fix: remove problematic redundant uuid conversion and add api input param validations to api server

Author: jonathanykh

packages/client-direct/src/api.ts

@@ -6,14 +6,46 @@ import {
     AgentRuntime,
     elizaLogger,
     getEnvVariable,
+    UUID,
     validateCharacterConfig,
     ServiceType,
 } from "@elizaos/core";
 
 import { TeeLogQuery, TeeLogService } from "@elizaos/plugin-tee-log";
 import { REST, Routes } from "discord.js";
 import { DirectClient } from ".";
-import { stringToUuid } from "@elizaos/core";
+import { validateUuid } from "@elizaos/core";
+
+interface UUIDParams {
+    agentId: UUID;
+    roomId?: UUID;
+}
+
+function validateUUIDParams(
+    params: { agentId: string; roomId?: string },
+    res: express.Response
+): UUIDParams | null {
+    const agentId = validateUuid(params.agentId);
+    if (!agentId) {
+        res.status(400).json({
+            error: "Invalid AgentId format. Expected to be a UUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+        });
+        return null;
+    }
+
+    if (params.roomId) {
+        const roomId = validateUuid(params.roomId);
+        if (!roomId) {
+            res.status(400).json({
+                error: "Invalid RoomId format. Expected to be a UUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+            });
+            return null;
+        }
+        return { agentId, roomId };
+    }
+
+    return { agentId };
+}
 
 export function createApiRouter(
     agents: Map<string, AgentRuntime>,
@@ -48,7 +80,11 @@ export function createApiRouter(
     });
 
     router.get("/agents/:agentId", (req, res) => {
-        const agentId = req.params.agentId;
+        const { agentId } = validateUUIDParams(req.params, res) ?? {
+            agentId: null,
+        };
+        if (!agentId) return;
+
         const agent = agents.get(agentId);
 
         if (!agent) {
@@ -68,8 +104,11 @@ export function createApiRouter(
     });
 
     router.post("/agents/:agentId/set", async (req, res) => {
-        const agentId = req.params.agentId;
-        console.log("agentId", agentId);
+        const { agentId } = validateUUIDParams(req.params, res) ?? {
+            agentId: null,
+        };
+        if (!agentId) return;
+
         let agent: AgentRuntime = agents.get(agentId);
 
         // update character
@@ -104,7 +143,11 @@ export function createApiRouter(
     });
 
     router.get("/agents/:agentId/channels", async (req, res) => {
-        const agentId = req.params.agentId;
+        const { agentId } = validateUUIDParams(req.params, res) ?? {
+            agentId: null,
+        };
+        if (!agentId) return;
+
         const runtime = agents.get(agentId);
 
         if (!runtime) {
@@ -130,8 +173,12 @@ export function createApiRouter(
     });
 
     router.get("/agents/:agentId/:roomId/memories", async (req, res) => {
-        const agentId = req.params.agentId;
-        const roomId = stringToUuid(req.params.roomId);
+        const { agentId, roomId } = validateUUIDParams(req.params, res) ?? {
+            agentId: null,
+            roomId: null,
+        };
+        if (!agentId || !roomId) return;
+
         let runtime = agents.get(agentId);
 
         // if runtime is null, look for runtime with the same name
@@ -148,7 +195,7 @@ export function createApiRouter(
 
         try {
             const memories = await runtime.messageManager.getMemories({
-                roomId,
+                roomId: roomId,
             });
             const response = {
                 agentId,

packages/core/src/uuid.ts

@@ -1,5 +1,13 @@
 import { sha1 } from "js-sha1";
 import { UUID } from "./types.ts";
+import { z } from "zod";
+
+export const uuidSchema = z.string().uuid() as z.ZodType<UUID>;
+
+export function validateUuid(value: unknown): UUID | null {
+    const result = uuidSchema.safeParse(value);
+    return result.success ? result.data : null;
+}
 
 export function stringToUuid(target: string | number): UUID {
     if (typeof target === "number") {