From 9920993ca4e52e3dd497b5932569aa05c527722d Mon Sep 17 00:00:00 2001
From: Mark de Dios <mhdedios@gmail.com>
Date: Tue, 24 Jun 2025 13:03:39 -0700
Subject: [PATCH 01/14] Add github action for tseting a PR branch on push

---
 .github/workflows/test.yml | 43 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 .github/workflows/test.yml

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..49490ae
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,43 @@
+name: Test code
+
+on:
+  workflow_dispatch:
+  pull_request:
+
+permissions:
+  contents: read
+
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+
+      - name: Check out repo
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and run linter
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: .docker/Dockerfile
+          tags: test-chatbot
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          outputs: type=docker
+
+      - name: Run linter
+        run: |
+          docker run --rm --memory=1g \
+          -v ${{ github.workspace }}:/chatbot_server \
+          -w /chatbot_server \
+          lint-chatbot-server \
+          sh -c "pnpm install --frozen-lockfile && pnpm test"
\ No newline at end of file

From d77a66527f75c4d9671d399323d30802d61b4b05 Mon Sep 17 00:00:00 2001
From: Mark de Dios <mhdedios@gmail.com>
Date: Tue, 24 Jun 2025 13:07:21 -0700
Subject: [PATCH 02/14] Add copy scripts/ line to dockerfile

---
 .docker/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.docker/Dockerfile b/.docker/Dockerfile
index c04abec..a283ae4 100644
--- a/.docker/Dockerfile
+++ b/.docker/Dockerfile
@@ -6,6 +6,7 @@ RUN corepack use pnpm@*
 
 ARG WORKDIR=/chatbot_server
 WORKDIR ${WORKDIR}
+COPY scripts/ ${WORKDIR}/scripts/
 
 # Adding package.json first will cache our dependencies so
 # that they do not have to be re-installed when the image rebuilds

From 6c853627d36c1cb27de35f093a4ab8281bbb05f6 Mon Sep 17 00:00:00 2001
From: Mark de Dios <mhdedios@gmail.com>
Date: Tue, 24 Jun 2025 13:16:24 -0700
Subject: [PATCH 03/14] Replace add with copy for gitconfig

---
 .docker/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.docker/Dockerfile b/.docker/Dockerfile
index a283ae4..16b625c 100644
--- a/.docker/Dockerfile
+++ b/.docker/Dockerfile
@@ -21,6 +21,6 @@ COPY . .
 RUN chmod +x ./scripts/*.sh || true
 # Set up git
 RUN apk add git
-ADD git-config.txt ${WORKDIR}
+COPY git-config.txt ${WORKDIR}
 
 EXPOSE 7000
\ No newline at end of file

From 74850b6e530edbd937e912855baf0ac892f7e199 Mon Sep 17 00:00:00 2001
From: Mark de Dios <mhdedios@gmail.com>
Date: Tue, 24 Jun 2025 13:20:49 -0700
Subject: [PATCH 04/14] Sync tax for test-chatbot, remove cache-to, cache-from

---
 .github/workflows/test.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 49490ae..1e45885 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -30,8 +30,6 @@ jobs:
           context: .
           file: .docker/Dockerfile
           tags: test-chatbot
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
           outputs: type=docker
 
       - name: Run linter
@@ -39,5 +37,5 @@ jobs:
           docker run --rm --memory=1g \
           -v ${{ github.workspace }}:/chatbot_server \
           -w /chatbot_server \
-          lint-chatbot-server \
+          test-chatbot \
           sh -c "pnpm install --frozen-lockfile && pnpm test"
\ No newline at end of file

From 771f04d8e470d8d3fde1cc817352fab7f32fb668 Mon Sep 17 00:00:00 2001
From: Mark de Dios <mhdedios@gmail.com>
Date: Tue, 24 Jun 2025 13:24:41 -0700
Subject: [PATCH 05/14] Set docker buildkit to 0 in gitconfig

---
 .github/workflows/test.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1e45885..dbaaaf3 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -13,7 +13,7 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  lint:
+  test:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
@@ -32,7 +32,9 @@ jobs:
           tags: test-chatbot
           outputs: type=docker
 
-      - name: Run linter
+      - name: Run tests
+        env:
+            DOCKER_BUILDKIT: 0
         run: |
           docker run --rm --memory=1g \
           -v ${{ github.workspace }}:/chatbot_server \

From 93b64d8212021d620230254d9dd380c09e022b97 Mon Sep 17 00:00:00 2001
From: Mark de Dios <mhdedios@gmail.com>
Date: Tue, 24 Jun 2025 13:29:14 -0700
Subject: [PATCH 06/14] Add conditional for copying git config if exists,
 otherwise

---
 .docker/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.docker/Dockerfile b/.docker/Dockerfile
index 16b625c..cce3dfb 100644
--- a/.docker/Dockerfile
+++ b/.docker/Dockerfile
@@ -21,6 +21,7 @@ COPY . .
 RUN chmod +x ./scripts/*.sh || true
 # Set up git
 RUN apk add git
-COPY git-config.txt ${WORKDIR}
+
+RUN if [ -f git-config.txt ]; then cp git-config.txt ~/.gitconfig; fi
 
 EXPOSE 7000
\ No newline at end of file

From 5907ac9968e23e9de9f758fc38fff13c8a93c8bb Mon Sep 17 00:00:00 2001
From: Mark de Dios <mhdedios@gmail.com>
Date: Sun, 6 Jul 2025 17:29:13 -0700
Subject: [PATCH 07/14] Add twilio incoming messages schema for validation

---
 src/middlewares/webhook.middleware.js         |   0
 src/validations/index.js                      |   1 +
 .../twilio/incoming.message.validation.js     | 151 ++++++++++++++++++
 3 files changed, 152 insertions(+)
 create mode 100644 src/middlewares/webhook.middleware.js
 create mode 100644 src/validations/twilio/incoming.message.validation.js

diff --git a/src/middlewares/webhook.middleware.js b/src/middlewares/webhook.middleware.js
new file mode 100644
index 0000000..e69de29
diff --git a/src/validations/index.js b/src/validations/index.js
index a708e33..fd4ee68 100644
--- a/src/validations/index.js
+++ b/src/validations/index.js
@@ -1 +1,2 @@
 module.exports.envValidation = require('./env.validation');
+module.exports.incomingTwilioMessageValidation = require('./twilio/incoming.message.validation');
diff --git a/src/validations/twilio/incoming.message.validation.js b/src/validations/twilio/incoming.message.validation.js
new file mode 100644
index 0000000..cc68625
--- /dev/null
+++ b/src/validations/twilio/incoming.message.validation.js
@@ -0,0 +1,151 @@
+const joi = require('joi ');
+
+/**
+ * 
+ * @param {String} value 
+ * @param {import('joi').CustomValidator} helpers 
+ * @returns {import('joi').ErrorReport|String}
+ */
+function validatePhoneNumber(value, helpers) {
+  // Must start with + and have 10-15 digits after
+  const phoneRegex = /^\+[1-9]\d{1,14}$/;
+ 
+  if (!phoneRegex.test(value)) {
+    return helpers.error('any.invalid');
+  }
+  
+  return value;
+};
+
+/**
+ * 
+ * @param {String} value 
+ * @param {import('joi').CustomHelpers} helpers 
+ * @returns {import('joi').ErrorReport|String }
+ */
+function validateSafeString(value, helpers) {
+  // Check for common SQL injection patterns
+  const dangerousPatterns = [
+    /('|(\\?')|(;|\\?;))/i,  // Single quotes and semicolons
+    /--(\\s|$)/i,            // SQL comments
+    /\b(DROP|DELETE|INSERT|UPDATE|SELECT|UNION|CREATE|ALTER|EXEC|EXECUTE)\b/i, // SQL keywords
+    /<script/i,              // Basic XSS
+    /javascript:/i           // JavaScript protocol
+  ];
+  
+  for (const pattern of dangerousPatterns) {
+    if (pattern.test(value)) {
+      return helpers.error('string.unsafe');
+    }
+  }
+  
+  return value;
+};
+
+// Twilio SMS payload validation schema
+const twilioIncomingMessageSchema = joi.object({
+  // Required fields
+  Body: joi.string()
+    .required()
+    .min(1) // Ensure not empty
+    .max(1600) // SMS character limit
+    .custom(validateSafeString, 'Safe string validation')
+    .messages({
+      'any.required': 'Body is required',
+      'string.empty': 'Body cannot be empty',
+      'string.unsafe': 'Body contains potentially dangerous content',
+      'string.max': 'Body exceeds maximum SMS length'
+    }),
+
+  From: joi.string()
+    .required()
+    .custom(validatePhoneNumber, 'Phone number validation')
+    .messages({
+      'any.required': 'From phone number is required',
+      'any.invalid': 'From must be a valid phone number starting with + followed by country code and number'
+    }),
+
+  To: joi.string()
+    .required()
+    .custom(validatePhoneNumber, 'Phone number validation')
+    .messages({
+      'any.required': 'To phone number is required',
+      'any.invalid': 'To must be a valid phone number starting with + followed by country code and number'
+    }),
+
+  // Media validation - only text messages supported
+  NumMedia: joi.string()
+    .valid('0')
+    .required()
+    .messages({
+      'any.required': 'NumMedia is required',
+      'any.only': 'Only text messages are supported (NumMedia must be 0)'
+    }),
+
+  // Required Twilio fields
+  MessageSid: joi.string()
+    .pattern(/^SM[a-f0-9]{32}$/i)
+    .required()
+    .messages({
+      'string.pattern.base': 'MessageSid must be a valid Twilio Message SID'
+    }),
+
+  AccountSid: joi.string()
+    .pattern(/^AC[a-f0-9]{32}$/i)
+    .required()
+    .messages({
+      'string.pattern.base': 'AccountSid must be a valid Twilio Account SID'
+    }),
+
+  SmsMessageSid: joi.string()
+    .pattern(/^SM[a-f0-9]{32}$/i)
+    .required()
+    .messages({
+      'string.pattern.base': 'SmsMessageSid must be a valid Twilio SMS Message SID'
+    }),
+
+  SmsSid: joi.string()
+    .pattern(/^SM[a-f0-9]{32}$/i)
+    .required()
+    .messages({
+      'string.pattern.base': 'SmsSid must be a valid Twilio SMS SID'
+    }),
+
+  SmsStatus: joi.string()
+    .valid('received', 'sending', 'sent', 'failed', 'delivered', 'undelivered', 'queued')
+    .required()
+    .messages({
+      'any.only': 'SmsStatus must be a valid Twilio SMS status'
+    }),
+
+  // Optional location fields
+  ToCountry: joi.string().optional().allow(''),
+  ToState: joi.string().optional().allow(''),
+  ToCity: joi.string().optional().allow(''),
+  ToZip: joi.string().optional().allow(''),
+  FromCountry: joi.string().optional().allow(''),
+  FromState: joi.string().optional().allow(''),
+  FromCity: joi.string().optional().allow(''),
+  FromZip: joi.string().optional().allow(''),
+
+  // Other Twilio fields
+  NumSegments: joi.string()
+    .pattern(/^\d+$/)
+    .optional()
+    .messages({
+      'string.pattern.base': 'NumSegments must be a numeric string'
+    }),
+
+  ApiVersion: joi.string()
+    .pattern(/^\d{4}-\d{2}-\d{2}$/)
+    .optional()
+    .messages({
+      'string.pattern.base': 'ApiVersion must be in YYYY-MM-DD format'
+    })
+})
+  .unknown(false) // Reject any additional fields not defined in schema
+  .messages({
+    'object.unknown': 'Unknown field "{#label}" is not allowed'
+  });
+
+module.exports = twilioIncomingMessageSchema;
\ No newline at end of file

From b7cac48b5a690925c09771d5d30afd9ed2512c94 Mon Sep 17 00:00:00 2001
From: Mark de Dios <mhdedios@gmail.com>
Date: Mon, 7 Jul 2025 18:53:38 -0700
Subject: [PATCH 08/14] Use logger instead of console in database service

---
 src/routes/messaging.routes.js                        | 4 +++-
 src/services/databases/database.service.js            | 5 +++--
 src/validations/twilio/incoming.message.validation.js | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/routes/messaging.routes.js b/src/routes/messaging.routes.js
index 1e309c0..574ed28 100644
--- a/src/routes/messaging.routes.js
+++ b/src/routes/messaging.routes.js
@@ -1,9 +1,11 @@
 const express = require('express');
 const messagingController = require('../controllers');
+const validate = require('../middlewares/validate');
+const twilioIncomingMessageValidation = require('../validations/twilio/incoming.message.validation');
 
 const router = express.Router();
 
-router.post('/webhook/incoming-message', messagingController.handleIncomingMessage);
+router.post('/webhook/incoming-message', validate(twilioIncomingMessageValidation), messagingController.handleIncomingMessage);
 
 router.get('/', (req, res) => {
   res.send('📨 Messaging API is working');
diff --git a/src/services/databases/database.service.js b/src/services/databases/database.service.js
index 146752e..ee4ee99 100644
--- a/src/services/databases/database.service.js
+++ b/src/services/databases/database.service.js
@@ -1,11 +1,12 @@
 const { pool } = require('../../config/database');
+const logger = require('../../config/logger');
 
 async function connectDB() {
   try {
     await pool.query('SELECT NOW()');
-    console.log('PostgreSQL connected');
+    logger.log('PostgreSQL connected');
   } catch (error) {
-    console.error('PostgreSQL connection error', error);
+    logger.error('PostgreSQL connection error', error);
     process.exit(1);
   }
 }
diff --git a/src/validations/twilio/incoming.message.validation.js b/src/validations/twilio/incoming.message.validation.js
index cc68625..c246efd 100644
--- a/src/validations/twilio/incoming.message.validation.js
+++ b/src/validations/twilio/incoming.message.validation.js
@@ -21,7 +21,7 @@ function validatePhoneNumber(value, helpers) {
  * 
  * @param {String} value 
  * @param {import('joi').CustomHelpers} helpers 
- * @returns {import('joi').ErrorReport|String }
+ * @returns {import('joi').ErrorReport|String}
  */
 function validateSafeString(value, helpers) {
   // Check for common SQL injection patterns

From 845cdcb57580ea1e222d40405255b99ebaa25774 Mon Sep 17 00:00:00 2001
From: Mark de Dios <mhdedios@gmail.com>
Date: Tue, 8 Jul 2025 21:09:52 -0700
Subject: [PATCH 09/14] Add incoming message validation

---
 src/controllers/messaging.controller.js       |  2 +-
 src/routes/chatbot.route.js                   |  3 +-
 src/routes/messaging.routes.js                |  6 ++--
 src/server.js                                 |  2 +-
 src/services/index.js                         |  1 -
 src/validations/index.js                      |  2 +-
 .../incoming.event.notification.validation.js | 36 +++++++++++++++++++
 .../twilio/incoming.message.validation.js     |  2 +-
 .../webhook/incoming.message.validation.js    |  7 ++++
 9 files changed, 51 insertions(+), 10 deletions(-)
 create mode 100644 src/validations/openedx/incoming.event.notification.validation.js
 create mode 100644 src/validations/webhook/incoming.message.validation.js

diff --git a/src/controllers/messaging.controller.js b/src/controllers/messaging.controller.js
index 249ae65..41c5dd3 100644
--- a/src/controllers/messaging.controller.js
+++ b/src/controllers/messaging.controller.js
@@ -1,6 +1,6 @@
 const logger = require('../config/logger');
 const messagingService = require('../services');
-const { withRetryAndCatch } = require('../utils/withRetry');
+const withRetryAndCatch = require('../utils/withRetryAndCatch');
 
 /**
  * @param {Express.Request} req
diff --git a/src/routes/chatbot.route.js b/src/routes/chatbot.route.js
index 69a45c2..f7efb19 100644
--- a/src/routes/chatbot.route.js
+++ b/src/routes/chatbot.route.js
@@ -1,10 +1,9 @@
 const express = require('express');
-
 const router = express.Router();
 const { chatbotController } = require('../controllers');
 const validate = require('../middlewares/validate');
 const { chatbotValidation } = require('../validations');
 
-router.get('/chatbot', chatbotController);
+router.get('/chatbot', validate(chatbotValidation), chatbotController);
 
 module.exports = router;
diff --git a/src/routes/messaging.routes.js b/src/routes/messaging.routes.js
index 574ed28..36341a6 100644
--- a/src/routes/messaging.routes.js
+++ b/src/routes/messaging.routes.js
@@ -1,11 +1,11 @@
 const express = require('express');
-const messagingController = require('../controllers');
+const { messagingController } = require('../controllers');
 const validate = require('../middlewares/validate');
-const twilioIncomingMessageValidation = require('../validations/twilio/incoming.message.validation');
+const { incomingMessageValidation } = require('../validations');
 
 const router = express.Router();
 
-router.post('/webhook/incoming-message', validate(twilioIncomingMessageValidation), messagingController.handleIncomingMessage);
+router.post('/webhook/incoming-message', validate(incomingMessageValidation), messagingController.handleIncomingMessage);
 
 router.get('/', (req, res) => {
   res.send('📨 Messaging API is working');
diff --git a/src/server.js b/src/server.js
index f1ea0f5..e160ad3 100644
--- a/src/server.js
+++ b/src/server.js
@@ -4,7 +4,7 @@ const app = express();
 const httpStatus = require('http-status');
 const morgan = require('./config/morgan');
 const { errorHandler, errorConverter } = require('./middlewares/error');
-const chatbotRouter = require('./routes/chatbot.route');
+const chatbotRouter = require('./routes/chatbot.routes');
 const messagingRouter = require('./routes/messaging.routes');
 const ApiError = require('./utils/ApiError');
 
diff --git a/src/services/index.js b/src/services/index.js
index 95b7886..a3551b4 100644
--- a/src/services/index.js
+++ b/src/services/index.js
@@ -1,2 +1 @@
-module.exports.blogService = require('./blog.service');
 module.exports.messagingService = require('./messaging/messaging.service');
diff --git a/src/validations/index.js b/src/validations/index.js
index fd4ee68..557e6f2 100644
--- a/src/validations/index.js
+++ b/src/validations/index.js
@@ -1,2 +1,2 @@
 module.exports.envValidation = require('./env.validation');
-module.exports.incomingTwilioMessageValidation = require('./twilio/incoming.message.validation');
+module.exports.incomingMessageValidation = require('./webhook/incoming.message.validation');
\ No newline at end of file
diff --git a/src/validations/openedx/incoming.event.notification.validation.js b/src/validations/openedx/incoming.event.notification.validation.js
new file mode 100644
index 0000000..651cc76
--- /dev/null
+++ b/src/validations/openedx/incoming.event.notification.validation.js
@@ -0,0 +1,36 @@
+const joi = require('joi');
+
+// Define specific schemas later — here's a placeholder
+// https://docs.openedx.org/projects/openedx-events/en/latest/how-tos/create-a-new-event.html
+const CourseEnrollmentSchema = joi.object({
+  user_id: joi.string().required(),
+  course_id: joi.string().required(),
+  mode: joi.string().valid('audit', 'honor', 'verified', 'professional').required(),
+});
+
+const PlaceholderEventSchema = joi.object().unknown(true); // For now, accept any shape
+
+/**
+ * See below for example JSON response
+ * https://github.com/openedx/event-routing-backends/blob/master/event_routing_backends/processors/tests/fixtures/current/edx.forum.response.created.json
+ */
+const OpenEdxEventSchema = joi.object({
+  event_type: joi.string().required(), // e.g., 'event'
+  event_name: joi.string().required(), // e.g., 'org.openedx.learning.course.enrollment.registered.v1'
+  event_source: joi.string().required(), // e.g., 'openedx.learning'
+  event_time: joi.string().isoDate().required(), // ISO8601
+  data: joi.alternatives().try(
+    CourseEnrollmentSchema, // You can keep adding here
+    PlaceholderEventSchema // Fallback until more types are defined
+  ).required(),
+  context: joi.object({
+    user_id: joi.string().allow(null),
+    username: joi.string().allow(null),
+    course_id: joi.string().allow(null),
+    ip: joi.string().ip({ version: ['ipv4', 'ipv6'] }).allow(null)
+  }).unknown(true),
+  metadata: joi.object().unknown(true).optional()
+});
+
+module.exports = OpenEdxEventSchema;
+
diff --git a/src/validations/twilio/incoming.message.validation.js b/src/validations/twilio/incoming.message.validation.js
index c246efd..43d39c5 100644
--- a/src/validations/twilio/incoming.message.validation.js
+++ b/src/validations/twilio/incoming.message.validation.js
@@ -1,4 +1,4 @@
-const joi = require('joi ');
+const joi = require('joi');
 
 /**
  * 
diff --git a/src/validations/webhook/incoming.message.validation.js b/src/validations/webhook/incoming.message.validation.js
new file mode 100644
index 0000000..cc626e9
--- /dev/null
+++ b/src/validations/webhook/incoming.message.validation.js
@@ -0,0 +1,7 @@
+const joi = require('joi');
+const openedXEventSchema = require('../openedx/incoming.event.notification.validation');
+const twilioIncomingMessageSchema = require('../twilio/incoming.message.validation');
+
+const IncomingMessageSchema = joi.alternatives().try(twilioIncomingMessageSchema, openedXEventSchema);
+
+module.exports = IncomingMessageSchema;
\ No newline at end of file

From 6ae7b0bfbe803767bdc8955b67ade3a98e47759e Mon Sep 17 00:00:00 2001
From: Mark de Dios <mhdedios@gmail.com>
Date: Tue, 8 Jul 2025 21:21:33 -0700
Subject: [PATCH 10/14] Remove postinstall command from package.json

---
 .docker/Dockerfile | 3 +--
 package.json       | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/.docker/Dockerfile b/.docker/Dockerfile
index cce3dfb..debd63a 100644
--- a/.docker/Dockerfile
+++ b/.docker/Dockerfile
@@ -6,7 +6,6 @@ RUN corepack use pnpm@*
 
 ARG WORKDIR=/chatbot_server
 WORKDIR ${WORKDIR}
-COPY scripts/ ${WORKDIR}/scripts/
 
 # Adding package.json first will cache our dependencies so
 # that they do not have to be re-installed when the image rebuilds
@@ -22,6 +21,6 @@ RUN chmod +x ./scripts/*.sh || true
 # Set up git
 RUN apk add git
 
-RUN if [ -f git-config.txt ]; then cp git-config.txt ~/.gitconfig; fi
+ADD git-config.txt ${WORKDIR}
 
 EXPOSE 7000
\ No newline at end of file
diff --git a/package.json b/package.json
index dfa8e81..a26ec5b 100644
--- a/package.json
+++ b/package.json
@@ -23,8 +23,7 @@
         "db:migrate:test": "node .jest/jest.global-setup.js",
         "db:generate-migration": "sequelize migration:generate",
         "db:undo-migration": "sequelize db:migrate:undo",
-        "db:rollback-migrations": "sequelize db:migrate:undo:all",
-        "postinstall": "chmod +x ./scripts/*.sh"
+        "db:rollback-migrations": "sequelize db:migrate:undo:all"
     },
     "engines": {
         "node": ">20.19.2"

From 18bc6bbee697a6c522f086cf94efc1c7363116b2 Mon Sep 17 00:00:00 2001
From: Mark de Dios <mhdedios@gmail.com>
Date: Sun, 13 Jul 2025 16:56:50 -0700
Subject: [PATCH 11/14] Move validate phone number, safe string methods to
 utils, add test files for respective functions, modify incoming openedx and
 twilio webhook requests  to validate request.body

---
 .../utils/validatePhoneNumber.test.js         | 194 ++++++++++++
 .../utils/validateSafeString.test.js          | 296 ++++++++++++++++++
 src/__tests__/utils/withRetryAndCatch.test.js |  10 +-
 src/routes/messaging.routes.js                |   4 +-
 src/services/messaging/messaging.service.js   |   5 +-
 src/utils/validatePhoneNumber.js              |  22 ++
 src/utils/validateSafeString.js               |  30 ++
 src/validations/index.js                      |   3 +-
 .../incoming.event.notification.validation.js |  16 +-
 .../twilio/incoming.message.validation.js     |  50 +--
 10 files changed, 571 insertions(+), 59 deletions(-)
 create mode 100644 src/__tests__/utils/validatePhoneNumber.test.js
 create mode 100644 src/__tests__/utils/validateSafeString.test.js
 create mode 100644 src/utils/validatePhoneNumber.js
 create mode 100644 src/utils/validateSafeString.js

diff --git a/src/__tests__/utils/validatePhoneNumber.test.js b/src/__tests__/utils/validatePhoneNumber.test.js
new file mode 100644
index 0000000..24e5d3e
--- /dev/null
+++ b/src/__tests__/utils/validatePhoneNumber.test.js
@@ -0,0 +1,194 @@
+const validatePhoneNumber = require('../../utils/validatePhoneNumber');
+
+describe('validatePhoneNumber', () => {
+  let mockHelpers;
+
+  beforeEach(() => {
+    // Clear all mocks before each test
+    jest.clearAllMocks();
+    
+    // Mock Joi helpers
+    mockHelpers = {
+      error: jest.fn((code) => ({ code, message: `Validation error: ${code}` }))
+    };
+  });
+
+  describe('Valid phone numbers', () => {
+    it('should accept valid US/Canada phone numbers with exactly 10 digits after +1', () => {
+      const validNumbers = [
+        '+12345678901',
+        '+15551234567',
+        '+19876543210',
+        '+11234567890'
+      ];
+
+      validNumbers.forEach(number => {
+        const result = validatePhoneNumber(number, mockHelpers);
+
+        expect(result).toBe(number);
+        expect(mockHelpers.error).not.toHaveBeenCalled();
+      });
+    });
+
+    it('should reject phone numbers with less than or more than 10 digits after +1', () => {
+      const invalidNumbers = [
+        '+123456789',    // 9 digits
+        '+123456789012', // 12 digits
+        '+1',            // only +1
+        '+12',           // only +1 and 1 digit
+        '+123',          // only +1 and 2 digits
+        '+1234',         // only +1 and 3 digits
+        '+12345',        // only +1 and 4 digits
+        '+123456',       // only +1 and 5 digits
+        '+1234567',      // only +1 and 6 digits
+        '+12345678',     // only +1 and 7 digits
+        '+123456789'     // only +1 and 9 digits
+      ];
+
+      invalidNumbers.forEach(number => {
+        const result = validatePhoneNumber(number, mockHelpers);
+
+        expect(result).toEqual({ code: 'any.invalid', message: 'Validation error: any.invalid' });
+        expect(mockHelpers.error).toHaveBeenCalledWith('any.invalid');
+      });
+    });
+  });
+
+  describe('Invalid phone numbers', () => {
+    it('should reject phone numbers that do not start with +', () => {
+      const invalidNumbers = [
+        '1234567890',
+        '1555123456',
+        '1987654321',
+        '1123456789'
+      ];
+
+      invalidNumbers.forEach(number => {
+        const result = validatePhoneNumber(number, mockHelpers);
+
+        expect(result).toEqual({ code: 'any.invalid', message: 'Validation error: any.invalid' });
+        expect(mockHelpers.error).toHaveBeenCalledWith('any.invalid');
+      });
+    });
+
+    it('should reject phone numbers that do not start with +1', () => {
+      const invalidNumbers = [
+        '+21234567890',  // +2
+        '+31234567890',  // +3
+        '+41234567890',  // +4
+        '+51234567890',  // +5
+        '+61234567890',  // +6
+        '+71234567890',  // +7
+        '+81234567890',  // +8
+        '+91234567890'   // +9
+      ];
+
+      invalidNumbers.forEach(number => {
+        const result = validatePhoneNumber(number, mockHelpers);
+
+        expect(result).toEqual({ code: 'any.invalid', message: 'Validation error: any.invalid' });
+        expect(mockHelpers.error).toHaveBeenCalledWith('any.invalid');
+      });
+    });
+
+    it('should reject phone numbers with non-digit characters after +1', () => {
+      const invalidNumbers = [
+        '+1a23456789',
+        '+1-234-567-8900',
+        '+1 (234) 567-8900',
+        '+1.234.567.8900',
+        '+1_234_567_8900',
+        '+1 234 567 8900'
+      ];
+
+      invalidNumbers.forEach(number => {
+        const result = validatePhoneNumber(number, mockHelpers);
+
+        expect(result).toEqual({ code: 'any.invalid', message: 'Validation error: any.invalid' });
+        expect(mockHelpers.error).toHaveBeenCalledWith('any.invalid');
+      });
+    });
+
+    it('should reject phone numbers that are too short', () => {
+      const invalidNumbers = [
+        '+1',            // Only +1, no digits
+        '+',             // Only +
+        ''               // Empty string
+      ];
+
+      invalidNumbers.forEach(number => {
+        const result = validatePhoneNumber(number, mockHelpers);
+
+        expect(result).toEqual({ code: 'any.invalid', message: 'Validation error: any.invalid' });
+        expect(mockHelpers.error).toHaveBeenCalledWith('any.invalid');
+      });
+    });
+  });
+
+  describe('Edge cases', () => {
+    it('should handle null and undefined values', () => {
+      const invalidValues = [null, undefined];
+
+      invalidValues.forEach(value => {
+        const result = validatePhoneNumber(value, mockHelpers);
+
+        expect(result).toEqual({ code: 'any.invalid', message: 'Validation error: any.invalid' });
+        expect(mockHelpers.error).toHaveBeenCalledWith('any.invalid');
+      });
+    });
+
+    it('should handle non-string values', () => {
+      const invalidValues = [123, {}, [], true, false];
+
+      invalidValues.forEach(value => {
+        const result = validatePhoneNumber(value, mockHelpers);
+
+        expect(result).toEqual({ code: 'any.invalid', message: 'Validation error: any.invalid' });
+        expect(mockHelpers.error).toHaveBeenCalledWith('any.invalid');
+      });
+    });
+
+    it('should handle strings with leading/trailing whitespace', () => {
+      const invalidNumbers = [
+        ' +1234567890',
+        '+1234567890 ',
+        ' +1234567890 ',
+        '\t+1234567890',
+        '+1234567890\n'
+      ];
+
+      invalidNumbers.forEach(number => {
+        const result = validatePhoneNumber(number, mockHelpers);
+
+        expect(result).toEqual({ code: 'any.invalid', message: 'Validation error: any.invalid' });
+        expect(mockHelpers.error).toHaveBeenCalledWith('any.invalid');
+      });
+    });
+  });
+
+  describe('Function behavior', () => {
+    it('should return the original value for valid phone numbers', () => {
+      const validNumber = '+12345678901';
+      const result = validatePhoneNumber(validNumber, mockHelpers);
+      
+      expect(result).toBe(validNumber);
+      expect(typeof result).toBe('string');
+    });
+
+    it('should call helpers.error with correct error code for invalid numbers', () => {
+      const invalidNumber = '1234567890';
+
+      validatePhoneNumber(invalidNumber, mockHelpers);
+      
+      expect(mockHelpers.error).toHaveBeenCalledTimes(1);
+      expect(mockHelpers.error).toHaveBeenCalledWith('any.invalid');
+    });
+
+    it('should return error object from helpers.error for invalid numbers', () => {
+      const invalidNumber = '1234567890';
+      const result = validatePhoneNumber(invalidNumber, mockHelpers);
+      
+      expect(result).toEqual({ code: 'any.invalid', message: 'Validation error: any.invalid' });
+    });
+  });
+}); 
\ No newline at end of file
diff --git a/src/__tests__/utils/validateSafeString.test.js b/src/__tests__/utils/validateSafeString.test.js
new file mode 100644
index 0000000..be0cf84
--- /dev/null
+++ b/src/__tests__/utils/validateSafeString.test.js
@@ -0,0 +1,296 @@
+const validateSafeString = require('../../utils/validateSafeString');
+
+describe('validateSafeString', () => {
+  let mockHelpers;
+
+  beforeEach(() => {
+    // Mock Joi helpers
+    mockHelpers = {
+      error: jest.fn((code) => ({ code, message: `Validation error: ${code}` }))
+    };
+  });
+
+  describe('Safe strings', () => {
+    it('should accept normal text strings', () => {
+      const safeStrings = [
+        'Hello, world!',
+        'This is a normal message',
+        '1234567890',
+        'Special characters: !@#$%^&*()',
+        'Unicode: ñáéíóú',
+        'Mixed case: Hello World',
+        'Numbers and text: 123abc456def'
+      ];
+
+      safeStrings.forEach(str => {
+        const result = validateSafeString(str, mockHelpers);
+
+        expect(result).toBe(str);
+        expect(mockHelpers.error).not.toHaveBeenCalled();
+      });
+    });
+
+    it('should accept empty strings', () => {
+      const result = validateSafeString('', mockHelpers);
+
+      expect(result).toBe('');
+      expect(mockHelpers.error).not.toHaveBeenCalled();
+    });
+
+    it('should accept strings with spaces and punctuation', () => {
+      const safeStrings = [
+        '   spaces   ',
+        'multiple    spaces',
+        'punctuation: . , ! ? ; : " \' ( ) [ ] { }',
+        'newlines\nand\ttabs',
+        'quotes: "double" and \'single\''
+      ];
+
+      safeStrings.forEach(str => {
+        const result = validateSafeString(str, mockHelpers);
+
+        expect(result).toBe(str);
+        expect(mockHelpers.error).not.toHaveBeenCalled();
+      });
+    });
+  });
+
+  describe('SQL Injection patterns', () => {
+    it('should allow strings with single quotes', () => {
+      const safeStrings = [
+        "O'Connor",
+        "user's data",
+        "don't do this",
+        "it's dangerous",
+        "can't validate"
+      ];
+
+      safeStrings.forEach(str => {
+        const result = validateSafeString(str, mockHelpers);
+
+        expect(result).toBe(str);
+        expect(mockHelpers.error).not.toHaveBeenCalled();
+      });
+    });
+
+    it('should allow strings with escaped single quotes', () => {
+      const safeStrings = [
+        "O\\'Connor",
+        "user\\'s data",
+        "don\\'t do this"
+      ];
+
+      safeStrings.forEach(str => {
+        const result = validateSafeString(str, mockHelpers);
+
+        expect(result).toBe(str);
+        expect(mockHelpers.error).not.toHaveBeenCalled();
+      });
+    });
+
+    it('should allow strings with semicolons', () => {
+      const safeStrings = [
+        'SELECT is a verb;',
+        'multiple; statements; here;',
+        'normal text; followed by semicolon'
+      ];
+
+      safeStrings.forEach(str => {
+        const result = validateSafeString(str, mockHelpers);
+
+        expect(result).toBe(str);
+        expect(mockHelpers.error).not.toHaveBeenCalled();
+      });
+    });
+
+    it('should reject strings with escaped semicolons', () => {
+      const dangerousStrings = [
+        'SELECT * FROM users\\;',
+        'DROP TABLE users\\;'
+      ];
+
+      dangerousStrings.forEach(str => {
+        const result = validateSafeString(str, mockHelpers);
+
+        expect(result).toEqual({ code: 'string.unsafe', message: 'Validation error: string.unsafe' });
+        expect(mockHelpers.error).toHaveBeenCalledWith('string.unsafe');
+      });
+    });
+
+    it('should reject strings with SQL comments', () => {
+      const dangerousStrings = [
+        'SELECT * FROM users -- comment',
+        'DROP TABLE users--',
+        'normal text -- followed by comment',
+        '-- start with comment',
+        'text -- comment -- another comment'
+      ];
+
+      dangerousStrings.forEach(str => {
+        const result = validateSafeString(str, mockHelpers);
+
+        expect(result).toEqual({ code: 'string.unsafe', message: 'Validation error: string.unsafe' });
+        expect(mockHelpers.error).toHaveBeenCalledWith('string.unsafe');
+      });
+    });
+
+    it('should reject strings with SQL keywords and other SQL syntax', () => {
+      const dangerousStrings = [
+        'DROP TABLE users',
+        'DELETE FROM users',
+        'INSERT INTO users',
+        'UPDATE users SET',
+        'SELECT * FROM users',
+        'UNION SELECT something FROM somewhere',
+        'CREATE TABLE test',
+        'ALTER TABLE test',
+        'EXECUTE procedure'
+      ];
+
+      dangerousStrings.forEach(str => {
+        const result = validateSafeString(str, mockHelpers);
+
+        expect(result).toEqual({ code: 'string.unsafe', message: 'Validation error: string.unsafe' });
+        expect(mockHelpers.error).toHaveBeenCalledWith('string.unsafe');
+      });
+    });
+
+    it('should allow strings with SQL keywords in normal text', () => {
+      const safeStrings = [
+        'drop is a verb',
+        'DELETE is a word',
+        'insert is a verb',
+        'update is a verb',
+        'select is a verb',
+        'union is a word',
+        'create is a verb',
+        'alter is a verb',
+        'exec is short for execute',
+        'execute is a word'
+      ];
+
+      safeStrings.forEach(str => {
+        const result = validateSafeString(str, mockHelpers);
+
+        expect(result).toBe(str);
+        expect(mockHelpers.error).not.toHaveBeenCalled();
+      });
+    });
+  });
+
+  describe('XSS patterns', () => {
+    it('should reject strings with script tags', () => {
+      const dangerousStrings = [
+        '<script>alert("xss")</script>',
+        '<SCRIPT>alert("xss")</SCRIPT>',
+        'normal text <script>alert("xss")</script>',
+        '<script src="malicious.js"></script>',
+        '<script>document.cookie</script>'
+      ];
+
+      dangerousStrings.forEach(str => {
+        const result = validateSafeString(str, mockHelpers);
+
+        expect(result).toEqual({ code: 'string.unsafe', message: 'Validation error: string.unsafe' });
+        expect(mockHelpers.error).toHaveBeenCalledWith('string.unsafe');
+      });
+    });
+
+    it('should reject strings with javascript protocol', () => {
+      const dangerousStrings = [
+        'javascript:alert("xss")',
+        'JAVASCRIPT:alert("xss")',
+        'normal text javascript:alert("xss")',
+        'javascript:document.cookie',
+        'javascript:void(0)'
+      ];
+
+      dangerousStrings.forEach(str => {
+        const result = validateSafeString(str, mockHelpers);
+
+        expect(result).toEqual({ code: 'string.unsafe', message: 'Validation error: string.unsafe' });
+        expect(mockHelpers.error).toHaveBeenCalledWith('string.unsafe');
+      });
+    });
+  });
+
+  describe('Edge cases', () => {
+    it('should handle null and undefined values', () => {
+      const invalidValues = [null, undefined];
+
+      invalidValues.forEach(value => {
+        const result = validateSafeString(value, mockHelpers);
+
+        expect(result).toEqual({ code: 'string.unsafe', message: 'Validation error: string.unsafe' });
+        expect(mockHelpers.error).toHaveBeenCalledWith('string.unsafe');
+      });
+    });
+
+    it('should handle non-string values', () => {
+      const invalidValues = [123, {}, [], true, false];
+
+      invalidValues.forEach(value => {
+        const result = validateSafeString(value, mockHelpers);
+
+        expect(result).toEqual({ code: 'string.unsafe', message: 'Validation error: string.unsafe' });
+        expect(mockHelpers.error).toHaveBeenCalledWith('string.unsafe');
+      });
+    });
+
+    it('should handle strings that contain safe parts of dangerous patterns', () => {
+      const safeStrings = [
+        'script is a word',
+        'javascript is a programming language',
+        'SELECT is a verb',
+        'DROP is a verb',
+        'INSERT is a verb',
+        'UPDATE is a verb',
+        'CREATE is a verb',
+        'ALTER is a verb',
+        'EXEC is short for execute',
+        'UNION is a word'
+      ];
+
+      safeStrings.forEach(str => {
+        const result = validateSafeString(str, mockHelpers);
+
+        expect(result).toBe(str);
+        expect(mockHelpers.error).not.toHaveBeenCalled();
+      });
+    });
+  });
+
+  describe('Function behavior', () => {
+    it('should return the original value for safe strings', () => {
+      const safeString = 'Hello, world!';
+      const result = validateSafeString(safeString, mockHelpers);
+      
+      expect(result).toBe(safeString);
+      expect(typeof result).toBe('string');
+    });
+
+    it('should call helpers.error with correct error code for dangerous strings', () => {
+      const dangerousString = 'SELECT * FROM users';
+
+      validateSafeString(dangerousString, mockHelpers);
+      
+      expect(mockHelpers.error).toHaveBeenCalledTimes(1);
+      expect(mockHelpers.error).toHaveBeenCalledWith('string.unsafe');
+    });
+
+    it('should return error object from helpers.error for dangerous strings', () => {
+      const dangerousString = 'SELECT * FROM users';
+      const result = validateSafeString(dangerousString, mockHelpers);
+      
+      expect(result).toEqual({ code: 'string.unsafe', message: 'Validation error: string.unsafe' });
+    });
+
+    it('should detect the first dangerous pattern in a string', () => {
+      const dangerousString = 'normal text <script>alert("xss")</script> more text';
+      const result = validateSafeString(dangerousString, mockHelpers);
+      
+      expect(result).toEqual({ code: 'string.unsafe', message: 'Validation error: string.unsafe' });
+      expect(mockHelpers.error).toHaveBeenCalledWith('string.unsafe');
+    });
+  });
+}); 
\ No newline at end of file
diff --git a/src/__tests__/utils/withRetryAndCatch.test.js b/src/__tests__/utils/withRetryAndCatch.test.js
index eba3452..9c1c2f9 100644
--- a/src/__tests__/utils/withRetryAndCatch.test.js
+++ b/src/__tests__/utils/withRetryAndCatch.test.js
@@ -11,8 +11,7 @@ describe('withRetryAndCatch', () => {
     jest.resetModules();
     jest.doMock('../../utils/withRetry', () => {
       return jest.fn((fn) => {
-        // Just return the handler as-is for test purposes
-
+        // Return the handler as-is for test purposes
         return fn;
       });
     });
@@ -24,17 +23,14 @@ describe('withRetryAndCatch', () => {
           const maybePromise = fn(...args);
 
           if (maybePromise && typeof maybePromise.catch === 'function') {
-
             return maybePromise.catch(next);
           }
 
           return maybePromise;
         } catch (err) {
           if (typeof next === 'function') {
-
             next(err);
           } else {
-
             throw err;
           }
         }
@@ -256,7 +252,9 @@ describe('withRetryAndCatch', () => {
 
     it('should work with async/await handlers', async () => {
       const asyncHandler = jest.fn(async (req, res) => {
-        await new Promise(resolve => setTimeout(resolve, 10));
+        await new Promise(resolve => {
+          setTimeout(() => resolve(), 10);
+        });
 
         return { processed: true };
       });
diff --git a/src/routes/messaging.routes.js b/src/routes/messaging.routes.js
index 36341a6..e51bcde 100644
--- a/src/routes/messaging.routes.js
+++ b/src/routes/messaging.routes.js
@@ -1,11 +1,11 @@
 const express = require('express');
 const { messagingController } = require('../controllers');
 const validate = require('../middlewares/validate');
-const { incomingMessageValidation } = require('../validations');
+const { twilioIncomingMessageValidation } = require('../validations');
 
 const router = express.Router();
 
-router.post('/webhook/incoming-message', validate(incomingMessageValidation), messagingController.handleIncomingMessage);
+router.post('/webhook/incoming-message', validate(twilioIncomingMessageValidation), messagingController.handleIncomingMessage);
 
 router.get('/', (req, res) => {
   res.send('📨 Messaging API is working');
diff --git a/src/services/messaging/messaging.service.js b/src/services/messaging/messaging.service.js
index 668e22d..f8fe3d4 100644
--- a/src/services/messaging/messaging.service.js
+++ b/src/services/messaging/messaging.service.js
@@ -1,7 +1,10 @@
+const { env } = require('../../config/config');
 const logger = require('../../config/logger');
 const twilioClient = require('../../config/twilio');
 const SOURCES = require('../../utils/constants');
 
+const shouldValidate = env !== 'test';
+
 /**
  * 
  * @param {Express.Request} req 
@@ -11,7 +14,7 @@ function processMessage(req, requestId) {
   const source = identifySource(req);
 
   if (source === SOURCES.TWILIO) {
-    twilioClient.webhook()(req);
+    twilioClient.webhook({ validate: shouldValidate })(req);
 
     logger.info('Received Twilio Message', {
       requestId,
diff --git a/src/utils/validatePhoneNumber.js b/src/utils/validatePhoneNumber.js
new file mode 100644
index 0000000..dbc4435
--- /dev/null
+++ b/src/utils/validatePhoneNumber.js
@@ -0,0 +1,22 @@
+/**
+ * @param {String} value 
+ * @param {import('joi').CustomValidator} helpers 
+ * @returns {import('joi').ErrorReport|String}
+ */
+function validatePhoneNumber(value, helpers) {
+  // Must be a string
+  if (typeof value !== 'string') {
+    return helpers.error('any.invalid');
+  }
+  // Must start with +1 followed by exactly 10 digits (US/Canada NANP format)
+  const phoneRegex = /^\+1\d{10}$/;
+
+  if (!phoneRegex.test(value)) {
+    return helpers.error('any.invalid');
+  }
+
+  return value;
+};
+
+module.exports = validatePhoneNumber;
+
diff --git a/src/utils/validateSafeString.js b/src/utils/validateSafeString.js
new file mode 100644
index 0000000..499bfd7
--- /dev/null
+++ b/src/utils/validateSafeString.js
@@ -0,0 +1,30 @@
+/**
+ * @param {String} value 
+ * @param {import('joi').CustomHelpers} helpers 
+ * @returns {import('joi').ErrorReport|String}
+ */
+function validateSafeString(value, helpers) {
+  // Check if value is a string
+  if (typeof value !== 'string') {
+    return helpers.error('string.unsafe');
+  }
+
+  // Check for common SQL injection and XSS patterns
+  const dangerousPatterns = [
+    /--/, // SQL comments: any occurrence of --
+    // SQL keywords with other SQL syntax (e.g., SELECT ... FROM, DROP TABLE, etc.)
+    /\b(SELECT|DROP|DELETE|INSERT|UPDATE|UNION|CREATE|ALTER|EXEC|EXECUTE)\b\s+.*\b(FROM|TABLE|INTO|SET|PROCEDURE|VALUES|WHERE|JOIN|ON|BY)\b/i,
+    /<script/i,              // Basic XSS
+    /javascript:/i           // JavaScript protocol
+  ];
+  
+  for (const pattern of dangerousPatterns) {
+    if (pattern.test(value)) {
+      return helpers.error('string.unsafe');
+    }
+  }
+  
+  return value;
+};
+
+module.exports = validateSafeString;
\ No newline at end of file
diff --git a/src/validations/index.js b/src/validations/index.js
index 557e6f2..debbe0b 100644
--- a/src/validations/index.js
+++ b/src/validations/index.js
@@ -1,2 +1,3 @@
 module.exports.envValidation = require('./env.validation');
-module.exports.incomingMessageValidation = require('./webhook/incoming.message.validation');
\ No newline at end of file
+module.exports.incomingMessageValidation = require('./webhook/incoming.message.validation');
+module.exports.twilioIncomingMessageValidation = require('./twilio/incoming.message.validation');
\ No newline at end of file
diff --git a/src/validations/openedx/incoming.event.notification.validation.js b/src/validations/openedx/incoming.event.notification.validation.js
index 651cc76..6913fa2 100644
--- a/src/validations/openedx/incoming.event.notification.validation.js
+++ b/src/validations/openedx/incoming.event.notification.validation.js
@@ -2,26 +2,26 @@ const joi = require('joi');
 
 // Define specific schemas later — here's a placeholder
 // https://docs.openedx.org/projects/openedx-events/en/latest/how-tos/create-a-new-event.html
-const CourseEnrollmentSchema = joi.object({
+const courseEnrollmentSchema = joi.object({
   user_id: joi.string().required(),
   course_id: joi.string().required(),
   mode: joi.string().valid('audit', 'honor', 'verified', 'professional').required(),
 });
 
-const PlaceholderEventSchema = joi.object().unknown(true); // For now, accept any shape
+const placeholderEventSchema = joi.object().unknown(true); // For now, accept any shape
 
 /**
  * See below for example JSON response
  * https://github.com/openedx/event-routing-backends/blob/master/event_routing_backends/processors/tests/fixtures/current/edx.forum.response.created.json
  */
-const OpenEdxEventSchema = joi.object({
+const openEdxEventSchema = joi.object({
   event_type: joi.string().required(), // e.g., 'event'
   event_name: joi.string().required(), // e.g., 'org.openedx.learning.course.enrollment.registered.v1'
   event_source: joi.string().required(), // e.g., 'openedx.learning'
   event_time: joi.string().isoDate().required(), // ISO8601
   data: joi.alternatives().try(
-    CourseEnrollmentSchema, // You can keep adding here
-    PlaceholderEventSchema // Fallback until more types are defined
+    courseEnrollmentSchema, // You can keep adding here
+    placeholderEventSchema // Fallback until more types are defined
   ).required(),
   context: joi.object({
     user_id: joi.string().allow(null),
@@ -32,5 +32,9 @@ const OpenEdxEventSchema = joi.object({
   metadata: joi.object().unknown(true).optional()
 });
 
-module.exports = OpenEdxEventSchema;
+const OpenEdxIncomingMessageRequestSchema = joi.object({
+  body: openEdxEventSchema
+});
+
+module.exports = OpenEdxIncomingMessageRequestSchema;
 
diff --git a/src/validations/twilio/incoming.message.validation.js b/src/validations/twilio/incoming.message.validation.js
index 43d39c5..df48fdd 100644
--- a/src/validations/twilio/incoming.message.validation.js
+++ b/src/validations/twilio/incoming.message.validation.js
@@ -1,46 +1,6 @@
 const joi = require('joi');
-
-/**
- * 
- * @param {String} value 
- * @param {import('joi').CustomValidator} helpers 
- * @returns {import('joi').ErrorReport|String}
- */
-function validatePhoneNumber(value, helpers) {
-  // Must start with + and have 10-15 digits after
-  const phoneRegex = /^\+[1-9]\d{1,14}$/;
- 
-  if (!phoneRegex.test(value)) {
-    return helpers.error('any.invalid');
-  }
-  
-  return value;
-};
-
-/**
- * 
- * @param {String} value 
- * @param {import('joi').CustomHelpers} helpers 
- * @returns {import('joi').ErrorReport|String}
- */
-function validateSafeString(value, helpers) {
-  // Check for common SQL injection patterns
-  const dangerousPatterns = [
-    /('|(\\?')|(;|\\?;))/i,  // Single quotes and semicolons
-    /--(\\s|$)/i,            // SQL comments
-    /\b(DROP|DELETE|INSERT|UPDATE|SELECT|UNION|CREATE|ALTER|EXEC|EXECUTE)\b/i, // SQL keywords
-    /<script/i,              // Basic XSS
-    /javascript:/i           // JavaScript protocol
-  ];
-  
-  for (const pattern of dangerousPatterns) {
-    if (pattern.test(value)) {
-      return helpers.error('string.unsafe');
-    }
-  }
-  
-  return value;
-};
+const validatePhoneNumber = require('../../utils/validatePhoneNumber');
+const validateSafeString = require('../../utils/validateSafeString');
 
 // Twilio SMS payload validation schema
 const twilioIncomingMessageSchema = joi.object({
@@ -148,4 +108,8 @@ const twilioIncomingMessageSchema = joi.object({
     'object.unknown': 'Unknown field "{#label}" is not allowed'
   });
 
-module.exports = twilioIncomingMessageSchema;
\ No newline at end of file
+const twilioIncomingMessageRequestSchema = joi.object({
+  body: twilioIncomingMessageSchema
+});
+
+module.exports = twilioIncomingMessageRequestSchema;
\ No newline at end of file

From a344791684e78458c3526c3becacc1080d7be62a Mon Sep 17 00:00:00 2001
From: Mark de Dios <mhdedios@gmail.com>
Date: Sun, 13 Jul 2025 17:00:12 -0700
Subject: [PATCH 12/14] Remove .github/workflows/test.yml

---
 .github/workflows/test.yml | 43 --------------------------------------
 1 file changed, 43 deletions(-)
 delete mode 100644 .github/workflows/test.yml

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
deleted file mode 100644
index dbaaaf3..0000000
--- a/.github/workflows/test.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-name: Test code
-
-on:
-  workflow_dispatch:
-  pull_request:
-
-permissions:
-  contents: read
-
-# This allows a subsequently queued workflow run to interrupt previous runs
-concurrency:
-  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-
-      - name: Check out repo
-        uses: actions/checkout@v4
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Build and run linter
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: .docker/Dockerfile
-          tags: test-chatbot
-          outputs: type=docker
-
-      - name: Run tests
-        env:
-            DOCKER_BUILDKIT: 0
-        run: |
-          docker run --rm --memory=1g \
-          -v ${{ github.workspace }}:/chatbot_server \
-          -w /chatbot_server \
-          test-chatbot \
-          sh -c "pnpm install --frozen-lockfile && pnpm test"
\ No newline at end of file

From d2cf66b6e623bc3095a8514a26f7d6361e9e3d60 Mon Sep 17 00:00:00 2001
From: Mark de Dios <mhdedios@gmail.com>
Date: Sun, 13 Jul 2025 17:10:35 -0700
Subject: [PATCH 13/14] delete import for twilio incoming message validation,
 replace with general

---
 src/routes/messaging.routes.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/routes/messaging.routes.js b/src/routes/messaging.routes.js
index e51bcde..36341a6 100644
--- a/src/routes/messaging.routes.js
+++ b/src/routes/messaging.routes.js
@@ -1,11 +1,11 @@
 const express = require('express');
 const { messagingController } = require('../controllers');
 const validate = require('../middlewares/validate');
-const { twilioIncomingMessageValidation } = require('../validations');
+const { incomingMessageValidation } = require('../validations');
 
 const router = express.Router();
 
-router.post('/webhook/incoming-message', validate(twilioIncomingMessageValidation), messagingController.handleIncomingMessage);
+router.post('/webhook/incoming-message', validate(incomingMessageValidation), messagingController.handleIncomingMessage);
 
 router.get('/', (req, res) => {
   res.send('📨 Messaging API is working');

From 1f8c780a25341c245e317a156c03cebedd71a38f Mon Sep 17 00:00:00 2001
From: Mark de Dios <mhdedios@gmail.com>
Date: Sun, 13 Jul 2025 17:12:56 -0700
Subject: [PATCH 14/14] remove twilio incoming message validation from
 validations index

---
 src/validations/index.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/validations/index.js b/src/validations/index.js
index debbe0b..557e6f2 100644
--- a/src/validations/index.js
+++ b/src/validations/index.js
@@ -1,3 +1,2 @@
 module.exports.envValidation = require('./env.validation');
-module.exports.incomingMessageValidation = require('./webhook/incoming.message.validation');
-module.exports.twilioIncomingMessageValidation = require('./twilio/incoming.message.validation');
\ No newline at end of file
+module.exports.incomingMessageValidation = require('./webhook/incoming.message.validation');
\ No newline at end of file