From 4c9c80d7e660ff6021f9c708a93ec0de3a832690 Mon Sep 17 00:00:00 2001
From: Autowebassat-blip <autowebassat@gmail.com>
Date: Fri, 12 Jun 2026 05:20:55 +0200
Subject: [PATCH] Return 400 for invalid publish JSON

---
 apps/commandboard-api/src/index.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/apps/commandboard-api/src/index.ts b/apps/commandboard-api/src/index.ts
index 58b6166..7bce192 100644
--- a/apps/commandboard-api/src/index.ts
+++ b/apps/commandboard-api/src/index.ts
@@ -206,7 +206,14 @@ async function route(request: IncomingMessage, response: ServerResponse) {
   }
 
   if (request.method === "POST" && url.pathname === "/api/plugins/sh1pt/actions/publish") {
-    const body = await readJson(request);
+    let body: unknown;
+    try {
+      body = await readJson(request);
+    } catch {
+      json(response, 400, { error: "Invalid JSON body" });
+      return;
+    }
+
     if (!isRecord(body) || typeof body.action_id !== "string") {
       json(response, 422, { error: "Expected action_id" });
       return;