bug: Wrapped route re-validates the already-sanitized speed with an integer-only regex, dropping valid decimals #4833

@Anexus5919

Description

The /api/wrapped route validates the speed query parameter twice. The zod schema (wrappedParamsSchema in lib/validations.ts) already sanitizes it via sanitizeSpeed, which accepts any value matching \d+(\.\d+)?s in the range 2s to 20s, so a request like ?speed=8.5s yields the valid sanitized value 8.5s.

When building BadgeParams, the route then re-validates that same value with an integer-only regex, /^(?:[2-9]|1\d|20)s$/, which matches only whole-second values. A valid in-range decimal such as 8.5s therefore fails the second check and falls back to the default of 8s. Decimal speeds that the schema accepts are silently discarded.

This is the same defect that was already fixed for /api/streak; the Wrapped route still contains it.

Steps to Reproduce

  1. Request /api/wrapped?user=octocat&speed=8.5s.
  2. Inspect the returned SVG (the --scan-speed animation duration).
  3. Observe it is 8s rather than the requested 8.5s, even though 8.5s is within the accepted 2s to 20s range.

Expected Behavior

The route trusts the value already sanitized by the schema, so a valid in-range decimal speed like 8.5s is preserved instead of being reset to 8s.
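The two checks described above, modelled as a stand-alone example. This is added illustration, not the project's code: the integer-only regex and the 8s fallback are the ones quoted in this issue, while the body of sanitizeSpeed, the SPEED_MIN/SPEED_MAX constants and the resolveSpeed helper are assumptions standing in for the zod schema and the route handler.

```typescript
// Added example (not the project's code). Models the double validation of
// the speed query parameter described in this issue.

// Assumed range and default; the issue states 2s..20s and a fallback of 8s.
const SPEED_MIN = 2;
const SPEED_MAX = 20;
const DEFAULT_SPEED = "8s";

// Stand-in for the schema's sanitizeSpeed (assumed implementation): accept
// \d+(\.\d+)?s, anchored on both ends, with the number in [SPEED_MIN, SPEED_MAX].
// Returns null for anything else so the caller can fall back.
function sanitizeSpeed(raw: string | undefined): string | null {
  if (raw === undefined) return null;
  const m = /^(\d+(?:\.\d+)?)s$/.exec(raw);
  if (m === null) return null;
  const digits = m[1] ?? "";
  const seconds = Number.parseFloat(digits);
  if (!Number.isFinite(seconds) || seconds < SPEED_MIN || seconds > SPEED_MAX) {
    return null;
  }
  return `${digits}s`;
}

// Buggy behaviour: the route re-validates the already-sanitized value with the
// integer-only regex quoted in the issue, so "8.5s" is rejected and reset to 8s.
const INTEGER_ONLY = /^(?:[2-9]|1\d|20)s$/;
function buggyBadgeSpeed(sanitized: string): string {
  return INTEGER_ONLY.test(sanitized) ? sanitized : DEFAULT_SPEED;
}

// Expected behaviour: trust the schema output and only fall back when the
// schema produced nothing. No second regex, so decimals survive.
function fixedBadgeSpeed(sanitized: string | null): string {
  return sanitized ?? DEFAULT_SPEED;
}

// Assumed helper that mirrors the route: parse the query through the schema,
// then build the badge speed either the buggy way or the fixed way.
function resolveSpeed(
  query: Record<string, string | undefined>,
  trustSchema: boolean,
): string {
  const sanitized = sanitizeSpeed(query.speed);
  if (sanitized === null) return DEFAULT_SPEED;
  return trustSchema ? fixedBadgeSpeed(sanitized) : buggyBadgeSpeed(sanitized);
}

// Constructed sample inputs: a valid decimal, a valid integer, an out-of-range
// value, and an injection-shaped value that the anchored schema regex rejects.
const samples = ["8.5s", "10s", "25s", "8s;background:url(x)"];
for (const s of samples) {
  console.log(
    `${s} -> buggy: ${resolveSpeed({ speed: s }, false)}, fixed: ${resolveSpeed({ speed: s }, true)}`,
  );
}
```

The fix removes the redundant second check, not the first: the anchored schema regex is what guarantees the value contains only digits, an optional decimal point and a trailing s before it is interpolated into the SVG's animation duration, so the route can rely on it without re-validating.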

Screenshots / Logs

Not applicable. Server-side parameter handling.

Environment

Other

Metadata

Assignees

Labels

No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests