From 2fd68cfe3ae02c8cfe08bcbff32eeb3d1679c40d Mon Sep 17 00:00:00 2001
From: Eric Mc Sween <5454374+emcsween@users.noreply.github.com>
Date: Thu, 3 Jul 2025 16:08:43 -0400
Subject: [PATCH] Migrate purchaseAddon to zod

GitOrigin-RevId: 532b2f3b04dc9ef7b149a4caaa62fe8495d78622
---
 .../Features/Subscription/SubscriptionController.js    | 10 +++++++++-
 .../src/Features/Subscription/SubscriptionRouter.mjs   |  5 -----
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/services/web/app/src/Features/Subscription/SubscriptionController.js b/services/web/app/src/Features/Subscription/SubscriptionController.js
index 1bfe614e81..dfeea7969e 100644
--- a/services/web/app/src/Features/Subscription/SubscriptionController.js
+++ b/services/web/app/src/Features/Subscription/SubscriptionController.js
@@ -40,6 +40,7 @@ const PermissionsManager = require('../Authorization/PermissionsManager')
 const {
   sanitizeSessionUserForFrontEnd,
 } = require('../../infrastructure/FrontEndUser')
+const { z, validateReq } = require('../../infrastructure/Validation')
 const { IndeterminateInvoiceError } = require('../Errors/Errors')
 const SubscriptionLocator = require('./SubscriptionLocator')
 
@@ -564,9 +565,16 @@ async function previewAddonPurchase(req, res) {
   })
 }
 
+const purchaseAddonSchema = z.object({
+  params: z.object({
+    addOnCode: z.string(),
+  }),
+})
+
 async function purchaseAddon(req, res, next) {
   const user = SessionManager.getSessionUser(req.session)
-  const addOnCode = req.params.addOnCode
+  const { params } = validateReq(req, purchaseAddonSchema)
+  const addOnCode = params.addOnCode
   // currently we only support having a quantity of 1
   const quantity = 1
   // currently we only support one add-on, the Ai add-on
diff --git a/services/web/app/src/Features/Subscription/SubscriptionRouter.mjs b/services/web/app/src/Features/Subscription/SubscriptionRouter.mjs
index caa4ae5984..a5fb7d695d 100644
--- a/services/web/app/src/Features/Subscription/SubscriptionRouter.mjs
+++ b/services/web/app/src/Features/Subscription/SubscriptionRouter.mjs
@@ -177,11 +177,6 @@ export default {
     webRouter.post(
       '/user/subscription/addon/:addOnCode/add',
       AuthenticationController.requireLogin(),
-      validate({
-        params: Joi.object({
-          addOnCode: Joi.string(),
-        }),
-      }),
       RateLimiterMiddleware.rateLimit(subscriptionRateLimiter),
       SubscriptionController.purchaseAddon
     )