6ba5307c6c
Adopt 8 PR-agent (Qodo) findings; 4 declined (concurrency already guarded by the putSyncedRecord/markRecordSynced guards + RPC optimistic concurrency; SQL-injection / won-equality / microtask-race are false positives — see PR reply). - markRecordSynced: guard on updatedAt too — softDeleteStory doesn't bump rev, so a same-rev newer local tombstone must not be marked synced by an older push's ack (symmetric with putSyncedRecord's guard) - recordToEnvelope: fallback timestamps to 0 not Date.now() (a corrupt record should lose LWW, not win as "now") - push/delete routes: validate rev/updatedAt as finite -> 400 (was silent 200); push: Content-Length pre-check before buffering the body - pushDeletion: idbGet a single record instead of a full-store scan - manifest: Cache-Control private,no-store + client fetch cache:no-store - cloudSyncClient: Array.isArray narrowing on items/blobs - RPC: `if found` instead of `v_row.id is not null` after RETURNING INTO Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
import { NextResponse } from "next/server";
import { requireUser } from "@/lib/supabase/guard";
import { cloudStoryManifest } from "@/lib/persistence/cloudStore";
// Next.js route segment config: run this handler on the Node.js runtime
// rather than the Edge runtime.
export const runtime = "nodejs";
// GET /api/stories/manifest — the reconcile diff basis: every cloud row for the
// signed-in user (INCLUDING tombstones), projected to {id, rev, updatedAt,
// deletedAt} without the bulky session_jsonb. Pure passthrough to cloudStore;
// requireUser 401s an unauthenticated commercial-build caller, and on the
// open-source build (AUTH_ENABLED=false) cloudStoryManifest short-circuits to []
// without ever constructing a Supabase client.
export async function GET() {
  // Auth gate first: when requireUser yields a NextResponse the caller was
  // rejected, and that response is relayed untouched.
  const gate = await requireUser();
  if (gate instanceof NextResponse) {
    return gate;
  }

  // cloudStoryManifest is called without a user argument; scoping the rows to
  // the signed-in user is assumed to happen inside cloudStore. Confirm there.
  const manifest = await cloudStoryManifest();

  // The manifest is per-user data, so no shared or browser cache may keep it.
  const responseInit = { headers: { "Cache-Control": "private, no-store" } };
  return NextResponse.json({ items: manifest }, responseInit);
}