages/hoppscotch-backend/src/user-collection/user-collection.service.spec.ts
@ -2314,3 +2314,69 @@ describe('updateUserCollection', () => {
    );
  });
 });
+
+describe('exportUserCollectionToJSONObject', () => {
+  test('should use DB row id and title over conflicting values in stored request payload', async () => {
+    const dbRowId = 'db-row-cuid-001';
+    const dbRowTitle = 'My Request';
+    const payloadId = 'stale-payload-id-from-original';
+    const payloadName = 'stale-payload-name-from-original';
+
+    mockPrisma.userCollection.findUniqueOrThrow.mockResolvedValueOnce({
+      ...rootRESTUserCollection,
+    });
+    mockPrisma.userCollection.findMany.mockResolvedValueOnce([]);
+    mockPrisma.userRequest.findMany.mockResolvedValueOnce([
+      {
+        id: dbRowId,
+        title: dbRowTitle,
+        collectionID: rootRESTUserCollection.id,
+        userUid: user.uid,
+        type: ReqType.REST,
+        orderIndex: 1,
+        createdOn: currentTime,
+        updatedOn: currentTime,
+        mockExamples: null,
+        request: {
+          id: payloadId,
+          name: payloadName,
+          v: '12',
+          endpoint: 'https://example.com',
+          method: 'GET',
+          params: [],
+          headers: [],
+          preRequestScript: '',
+          testScript: '',
+          auth: { authType: 'none', authActive: false },
+          body: { contentType: null, body: null },
+          requestVariables: [],
+          responses: {},
+        },
+      },
+    ]);
+
+    const result = await userCollectionService.exportUserCollectionToJSONObject(
+      user.uid,
+      rootRESTUserCollection.id,
+    );
+
+    expect(result).toEqualRight(
+      expect.objectContaining({
+        requests: [expect.objectContaining({ id: dbRowId, name: dbRowTitle })],
+      }),
+    );
+  });
+
+  test('should throw USER_COLL_NOT_FOUND when collectionID is invalid', async () => {
+    mockPrisma.userCollection.findUniqueOrThrow.mockRejectedValueOnce(
+      new Error('NotFoundError'),
+    );
+
+    const result = await userCollectionService.exportUserCollectionToJSONObject(
+      user.uid,
+      'non-existent-id',
+    );
+
+    expect(result).toEqualLeft(USER_COLL_NOT_FOUND);
+  });
+});
--- a/packages/hoppscotch-backend/src/user-collection/user-collection.service.ts
+++ b/packages/hoppscotch-backend/src/user-collection/user-collection.service.ts
@ -920,9 +920,9 @@ export class UserCollectionService {
      folders: childrenCollectionObjects,
      requests: requests.map((x) => {
        return {
+          ...(x.request as Record<string, unknown>), // type casting x.request of type Prisma.JSONValue to an object to enable spread
          id: x.id,
          name: x.title,
-          ...(x.request as Record<string, unknown>), // type casting x.request of type Prisma.JSONValue to an object to enable spread
        };
      }),
      data,
@ -996,9 +996,9 @@ export class UserCollectionService {
          folders: collectionListObjects,
          requests: requests.map((x) => {
            return {
+              ...(x.request as Record<string, unknown>), // type casting x.request of type Prisma.JSONValue to an object to enable spread
              id: x.id,
              name: x.title,
-              ...(x.request as Record<string, unknown>), // type casting x.request of type Prisma.JSONValue to an object to enable spread
            };
          }),
          data: JSON.stringify(parentCollection.right.data),