From 38644594d24871adbb36e00f300e85485324531f Mon Sep 17 00:00:00 2001
From: Yaojia Wang <yaojia.wang@colacoder.com>
Date: Tue, 31 Mar 2026 13:44:04 +0200
Subject: [PATCH] test: add thread_id validation tests for replay API

- Test invalid thread_id with spaces returns 400
- Test thread_id with special chars returns 400
- Tighten existing 404 test assertion
---
 backend/tests/unit/replay/test_api.py | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/backend/tests/unit/replay/test_api.py b/backend/tests/unit/replay/test_api.py
index 0cf6db4..412938e 100644
--- a/backend/tests/unit/replay/test_api.py
+++ b/backend/tests/unit/replay/test_api.py
@@ -156,5 +156,21 @@ class TestGetReplay:
 
         with TestClient(app) as client:
             resp = client.get("/api/replay/missing")
-        body = resp.json()
-        assert "detail" in body or "error" in body or resp.status_code == 404
+        assert resp.status_code == 404
+        assert "detail" in resp.json()
+
+    def test_invalid_thread_id_returns_400(self) -> None:
+        app = _build_app()
+        app.state.pool = _make_mock_pool([])
+
+        with TestClient(app) as client:
+            resp = client.get("/api/replay/id%20with%20spaces")
+        assert resp.status_code == 400
+
+    def test_thread_id_special_chars_returns_400(self) -> None:
+        app = _build_app()
+        app.state.pool = _make_mock_pool([])
+
+        with TestClient(app) as client:
+            resp = client.get("/api/replay/id;DROP TABLE")
+        assert resp.status_code == 400