From 061c3baab36805847bf44750ddb1b00d78597084 Mon Sep 17 00:00:00 2001
From: sladro
Date: Fri, 27 Mar 2026 11:54:42 +0800
Subject: [PATCH] fix: normalize malformed pairing requests
---
 .../Api/PairingEndpoints.cs | 22 ++++++++++++++++++-
 .../Api/PairingEndpointsTests.cs | 5 +++++
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/apps/windows_agent/src/TermRemoteCtl.Agent/Api/PairingEndpoints.cs b/apps/windows_agent/src/TermRemoteCtl.Agent/Api/PairingEndpoints.cs
index df789af..f61de21 100644
--- a/apps/windows_agent/src/TermRemoteCtl.Agent/Api/PairingEndpoints.cs
+++ b/apps/windows_agent/src/TermRemoteCtl.Agent/Api/PairingEndpoints.cs
@@ -1,3 +1,4 @@
+using System.Text.Json;
 using Microsoft.AspNetCore.Mvc;
 using TermRemoteCtl.Agent.Security;
@@ -26,12 +27,13 @@ public static class PairingEndpoints
 });
 group.MapPost("/redeem", async (
- [FromBody] RedeemPairingRequest? request,
+ HttpRequest httpRequest,
 PairingService pairingService,
 AuditLog auditLog,
 IClock clock,
 CancellationToken cancellationToken) =>
 {
+ var request = await ReadRedeemRequestAsync(httpRequest, cancellationToken);
 var validationError = ValidateRedeemRequest(request);
 if (validationError is not null)
 {
@@ -56,6 +58,24 @@ public static class PairingEndpoints
 return endpoints;
 }
+ private static async Task ReadRedeemRequestAsync(
+ HttpRequest httpRequest,
+ CancellationToken cancellationToken)
+ {
+ try
+ {
+ return await httpRequest.ReadFromJsonAsync(cancellationToken);
+ }
+ catch (JsonException)
+ {
+ return null;
+ }
+ catch (BadHttpRequestException)
+ {
+ return null;
+ }
+ }
+
 private static RedeemPairingResponse? ValidateRedeemRequest(RedeemPairingRequest? request)
 {
 if (request is null)
diff --git a/apps/windows_agent/tests/TermRemoteCtl.Agent.IntegrationTests/Api/PairingEndpointsTests.cs b/apps/windows_agent/tests/TermRemoteCtl.Agent.IntegrationTests/Api/PairingEndpointsTests.cs
index 15f0110..b8a9b85 100644
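Review bot: In the `/redeem` handler, `request` is now null for every unreadable body, so the rejection path after `ValidateRedeemRequest(request)` cannot tell truncated JSON from an aborted or rejected read. The body of the `if (validationError is not null)` branch lies outside this hunk, so whether it writes to `auditLog` is not visible here; if it does not, malformed redeem attempts against the pairing endpoint leave no record. I would state the contract at the call site, `// request is null when the body is absent or unparsable; the rejection below is still audited`, and confirm the branch does what the comment says.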
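Review bot: `ReadRedeemRequestAsync` still lets one malformed-request case escape: `HttpRequest.ReadFromJsonAsync` throws `InvalidOperationException` when the request's Content-Type is not a JSON media type, and neither catch clause covers that. A POST sent as `text/plain`, or with no Content-Type, would then surface as an unhandled exception (a 500 by default) instead of the `invalid_request` rejection, on an endpoint a client presumably reaches before it is paired. Check the media type up front rather than catching the broad exception, with `if (!httpRequest.HasJsonContentType()) { return null; }` as the first statement of the helper. The `catch (BadHttpRequestException)` clause also flattens that exception's `StatusCode` into the same 400, so a one-line comment saying this is intentional would help the next reader.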
--- a/apps/windows_agent/tests/TermRemoteCtl.Agent.IntegrationTests/Api/PairingEndpointsTests.cs
+++ b/apps/windows_agent/tests/TermRemoteCtl.Agent.IntegrationTests/Api/PairingEndpointsTests.cs
@@ -43,8 +43,13 @@ public sealed class PairingEndpointsTests
 using var content = new StringContent("{\"code\":", Encoding.UTF8, "application/json");
 using var response = await client.PostAsync("/api/pairing/redeem", content);
+ var payload = await response.Content.ReadFromJsonAsync();
 Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+ Assert.NotNull(payload);
+ Assert.False(payload.Success);
+ Assert.Equal("invalid_request", payload.ErrorCode);
+ Assert.Equal("rejected", payload.Status);
 }
 [Fact]
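Review bot: The strengthened assertions still exercise only one malformed shape, a truncated JSON body sent as `application/json`. The new reader in `PairingEndpoints.cs` takes different paths for a non-JSON Content-Type, an empty body and the JSON literal `null`, and none of those is pinned here. I would add sibling facts that reuse these assertions with, for example, `new StringContent("null", Encoding.UTF8, "application/json")` and `new StringContent("{}", Encoding.UTF8, "text/plain")`, each expecting 400 with `invalid_request`. The test method starts above this hunk, so its name and client setup are not visible.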