Skip to main content

Edge Case: Chatbot API Security and Error Handling

non-critical   Property: ChurchWiseAI   Category: Security Tier: all Persona: security-tester Touchpoint: /api/chatbot/stream

Preconditions

  • Chatbot API endpoint is live
  • Demo church exists with ID in test data

Steps

#ActionExpected Result
1Send request missing churchId parameterAPI returns 400 Bad Request. Error message indicates missing required field.
2Send request missing sessionId parameterAPI returns 400 Bad Request. Error message indicates missing required field.
3Send request missing message parameterAPI returns 400 Bad Request. Error message indicates missing required field.
4Send request with nonexistent churchIdAPI returns 404 Not Found. No error response leaks database structure.
5Send valid request with all required fieldsAPI returns 200 OK with AI response, or 403 if chatbot disabled on demo. No 500 error.
6Send request with agentType=prayerAPI routes to prayer agent. Returns status < 500 (no crash). Response uses care/prayer tone.
7Send request with agentType=visitor (unknown agent)API handles gracefully. Returns 400 (invalid agent type) or defaults to main agent. No 500.
8Send oversized message (>2000 chars)API returns 400 with message 'Message too long'. No truncation, no silent failure.
9Send message with XSS payload in textAPI accepts message. No 500 error. Response is properly escaped when rendered.

Known Failure Modes

  • Missing required fields returns 500 instead of 400 — poor error handling
  • Nonexistent church returns 500 — information disclosure vulnerability
  • Oversized message crashes API — DoS vector
  • Agent type routing crashes — uncaught error on unknown types

References

Notes

Tests chatbot API edge cases: missing/invalid inputs, unknown agent types, message size limits, and error handling. API must validate all inputs, return appropriate error codes (400/404 vs 500), and never crash or leak information. XSS in chat messages must be handled safely at render time.