workspace_id accepts URL-unsafe characters (slash, empty string) making workspaces inaccessible #276

@EnjoyBacon7

Summary

There is no validation on workspace_id when creating a workspace. Characters such as / are accepted and stored, but the resulting workspace is permanently inaccessible via the REST API because the slash is interpreted as a URL path separator.

Root cause

CreateWorkspaceRequest in openrag/routers/workspaces.py:24 declares workspace_id: str with no constraints. FastAPI/Pydantic accept any string, including empty strings and strings containing slashes.

# workspaces.py:24 — no validation on workspace_id
class CreateWorkspaceRequest(BaseModel):
    workspace_id: str
    display_name: str | None = None

Steps to reproduce

# Create a workspace with a slash in the ID
curl -X POST http://<host>/partition/default/workspaces \
  -H "Content-Type: application/json" \
  -d '{"workspace_id": "ws/slash"}'
# Returns 201 Created

# Try to access it — 404 because the router parses the slash as a path separator
curl http://<host>/partition/default/workspaces/ws/slash
# Returns 404 Not Found (route not matched)

An empty string "" is also accepted, producing a workspace that cannot be referenced in any subsequent API call.

Expected behaviour

workspace_id should be validated to contain only URL-safe characters (e.g. alphanumerics, hyphens, underscores). Invalid values should return 422 Unprocessable Entity.

Suggested fix

Add a Pydantic validator using a regex pattern:

import re

from pydantic import BaseModel, field_validator

class CreateWorkspaceRequest(BaseModel):
    workspace_id: str
    display_name: str | None = None

    @field_validator("workspace_id")
    @classmethod
    def validate_workspace_id(cls, v: str) -> str:
        if not v or not re.fullmatch(r"[a-zA-Z0-9_-]+", v):
            raise ValueError("workspace_id must be non-empty and contain only alphanumeric characters, hyphens, or underscores")
        return v

Affected file

openrag/routers/workspaces.py, line 24
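
An added example, not part of the original issue or the project's code: it applies the character set from the suggested validator to the IDs in this report plus a few constructed edge cases, and checks whether a GET path built from each ID still resolves to that ID. The route template is inferred from the curl commands above, and `match_route`, `audit` and `SAMPLE_IDS` are hypothetical names; the matcher is a simplified stand-in for a router in which each path parameter binds exactly one non-empty segment.

```python
import re
from typing import Optional

# Same character set as the validator suggested in the report.
WORKSPACE_ID_RE = re.compile(r"[a-zA-Z0-9_-]+")
# Assumed route shape, inferred from the curl commands in the report.
ROUTE_TEMPLATE = "/partition/{partition}/workspaces/{workspace_id}"
# Constructed sample IDs: the two from the report plus extra edge cases.
SAMPLE_IDS = ["ws-1", "team_A-01", "ws/slash", "", "a/b/c", "ws\n"]


def is_valid_workspace_id(value: str) -> bool:
    """True only for a non-empty string made entirely of [a-zA-Z0-9_-]."""
    # fullmatch, unlike match() with a "$" anchor, also rejects "ws\n".
    return WORKSPACE_ID_RE.fullmatch(value) is not None


def match_route(path: str, template: str = ROUTE_TEMPLATE) -> Optional[dict]:
    """Simplified stand-in for a router: each {param} binds exactly one
    non-empty path segment, so a "/" inside a value adds segments."""
    wanted = template.strip("/").split("/")
    got = path.lstrip("/").split("/")
    if len(wanted) != len(got):
        return None
    params = {}
    for pattern, segment in zip(wanted, got):
        if pattern.startswith("{") and pattern.endswith("}"):
            if not segment:
                return None  # empty ID leaves nothing to bind
            params[pattern[1:-1]] = segment
        elif pattern != segment:
            return None
    return params


def audit(ids=SAMPLE_IDS, partition: str = "default") -> dict:
    """Map each ID to (passes validation, GET path resolves to that ID)."""
    report = {}
    for wid in ids:
        params = match_route(f"/partition/{partition}/workspaces/{wid}")
        reachable = params is not None and params["workspace_id"] == wid
        report[wid] = (is_valid_workspace_id(wid), reachable)
    return report


if __name__ == "__main__":
    for wid, (valid, reachable) in audit().items():
        print(f"{wid!r:12} valid={valid!s:5} reachable={reachable}")
```

Every ID that fails to resolve is also rejected by the pattern, and the pattern additionally rejects `"ws\n"`, which a `^...$` check with `re.match` would let through.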
