diff --git a/app/api/stories/delete/route.ts b/app/api/stories/delete/route.ts index 735146d..e0c2cfb 100644 --- a/app/api/stories/delete/route.ts +++ b/app/api/stories/delete/route.ts @@ -1,7 +1,6 @@ import { NextResponse } from "next/server"; import { requireUser } from "@/lib/supabase/guard"; import { cloudSoftDeleteStory } from "@/lib/persistence/cloudStore"; -import { coerceEpoch } from "@/lib/persistence/types"; export const runtime = "nodejs"; @@ -24,9 +23,16 @@ export async function POST(req: Request) { if (!id) { return NextResponse.json({ error: "missing id" }, { status: 400 }); } - const rev = typeof body.rev === "number" ? body.rev : 1; - const deletedAt = coerceEpoch(body.deletedAt, Date.now()); + // Validate rev/deletedAt as finite values (see push route rationale): reject + // bad input with 400 rather than letting NaN/Infinity reach the PostgREST + // filter or toISOString(). + if (typeof body.rev !== "number" || !Number.isFinite(body.rev) || body.rev <= 0) { + return NextResponse.json({ error: "invalid rev" }, { status: 400 }); + } + if (typeof body.deletedAt !== "number" || !Number.isFinite(body.deletedAt)) { + return NextResponse.json({ error: "invalid deletedAt" }, { status: 400 }); + } - const ok = await cloudSoftDeleteStory(id, rev, deletedAt); + const ok = await cloudSoftDeleteStory(id, body.rev, body.deletedAt); return NextResponse.json({ ok }); } diff --git a/app/api/stories/manifest/route.ts b/app/api/stories/manifest/route.ts index 9831ac9..41af555 100644 --- a/app/api/stories/manifest/route.ts +++ b/app/api/stories/manifest/route.ts @@ -15,5 +15,8 @@ export async function GET() { if (auth instanceof NextResponse) return auth; const items = await cloudStoryManifest(); - return NextResponse.json({ items }); + return NextResponse.json( + { items }, + { headers: { "Cache-Control": "private, no-store" } }, + ); } diff --git a/app/api/stories/push/route.ts b/app/api/stories/push/route.ts index 3403cf0..8b93f34 100644 --- a/app/api/stories/push/route.ts +++ b/app/api/stories/push/route.ts @@ -19,6 +19,13 @@ export async function POST(req: Request) { const auth = await requireUser(); if (auth instanceof NextResponse) return auth; + // Pre-check Content-Length to reject an oversized body before buffering it. + // The post-read byteLength check below still covers chunked/omitted headers. + const contentLength = req.headers.get("content-length"); + if (contentLength && Number(contentLength) > MAX_PUSH_BYTES) { + return NextResponse.json({ error: "payload too large" }, { status: 413 }); + } + let raw: string; try { raw = await req.text(); @@ -38,14 +45,30 @@ export async function POST(req: Request) { if (!env?.id || typeof env.id !== "string") { return NextResponse.json({ error: "missing id" }, { status: 400 }); } + // Validate the LWW-ordering fields as finite values: a non-finite rev / + // updatedAt would otherwise reach the RPC, throw at toISOString(), and surface + // as a silent { stored:null, won:false } 200 — return 400 so the caller can + // diagnose a bad request rather than mistake it for a normal lost conflict. + if (typeof env.rev !== "number" || !Number.isFinite(env.rev) || env.rev <= 0) { + return NextResponse.json({ error: "invalid rev" }, { status: 400 }); + } + if (typeof env.updatedAt !== "number" || !Number.isFinite(env.updatedAt)) { + return NextResponse.json({ error: "invalid updatedAt" }, { status: 400 }); + } + if ( + env.deletedAt != null && + (typeof env.deletedAt !== "number" || !Number.isFinite(env.deletedAt)) + ) { + return NextResponse.json({ error: "invalid deletedAt" }, { status: 400 }); + } // Defensive coercion at the trust boundary (the slim session itself is left to // the client — it's reconstructible and never security-sensitive after slim). const result = await cloudSaveStory({ ...env, orientation: coerceOrientation(env.orientation), - updatedAt: coerceEpoch(env.updatedAt, Date.now()), - deletedAt: env.deletedAt == null ? null : coerceEpoch(env.deletedAt, Date.now()), + updatedAt: coerceEpoch(env.updatedAt, 0), + deletedAt: env.deletedAt == null ? null : coerceEpoch(env.deletedAt, 0), }); return NextResponse.json(result); } diff --git a/lib/persistence/cloudSync.ts b/lib/persistence/cloudSync.ts index e993d01..e9f83f4 100644 --- a/lib/persistence/cloudSync.ts +++ b/lib/persistence/cloudSync.ts @@ -25,6 +25,7 @@ import { putSyncedRecord, markRecordSynced, } from "./localStore"; +import { idbGet, STORIES_STORE } from "./idb"; import { coerceEpoch, type StoryRecord, type StorySyncMeta, type StorySyncEnvelope } from "./types"; // Keep in lockstep with the pull route's MAX_PULL_IDS. @@ -88,8 +89,8 @@ function recordToEnvelope(rec: StoryRecord): StorySyncEnvelope { sceneCount: rec.sceneCount ?? 0, rev: rec.rev ?? 1, session: rec.session, - updatedAt: coerceEpoch(rec.updatedAt, Date.now()), - deletedAt: rec.deletedAt == null ? null : coerceEpoch(rec.deletedAt, Date.now()), + updatedAt: coerceEpoch(rec.updatedAt, 0), + deletedAt: rec.deletedAt == null ? null : coerceEpoch(rec.deletedAt, 0), }; } @@ -105,7 +106,7 @@ async function pushOne(rec: StoryRecord): Promise { const res = await pushBlob(recordToEnvelope(rec)); if (!res) return; // network/auth failure → leave pending for next reconcile if (res.won) { - await markRecordSynced(rec.id, rec.rev ?? 1); + await markRecordSynced(rec.id, rec.rev ?? 1, coerceEpoch(rec.updatedAt, 0)); } else if (res.stored) { await putSyncedRecord(res.stored); // we lost → adopt the newer cloud state } @@ -177,7 +178,7 @@ async function reconcile(): Promise { for (const rec of toDelete) { try { const ok = await pushDelete(rec.id, rec.rev ?? 1, coerceEpoch(rec.deletedAt, Date.now())); - if (ok) await markRecordSynced(rec.id, rec.rev ?? 1); + if (ok) await markRecordSynced(rec.id, rec.rev ?? 1, coerceEpoch(rec.updatedAt, 0)); // !ok → cloud has a newer row; the next reconcile pulls it back. } catch { /* leave pending */ @@ -186,7 +187,7 @@ async function reconcile(): Promise { // Mark already-consistent records synced. for (const rec of toMarkSynced) { try { - await markRecordSynced(rec.id, rec.rev ?? 1); + await markRecordSynced(rec.id, rec.rev ?? 1, coerceEpoch(rec.updatedAt, 0)); } catch { /* best-effort */ } @@ -236,10 +237,10 @@ export async function pushDeletion(id: string): Promise { if (!AUTH_ENABLED || !id) return; try { if (!(await isAuthed())) return; - const rec = (await listAllRecordsForSync()).find((r) => r.id === id); + const rec = await idbGet(STORIES_STORE, id); if (!rec || !rec.deletedAt) return; // not a tombstone / already gone const ok = await pushDelete(id, rec.rev ?? 1, coerceEpoch(rec.deletedAt, Date.now())); - if (ok) await markRecordSynced(id, rec.rev ?? 1); + if (ok) await markRecordSynced(id, rec.rev ?? 1, coerceEpoch(rec.updatedAt, 0)); } catch { /* leave pending */ } diff --git a/lib/persistence/cloudSyncClient.ts b/lib/persistence/cloudSyncClient.ts index aa5a30c..b3179ca 100644 --- a/lib/persistence/cloudSyncClient.ts +++ b/lib/persistence/cloudSyncClient.ts @@ -36,10 +36,10 @@ async function postJson(url: string, body: unknown): Promise { export async function pullManifest(): Promise { if (!AUTH_ENABLED) return []; try { - const res = await fetch("/api/stories/manifest", { method: "GET" }); + const res = await fetch("/api/stories/manifest", { method: "GET", cache: "no-store" }); if (!res.ok) return []; - const data = (await res.json()) as { items?: StorySyncMeta[] }; - return data.items ?? []; + const data = (await res.json()) as { items?: unknown }; + return Array.isArray(data.items) ? (data.items as StorySyncMeta[]) : []; } catch { return []; } @@ -48,11 +48,8 @@ export async function pullManifest(): Promise { /** Pull full envelopes for the given ids. [] on empty ids / failure / auth off. */ export async function pullBlobs(ids: string[]): Promise { if (!AUTH_ENABLED || ids.length === 0) return []; - const data = await postJson<{ blobs?: StorySyncEnvelope[] }>( - "/api/stories/pull", - { ids }, - ); - return data?.blobs ?? []; + const data = await postJson<{ blobs?: unknown }>("/api/stories/pull", { ids }); + return Array.isArray(data?.blobs) ? (data.blobs as StorySyncEnvelope[]) : []; } /** Push one envelope through the optimistic-concurrency RPC. Returns the diff --git a/lib/persistence/localStore.ts b/lib/persistence/localStore.ts index c004fd1..820600e 100644 --- a/lib/persistence/localStore.ts +++ b/lib/persistence/localStore.ts @@ -251,10 +251,15 @@ export async function putSyncedRecord( * the rev we pushed. A newer local edit (rev moved past what we pushed) is left * pending so the next reconcile re-pushes the newer content. No-op if the * record is gone or already synced (Req 8.1). */ -export async function markRecordSynced(id: string, rev: number): Promise { +export async function markRecordSynced(id: string, rev: number, updatedAt: number): Promise { const rec = await idbGet(STORIES_STORE, id); if (!rec) return; + // Guard on BOTH rev and updatedAt. softDeleteStory bumps updatedAt WITHOUT + // bumping rev, so a same-rev-but-newer local tombstone produced while a push + // was in flight must NOT be marked synced by that older push's ack (it still + // owes a delete push). Symmetric with putSyncedRecord's concurrency guard. if ((rec.rev ?? 1) !== rev) return; + if (coerceEpoch(rec.updatedAt, 0) !== coerceEpoch(updatedAt, 0)) return; if (rec.syncState === "synced") return; await idbPut(STORIES_STORE, { ...rec, syncState: "synced" }); } diff --git a/supabase/migrations/20260628095015_upsert_story_if_newer.sql b/supabase/migrations/20260628095015_upsert_story_if_newer.sql index deb5ecb..6e95f0f 100644 --- a/supabase/migrations/20260628095015_upsert_story_if_newer.sql +++ b/supabase/migrations/20260628095015_upsert_story_if_newer.sql @@ -68,11 +68,12 @@ begin and excluded.updated_at > public.stories.updated_at) returning * into v_row; - -- v_row is populated on a fresh insert OR a winning update. It is NULL when - -- the row already existed AND the where-guard rejected the update (stale - -- write) — in that case return the current cloud row so the caller sees it + -- FOUND is the idiomatic PL/pgSQL test for whether RETURNING produced a row: + -- true on a fresh insert OR a winning update; false when the row already + -- existed AND the where-guard rejected the update (stale write). In the stale + -- case fall through and return the current cloud row so the caller sees it -- lost and can reconcile by pulling the newer cloud state. - if v_row.id is not null then + if found then return v_row; end if;