fix(persistence): address PR #117 review feedback

Adopt 8 PR-agent (Qodo) findings; 4 declined (concurrency already guarded by
the putSyncedRecord/markRecordSynced guards + RPC optimistic concurrency;
SQL-injection / won-equality / microtask-race are false positives — see PR reply).

- markRecordSynced: guard on updatedAt too — softDeleteStory doesn't bump rev,
  so a same-rev newer local tombstone must not be marked synced by an older
  push's ack (symmetric with putSyncedRecord's guard)
- recordToEnvelope: fallback timestamps to 0 not Date.now() (a corrupt record
  should lose LWW, not win as "now")
- push/delete routes: validate rev/updatedAt as finite -> 400 (was silent 200);
  push: Content-Length pre-check before buffering the body
- pushDeletion: idbGet a single record instead of a full-store scan
- manifest: Cache-Control private,no-store + client fetch cache:no-store
- cloudSyncClient: Array.isArray narrowing on items/blobs
- RPC: `if found` instead of `v_row.id is not null` after RETURNING INTO

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Kai ki
2026-06-28 11:52:09 +08:00
parent 739af60848
commit 6ba5307c6c
7 changed files with 63 additions and 27 deletions
+10 -4
View File
@@ -1,7 +1,6 @@
import { NextResponse } from "next/server";
import { requireUser } from "@/lib/supabase/guard";
import { cloudSoftDeleteStory } from "@/lib/persistence/cloudStore";
import { coerceEpoch } from "@/lib/persistence/types";
export const runtime = "nodejs";
@@ -24,9 +23,16 @@ export async function POST(req: Request) {
if (!id) {
return NextResponse.json({ error: "missing id" }, { status: 400 });
}
const rev = typeof body.rev === "number" ? body.rev : 1;
const deletedAt = coerceEpoch(body.deletedAt, Date.now());
// Validate rev/deletedAt as finite values (see push route rationale): reject
// bad input with 400 rather than letting NaN/Infinity reach the PostgREST
// filter or toISOString().
if (typeof body.rev !== "number" || !Number.isFinite(body.rev) || body.rev <= 0) {
return NextResponse.json({ error: "invalid rev" }, { status: 400 });
}
if (typeof body.deletedAt !== "number" || !Number.isFinite(body.deletedAt)) {
return NextResponse.json({ error: "invalid deletedAt" }, { status: 400 });
}
const ok = await cloudSoftDeleteStory(id, rev, deletedAt);
const ok = await cloudSoftDeleteStory(id, body.rev, body.deletedAt);
return NextResponse.json({ ok });
}
+4 -1
View File
@@ -15,5 +15,8 @@ export async function GET() {
if (auth instanceof NextResponse) return auth;
const items = await cloudStoryManifest();
return NextResponse.json({ items });
return NextResponse.json(
{ items },
{ headers: { "Cache-Control": "private, no-store" } },
);
}
+25 -2
View File
@@ -19,6 +19,13 @@ export async function POST(req: Request) {
const auth = await requireUser();
if (auth instanceof NextResponse) return auth;
// Pre-check Content-Length to reject an oversized body before buffering it.
// The post-read byteLength check below still covers chunked/omitted headers.
const contentLength = req.headers.get("content-length");
if (contentLength && Number(contentLength) > MAX_PUSH_BYTES) {
return NextResponse.json({ error: "payload too large" }, { status: 413 });
}
let raw: string;
try {
raw = await req.text();
@@ -38,14 +45,30 @@ export async function POST(req: Request) {
if (!env?.id || typeof env.id !== "string") {
return NextResponse.json({ error: "missing id" }, { status: 400 });
}
// Validate the LWW-ordering fields as finite values: a non-finite rev /
// updatedAt would otherwise reach the RPC, throw at toISOString(), and surface
// as a silent { stored:null, won:false } 200 — return 400 so the caller can
// diagnose a bad request rather than mistake it for a normal lost conflict.
if (typeof env.rev !== "number" || !Number.isFinite(env.rev) || env.rev <= 0) {
return NextResponse.json({ error: "invalid rev" }, { status: 400 });
}
if (typeof env.updatedAt !== "number" || !Number.isFinite(env.updatedAt)) {
return NextResponse.json({ error: "invalid updatedAt" }, { status: 400 });
}
if (
env.deletedAt != null &&
(typeof env.deletedAt !== "number" || !Number.isFinite(env.deletedAt))
) {
return NextResponse.json({ error: "invalid deletedAt" }, { status: 400 });
}
// Defensive coercion at the trust boundary (the slim session itself is left to
// the client — it's reconstructible and never security-sensitive after slim).
const result = await cloudSaveStory({
...env,
orientation: coerceOrientation(env.orientation),
updatedAt: coerceEpoch(env.updatedAt, Date.now()),
deletedAt: env.deletedAt == null ? null : coerceEpoch(env.deletedAt, Date.now()),
updatedAt: coerceEpoch(env.updatedAt, 0),
deletedAt: env.deletedAt == null ? null : coerceEpoch(env.deletedAt, 0),
});
return NextResponse.json(result);
}