fix(core): fix applications APIs status guard (#6845)

packages/core/src/routes/applications/application.ts

@@ -256,7 +256,7 @@ export default function applicationRoutes<T extends ManagementApiRouter>(
         })
       ),
       response: Applications.guard,
-      status: [200, 404, 422, 500],
+      status: [200, 400, 404, 422, 500],
     }),
     async (ctx, next) => {
       const {
@@ -341,7 +341,7 @@ export default function applicationRoutes<T extends ManagementApiRouter>(
     koaGuard({
       params: object({ id: string().min(1) }),
       response: z.undefined(),
-      status: [204, 404, 422],
+      status: [204, 400, 404, 422],
     }),
     async (ctx, next) => {
       const { id } = ctx.guard.params;

packages/integration-tests/src/tests/api/application/saml-application.test.ts

@@ -1,6 +1,6 @@
 import { ApplicationType, BindingType } from '@logto/schemas';
 
-import { createApplication, deleteApplication } from '#src/api/application.js';
+import { createApplication, deleteApplication, updateApplication } from '#src/api/application.js';
 import {
   createSamlApplication,
   deleteSamlApplication,
@@ -123,6 +123,14 @@ describe('SAML application secrets/certificate/metadata', () => {
     // @ts-expect-error - Make sure the `privateKey` is not exposed
     expect(createdSecret.privateKey).toBeUndefined();
 
+    await expectRejects(updateApplication(id, { name: 'updated' }), {
+      code: 'application.saml.use_saml_app_api',
+      status: 400,
+    });
+    await expectRejects(deleteApplication(id), {
+      code: 'application.saml.use_saml_app_api',
+      status: 400,
+    });
     await deleteSamlApplication(id);
   });