Description
The POST /v1/holders endpoint accepts any string for the type field, including invalid values like "INVALID". A holder is created successfully (201) even though the type should be restricted to NATURAL_PERSON or LEGAL_PERSON.
Root Cause
In pkg/mmodel/holder.go, the CreateHolderInput.Type field uses:
Type *string `json:"type" validate:"required" example:"NATURAL_PERSON" enums:"NATURAL_PERSON,LEGAL_PERSON"`
The enums tag is a Swagger/documentation annotation only — it does not trigger validation. The validate tag only checks required, not the allowed values.
For comparison, alias.go correctly uses oneof in the validate tag:
Role string `json:"role" validate:"required,oneof=PRIMARY_HOLDER LEGAL_REPRESENTATIVE RESPONSIBLE_PARTY"`
Expected Behavior
When type is not one of NATURAL_PERSON or LEGAL_PERSON, the API should return:
- HTTP 400
- A structured error indicating the invalid field value
Suggested Fix
Add oneof to the validate tag:
Type *string `json:"type" validate:"required,oneof=NATURAL_PERSON LEGAL_PERSON" example:"NATURAL_PERSON" enums:"NATURAL_PERSON,LEGAL_PERSON"`
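The same drift between the documentation tag and the validation tag can exist on other fields. The following audit is an added example, not code from the project: `AuditEnumTags` and the two structs are hypothetical names, the structs are constructed copies of the field before and after the suggested fix, and the tag parsing assumes plain space-separated `oneof` values.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// Constructed copies of the field from this issue, before and after the suggested fix.
type holderBefore struct {
	Type *string `json:"type" validate:"required" example:"NATURAL_PERSON" enums:"NATURAL_PERSON,LEGAL_PERSON"`
}
type holderAfter struct {
	Type *string `json:"type" validate:"required,oneof=NATURAL_PERSON LEGAL_PERSON" example:"NATURAL_PERSON" enums:"NATURAL_PERSON,LEGAL_PERSON"`
}

// oneofValues returns the sorted values of the oneof rule in a validate tag, or nil if there is none.
func oneofValues(validate string) []string {
	for _, rule := range strings.Split(validate, ",") {
		if strings.HasPrefix(rule, "oneof=") {
			vals := strings.Fields(strings.TrimPrefix(rule, "oneof="))
			sort.Strings(vals)
			return vals
		}
	}
	return nil
}

// AuditEnumTags (hypothetical helper) reports struct fields whose enums tag
// is not enforced by a oneof rule listing exactly the same values.
func AuditEnumTags(v interface{}) []string {
	var findings []string
	t := reflect.TypeOf(v)
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		enums, ok := f.Tag.Lookup("enums") // fields without an enums tag are skipped
		want := strings.Split(enums, ",")
		sort.Strings(want)
		if got := oneofValues(f.Tag.Get("validate")); ok && !reflect.DeepEqual(want, got) {
			findings = append(findings, fmt.Sprintf("%s.%s: enums=%v oneof=%v", t.Name(), f.Name, want, got))
		}
	}
	return findings
}

func main() {
	fmt.Println(AuditEnumTags(holderBefore{}), AuditEnumTags(holderAfter{}))
}
```

Run over every request model in a unit test, a check like this fails the build when a field documents an enum that the validator does not enforce.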