Use expect for api/v1 and api/web push subs controllers (#33682)

app/controllers/api/v1/push/subscriptions_controller.rb

@@ -56,12 +56,12 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
   end
 
   def subscription_params
-    params.require(:subscription).permit(:endpoint, :standard, keys: [:auth, :p256dh])
+    params.expect(subscription: [:endpoint, :standard, keys: [:auth, :p256dh]])
   end
 
   def data_params
     return {} if params[:data].blank?
 
-    params.require(:data).permit(:policy, alerts: Notification::TYPES)
+    params.expect(data: [:policy, alerts: Notification::TYPES])
   end
 end

app/controllers/api/web/push_subscriptions_controller.rb

@@ -66,7 +66,7 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
   end
 
   def subscription_params
-    @subscription_params ||= params.require(:subscription).permit(:standard, :endpoint, keys: [:auth, :p256dh])
+    @subscription_params ||= params.expect(subscription: [:standard, :endpoint, keys: [:auth, :p256dh]])
   end
 
   def web_push_subscription_params
@@ -82,6 +82,6 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
   end
 
   def data_params
-    @data_params ||= params.require(:data).permit(:policy, alerts: Notification::TYPES)
+    @data_params ||= params.expect(data: [:policy, alerts: Notification::TYPES])
   end
 end

spec/requests/api/v1/push/subscriptions_spec.rb

@@ -107,6 +107,13 @@ RSpec.describe 'API V1 Push Subscriptions' do
 
       it_behaves_like 'validation error'
     end
+
+    it 'gracefully handles invalid nested params' do
+      post api_v1_push_subscription_path, params: { subscription: 'invalid' }, headers: headers
+
+      expect(response)
+        .to have_http_status(400)
+    end
   end
 
   describe 'PUT /api/v1/push/subscription' do
@@ -133,6 +140,13 @@ RSpec.describe 'API V1 Push Subscriptions' do
           policy: alerts_payload[:data][:policy]
         )
     end
+
+    it 'gracefully handles invalid nested params' do
+      put api_v1_push_subscription_path(endpoint_push_subscription), params: { data: 'invalid' }, headers: headers
+
+      expect(response)
+        .to have_http_status(400)
+    end
   end
 
   describe 'GET /api/v1/push/subscription' do

spec/requests/api/web/push_subscriptions_spec.rb

@@ -52,4 +52,28 @@ RSpec.describe 'API Web Push Subscriptions' do
       end
     end
   end
+
+  describe 'POST /api/web/push_subscriptions' do
+    before { sign_in Fabricate :user }
+
+    it 'gracefully handles invalid nested params' do
+      post api_web_push_subscriptions_path, params: { subscription: 'invalid' }
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+
+  describe 'PUT /api/web/push_subscriptions' do
+    before { sign_in Fabricate :user }
+
+    let(:subscription) { Fabricate :web_push_subscription }
+
+    it 'gracefully handles invalid nested params' do
+      put api_web_push_subscription_path(subscription), params: { data: 'invalid' }
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
 end