fix(brex): reject whitespace-only expense IDs in receipt upload instead of silently falling back to receipt match

waleedlatif1 · waleedlatif1 · commit 7ab893e31d37 · 2026-06-11T16:52:16.000-07:00
diff --git a/apps/sim/app/api/tools/brex/upload-receipt/route.test.ts b/apps/sim/app/api/tools/brex/upload-receipt/route.test.ts
@@ -94,6 +94,29 @@ describe('POST /api/tools/brex/upload-receipt', () => {
     expect(uploadInit.method).toBe('PUT')
   })
 
+  it('rejects a whitespace-only expense ID instead of falling back to receipt match', async () => {
+    const response = await POST(createMockRequest('POST', { ...baseBody, expenseId: '   ' }))
+    expect(response.status).toBe(400)
+    expect(mockFetch).not.toHaveBeenCalled()
+  })
+
+  it('trims a padded expense ID before building the upload URL', async () => {
+    mockFetch
+      .mockResolvedValueOnce(
+        jsonResponse({ id: 'receipt_5', uri: 'https://s3.example.com/presigned' })
+      )
+      .mockResolvedValueOnce(jsonResponse({}))
+
+    const response = await POST(
+      createMockRequest('POST', { ...baseBody, expenseId: '  expense_123  ' })
+    )
+    expect(response.status).toBe(200)
+    const [createUrl] = mockFetch.mock.calls[0]
+    expect(createUrl).toBe('https://api.brex.com/v1/expenses/card/expense_123/receipt_upload')
+    const data = await response.json()
+    expect(data.output.expenseId).toBe('expense_123')
+  })
+
   it('uses receipt match when no expense ID is provided', async () => {
     mockFetch
       .mockResolvedValueOnce(
diff --git a/apps/sim/app/api/tools/brex/upload-receipt/route.ts b/apps/sim/app/api/tools/brex/upload-receipt/route.ts
@@ -53,13 +53,12 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
     }
 
     const effectiveReceiptName = receiptName?.trim() || userFile.name
-    const trimmedExpenseId = expenseId?.trim() || undefined
-    const endpoint = trimmedExpenseId
-      ? `${BREX_API_BASE}/v1/expenses/card/${encodeURIComponent(trimmedExpenseId)}/receipt_upload`
+    const endpoint = expenseId
+      ? `${BREX_API_BASE}/v1/expenses/card/${encodeURIComponent(expenseId)}/receipt_upload`
       : `${BREX_API_BASE}/v1/expenses/card/receipt_match`
 
     logger.info(
-      `[${requestId}] Creating Brex ${trimmedExpenseId ? 'receipt upload' : 'receipt match'}: ${effectiveReceiptName} (${fileBuffer.length} bytes)`
+      `[${requestId}] Creating Brex ${expenseId ? 'receipt upload' : 'receipt match'}: ${effectiveReceiptName} (${fileBuffer.length} bytes)`
     )
 
     const createResponse = await fetch(endpoint, {
@@ -116,7 +115,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       output: {
         receiptId: createData.id,
         receiptName: effectiveReceiptName,
-        expenseId: trimmedExpenseId ?? null,
+        expenseId: expenseId ?? null,
       },
     })
   } catch (error) {
diff --git a/apps/sim/lib/api/contracts/tools/brex.ts b/apps/sim/lib/api/contracts/tools/brex.ts
@@ -5,7 +5,7 @@ import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
 
 export const brexUploadReceiptBodySchema = z.object({
   apiKey: z.string().min(1, 'API key is required'),
-  expenseId: z.string().min(1, 'Expense ID cannot be empty').optional(),
+  expenseId: z.string().trim().min(1, 'Expense ID cannot be empty').optional(),
   file: RawFileInputSchema,
   receiptName: z
     .string()
