Skip to content

fix: handle null name parameter in user creation endpoints#11215

Open
njg7194 wants to merge 1 commit intoappwrite:mainfrom
njg7194:fix/null-name-validation
Open

fix: handle null name parameter in user creation endpoints#11215
njg7194 wants to merge 1 commit intoappwrite:mainfrom
njg7194:fix/null-name-validation

Conversation

@njg7194
Copy link

@njg7194 njg7194 commented Feb 1, 2026

What does this PR do?

Fixes #8785

Problem

When a client explicitly sends name: null in the request body to any of the user creation endpoints (POST /v1/users, /v1/users/bcrypt, /v1/users/md5, etc.), the API returns a vague server error instead of handling it gracefully.

Solution

The name parameter now uses the Nullable validator wrapper (consistent with email and phone parameters that already handle null values):

  1. Changed the param validator from new Text(128) to new Nullable(new Text(128))
  2. Changed the action function parameter type from string $name to ?string $name
  3. Used null coalescing operator ($name ?? '') when passing to createUser() function

Affected Endpoints

  • POST /v1/users
  • POST /v1/users/bcrypt
  • POST /v1/users/md5
  • POST /v1/users/argon2
  • POST /v1/users/sha
  • POST /v1/users/phpass
  • POST /v1/users/scrypt
  • POST /v1/users/scrypt-modified

Testing

  • Sending name: null now creates user with empty name (same as not sending name at all)
  • Sending name: "John" works as before
  • Not sending name parameter works as before

Related Issue

Fixes #8785

@njg7194
fix: handle null name parameter in user creation endpoints
7c36b77 
Fixes appwrite#8785

When a client explicitly sends `name: null` in the request body,
the API now properly handles it instead of returning a vague server error.

Changes:
- Wrap Text(128) validator with Nullable() for the name parameter
- Accept nullable string (?string) in action functions
- Use null coalescing operator ($name ?? '') when calling createUser

This makes the name parameter consistent with email and phone parameters
which already use the Nullable wrapper.
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 1, 2026
edited
Loading

📝 Walkthrough

Walkthrough

This change modifies user creation API endpoints to accept null values for the name parameter instead of rejecting them with a server error. The implementation updates the name parameter declarations from Text(128) to Nullable(Text(128)) across eight endpoints, adjusts corresponding action signatures to accept ?string $name, and normalizes null values to empty strings internally via the nullish coalescing operator ($name ?? '') before creating user documents. Affected endpoints include the base /v1/users route and its password-hashing variants (bcrypt, md5, argon2, sha, phpass, scrypt, scrypt-modified) along with related password and verification update endpoints.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: making the name parameter nullable in user creation endpoints.
Description check ✅ Passed The description clearly explains the problem, solution, affected endpoints, testing approach, and links to the related issue.
Linked Issues check ✅ Passed The PR successfully addresses issue #8785 by making the name parameter nullable across all user creation endpoints, allowing null values without server errors.
Out of Scope Changes check ✅ Passed All changes are focused on making the name parameter nullable in user creation endpoints, directly addressing the linked issue with no extraneous modifications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Copy link

github-actions bot commented Feb 1, 2026

Security Scan Results for PR

Docker Image Scan Results

Package Version Vulnerability Severity
libcrypto3 3.5.4-r0 CVE-2025-15467 CRITICAL
libcrypto3 3.5.4-r0 CVE-2025-69419 HIGH
libpng 1.6.51-r0 CVE-2025-66293 HIGH
libpng 1.6.51-r0 CVE-2026-22695 HIGH
libpng 1.6.51-r0 CVE-2026-22801 HIGH
libpng-dev 1.6.51-r0 CVE-2025-66293 HIGH
libpng-dev 1.6.51-r0 CVE-2026-22695 HIGH
libpng-dev 1.6.51-r0 CVE-2026-22801 HIGH
libssl3 3.5.4-r0 CVE-2025-15467 CRITICAL
libssl3 3.5.4-r0 CVE-2025-69419 HIGH
openssl 3.5.4-r0 CVE-2025-15467 CRITICAL
openssl 3.5.4-r0 CVE-2025-69419 HIGH
openssl-dev 3.5.4-r0 CVE-2025-15467 CRITICAL
openssl-dev 3.5.4-r0 CVE-2025-69419 HIGH
py3-urllib3 1.26.20-r0 CVE-2026-21441 HIGH
py3-urllib3-pyc 1.26.20-r0 CVE-2026-21441 HIGH

Source Code Scan Results

🎉 No vulnerabilities found!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

🐛 Bug Report: All Users.CreateUser... endpoints return a vague server error is null name is provided

1 participant

@njg7194