fix(persistence): address PR #117 review feedback
Adopt 8 PR-agent (Qodo) findings; 4 declined (concurrency already guarded by the putSyncedRecord/markRecordSynced guards + RPC optimistic concurrency; SQL-injection / won-equality / microtask-race are false positives — see PR reply). - markRecordSynced: guard on updatedAt too — softDeleteStory doesn't bump rev, so a same-rev newer local tombstone must not be marked synced by an older push's ack (symmetric with putSyncedRecord's guard) - recordToEnvelope: fallback timestamps to 0 not Date.now() (a corrupt record should lose LWW, not win as "now") - push/delete routes: validate rev/updatedAt as finite -> 400 (was silent 200); push: Content-Length pre-check before buffering the body - pushDeletion: idbGet a single record instead of a full-store scan - manifest: Cache-Control private,no-store + client fetch cache:no-store - cloudSyncClient: Array.isArray narrowing on items/blobs - RPC: `if found` instead of `v_row.id is not null` after RETURNING INTO Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -36,10 +36,10 @@ async function postJson<T>(url: string, body: unknown): Promise<T | null> {
|
||||
export async function pullManifest(): Promise<StorySyncMeta[]> {
|
||||
if (!AUTH_ENABLED) return [];
|
||||
try {
|
||||
const res = await fetch("/api/stories/manifest", { method: "GET" });
|
||||
const res = await fetch("/api/stories/manifest", { method: "GET", cache: "no-store" });
|
||||
if (!res.ok) return [];
|
||||
const data = (await res.json()) as { items?: StorySyncMeta[] };
|
||||
return data.items ?? [];
|
||||
const data = (await res.json()) as { items?: unknown };
|
||||
return Array.isArray(data.items) ? (data.items as StorySyncMeta[]) : [];
|
||||
} catch {
|
||||
return [];
|
||||
}
|
||||
@@ -48,11 +48,8 @@ export async function pullManifest(): Promise<StorySyncMeta[]> {
|
||||
/** Pull full envelopes for the given ids. [] on empty ids / failure / auth off. */
|
||||
export async function pullBlobs(ids: string[]): Promise<StorySyncEnvelope[]> {
|
||||
if (!AUTH_ENABLED || ids.length === 0) return [];
|
||||
const data = await postJson<{ blobs?: StorySyncEnvelope[] }>(
|
||||
"/api/stories/pull",
|
||||
{ ids },
|
||||
);
|
||||
return data?.blobs ?? [];
|
||||
const data = await postJson<{ blobs?: unknown }>("/api/stories/pull", { ids });
|
||||
return Array.isArray(data?.blobs) ? (data.blobs as StorySyncEnvelope[]) : [];
|
||||
}
|
||||
|
||||
/** Push one envelope through the optimistic-concurrency RPC. Returns the
|
||||
|
||||
Reference in New Issue
Block a user