Return 400 for malformed testimonial JSON #454

Merged
ralyodio merged 1 commit into profullstack:master from rissrice2105-agent:codex/testimonials-json-400
Jun 14, 2026

@rissrice2105-agent

Contributor

Fixes #453.

Summary

  • Return a stable 400 response when POST /api/testimonials receives malformed JSON
  • Avoid falling through to the generic 500 handler for client parse errors
  • Add a regression test that ensures testimonial creation is not attempted after invalid JSON

Verification

  • vitest run src/app/api/testimonials/route.test.ts
  • tsc --noEmit

@greptile-apps

greptile-apps Bot commented Jun 13, 2026


Greptile Summary

This PR adds a targeted fix to POST /api/testimonials so that malformed request bodies return a stable 400 Invalid JSON body instead of falling through to the generic 500 handler, and introduces a regression test to lock in that behaviour.

  • route.ts: Wraps request.json() in an inner try/catch that short-circuits with a 400 response on parse failure, leaving all other validation and DB logic untouched.
  • route.test.ts: New Vitest file that mocks auth, simulates a SyntaxError from the JSON parser, and asserts both the correct HTTP status and that no database client is created.

Confidence Score: 4/5

The change is minimal and confined to a single error-handling path; the happy path and all existing validations are untouched.

The bare catch block will also intercept non-parse exceptions from request.json() and return 400 instead of letting them bubble to the outer 500 handler. In practice this is unlikely, but narrowing to SyntaxError would make the intent explicit.

The inner try/catch in route.ts (lines 74–78) is the only spot worth a second look.

Important Files Changed

Filename | Overview
src/app/api/testimonials/route.ts | Added inner try/catch around request.json() to return 400 for malformed JSON; the catch block is untyped and will also capture non-parse errors, masking them as client errors.
src/app/api/testimonials/route.test.ts | New regression test verifying 400 status, correct error message, and no DB call on malformed JSON; mocks and assertions are correct.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Route as POST /api/testimonials
    participant Auth as getAuthContext
    participant Parser as request.json
    participant DB as createServiceClient

    Client->>Route: POST with body
    Route->>Auth: check auth
    Auth-->>Route: auth context or null

    alt unauthenticated
        Route-->>Client: 401 Unauthorized
    else malformed JSON (new path)
        Route->>Parser: parse body
        Parser-->>Route: throws SyntaxError
        Route-->>Client: 400 Invalid JSON body
    else valid JSON
        Route->>Parser: parse body
        Parser-->>Route: body object
        Route->>DB: validate and insert testimonial
        DB-->>Route: result
        Route-->>Client: 201 testimonial
    end

Reviews (1): Last reviewed commit: "Handle malformed testimonial JSON"

Comment on lines +74 to +78
try {
body = await request.json();
} catch {
return NextResponse.json({ error: "Invalid JSON body" }, { status: 400 });
}
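
Review bot: `body = await request.json();` also succeeds for well-formed JSON that is not an object, such as `null` or a bare string, so this 400 path only covers syntax errors. Check that `body` is a non-null object directly after this block and return the same 400 shape otherwise, so that reading fields from it cannot throw into the generic 500 handler.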


P2 The bare catch swallows every exception thrown by request.json(), not only SyntaxError. In nearly all real cases request.json() only throws SyntaxError, but if a stream or body-reader error surfaces here it will be reported to the caller as 400 Invalid JSON body rather than bubbling to the outer catch and returning a 500. Narrowing to SyntaxError keeps the semantics accurate and lets unexpected errors reach the generic handler.

Suggested change
try {
body = await request.json();
} catch {
return NextResponse.json({ error: "Invalid JSON body" }, { status: 400 });
}
try {
body = await request.json();
} catch (err) {
if (err instanceof SyntaxError) {
return NextResponse.json({ error: "Invalid JSON body" }, { status: 400 });
}
throw err;
}
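
The difference between the two catch blocks in the review comment above, as an added example that is not part of the PR or the review. Plain result objects stand in for NextResponse, and `handle`, `ENDPOINT`, the 500 error text and the sample bodies are constructed for illustration; the non-parse failure used here is a body that was already read, which makes request.json() reject with a TypeError.

```javascript
// Added example; plain result objects stand in for NextResponse (assumption).
const ENDPOINT = "http://localhost/api/testimonials"; // constructed URL, never fetched
const BAD_JSON = { ok: false, status: 400, error: "Invalid JSON body" };

// Bare catch, as in the reviewed lines: every failure becomes a 400.
async function parseBare(request) {
  try {
    return { ok: true, body: await request.json() };
  } catch {
    return BAD_JSON;
  }
}

// Narrowed catch, as in the suggested change: only SyntaxError is a 400.
async function parseNarrow(request) {
  try {
    return { ok: true, body: await request.json() };
  } catch (err) {
    if (err instanceof SyntaxError) return BAD_JSON;
    throw err; // anything else reaches the outer handler
  }
}

// Hypothetical stand-in for the route's outer try/catch (generic 500 handler).
async function handle(parse, request) {
  try {
    const parsed = await parse(request);
    return parsed.ok ? { status: 201 } : { status: parsed.status, error: parsed.error };
  } catch (err) {
    return { status: 500, error: "Internal server error", cause: err.name };
  }
}

const post = (body) => new Request(ENDPOINT, { method: "POST", body });
// A request whose body was already read: request.json() rejects with TypeError.
async function consumed() {
  const request = post('{"quote":"constructed sample"}');
  await request.text();
  return request;
}

// Runs both variants over two constructed inputs and returns the four outcomes.
async function demo() {
  return {
    malformedBare: await handle(parseBare, post('{"quote": ')),
    malformedNarrow: await handle(parseNarrow, post('{"quote": ')),
    consumedBare: await handle(parseBare, await consumed()),
    consumedNarrow: await handle(parseNarrow, await consumed()),
  };
}
```

Calling `demo().then(console.log)` prints the four outcomes: both variants answer 400 for the truncated body, and only the narrowed catch reports the already-read body as a 500.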

@rissrice2105-agent

Contributor Author

CI is green for PR #454.

Verification:

  • vitest run src/app/api/testimonials/route.test.ts
  • tsc --noEmit

uGig invoice evidence has been sent for this PR.

@ralyodio ralyodio merged commit d50eefb into profullstack:master Jun 14, 2026
6 checks passed

Development

Successfully merging this pull request may close these issues.

POST /api/testimonials returns 500 for malformed JSON bodies