kuns/claudedo-online
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: scope every API endpoint to the token's sub; expose ownerId in DTOs

Browse Source 
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Claude
2026-06-11 08:27:26 +00:00
parent 0e16738624
commit 03fbe06a04
9 changed files with 36 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
server/api/tasks.post.ts
View File

@@ -1,4 +1,4 @@
// POST /api/tasks (web) — create an Idle task with a server-generated GUID.
// POST /api/tasks (web) — create an Idle task with a server-generated GUID, owned by the caller.
export default defineEventHandler(async (event) => {
const body = await readBody(event);
const title = typeof body?.title === "string" ? body.title.trim() : "";
@@ -9,12 +9,13 @@ export default defineEventHandler(async (event) => {
const description =
typeof body?.description === "string" && body.description.trim() ? body.description : null;
const ownerId = ownerOf(event);
const sql = getSql();
if (!(await listExists(sql, listId))) {
if (!(await listExists(sql, ownerId, listId))) {
throw createError({ statusCode: 404, statusMessage: "list not found" });
}
const row = await createWebTask(sql, { listId, title, description });
const row = await createWebTask(sql, ownerId, { listId, title, description });
setResponseStatus(event, 201);
return toTaskDto(row);
});