From 4b0056301616d47cb91d645ee13b8e157c99780c Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 11 Jun 2026 08:30:10 +0000 Subject: [PATCH] feat: per-user data isolation (ownerId scoping) --- .../plans/2026-06-11-owner-scoping.md | 1126 +++++++++++++++++ 1 file changed, 1126 insertions(+) create mode 100644 docs/superpowers/plans/2026-06-11-owner-scoping.md diff --git a/docs/superpowers/plans/2026-06-11-owner-scoping.md b/docs/superpowers/plans/2026-06-11-owner-scoping.md new file mode 100644 index 0000000..c9cec77 --- /dev/null +++ b/docs/superpowers/plans/2026-06-11-owner-scoping.md @@ -0,0 +1,1126 @@ +# Per-User Data Isolation (ownerId Scoping) Implementation Plan + +> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking. + +**Goal:** Scope every read and write in the ClaudeDo Online API to the authenticated token's `sub` (server-side ownership boundary), expose `ownerId` in all DTOs, and make the FE filter by owner and surface a clear "missing 'user' role" state. + +**Architecture:** Add a nullable `owner_id text` column to `lists` and `tasks`. Every repo function takes the caller's `ownerId` (= Zitadel `sub`, taken from the verified token in `event.context.user`, never from the client). Reads return rows where `owner_id = caller OR owner_id IS NULL` (NULL = legacy/pre-multi-user, visible per the desktop handoff contract). Writes stamp `owner_id = caller`; upserts adopt legacy rows but are blocked (`ON CONFLICT … WHERE`) from touching rows owned by someone else. Full-replace deletes (`PUT /lists`, `PUT /tasks/mirror`) are scoped to the caller's partition so one user's sync can never wipe another's data. The role gate (commit `d4c7347`) already exists and is untouched. + +**Tech Stack:** Nuxt 4 / Nitro, postgres.js, Vitest, Bun. Tests run against the real `claudedo_test` DB. + +**Already done (do NOT re-implement):** role-based access in `server/middleware/1.auth.ts` + `server/utils/auth.ts` (items 1–2 of the handoff brief). This plan covers items 3–4 (ownerId plumbing + FE) and the security-prerequisite scoping. + +--- + +## Environment setup (needed by Tasks 1, 2, 6) + +All test/migrate commands need the shared-Postgres password and the test DB URL: + +```bash +source ~/.secrets/coolify-tokens.env +export DATABASE_URL="postgres://mika:${SHARED_POSTGRES_PASSWORD}@localhost:54320/claudedo_test" +``` + +(`localhost:54320` is the Coolify proxy in front of the shared Postgres container `l8kogcggsc80sgcgk8kswww4`. Verified reachable from this host.) + +Run everything with Bun: `~/.bun/bin/bun` if `bun` is not in PATH. + +--- + +### Task 1: Schema — `owner_id` columns + +**Files:** +- Modify: `server/utils/schema.ts` + +- [ ] **Step 1: Append owner_id DDL to INIT_SQL** + +In `server/utils/schema.ts`, the template string ends with: + +``` +create index if not exists idx_tasks_unconsumed on tasks(consumed) where consumed = false; +`; +``` + +Add the two `alter table` lines before the closing backtick, so the end of `INIT_SQL` reads: + +```ts +create index if not exists idx_tasks_unconsumed on tasks(consumed) where consumed = false; + +-- Multi-user plumbing: rows are owned by a Zitadel sub. NULL = legacy/unowned (pre-multi-user). +alter table lists add column if not exists owner_id text; +alter table tasks add column if not exists owner_id text; +`; +``` + +Do NOT add `owner_id` to the `create table` statements — production tables already exist, so `create table if not exists` is a no-op there; the `alter table … if not exists` lines are the single mechanism that works on both fresh and existing databases. + +- [ ] **Step 2: Apply to the test DB and verify** + +```bash +source ~/.secrets/coolify-tokens.env +export DATABASE_URL="postgres://mika:${SHARED_POSTGRES_PASSWORD}@localhost:54320/claudedo_test" +bun run migrate +psql "$DATABASE_URL" -c "\d lists" -c "\d tasks" | grep owner_id +``` + +Expected: `schema applied`, then two `owner_id | text` lines. + +- [ ] **Step 3: Run the existing test suite to confirm nothing broke** + +```bash +bun run test +``` + +Expected: all existing tests PASS (the new column is nullable; nothing references it yet). + +- [ ] **Step 4: Commit** + +```bash +git add server/utils/schema.ts +git commit -m "feat: add nullable owner_id columns to lists and tasks" +``` + +--- + +### Task 2: Repo layer — owner scoping (TDD) + +**Files:** +- Modify: `server/utils/repo.ts` (full rewrite below) +- Test: `tests/repo.test.ts` (full rewrite below) + +Every repo function gains an `ownerId: string` parameter (always the second argument, after `sql`). Scoping rule used everywhere: a row is *mine* if `owner_id = ${ownerId} OR owner_id IS NULL`. + +- [ ] **Step 1: Replace `tests/repo.test.ts` with the owner-aware suite** + +This updates every existing call site to pass an owner (`"u1"`) — preserving all prior behavioral assertions — and adds an `owner isolation` describe block. Full file content: + +```ts +import { afterAll, beforeEach, describe, expect, it } from "vitest"; +import postgres from "postgres"; +import * as repo from "../server/utils/repo"; + +const sql = postgres(process.env.DATABASE_URL!, { max: 1, onnotice: () => {} }); + +const U1 = "user-1"; +const U2 = "user-2"; + +beforeEach(async () => { + await sql`truncate lists cascade`; +}); + +afterAll(async () => { + await sql.end(); +}); + +describe("lists", () => { + it("full-replace upserts supplied and deletes missing", async () => { + await repo.replaceLists(sql, U1, [ + { id: "a", name: "A" }, + { id: "b", name: "B" }, + ]); + await repo.replaceLists(sql, U1, [{ id: "a", name: "A2" }]); // b removed, a renamed + const got = await repo.getLists(sql, U1); + expect(got).toEqual([{ id: "a", name: "A2", owner_id: U1 }]); + }); + + it("empty payload clears all my lists", async () => { + await repo.replaceLists(sql, U1, [{ id: "a", name: "A" }]); + await repo.replaceLists(sql, U1, []); + expect(await repo.getLists(sql, U1)).toEqual([]); + }); + + it("deleting a list cascades its tasks", async () => { + await repo.replaceLists(sql, U1, [{ id: "a", name: "A" }]); + await repo.upsertDesktopTask(sql, U1, "t1", { listId: "a", title: "x" }); + await repo.replaceLists(sql, U1, []); // removes a + cascades t1 + expect(await repo.getUnconsumed(sql, U1)).toEqual([]); + }); + + it("listExists validates listId within the caller's scope", async () => { + await repo.replaceLists(sql, U1, [{ id: "L", name: "List" }]); + expect(await repo.listExists(sql, U1, "L")).toBe(true); + expect(await repo.listExists(sql, U1, "ghost")).toBe(false); + expect(await repo.listExists(sql, U2, "L")).toBe(false); // not my list + }); +}); + +describe("tasks", () => { + beforeEach(async () => { + await repo.replaceLists(sql, U1, [{ id: "L", name: "List" }]); + }); + + it("web create returns generated GUID, source=web, consumed=false, stamped owner", async () => { + const t = await repo.createWebTask(sql, U1, { listId: "L", title: "buy milk", description: null }); + expect(t.id).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/); + expect(t.source).toBe("web"); + expect(t.consumed).toBe(false); + expect(t.title).toBe("buy milk"); + expect(t.owner_id).toBe(U1); + }); + + it("desktop upsert is idempotent by id; source=desktop on insert", async () => { + const a = await repo.upsertDesktopTask(sql, U1, "fixed-id", { listId: "L", title: "one" }); + expect(a.created).toBe(true); + const b = await repo.upsertDesktopTask(sql, U1, "fixed-id", { listId: "L", title: "two", description: "d" }); + expect(b.created).toBe(false); + const tasks = await repo.getTasksForList(sql, U1, "L"); + expect(tasks).toHaveLength(1); + expect(tasks[0].title).toBe("two"); + expect(tasks[0].description).toBe("d"); + expect(tasks[0].source).toBe("desktop"); + }); + + it("getUnconsumed returns only web tasks with consumed=false", async () => { + await repo.createWebTask(sql, U1, { listId: "L", title: "web1", description: null }); + await repo.upsertDesktopTask(sql, U1, "d1", { listId: "L", title: "desk1" }); + const u = await repo.getUnconsumed(sql, U1); + expect(u).toHaveLength(1); + expect(u[0].title).toBe("web1"); + }); + + it("consume sets consumed=true and is reflected in getUnconsumed", async () => { + const t = await repo.createWebTask(sql, U1, { listId: "L", title: "c", description: null }); + expect(await repo.consume(sql, U1, t.id)).toBe(true); + expect(await repo.getUnconsumed(sql, U1)).toEqual([]); + }); + + it("consume on unknown id returns false", async () => { + expect(await repo.consume(sql, U1, "nope")).toBe(false); + }); + + it("deleteTask is idempotent", async () => { + const t = await repo.createWebTask(sql, U1, { listId: "L", title: "c", description: null }); + await repo.deleteTask(sql, U1, t.id); + await repo.deleteTask(sql, U1, t.id); // no throw on absent + expect(await repo.getTasksForList(sql, U1, "L")).toEqual([]); + }); +}); + +describe("mirrorDesktopTasks (desktop Idle full-replace)", () => { + beforeEach(async () => { + await repo.replaceLists(sql, U1, [ + { id: "L", name: "List" }, + { id: "L2", name: "List 2" }, + ]); + }); + + it("inserts items as desktop-owned (consumed=true, source=desktop, stamped owner)", async () => { + await repo.mirrorDesktopTasks(sql, U1, [ + { id: "m1", listId: "L", title: "one", description: "d1" }, + { id: "m2", listId: "L2", title: "two" }, + ]); + const t = await repo.getTasksForList(sql, U1, "L"); + expect(t).toHaveLength(1); + expect(t[0]).toMatchObject({ id: "m1", title: "one", description: "d1", source: "desktop", consumed: true, owner_id: U1 }); + expect(await repo.getTasksForList(sql, U1, "L2")).toHaveLength(1); + }); + + it("upserts existing items by id (title/listId/description)", async () => { + await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L", title: "one" }]); + await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L2", title: "renamed", description: "x" }]); + const onL = await repo.getTasksForList(sql, U1, "L"); + const onL2 = await repo.getTasksForList(sql, U1, "L2"); + expect(onL).toHaveLength(0); + expect(onL2).toHaveLength(1); + expect(onL2[0]).toMatchObject({ title: "renamed", description: "x" }); + }); + + it("deletes desktop tasks whose id is not in the array", async () => { + await repo.mirrorDesktopTasks(sql, U1, [ + { id: "m1", listId: "L", title: "one" }, + { id: "m2", listId: "L", title: "two" }, + ]); + await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L", title: "one" }]); // m2 dropped + const t = await repo.getTasksForList(sql, U1, "L"); + expect(t.map((x) => x.id)).toEqual(["m1"]); + }); + + it("empty array deletes all my desktop tasks", async () => { + await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L", title: "one" }]); + await repo.mirrorDesktopTasks(sql, U1, []); + expect(await repo.getTasksForList(sql, U1, "L")).toEqual([]); + }); + + it("does NOT touch web-created tasks awaiting pull (consumed=false)", async () => { + const web = await repo.createWebTask(sql, U1, { listId: "L", title: "web", description: null }); + await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L", title: "desk" }]); + const unconsumed = await repo.getUnconsumed(sql, U1); + expect(unconsumed.map((x) => x.id)).toEqual([web.id]); + expect((await repo.getTasksForList(sql, U1, "L")).map((x) => x.id).sort()).toEqual([web.id, "m1"].sort()); + }); + + it("claims a web task when its id is mirrored (becomes consumed=true)", async () => { + const web = await repo.createWebTask(sql, U1, { listId: "L", title: "web", description: null }); + await repo.mirrorDesktopTasks(sql, U1, [{ id: web.id, listId: "L", title: "web (imported)" }]); + expect(await repo.getUnconsumed(sql, U1)).toEqual([]); // no longer awaiting pull + const t = await repo.getTasksForList(sql, U1, "L"); + expect(t[0]).toMatchObject({ id: web.id, title: "web (imported)", consumed: true }); + }); +}); + +describe("owner isolation", () => { + it("lists are invisible to other users; legacy (NULL owner) lists visible to everyone", async () => { + await repo.replaceLists(sql, U1, [{ id: "mine", name: "Mine" }]); + await sql`insert into lists (id, name) values ('legacy', 'Old')`; // pre-multi-user row + expect((await repo.getLists(sql, U1)).map((l) => l.id).sort()).toEqual(["legacy", "mine"]); + expect((await repo.getLists(sql, U2)).map((l) => l.id)).toEqual(["legacy"]); + }); + + it("replaceLists never deletes or renames another user's lists", async () => { + await repo.replaceLists(sql, U1, [{ id: "a", name: "A" }]); + await repo.replaceLists(sql, U2, [{ id: "b", name: "B" }]); // U2's full catalog: just b + expect((await repo.getLists(sql, U1)).map((l) => l.id)).toEqual(["a"]); + expect((await repo.getLists(sql, U2)).map((l) => l.id)).toEqual(["b"]); + // U2 upserting U1's id must not steal/rename it + await repo.replaceLists(sql, U2, [{ id: "a", name: "stolen" }, { id: "b", name: "B" }]); + const u1Lists = await repo.getLists(sql, U1); + expect(u1Lists).toEqual([{ id: "a", name: "A", owner_id: U1 }]); + }); + + it("replaceLists adopts legacy lists (stamps the caller as owner)", async () => { + await sql`insert into lists (id, name) values ('legacy', 'Old')`; + await repo.replaceLists(sql, U1, [{ id: "legacy", name: "Old" }]); + expect((await repo.getLists(sql, U2)).map((l) => l.id)).toEqual([]); // no longer legacy + expect((await repo.getLists(sql, U1))[0]).toMatchObject({ id: "legacy", owner_id: U1 }); + }); + + it("tasks are invisible to other users; legacy tasks visible to everyone", async () => { + await repo.replaceLists(sql, U1, [{ id: "L", name: "List" }]); + await repo.createWebTask(sql, U1, { listId: "L", title: "mine", description: null }); + await sql`insert into tasks (id, list_id, title, source) values ('legacy-t', 'L', 'old', 'web')`; + expect((await repo.getUnconsumed(sql, U2)).map((t) => t.id)).toEqual(["legacy-t"]); + expect((await repo.getTasksForList(sql, U2, "L")).map((t) => t.id)).toEqual(["legacy-t"]); + expect(await repo.getUnconsumed(sql, U1)).toHaveLength(2); + }); + + it("one user's mirror never deletes another user's desktop tasks", async () => { + await repo.replaceLists(sql, U1, [{ id: "L1", name: "U1 List" }]); + await repo.replaceLists(sql, U2, [{ id: "L2", name: "U2 List" }]); + await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L1", title: "u1 task" }]); + await repo.mirrorDesktopTasks(sql, U2, [{ id: "m2", listId: "L2", title: "u2 task" }]); + // U2's full-replace (only m2) must not have wiped U1's m1: + expect((await repo.getTasksForList(sql, U1, "L1")).map((t) => t.id)).toEqual(["m1"]); + // and an empty mirror from U2 clears only U2's partition: + await repo.mirrorDesktopTasks(sql, U2, []); + expect((await repo.getTasksForList(sql, U1, "L1")).map((t) => t.id)).toEqual(["m1"]); + expect(await repo.getTasksForList(sql, U2, "L2")).toEqual([]); + }); + + it("mirror upsert cannot claim another user's task by id", async () => { + await repo.replaceLists(sql, U1, [{ id: "L1", name: "U1 List" }]); + await repo.replaceLists(sql, U2, [{ id: "L2", name: "U2 List" }]); + const web = await repo.createWebTask(sql, U1, { listId: "L1", title: "u1 web", description: null }); + await repo.mirrorDesktopTasks(sql, U2, [{ id: web.id, listId: "L2", title: "hijack" }]); + // U1's web task is untouched and still awaiting pull: + const u1 = await repo.getUnconsumed(sql, U1); + expect(u1.map((t) => t.id)).toEqual([web.id]); + expect(u1[0].title).toBe("u1 web"); + }); + + it("upsertDesktopTask cannot overwrite another user's task", async () => { + await repo.replaceLists(sql, U1, [{ id: "L", name: "List" }]); + await repo.upsertDesktopTask(sql, U1, "shared-id", { listId: "L", title: "u1 owns this" }); + const res = await repo.upsertDesktopTask(sql, U2, "shared-id", { listId: "L", title: "u2 steal" }); + expect(res.created).toBe(false); + expect((await repo.getTasksForList(sql, U1, "L"))[0].title).toBe("u1 owns this"); + }); + + it("consume and delete are scoped to the caller", async () => { + await repo.replaceLists(sql, U1, [{ id: "L", name: "List" }]); + const t = await repo.createWebTask(sql, U1, { listId: "L", title: "w", description: null }); + expect(await repo.consume(sql, U2, t.id)).toBe(false); + await repo.deleteTask(sql, U2, t.id); // no-op for U2 + expect((await repo.getUnconsumed(sql, U1)).map((x) => x.id)).toEqual([t.id]); + }); +}); +``` + +- [ ] **Step 2: Run the tests to verify they fail** + +```bash +source ~/.secrets/coolify-tokens.env +export DATABASE_URL="postgres://mika:${SHARED_POSTGRES_PASSWORD}@localhost:54320/claudedo_test" +bun run test tests/repo.test.ts +``` + +Expected: FAIL — the repo functions don't accept the `ownerId` argument yet (calls pass owner where lists/task args are expected, assertions on `owner_id` fail). + +- [ ] **Step 3: Rewrite `server/utils/repo.ts` with owner scoping** + +Full file content: + +```ts +import postgres from "postgres"; +import { randomUUID } from "node:crypto"; + +type Sql = ReturnType; + +export interface ListRow { + id: string; + name: string; + owner_id: string | null; +} + +export interface TaskRow { + id: string; + list_id: string; + title: string; + description: string | null; + source: string; + consumed: boolean; + owner_id: string | null; + created_at: Date; + updated_at: Date; +} + +// Ownership model: every read/write is scoped to the caller's Zitadel sub (ownerId). +// owner_id NULL = legacy row from before multi-user — visible to every authorized user +// and adopted (stamped with the caller's sub) by the caller's next write that touches it. +// Upserts use `on conflict … where` so they can never modify a row owned by someone else. + +export async function getLists(sql: Sql, ownerId: string): Promise { + return sql` + select id, name, owner_id from lists + where owner_id = ${ownerId} or owner_id is null + order by name`; +} + +/** Full-replace of the caller's catalog: upsert all supplied, delete the caller's (and legacy) lists not present (cascades tasks). */ +export async function replaceLists( + sql: Sql, + ownerId: string, + lists: { id: string; name: string }[], +): Promise { + await sql.begin(async (tx) => { + for (const l of lists) { + await tx` + insert into lists (id, name, owner_id, updated_at) + values (${l.id}, ${l.name}, ${ownerId}, now()) + on conflict (id) do update set name = excluded.name, owner_id = ${ownerId}, updated_at = now() + where lists.owner_id = ${ownerId} or lists.owner_id is null`; + } + const ids = lists.map((l) => l.id); + if (ids.length) { + await tx`delete from lists where (owner_id = ${ownerId} or owner_id is null) and id <> all(${ids})`; + } else { + await tx`delete from lists where owner_id = ${ownerId} or owner_id is null`; + } + }); +} + +export async function listExists(sql: Sql, ownerId: string, id: string): Promise { + const rows = await sql` + select 1 from lists where id = ${id} and (owner_id = ${ownerId} or owner_id is null)`; + return rows.length > 0; +} + +export async function getTasksForList(sql: Sql, ownerId: string, listId: string): Promise { + return sql` + select * from tasks + where list_id = ${listId} and (owner_id = ${ownerId} or owner_id is null) + order by created_at`; +} + +export async function createWebTask( + sql: Sql, + ownerId: string, + t: { listId: string; title: string; description: string | null }, +): Promise { + const id = randomUUID(); + const [row] = await sql` + insert into tasks (id, list_id, title, description, source, consumed, owner_id) + values (${id}, ${t.listId}, ${t.title}, ${t.description}, 'web', false, ${ownerId}) + returning *`; + return row; +} + +/** Idempotent upsert of a desktop Idle task by id. Returns whether a row was inserted. */ +export async function upsertDesktopTask( + sql: Sql, + ownerId: string, + id: string, + t: { listId: string; title: string; description?: string | null }, +): Promise<{ created: boolean }> { + const [row] = await sql<{ created: boolean }[]>` + insert into tasks (id, list_id, title, description, source, owner_id) + values (${id}, ${t.listId}, ${t.title}, ${t.description ?? null}, 'desktop', ${ownerId}) + on conflict (id) do update set + list_id = excluded.list_id, + title = excluded.title, + description = excluded.description, + owner_id = ${ownerId}, + updated_at = now() + where tasks.owner_id = ${ownerId} or tasks.owner_id is null + returning (xmax = 0) as created`; + // row is undefined when the id exists but belongs to another user: blocked no-op. + return { created: row?.created ?? false }; +} + +/** + * Full-replace of the caller's desktop-owned partition (their current Idle backlog). + * Mirrors `replaceLists`: upsert every supplied task as desktop-owned (consumed=true), and + * delete any of the caller's (or legacy) desktop-owned tasks not in the payload. Web-created + * tasks still awaiting pull (consumed=false) and other users' rows are left untouched. + */ +export async function mirrorDesktopTasks( + sql: Sql, + ownerId: string, + items: { id: string; listId: string; title: string; description?: string | null }[], +): Promise { + await sql.begin(async (tx) => { + for (const t of items) { + await tx` + insert into tasks (id, list_id, title, description, source, consumed, owner_id) + values (${t.id}, ${t.listId}, ${t.title}, ${t.description ?? null}, 'desktop', true, ${ownerId}) + on conflict (id) do update set + list_id = excluded.list_id, + title = excluded.title, + description = excluded.description, + source = 'desktop', + consumed = true, + owner_id = ${ownerId}, + updated_at = now() + where tasks.owner_id = ${ownerId} or tasks.owner_id is null`; + } + const ids = items.map((t) => t.id); + if (ids.length) { + await tx`delete from tasks + where consumed = true and (owner_id = ${ownerId} or owner_id is null) and id <> all(${ids})`; + } else { + await tx`delete from tasks where consumed = true and (owner_id = ${ownerId} or owner_id is null)`; + } + }); +} + +/** The caller's web-created tasks the desktop has not yet imported. */ +export async function getUnconsumed(sql: Sql, ownerId: string): Promise { + return sql` + select * from tasks + where source = 'web' and consumed = false and (owner_id = ${ownerId} or owner_id is null) + order by created_at`; +} + +export async function consume(sql: Sql, ownerId: string, id: string): Promise { + const res = await sql` + update tasks set consumed = true, updated_at = now() + where id = ${id} and (owner_id = ${ownerId} or owner_id is null)`; + return res.count > 0; +} + +export async function deleteTask(sql: Sql, ownerId: string, id: string): Promise { + await sql`delete from tasks where id = ${id} and (owner_id = ${ownerId} or owner_id is null)`; +} +``` + +- [ ] **Step 4: Run the repo tests to verify they pass** + +```bash +bun run test tests/repo.test.ts +``` + +Expected: PASS (all describe blocks, including `owner isolation`). + +Note: `bun run build` / the handlers will be broken at this point (signature change) — that is expected and fixed in Tasks 3–4. Do not run the build here. + +- [ ] **Step 5: Commit** + +```bash +git add server/utils/repo.ts tests/repo.test.ts +git commit -m "feat: scope all repo reads/writes to the caller's ownerId" +``` + +--- + +### Task 3: `ownerOf` helper + DTO `ownerId` + +**Files:** +- Create: `server/utils/session.ts` +- Modify: `server/utils/dto.ts` + +- [ ] **Step 1: Create `server/utils/session.ts`** + +Nitro auto-imports everything in `server/utils/`, so handlers can call `ownerOf(event)` without importing. The token is verified by `server/middleware/1.auth.ts` before any handler runs; this helper just extracts the sub (and hard-fails if a verified token somehow lacks one). Client-supplied `ownerId` in request bodies is never read — this is the only ownership source. + +```ts +import { createError, type H3Event } from "h3"; + +/** The authenticated caller's Zitadel sub — the ownership key for all row scoping. */ +export function ownerOf(event: H3Event): string { + const sub = (event.context.user as { sub?: unknown } | undefined)?.sub; + if (typeof sub !== "string" || !sub) { + throw createError({ statusCode: 401, statusMessage: "Unauthorized" }); + } + return sub; +} +``` + +- [ ] **Step 2: Add `ownerId` to the task DTO** + +Replace the full content of `server/utils/dto.ts`: + +```ts +import type { TaskRow } from "./repo"; + +export interface TaskDto { + id: string; + listId: string; + title: string; + description: string | null; + source: string; + consumed: boolean; + ownerId: string | null; + createdAt: string; +} + +export function toTaskDto(row: TaskRow): TaskDto { + return { + id: row.id, + listId: row.list_id, + title: row.title, + description: row.description, + source: row.source, + consumed: row.consumed, + ownerId: row.owner_id, + createdAt: new Date(row.created_at).toISOString(), + }; +} +``` + +- [ ] **Step 3: Commit** + +```bash +git add server/utils/session.ts server/utils/dto.ts +git commit -m "feat: ownerOf(event) helper and ownerId in task DTO" +``` + +(No test run here — handlers still reference old repo signatures until Task 4; the unit suites in `tests/` don't touch these two files' behavior in isolation.) + +--- + +### Task 4: Thread `ownerId` through every API handler + +**Files:** +- Modify: `server/api/lists.get.ts` +- Modify: `server/api/lists.put.ts` +- Modify: `server/api/lists/[id]/tasks.get.ts` +- Modify: `server/api/tasks.post.ts` +- Modify: `server/api/tasks.get.ts` +- Modify: `server/api/tasks/mirror.put.ts` +- Modify: `server/api/tasks/[id].put.ts` +- Modify: `server/api/tasks/[id].delete.ts` +- Modify: `server/api/tasks/[id]/consume.post.ts` + +All nine handlers below are complete file contents — replace each file wholesale. Behavior notes: any `ownerId` a client sends in a body is ignored (we never read it); the server stamps from the token. + +- [ ] **Step 1: `server/api/lists.get.ts`** + +```ts +// GET /api/lists (web) — the caller's lists (plus legacy unowned). +export default defineEventHandler(async (event) => { + const rows = await getLists(getSql(), ownerOf(event)); + return rows.map((r) => ({ id: r.id, name: r.name, ownerId: r.owner_id })); +}); +``` + +- [ ] **Step 2: `server/api/lists.put.ts`** + +```ts +// PUT /api/lists (desktop) — full-replace of the caller's catalog. Upsert all supplied; +// delete the caller's lists not present. Any client-supplied ownerId is ignored — the +// server stamps ownership from the verified token. +export default defineEventHandler(async (event) => { + const body = await readBody(event); + if ( + !Array.isArray(body) || + body.some((l) => typeof l?.id !== "string" || typeof l?.name !== "string") + ) { + throw createError({ statusCode: 400, statusMessage: "expected [{ id, name }]" }); + } + await replaceLists( + getSql(), + ownerOf(event), + body.map((l) => ({ id: l.id, name: l.name })), + ); + return { ok: true }; +}); +``` + +- [ ] **Step 3: `server/api/lists/[id]/tasks.get.ts`** + +```ts +// GET /api/lists/:id/tasks (web) — the caller's Idle tasks for a list. 404 if the list is unknown (to the caller). +export default defineEventHandler(async (event) => { + const id = getRouterParam(event, "id")!; + const ownerId = ownerOf(event); + const sql = getSql(); + if (!(await listExists(sql, ownerId, id))) { + throw createError({ statusCode: 404, statusMessage: "list not found" }); + } + const rows = await getTasksForList(sql, ownerId, id); + return rows.map(toTaskDto); +}); +``` + +- [ ] **Step 4: `server/api/tasks.post.ts`** + +```ts +// POST /api/tasks (web) — create an Idle task with a server-generated GUID, owned by the caller. +export default defineEventHandler(async (event) => { + const body = await readBody(event); + const title = typeof body?.title === "string" ? body.title.trim() : ""; + const listId = body?.listId; + if (!title || typeof listId !== "string") { + throw createError({ statusCode: 400, statusMessage: "title and listId are required" }); + } + const description = + typeof body?.description === "string" && body.description.trim() ? body.description : null; + + const ownerId = ownerOf(event); + const sql = getSql(); + if (!(await listExists(sql, ownerId, listId))) { + throw createError({ statusCode: 404, statusMessage: "list not found" }); + } + + const row = await createWebTask(sql, ownerId, { listId, title, description }); + setResponseStatus(event, 201); + return toTaskDto(row); +}); +``` + +- [ ] **Step 5: `server/api/tasks.get.ts`** + +```ts +// GET /api/tasks?consumed=false (desktop) — the caller's web-created tasks not yet imported. +export default defineEventHandler(async (event) => { + const rows = await getUnconsumed(getSql(), ownerOf(event)); + return rows.map((r) => ({ + id: r.id, + listId: r.list_id, + title: r.title, + description: r.description, + ownerId: r.owner_id, + createdAt: new Date(r.created_at).toISOString(), + })); +}); +``` + +- [ ] **Step 6: `server/api/tasks/mirror.put.ts`** + +```ts +// PUT /api/tasks/mirror (desktop) — full-replace of the caller's desktop Idle backlog. +// Body: [{ id, listId, title, description? }, ...] (camelCase). An empty array is valid and +// clears the caller's desktop-owned partition. Mirrors PUT /lists. Web-created tasks awaiting +// pull (consumed=false) and other users' rows are never touched. Any client-supplied ownerId +// on items is ignored — ownership comes from the verified token. +export default defineEventHandler(async (event) => { + const body = await readBody(event); + if (!Array.isArray(body)) { + throw createError({ statusCode: 400, statusMessage: "expected an array of tasks" }); + } + + const items: { id: string; listId: string; title: string; description: string | null }[] = []; + for (let i = 0; i < body.length; i++) { + const t = body[i]; + if (typeof t?.id !== "string" || !t.id.trim()) { + throw createError({ statusCode: 400, statusMessage: `item ${i}: id is required` }); + } + if (typeof t?.listId !== "string" || !t.listId.trim()) { + throw createError({ statusCode: 400, statusMessage: `item ${i}: listId is required` }); + } + if (typeof t?.title !== "string" || !t.title.trim()) { + throw createError({ statusCode: 400, statusMessage: `item ${i}: title is required` }); + } + items.push({ + id: t.id, + listId: t.listId, + title: t.title, + description: typeof t.description === "string" ? t.description : null, + }); + } + + const ownerId = ownerOf(event); + const sql = getSql(); + + // Every referenced list must exist for the caller (lists are full-replaced before tasks are mirrored). + const listIds = [...new Set(items.map((t) => t.listId))]; + for (const id of listIds) { + if (!(await listExists(sql, ownerId, id))) { + throw createError({ statusCode: 400, statusMessage: `unknown listId: ${id}` }); + } + } + + await mirrorDesktopTasks(sql, ownerId, items); + return { ok: true, count: items.length }; +}); +``` + +- [ ] **Step 7: `server/api/tasks/[id].put.ts`** + +```ts +// PUT /api/tasks/:id (desktop) — idempotent upsert mirroring a desktop Idle task, owned by the caller. +export default defineEventHandler(async (event) => { + const id = getRouterParam(event, "id")!; + const body = await readBody(event); + const title = body?.title; + const listId = body?.listId; + if (typeof title !== "string" || !title.trim() || typeof listId !== "string") { + throw createError({ statusCode: 400, statusMessage: "listId and title are required" }); + } + const description = typeof body?.description === "string" ? body.description : null; + + const ownerId = ownerOf(event); + const sql = getSql(); + if (!(await listExists(sql, ownerId, listId))) { + throw createError({ statusCode: 404, statusMessage: "list not found" }); + } + + const { created } = await upsertDesktopTask(sql, ownerId, id, { listId, title, description }); + setResponseStatus(event, created ? 201 : 200); + return { id }; +}); +``` + +- [ ] **Step 8: `server/api/tasks/[id].delete.ts`** + +```ts +// DELETE /api/tasks/:id (desktop) — task left Idle on desktop. Idempotent, scoped to the caller's rows. +export default defineEventHandler(async (event) => { + await deleteTask(getSql(), ownerOf(event), getRouterParam(event, "id")!); + setResponseStatus(event, 204); + return null; +}); +``` + +- [ ] **Step 9: `server/api/tasks/[id]/consume.post.ts`** + +```ts +// POST /api/tasks/:id/consume (desktop) — mark the caller's web task imported. Idempotent. +export default defineEventHandler(async (event) => { + const ok = await consume(getSql(), ownerOf(event), getRouterParam(event, "id")!); + if (!ok) { + throw createError({ statusCode: 404, statusMessage: "task not found" }); + } + return { ok: true }; +}); +``` + +- [ ] **Step 10: Full test suite + build** + +```bash +source ~/.secrets/coolify-tokens.env +export DATABASE_URL="postgres://mika:${SHARED_POSTGRES_PASSWORD}@localhost:54320/claudedo_test" +bun run test +bun run build +``` + +Expected: all tests PASS; `nuxt build` completes without errors (this is the type/wiring check for the handlers — they have no unit tests of their own; the repo layer they delegate to is covered). + +- [ ] **Step 11: Commit** + +```bash +git add server/api server/utils +git commit -m "feat: scope every API endpoint to the token's sub; expose ownerId in DTOs" +``` + +--- + +### Task 5: FE — owner filtering (defense-in-depth) + missing-role state + +**Files:** +- Modify: `app/composables/useAuth.ts` +- Modify: `app/pages/index.vue` (script + small template additions; styles untouched) + +- [ ] **Step 1: Surface the HTTP status on API errors** + +Replace the full content of `app/composables/useAuth.ts`: + +```ts +import type { ZitadelAuth } from "@kuns/zitadel-auth"; + +/** API call failure carrying the HTTP status (401 = authenticated but not authorized). */ +export class ApiError extends Error { + constructor( + message: string, + public status: number, + ) { + super(message); + } +} + +// Access the bootstrap-provided Zitadel auth instance + a small JSON helper for /api calls. +// By the time any component mounts, the plugin has gated auth, so `auth` is authenticated. +// `auth.fetch` auto-attaches the Bearer access token. +export function useAuth() { + const { $auth } = useNuxtApp() as unknown as { $auth: ZitadelAuth }; + + async function api(path: string, init?: RequestInit): Promise { + const res = await $auth.fetch(`/api${path}`, init); + if (!res.ok) { + let message = `${res.status}`; + try { + const body = await res.json(); + message = body?.statusMessage || body?.message || message; + } catch { + // non-JSON error body + } + throw new ApiError(message, res.status); + } + if (res.status === 204) return undefined as T; + return (await res.json()) as T; + } + + return { auth: $auth, api }; +} +``` + +- [ ] **Step 2: index.vue script — ownerId types, owner filter, 401→missing-role handling** + +In `app/pages/index.vue` make these script edits (each shown as exact old → new): + +(a) Add an explicit import as the first line inside `