mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-02-17 07:58:08 +01:00
🔱 chore: Harden API Routes Against IDOR and DoS Attacks (#11760)
* 🔧 feat: Update user key handling in keys route and add comprehensive tests
  - Enhanced the PUT /api/keys route to destructure request body for better clarity and maintainability.
  - Introduced a new test suite for keys route, covering key update, deletion, and retrieval functionalities, ensuring robust validation and IDOR prevention.
  - Added tests to verify handling of extraneous fields and missing optional parameters in requests.
* 🔧 fix: Enhance conversation deletion route with parameter validation
  - Updated the DELETE /api/convos route to handle cases where the request body is empty or the 'arg' parameter is null/undefined, returning a 400 status with an appropriate error message for DoS prevention.
  - Added corresponding tests to ensure proper validation and error handling for these scenarios, enhancing the robustness of the API.
* 🔧 fix: Improve request body validation in keys and convos routes
  - Updated the DELETE /api/convos and PUT /api/keys routes to validate the request body, returning a 400 status for null or invalid bodies to enhance security and prevent potential DoS attacks.
  - Added corresponding tests to ensure proper error handling for these scenarios, improving the robustness of the API.
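The IDOR the commit message refers to is a mass-assignment bug: spreading `req.body` after `userId: req.user.id` lets a body-supplied `userId` override the authenticated one. The following is an added example, not LibreChat's code, that puts the vulnerable handler beside a hardened one and goes one step beyond the commit by also rejecting array bodies and requiring `name`/`value` to be non-empty strings. `makeRes`, `updateUserKey` (a synchronous stand-in that returns what the data layer would receive; the real route awaits its data-layer call), `putKeyBefore`, `putKeyAfter` and the request objects are all hypothetical and constructed here so the file runs under plain Node without Express.

```javascript
// Added example, not LibreChat code. Shows why `{ userId: req.user.id, ...req.body }`
// is a mass-assignment IDOR and what a hardened PUT /api/keys handler looks like.
// Express is not needed: `makeRes` builds a minimal res stand-in and `updateUserKey`
// is a hypothetical synchronous stand-in that returns what the data layer would receive.

function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (payload) => { res.body = payload; return res; };
  return res;
}

// Hypothetical data-layer stand-in: returns a copy of exactly what it was handed.
function updateUserKey(params) {
  return { ...params };
}

// BEFORE the fix: the spread comes last, so a `userId` in the JSON body
// silently overrides the authenticated user's id. Any logged-in user can
// store a key under another user's account.
function putKeyBefore(req, res) {
  const saved = updateUserKey({ userId: req.user.id, ...req.body });
  res.status(201).send();
  return saved;
}

// AFTER the fix, taken one step further than the commit's hunk:
// - reject null / non-object bodies (as the hunk does) AND arrays,
//   because typeof [] === 'object';
// - require `name` and `value` to be non-empty strings so an empty `{}`
//   body never reaches the data layer with undefined fields;
// - pick fields explicitly so the client can never choose `userId`.
function putKeyAfter(req, res) {
  const body = req.body;
  if (body == null || typeof body !== 'object' || Array.isArray(body)) {
    res.status(400).send({ error: 'Invalid request body.' });
    return null;
  }
  const { name, value, expiresAt } = body;
  const nonEmpty = (s) => typeof s === 'string' && s.length > 0;
  if (!nonEmpty(name) || !nonEmpty(value)) {
    res.status(400).send({ error: 'name and value must be non-empty strings.' });
    return null;
  }
  const saved = updateUserKey({ userId: req.user.id, name, value, expiresAt });
  res.status(201).send();
  return saved;
}

// Constructed request: the authenticated user is attacker-1, but the body
// smuggles victim-7 as userId (plus an extraneous `isAdmin` field).
const maliciousReq = {
  user: { id: 'attacker-1' },
  body: { userId: 'victim-7', isAdmin: true, name: 'openAI', value: 'sk-attacker-controlled' },
};

// Runs both handlers on the same request and an array body; returns what
// each one would have persisted and the status given to the array body.
function demo() {
  const before = putKeyBefore(maliciousReq, makeRes());
  const after = putKeyAfter(maliciousReq, makeRes());
  const arrayRes = makeRes();
  putKeyAfter({ user: { id: 'attacker-1' }, body: [] }, arrayRes);
  return { before, after, arrayBodyStatus: arrayRes.statusCode };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows `before.userId` equal to `victim-7` (the attacker wrote another user's record) while `after.userId` stays `attacker-1` and the stray `isAdmin` never reaches the data layer; the array body, which the commit's `typeof` guard alone would accept, gets a 400.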
parent 793ddbce9f
commit b8c31e7314
4 changed files with 216 additions and 4 deletions
@ -5,7 +5,11 @@ const { requireJwtAuth } = require('~/server/middleware');
const router = express.Router();
router.put('/', requireJwtAuth, async (req, res) => {
await updateUserKey({ userId: req.user.id, ...req.body });
if (req.body == null || typeof req.body !== 'object') {
return res.status(400).send({ error: 'Invalid request body.' });
}
const { name, value, expiresAt } = req.body;
await updateUserKey({ userId: req.user.id, name, value, expiresAt });
res.status(201).send();
});
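Review bot: the new `req.body == null || typeof req.body !== 'object'` guard still admits an array body (`typeof [] === 'object'`) and an empty `{}`, so the following `const { name, value, expiresAt } = req.body;` yields all-undefined fields and `updateUserKey` is still called with them; add `Array.isArray(req.body)` to the rejection and return 400 when `name` or `value` is not a non-empty string before the `await updateUserKey(...)` call. The explicit destructuring is the right IDOR fix: with the removed `{ userId: req.user.id, ...req.body }` a `userId` in the body overrode the authenticated id because the spread came last, and `{ userId: req.user.id, name, value, expiresAt }` no longer gives the client that choice, nor lets any other extraneous field through.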