Summary
The volunteer API could be made more robust by validating input earlier and handling failures explicitly.
Current behavior
- User input is interpolated directly into Airtable's
filterByFormula.
- Request bodies are parsed without handling malformed JSON.
- The endpoint accepts any HTTP method.
- Email addresses are not validated before use.
- Airtable lookup/create failures are logged but do not affect the response, so the endpoint may still return success even when persistence fails.
Proposed improvements
- Restrict the endpoint to POST requests.
- Gracefully handle malformed request bodies.
- Validate email addresses before processing.
- Escape user input before constructing Airtable formulas.
- Return appropriate HTTP status codes when Airtable operations fail instead of silently continuing.
I'd be happy to work on this.
Summary
The volunteer API could be made more robust by validating input earlier and handling failures explicitly.
Current behavior
filterByFormula.Proposed improvements
I'd be happy to work on this.