fix: Bypass invalid values in contact patch end point (#4519)

app/models/contact.rb

@@ -31,8 +31,7 @@ class Contact < ApplicationRecord
   validates :email, allow_blank: true, uniqueness: { scope: [:account_id], case_sensitive: false }
   validates :identifier, allow_blank: true, uniqueness: { scope: [:account_id] }
   validates :phone_number,
-            allow_blank: true, uniqueness: { scope: [:account_id] },
-            format: { with: /\+[1-9]\d{1,14}\z/, message: 'should be in e164 format' }
+            allow_blank: true, uniqueness: { scope: [:account_id] }
   validates :name, length: { maximum: 255 }
 
   belongs_to :account
@@ -42,8 +41,8 @@ class Contact < ApplicationRecord
   has_many :inboxes, through: :contact_inboxes
   has_many :messages, as: :sender, dependent: :destroy_async
   has_many :notes, dependent: :destroy_async
-
   before_validation :prepare_contact_attributes
+  before_save :phone_number_format, :email_format
   after_create_commit :dispatch_create_event, :ip_lookup
   after_update_commit :dispatch_update_event
   after_destroy_commit :dispatch_destroy_event
@@ -143,6 +142,18 @@ class Contact < ApplicationRecord
     ContactIpLookupJob.perform_later(self)
   end
 
+  def phone_number_format
+    return if phone_number.blank?
+
+    self.phone_number = changes['phone_number'].first unless phone_number.match?(/\+[1-9]\d{1,14}\z/)
+  end
+
+  def email_format
+    return if email.blank?
+
+    self.email = changes['email'].first unless email.match(Devise.email_regexp)
+  end
+
   def prepare_contact_attributes
     prepare_email_attribute
     prepare_jsonb_attributes

spec/controllers/api/v1/widget/contacts_controller_spec.rb

@@ -3,7 +3,7 @@ require 'rails_helper'
 RSpec.describe '/api/v1/widget/contacts', type: :request do
   let(:account) { create(:account) }
   let(:web_widget) { create(:channel_widget, account: account) }
-  let(:contact) { create(:contact, account: account) }
+  let(:contact) { create(:contact, account: account, email: 'test@test.com', phone_number: '+745623239') }
   let(:contact_inbox) { create(:contact_inbox, contact: contact, inbox: web_widget.inbox) }
   let(:payload) { { source_id: contact_inbox.source_id, inbox_id: web_widget.inbox.id } }
   let(:token) { ::Widget::TokenService.new(payload: payload).generate_token }
@@ -39,6 +39,50 @@ RSpec.describe '/api/v1/widget/contacts', type: :request do
       end
     end
 
+    context 'with update contact' do
+      let(:params) { { website_token: web_widget.website_token } }
+
+      it 'dont update phone number if invalid phone number passed' do
+        patch '/api/v1/widget/contact',
+              params: params.merge({ phone_number: '45623239' }),
+              headers: { 'X-Auth-Token' => token },
+              as: :json
+        body = JSON.parse(response.body)
+        expect(body['phone_number']).to eq('+745623239')
+        expect(response).to have_http_status(:success)
+      end
+
+      it 'update phone number if valid phone number passed' do
+        patch '/api/v1/widget/contact',
+              params: params.merge({ phone_number: '+245623239' }),
+              headers: { 'X-Auth-Token' => token },
+              as: :json
+        body = JSON.parse(response.body)
+        expect(body['phone_number']).to eq('+245623239')
+        expect(response).to have_http_status(:success)
+      end
+
+      it 'dont update email if invalid email passed' do
+        patch '/api/v1/widget/contact',
+              params: params.merge({ email: 'test@' }),
+              headers: { 'X-Auth-Token' => token },
+              as: :json
+        body = JSON.parse(response.body)
+        expect(body['email']).to eq('test@test.com')
+        expect(response).to have_http_status(:success)
+      end
+
+      it 'update email if valid email passed' do
+        patch '/api/v1/widget/contact',
+              params: params.merge({ email: 'test-1@test.com' }),
+              headers: { 'X-Auth-Token' => token },
+              as: :json
+        body = JSON.parse(response.body)
+        expect(body['email']).to eq('test-1@test.com')
+        expect(response).to have_http_status(:success)
+      end
+    end
+
     context 'with mandatory hmac' do
       let(:identify_action) { double }
       let(:web_widget) { create(:channel_widget, account: account, hmac_mandatory: true) }