18 changes: 12 additions & 6 deletions controllers/countryController.js
@@ -772,15 +772,21 @@ class CountryController {
*/
static async getStateCities(req, res, next) {
try {
const { country, state } = req.query;
if (!country) {
const { country, state, iso2, state_code } = req.query;
if (!country || !iso2 || !iso3) {

Undefined iso3 causes validation to always fail

High Severity

The variable iso3 is referenced in the validation check and later lookup logic, but it's never destructured from req.query on line 775 (only country, state, iso2, and state_code are extracted). Since iso3 is always undefined, the condition !iso3 is always true, causing the function to return a 400 error for every request regardless of the parameters provided.

Validation uses OR instead of AND operators

High Severity

The validation checks use || (OR) operators instead of && (AND). Using !country || !iso2 requires ALL parameters to be present, but the intent is to require at least ONE. Other similar functions in this file consistently use the && pattern (e.g., if (!country && !iso2)). The same issue affects the state validation on line 779.

return Respond.error(res, 'missing param (country)', 400);
}
if (!state) {
if (!state || !state_code) {
return Respond.error(res, 'missing param (state)', 400);
}

const countryData = Object.values(CountriesStateCityFormatted).find((x) => x.name.toLowerCase() === country.toLowerCase());
let countryData;
if(country){
countryData = Object.values(CountriesStateCityFormatted).find((x) => x.name.toLowerCase() === country.toLowerCase())
} else if(iso2){
countryData = Object.values(CountriesStateCityFormatted).find((x) => x.iso2.toLowerCase() === iso2.toLowerCase())
} else if(iso3){
countryData = Object.values(CountriesStateCityFormatted).find((x) => x.iso3.toLowerCase() === iso3.toLowerCase())
}
if (!countryData) {
return Respond.error(res, 'country not found', 404);
}
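Review bot: The 400 response at `return Respond.error(res, 'missing param (country)', 400);` still names only `country`, even though the check directly above it now also accepts `iso2` (and `iso3`); a caller who omitted all of them is told only about `country`. Suggest `'missing param (country, iso2 or iso3)'`, and likewise `'missing param (state or state_code)'` for the `state` branch. Separately, `req.query` values are not guaranteed to be strings (a repeated key such as `?iso2=a&iso2=b` arrives as an array), so `iso2.toLowerCase()` inside the `else if(iso2)` lookup can throw a TypeError and turn a bad request into whatever the surrounding `catch` returns; a `typeof iso2 === 'string'` guard alongside the presence check keeps it a 400. Minor style: the new `if(country){` / `} else if(iso2){` lines drop the spaces and trailing semicolons the rest of this method uses.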
@@ -789,7 +795,7 @@ class CountryController {
name: x.name.trim().toLowerCase().endsWith('state') ? x.name.toLowerCase().trim() : x.name,
cities: x.cities,
}));
const stateData = Object.values(statesFormatted).find((x) => x.name.toLowerCase() === state.toLowerCase());
const stateData = state ? Object.values(statesFormatted).find((x) => x.name.toLowerCase() === state.toLowerCase()) : Object.values(statesFormatted).find((x) => x.state_code.toLowerCase() === state_code.toLowerCase());

state_code missing from mapped state objects

High Severity

The statesFormatted mapping on lines 794-797 only includes name and cities properties, but line 798 tries to access x.state_code on these objects when looking up by state code. Since state_code was not included in the mapping, it's undefined, and calling .toLowerCase() on undefined will throw a TypeError.

Success message shows undefined for alternative parameters

Medium Severity

The success message uses ${state} and ${country} directly from the query parameters. When users look up cities using alternative parameters (iso2 instead of country, or state_code instead of state), these variables will be undefined. This results in a confusing response message like "cities in state undefined of country undefined retrieved".

if (!stateData) {
return Respond.error(res, 'state not found', 404);
}
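Review bot: The ternary on the `const stateData = state ? ... : ...` line silently ignores `state_code` whenever `state` is also supplied, so a request carrying both `state=Foo&state_code=BAR` gets cities for `Foo` with no indication that `BAR` was dropped; either document that `state` takes precedence or reject the request when both are present. The line is also long enough that rewriting it as an if/else mirroring the country lookup in the previous hunk would make that precedence visible and give each branch its own place for a type guard on the value before `.toLowerCase()` is called. The `'state not found'` 404 below it reads the same whichever parameter was used; naming the parameter that failed to match would make the response easier to act on.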