feat: scope every API endpoint to the token's sub; expose ownerId in DTOs

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-11 08:27:26 +00:00
parent 0e16738624
commit 03fbe06a04
9 changed files with 36 additions and 26 deletions
--- a/server/api/tasks/[id]/consume.post.ts
+++ b/server/api/tasks/[id]/consume.post.ts
@@ -1,6 +1,6 @@
-// POST /api/tasks/:id/consume (desktop) — mark a web task imported. Idempotent.
+// POST /api/tasks/:id/consume (desktop) — mark the caller's web task imported. Idempotent.
 export default defineEventHandler(async (event) => {
-  const ok = await consume(getSql(), getRouterParam(event, "id")!);
+  const ok = await consume(getSql(), ownerOf(event), getRouterParam(event, "id")!);
  if (!ok) {
    throw createError({ statusCode: 404, statusMessage: "task not found" });
  }