kuns/claudedo-online
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: scope every API endpoint to the token's sub; expose ownerId in DTOs

Browse Source 
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Claude
2026-06-11 08:27:26 +00:00
parent 0e16738624
commit 03fbe06a04
9 changed files with 36 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
server/api/tasks/[id].put.ts
View File

@@ -1,4 +1,4 @@
// PUT /api/tasks/:id (desktop) — idempotent upsert mirroring a desktop Idle task.
// PUT /api/tasks/:id (desktop) — idempotent upsert mirroring a desktop Idle task, owned by the caller.
export default defineEventHandler(async (event) => {
const id = getRouterParam(event, "id")!;
const body = await readBody(event);
@@ -9,12 +9,13 @@ export default defineEventHandler(async (event) => {
}
const description = typeof body?.description === "string" ? body.description : null;
const ownerId = ownerOf(event);
const sql = getSql();
if (!(await listExists(sql, listId))) {
if (!(await listExists(sql, ownerId, listId))) {
throw createError({ statusCode: 404, statusMessage: "list not found" });
}
const { created } = await upsertDesktopTask(sql, id, { listId, title, description });
const { created } = await upsertDesktopTask(sql, ownerId, id, { listId, title, description });
setResponseStatus(event, created ? 201 : 200);
return { id };
});