Raise 400 error on invalid cursor value (#957)

uriyyo · web-flow · commit f25b6dea0cfd · 2023-12-14T09:22:29.000Z
diff --git a/fastapi_pagination/cursor.py b/fastapi_pagination/cursor.py
@@ -5,6 +5,7 @@
     "CursorParams",
 ]
 
+import binascii
 from base64 import b64decode, b64encode
 from typing import (
     Any,
@@ -17,7 +18,7 @@
 )
 from urllib.parse import quote, unquote
 
-from fastapi import Query
+from fastapi import HTTPException, Query, status
 from pydantic import BaseModel, Field
 from typing_extensions import Literal
 
@@ -45,8 +46,14 @@ def decode_cursor(cursor: Optional[str], *, to_str: bool) -> Optional[Cursor]:
 
 def decode_cursor(cursor: Optional[str], *, to_str: bool = True) -> Optional[Cursor]:
     if cursor:
-        res = b64decode(unquote(cursor).encode())
-        return res.decode() if to_str else res
+        try:
+            res = b64decode(unquote(cursor).encode())
+            return res.decode() if to_str else res
+        except binascii.Error:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Invalid cursor value",
+            ) from None
 
     return None
 
diff --git a/tests/test_cursor.py b/tests/test_cursor.py
@@ -1,9 +1,33 @@
+from fastapi import FastAPI, status
+from fastapi.testclient import TestClient
 from pytest import raises
 
-from fastapi_pagination import paginate
-from fastapi_pagination.cursor import CursorParams
+from fastapi_pagination import add_pagination, paginate, resolve_params
+from fastapi_pagination.cursor import CursorPage, CursorParams
 
 
 def test_unsupported_params():
     with raises(ValueError, match="^'cursor' params not supported$"):
         paginate([1, 2, 3], CursorParams())
+
+
+def test_invalid_cursor():
+    app = FastAPI()
+    client = TestClient(app)
+
+    @app.get(
+        "/route",
+        response_model=CursorPage[int],
+    )
+    def route():
+        params = resolve_params()
+        params.to_raw_params()
+
+        return CursorPage(items=[])
+
+    add_pagination(app)
+
+    response = client.get("/route", params={"cursor": "invalid"})
+
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.json() == {"detail": "Invalid cursor value"}
