kuns/claudedo-online
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: scope every API endpoint to the token's sub; expose ownerId in DTOs

Browse Source 
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Claude
2026-06-11 08:27:26 +00:00
parent 0e16738624
commit 03fbe06a04
9 changed files with 36 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
server/api/lists/[id]/tasks.get.ts
View File

@@ -1,10 +1,11 @@
// GET /api/lists/:id/tasks (web) — Idle tasks for a list. 404 if the list is unknown.
// GET /api/lists/:id/tasks (web) — the caller's Idle tasks for a list. 404 if the list is unknown (to the caller).
export default defineEventHandler(async (event) => {
const id = getRouterParam(event, "id")!;
const ownerId = ownerOf(event);
const sql = getSql();
if (!(await listExists(sql, id))) {
if (!(await listExists(sql, ownerId, id))) {
throw createError({ statusCode: 404, statusMessage: "list not found" });
}
const rows = await getTasksForList(sql, id);
const rows = await getTasksForList(sql, ownerId, id);
return rows.map(toTaskDto);
});