42 KiB
42 KiB
Per-User Data Isolation (ownerId Scoping) Implementation Plan
For agentic workers: REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (
- [ ]) syntax for tracking.
Goal: Scope every read and write in the ClaudeDo Online API to the authenticated token's sub (server-side ownership boundary), expose ownerId in all DTOs, and make the FE filter by owner and surface a clear "missing 'user' role" state.
Architecture: Add a nullable owner_id text column to lists and tasks. Every repo function takes the caller's ownerId (= Zitadel sub, taken from the verified token in event.context.user, never from the client). Reads return rows where owner_id = caller OR owner_id IS NULL (NULL = legacy/pre-multi-user, visible per the desktop handoff contract). Writes stamp owner_id = caller; upserts adopt legacy rows but are blocked (ON CONFLICT … WHERE) from touching rows owned by someone else. Full-replace deletes (PUT /lists, PUT /tasks/mirror) are scoped to the caller's partition so one user's sync can never wipe another's data. The role gate (commit d4c7347) already exists and is untouched.
Tech Stack: Nuxt 4 / Nitro, postgres.js, Vitest, Bun. Tests run against the real claudedo_test DB.
Already done (do NOT re-implement): role-based access in server/middleware/1.auth.ts + server/utils/auth.ts (items 1–2 of the handoff brief). This plan covers items 3–4 (ownerId plumbing + FE) and the security-prerequisite scoping.
Environment setup (needed by Tasks 1, 2, 6)
All test/migrate commands need the shared-Postgres password and the test DB URL:
source ~/.secrets/coolify-tokens.env
export DATABASE_URL="postgres://mika:${SHARED_POSTGRES_PASSWORD}@localhost:54320/claudedo_test"
(localhost:54320 is the Coolify proxy in front of the shared Postgres container l8kogcggsc80sgcgk8kswww4. Verified reachable from this host.)
Run everything with Bun: ~/.bun/bin/bun if bun is not in PATH.
Task 1: Schema — owner_id columns
Files:
-
Modify:
server/utils/schema.ts -
Step 1: Append owner_id DDL to INIT_SQL
In server/utils/schema.ts, the template string ends with:
create index if not exists idx_tasks_unconsumed on tasks(consumed) where consumed = false;
`;
Add the two alter table lines before the closing backtick, so the end of INIT_SQL reads:
create index if not exists idx_tasks_unconsumed on tasks(consumed) where consumed = false;
-- Multi-user plumbing: rows are owned by a Zitadel sub. NULL = legacy/unowned (pre-multi-user).
alter table lists add column if not exists owner_id text;
alter table tasks add column if not exists owner_id text;
`;
Do NOT add owner_id to the create table statements — production tables already exist, so create table if not exists is a no-op there; the alter table … if not exists lines are the single mechanism that works on both fresh and existing databases.
- Step 2: Apply to the test DB and verify
source ~/.secrets/coolify-tokens.env
export DATABASE_URL="postgres://mika:${SHARED_POSTGRES_PASSWORD}@localhost:54320/claudedo_test"
bun run migrate
psql "$DATABASE_URL" -c "\d lists" -c "\d tasks" | grep owner_id
Expected: schema applied, then two owner_id | text lines.
- Step 3: Run the existing test suite to confirm nothing broke
bun run test
Expected: all existing tests PASS (the new column is nullable; nothing references it yet).
- Step 4: Commit
git add server/utils/schema.ts
git commit -m "feat: add nullable owner_id columns to lists and tasks"
Task 2: Repo layer — owner scoping (TDD)
Files:
- Modify:
server/utils/repo.ts(full rewrite below) - Test:
tests/repo.test.ts(full rewrite below)
Every repo function gains an ownerId: string parameter (always the second argument, after sql). Scoping rule used everywhere: a row is mine if owner_id = ${ownerId} OR owner_id IS NULL.
- Step 1: Replace
tests/repo.test.tswith the owner-aware suite
This updates every existing call site to pass an owner ("u1") — preserving all prior behavioral assertions — and adds an owner isolation describe block. Full file content:
import { afterAll, beforeEach, describe, expect, it } from "vitest";
import postgres from "postgres";
import * as repo from "../server/utils/repo";
const sql = postgres(process.env.DATABASE_URL!, { max: 1, onnotice: () => {} });
const U1 = "user-1";
const U2 = "user-2";
beforeEach(async () => {
await sql`truncate lists cascade`;
});
afterAll(async () => {
await sql.end();
});
describe("lists", () => {
it("full-replace upserts supplied and deletes missing", async () => {
await repo.replaceLists(sql, U1, [
{ id: "a", name: "A" },
{ id: "b", name: "B" },
]);
await repo.replaceLists(sql, U1, [{ id: "a", name: "A2" }]); // b removed, a renamed
const got = await repo.getLists(sql, U1);
expect(got).toEqual([{ id: "a", name: "A2", owner_id: U1 }]);
});
it("empty payload clears all my lists", async () => {
await repo.replaceLists(sql, U1, [{ id: "a", name: "A" }]);
await repo.replaceLists(sql, U1, []);
expect(await repo.getLists(sql, U1)).toEqual([]);
});
it("deleting a list cascades its tasks", async () => {
await repo.replaceLists(sql, U1, [{ id: "a", name: "A" }]);
await repo.upsertDesktopTask(sql, U1, "t1", { listId: "a", title: "x" });
await repo.replaceLists(sql, U1, []); // removes a + cascades t1
expect(await repo.getUnconsumed(sql, U1)).toEqual([]);
});
it("listExists validates listId within the caller's scope", async () => {
await repo.replaceLists(sql, U1, [{ id: "L", name: "List" }]);
expect(await repo.listExists(sql, U1, "L")).toBe(true);
expect(await repo.listExists(sql, U1, "ghost")).toBe(false);
expect(await repo.listExists(sql, U2, "L")).toBe(false); // not my list
});
});
describe("tasks", () => {
beforeEach(async () => {
await repo.replaceLists(sql, U1, [{ id: "L", name: "List" }]);
});
it("web create returns generated GUID, source=web, consumed=false, stamped owner", async () => {
const t = await repo.createWebTask(sql, U1, { listId: "L", title: "buy milk", description: null });
expect(t.id).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/);
expect(t.source).toBe("web");
expect(t.consumed).toBe(false);
expect(t.title).toBe("buy milk");
expect(t.owner_id).toBe(U1);
});
it("desktop upsert is idempotent by id; source=desktop on insert", async () => {
const a = await repo.upsertDesktopTask(sql, U1, "fixed-id", { listId: "L", title: "one" });
expect(a.created).toBe(true);
const b = await repo.upsertDesktopTask(sql, U1, "fixed-id", { listId: "L", title: "two", description: "d" });
expect(b.created).toBe(false);
const tasks = await repo.getTasksForList(sql, U1, "L");
expect(tasks).toHaveLength(1);
expect(tasks[0].title).toBe("two");
expect(tasks[0].description).toBe("d");
expect(tasks[0].source).toBe("desktop");
});
it("getUnconsumed returns only web tasks with consumed=false", async () => {
await repo.createWebTask(sql, U1, { listId: "L", title: "web1", description: null });
await repo.upsertDesktopTask(sql, U1, "d1", { listId: "L", title: "desk1" });
const u = await repo.getUnconsumed(sql, U1);
expect(u).toHaveLength(1);
expect(u[0].title).toBe("web1");
});
it("consume sets consumed=true and is reflected in getUnconsumed", async () => {
const t = await repo.createWebTask(sql, U1, { listId: "L", title: "c", description: null });
expect(await repo.consume(sql, U1, t.id)).toBe(true);
expect(await repo.getUnconsumed(sql, U1)).toEqual([]);
});
it("consume on unknown id returns false", async () => {
expect(await repo.consume(sql, U1, "nope")).toBe(false);
});
it("deleteTask is idempotent", async () => {
const t = await repo.createWebTask(sql, U1, { listId: "L", title: "c", description: null });
await repo.deleteTask(sql, U1, t.id);
await repo.deleteTask(sql, U1, t.id); // no throw on absent
expect(await repo.getTasksForList(sql, U1, "L")).toEqual([]);
});
});
describe("mirrorDesktopTasks (desktop Idle full-replace)", () => {
beforeEach(async () => {
await repo.replaceLists(sql, U1, [
{ id: "L", name: "List" },
{ id: "L2", name: "List 2" },
]);
});
it("inserts items as desktop-owned (consumed=true, source=desktop, stamped owner)", async () => {
await repo.mirrorDesktopTasks(sql, U1, [
{ id: "m1", listId: "L", title: "one", description: "d1" },
{ id: "m2", listId: "L2", title: "two" },
]);
const t = await repo.getTasksForList(sql, U1, "L");
expect(t).toHaveLength(1);
expect(t[0]).toMatchObject({ id: "m1", title: "one", description: "d1", source: "desktop", consumed: true, owner_id: U1 });
expect(await repo.getTasksForList(sql, U1, "L2")).toHaveLength(1);
});
it("upserts existing items by id (title/listId/description)", async () => {
await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L", title: "one" }]);
await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L2", title: "renamed", description: "x" }]);
const onL = await repo.getTasksForList(sql, U1, "L");
const onL2 = await repo.getTasksForList(sql, U1, "L2");
expect(onL).toHaveLength(0);
expect(onL2).toHaveLength(1);
expect(onL2[0]).toMatchObject({ title: "renamed", description: "x" });
});
it("deletes desktop tasks whose id is not in the array", async () => {
await repo.mirrorDesktopTasks(sql, U1, [
{ id: "m1", listId: "L", title: "one" },
{ id: "m2", listId: "L", title: "two" },
]);
await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L", title: "one" }]); // m2 dropped
const t = await repo.getTasksForList(sql, U1, "L");
expect(t.map((x) => x.id)).toEqual(["m1"]);
});
it("empty array deletes all my desktop tasks", async () => {
await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L", title: "one" }]);
await repo.mirrorDesktopTasks(sql, U1, []);
expect(await repo.getTasksForList(sql, U1, "L")).toEqual([]);
});
it("does NOT touch web-created tasks awaiting pull (consumed=false)", async () => {
const web = await repo.createWebTask(sql, U1, { listId: "L", title: "web", description: null });
await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L", title: "desk" }]);
const unconsumed = await repo.getUnconsumed(sql, U1);
expect(unconsumed.map((x) => x.id)).toEqual([web.id]);
expect((await repo.getTasksForList(sql, U1, "L")).map((x) => x.id).sort()).toEqual([web.id, "m1"].sort());
});
it("claims a web task when its id is mirrored (becomes consumed=true)", async () => {
const web = await repo.createWebTask(sql, U1, { listId: "L", title: "web", description: null });
await repo.mirrorDesktopTasks(sql, U1, [{ id: web.id, listId: "L", title: "web (imported)" }]);
expect(await repo.getUnconsumed(sql, U1)).toEqual([]); // no longer awaiting pull
const t = await repo.getTasksForList(sql, U1, "L");
expect(t[0]).toMatchObject({ id: web.id, title: "web (imported)", consumed: true });
});
});
describe("owner isolation", () => {
it("lists are invisible to other users; legacy (NULL owner) lists visible to everyone", async () => {
await repo.replaceLists(sql, U1, [{ id: "mine", name: "Mine" }]);
await sql`insert into lists (id, name) values ('legacy', 'Old')`; // pre-multi-user row
expect((await repo.getLists(sql, U1)).map((l) => l.id).sort()).toEqual(["legacy", "mine"]);
expect((await repo.getLists(sql, U2)).map((l) => l.id)).toEqual(["legacy"]);
});
it("replaceLists never deletes or renames another user's lists", async () => {
await repo.replaceLists(sql, U1, [{ id: "a", name: "A" }]);
await repo.replaceLists(sql, U2, [{ id: "b", name: "B" }]); // U2's full catalog: just b
expect((await repo.getLists(sql, U1)).map((l) => l.id)).toEqual(["a"]);
expect((await repo.getLists(sql, U2)).map((l) => l.id)).toEqual(["b"]);
// U2 upserting U1's id must not steal/rename it
await repo.replaceLists(sql, U2, [{ id: "a", name: "stolen" }, { id: "b", name: "B" }]);
const u1Lists = await repo.getLists(sql, U1);
expect(u1Lists).toEqual([{ id: "a", name: "A", owner_id: U1 }]);
});
it("replaceLists adopts legacy lists (stamps the caller as owner)", async () => {
await sql`insert into lists (id, name) values ('legacy', 'Old')`;
await repo.replaceLists(sql, U1, [{ id: "legacy", name: "Old" }]);
expect((await repo.getLists(sql, U2)).map((l) => l.id)).toEqual([]); // no longer legacy
expect((await repo.getLists(sql, U1))[0]).toMatchObject({ id: "legacy", owner_id: U1 });
});
it("tasks are invisible to other users; legacy tasks visible to everyone", async () => {
await repo.replaceLists(sql, U1, [{ id: "L", name: "List" }]);
await repo.createWebTask(sql, U1, { listId: "L", title: "mine", description: null });
await sql`insert into tasks (id, list_id, title, source) values ('legacy-t', 'L', 'old', 'web')`;
expect((await repo.getUnconsumed(sql, U2)).map((t) => t.id)).toEqual(["legacy-t"]);
expect((await repo.getTasksForList(sql, U2, "L")).map((t) => t.id)).toEqual(["legacy-t"]);
expect(await repo.getUnconsumed(sql, U1)).toHaveLength(2);
});
it("one user's mirror never deletes another user's desktop tasks", async () => {
await repo.replaceLists(sql, U1, [{ id: "L1", name: "U1 List" }]);
await repo.replaceLists(sql, U2, [{ id: "L2", name: "U2 List" }]);
await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L1", title: "u1 task" }]);
await repo.mirrorDesktopTasks(sql, U2, [{ id: "m2", listId: "L2", title: "u2 task" }]);
// U2's full-replace (only m2) must not have wiped U1's m1:
expect((await repo.getTasksForList(sql, U1, "L1")).map((t) => t.id)).toEqual(["m1"]);
// and an empty mirror from U2 clears only U2's partition:
await repo.mirrorDesktopTasks(sql, U2, []);
expect((await repo.getTasksForList(sql, U1, "L1")).map((t) => t.id)).toEqual(["m1"]);
expect(await repo.getTasksForList(sql, U2, "L2")).toEqual([]);
});
it("mirror upsert cannot claim another user's task by id", async () => {
await repo.replaceLists(sql, U1, [{ id: "L1", name: "U1 List" }]);
await repo.replaceLists(sql, U2, [{ id: "L2", name: "U2 List" }]);
const web = await repo.createWebTask(sql, U1, { listId: "L1", title: "u1 web", description: null });
await repo.mirrorDesktopTasks(sql, U2, [{ id: web.id, listId: "L2", title: "hijack" }]);
// U1's web task is untouched and still awaiting pull:
const u1 = await repo.getUnconsumed(sql, U1);
expect(u1.map((t) => t.id)).toEqual([web.id]);
expect(u1[0].title).toBe("u1 web");
});
it("upsertDesktopTask cannot overwrite another user's task", async () => {
await repo.replaceLists(sql, U1, [{ id: "L", name: "List" }]);
await repo.upsertDesktopTask(sql, U1, "shared-id", { listId: "L", title: "u1 owns this" });
const res = await repo.upsertDesktopTask(sql, U2, "shared-id", { listId: "L", title: "u2 steal" });
expect(res.created).toBe(false);
expect((await repo.getTasksForList(sql, U1, "L"))[0].title).toBe("u1 owns this");
});
it("consume and delete are scoped to the caller", async () => {
await repo.replaceLists(sql, U1, [{ id: "L", name: "List" }]);
const t = await repo.createWebTask(sql, U1, { listId: "L", title: "w", description: null });
expect(await repo.consume(sql, U2, t.id)).toBe(false);
await repo.deleteTask(sql, U2, t.id); // no-op for U2
expect((await repo.getUnconsumed(sql, U1)).map((x) => x.id)).toEqual([t.id]);
});
});
- Step 2: Run the tests to verify they fail
source ~/.secrets/coolify-tokens.env
export DATABASE_URL="postgres://mika:${SHARED_POSTGRES_PASSWORD}@localhost:54320/claudedo_test"
bun run test tests/repo.test.ts
Expected: FAIL — the repo functions don't accept the ownerId argument yet (calls pass owner where lists/task args are expected, assertions on owner_id fail).
- Step 3: Rewrite
server/utils/repo.tswith owner scoping
Full file content:
import postgres from "postgres";
import { randomUUID } from "node:crypto";
type Sql = ReturnType<typeof postgres>;
export interface ListRow {
id: string;
name: string;
owner_id: string | null;
}
export interface TaskRow {
id: string;
list_id: string;
title: string;
description: string | null;
source: string;
consumed: boolean;
owner_id: string | null;
created_at: Date;
updated_at: Date;
}
// Ownership model: every read/write is scoped to the caller's Zitadel sub (ownerId).
// owner_id NULL = legacy row from before multi-user — visible to every authorized user
// and adopted (stamped with the caller's sub) by the caller's next write that touches it.
// Upserts use `on conflict … where` so they can never modify a row owned by someone else.
export async function getLists(sql: Sql, ownerId: string): Promise<ListRow[]> {
return sql<ListRow[]>`
select id, name, owner_id from lists
where owner_id = ${ownerId} or owner_id is null
order by name`;
}
/** Full-replace of the caller's catalog: upsert all supplied, delete the caller's (and legacy) lists not present (cascades tasks). */
export async function replaceLists(
sql: Sql,
ownerId: string,
lists: { id: string; name: string }[],
): Promise<void> {
await sql.begin(async (tx) => {
for (const l of lists) {
await tx`
insert into lists (id, name, owner_id, updated_at)
values (${l.id}, ${l.name}, ${ownerId}, now())
on conflict (id) do update set name = excluded.name, owner_id = ${ownerId}, updated_at = now()
where lists.owner_id = ${ownerId} or lists.owner_id is null`;
}
const ids = lists.map((l) => l.id);
if (ids.length) {
await tx`delete from lists where (owner_id = ${ownerId} or owner_id is null) and id <> all(${ids})`;
} else {
await tx`delete from lists where owner_id = ${ownerId} or owner_id is null`;
}
});
}
export async function listExists(sql: Sql, ownerId: string, id: string): Promise<boolean> {
const rows = await sql`
select 1 from lists where id = ${id} and (owner_id = ${ownerId} or owner_id is null)`;
return rows.length > 0;
}
export async function getTasksForList(sql: Sql, ownerId: string, listId: string): Promise<TaskRow[]> {
return sql<TaskRow[]>`
select * from tasks
where list_id = ${listId} and (owner_id = ${ownerId} or owner_id is null)
order by created_at`;
}
export async function createWebTask(
sql: Sql,
ownerId: string,
t: { listId: string; title: string; description: string | null },
): Promise<TaskRow> {
const id = randomUUID();
const [row] = await sql<TaskRow[]>`
insert into tasks (id, list_id, title, description, source, consumed, owner_id)
values (${id}, ${t.listId}, ${t.title}, ${t.description}, 'web', false, ${ownerId})
returning *`;
return row;
}
/** Idempotent upsert of a desktop Idle task by id. Returns whether a row was inserted. */
export async function upsertDesktopTask(
sql: Sql,
ownerId: string,
id: string,
t: { listId: string; title: string; description?: string | null },
): Promise<{ created: boolean }> {
const [row] = await sql<{ created: boolean }[]>`
insert into tasks (id, list_id, title, description, source, owner_id)
values (${id}, ${t.listId}, ${t.title}, ${t.description ?? null}, 'desktop', ${ownerId})
on conflict (id) do update set
list_id = excluded.list_id,
title = excluded.title,
description = excluded.description,
owner_id = ${ownerId},
updated_at = now()
where tasks.owner_id = ${ownerId} or tasks.owner_id is null
returning (xmax = 0) as created`;
// row is undefined when the id exists but belongs to another user: blocked no-op.
return { created: row?.created ?? false };
}
/**
* Full-replace of the caller's desktop-owned partition (their current Idle backlog).
* Mirrors `replaceLists`: upsert every supplied task as desktop-owned (consumed=true), and
* delete any of the caller's (or legacy) desktop-owned tasks not in the payload. Web-created
* tasks still awaiting pull (consumed=false) and other users' rows are left untouched.
*/
export async function mirrorDesktopTasks(
sql: Sql,
ownerId: string,
items: { id: string; listId: string; title: string; description?: string | null }[],
): Promise<void> {
await sql.begin(async (tx) => {
for (const t of items) {
await tx`
insert into tasks (id, list_id, title, description, source, consumed, owner_id)
values (${t.id}, ${t.listId}, ${t.title}, ${t.description ?? null}, 'desktop', true, ${ownerId})
on conflict (id) do update set
list_id = excluded.list_id,
title = excluded.title,
description = excluded.description,
source = 'desktop',
consumed = true,
owner_id = ${ownerId},
updated_at = now()
where tasks.owner_id = ${ownerId} or tasks.owner_id is null`;
}
const ids = items.map((t) => t.id);
if (ids.length) {
await tx`delete from tasks
where consumed = true and (owner_id = ${ownerId} or owner_id is null) and id <> all(${ids})`;
} else {
await tx`delete from tasks where consumed = true and (owner_id = ${ownerId} or owner_id is null)`;
}
});
}
/** The caller's web-created tasks the desktop has not yet imported. */
export async function getUnconsumed(sql: Sql, ownerId: string): Promise<TaskRow[]> {
return sql<TaskRow[]>`
select * from tasks
where source = 'web' and consumed = false and (owner_id = ${ownerId} or owner_id is null)
order by created_at`;
}
export async function consume(sql: Sql, ownerId: string, id: string): Promise<boolean> {
const res = await sql`
update tasks set consumed = true, updated_at = now()
where id = ${id} and (owner_id = ${ownerId} or owner_id is null)`;
return res.count > 0;
}
export async function deleteTask(sql: Sql, ownerId: string, id: string): Promise<void> {
await sql`delete from tasks where id = ${id} and (owner_id = ${ownerId} or owner_id is null)`;
}
- Step 4: Run the repo tests to verify they pass
bun run test tests/repo.test.ts
Expected: PASS (all describe blocks, including owner isolation).
Note: bun run build / the handlers will be broken at this point (signature change) — that is expected and fixed in Tasks 3–4. Do not run the build here.
- Step 5: Commit
git add server/utils/repo.ts tests/repo.test.ts
git commit -m "feat: scope all repo reads/writes to the caller's ownerId"
Task 3: ownerOf helper + DTO ownerId
Files:
-
Create:
server/utils/session.ts -
Modify:
server/utils/dto.ts -
Step 1: Create
server/utils/session.ts
Nitro auto-imports everything in server/utils/, so handlers can call ownerOf(event) without importing. The token is verified by server/middleware/1.auth.ts before any handler runs; this helper just extracts the sub (and hard-fails if a verified token somehow lacks one). Client-supplied ownerId in request bodies is never read — this is the only ownership source.
import { createError, type H3Event } from "h3";
/** The authenticated caller's Zitadel sub — the ownership key for all row scoping. */
export function ownerOf(event: H3Event): string {
const sub = (event.context.user as { sub?: unknown } | undefined)?.sub;
if (typeof sub !== "string" || !sub) {
throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
}
return sub;
}
- Step 2: Add
ownerIdto the task DTO
Replace the full content of server/utils/dto.ts:
import type { TaskRow } from "./repo";
export interface TaskDto {
id: string;
listId: string;
title: string;
description: string | null;
source: string;
consumed: boolean;
ownerId: string | null;
createdAt: string;
}
export function toTaskDto(row: TaskRow): TaskDto {
return {
id: row.id,
listId: row.list_id,
title: row.title,
description: row.description,
source: row.source,
consumed: row.consumed,
ownerId: row.owner_id,
createdAt: new Date(row.created_at).toISOString(),
};
}
- Step 3: Commit
git add server/utils/session.ts server/utils/dto.ts
git commit -m "feat: ownerOf(event) helper and ownerId in task DTO"
(No test run here — handlers still reference old repo signatures until Task 4; the unit suites in tests/ don't touch these two files' behavior in isolation.)
Task 4: Thread ownerId through every API handler
Files:
- Modify:
server/api/lists.get.ts - Modify:
server/api/lists.put.ts - Modify:
server/api/lists/[id]/tasks.get.ts - Modify:
server/api/tasks.post.ts - Modify:
server/api/tasks.get.ts - Modify:
server/api/tasks/mirror.put.ts - Modify:
server/api/tasks/[id].put.ts - Modify:
server/api/tasks/[id].delete.ts - Modify:
server/api/tasks/[id]/consume.post.ts
All nine handlers below are complete file contents — replace each file wholesale. Behavior notes: any ownerId a client sends in a body is ignored (we never read it); the server stamps from the token.
- Step 1:
server/api/lists.get.ts
// GET /api/lists (web) — the caller's lists (plus legacy unowned).
export default defineEventHandler(async (event) => {
const rows = await getLists(getSql(), ownerOf(event));
return rows.map((r) => ({ id: r.id, name: r.name, ownerId: r.owner_id }));
});
- Step 2:
server/api/lists.put.ts
// PUT /api/lists (desktop) — full-replace of the caller's catalog. Upsert all supplied;
// delete the caller's lists not present. Any client-supplied ownerId is ignored — the
// server stamps ownership from the verified token.
export default defineEventHandler(async (event) => {
const body = await readBody(event);
if (
!Array.isArray(body) ||
body.some((l) => typeof l?.id !== "string" || typeof l?.name !== "string")
) {
throw createError({ statusCode: 400, statusMessage: "expected [{ id, name }]" });
}
await replaceLists(
getSql(),
ownerOf(event),
body.map((l) => ({ id: l.id, name: l.name })),
);
return { ok: true };
});
- Step 3:
server/api/lists/[id]/tasks.get.ts
// GET /api/lists/:id/tasks (web) — the caller's Idle tasks for a list. 404 if the list is unknown (to the caller).
export default defineEventHandler(async (event) => {
const id = getRouterParam(event, "id")!;
const ownerId = ownerOf(event);
const sql = getSql();
if (!(await listExists(sql, ownerId, id))) {
throw createError({ statusCode: 404, statusMessage: "list not found" });
}
const rows = await getTasksForList(sql, ownerId, id);
return rows.map(toTaskDto);
});
- Step 4:
server/api/tasks.post.ts
// POST /api/tasks (web) — create an Idle task with a server-generated GUID, owned by the caller.
export default defineEventHandler(async (event) => {
const body = await readBody(event);
const title = typeof body?.title === "string" ? body.title.trim() : "";
const listId = body?.listId;
if (!title || typeof listId !== "string") {
throw createError({ statusCode: 400, statusMessage: "title and listId are required" });
}
const description =
typeof body?.description === "string" && body.description.trim() ? body.description : null;
const ownerId = ownerOf(event);
const sql = getSql();
if (!(await listExists(sql, ownerId, listId))) {
throw createError({ statusCode: 404, statusMessage: "list not found" });
}
const row = await createWebTask(sql, ownerId, { listId, title, description });
setResponseStatus(event, 201);
return toTaskDto(row);
});
- Step 5:
server/api/tasks.get.ts
// GET /api/tasks?consumed=false (desktop) — the caller's web-created tasks not yet imported.
export default defineEventHandler(async (event) => {
const rows = await getUnconsumed(getSql(), ownerOf(event));
return rows.map((r) => ({
id: r.id,
listId: r.list_id,
title: r.title,
description: r.description,
ownerId: r.owner_id,
createdAt: new Date(r.created_at).toISOString(),
}));
});
- Step 6:
server/api/tasks/mirror.put.ts
// PUT /api/tasks/mirror (desktop) — full-replace of the caller's desktop Idle backlog.
// Body: [{ id, listId, title, description? }, ...] (camelCase). An empty array is valid and
// clears the caller's desktop-owned partition. Mirrors PUT /lists. Web-created tasks awaiting
// pull (consumed=false) and other users' rows are never touched. Any client-supplied ownerId
// on items is ignored — ownership comes from the verified token.
export default defineEventHandler(async (event) => {
const body = await readBody(event);
if (!Array.isArray(body)) {
throw createError({ statusCode: 400, statusMessage: "expected an array of tasks" });
}
const items: { id: string; listId: string; title: string; description: string | null }[] = [];
for (let i = 0; i < body.length; i++) {
const t = body[i];
if (typeof t?.id !== "string" || !t.id.trim()) {
throw createError({ statusCode: 400, statusMessage: `item ${i}: id is required` });
}
if (typeof t?.listId !== "string" || !t.listId.trim()) {
throw createError({ statusCode: 400, statusMessage: `item ${i}: listId is required` });
}
if (typeof t?.title !== "string" || !t.title.trim()) {
throw createError({ statusCode: 400, statusMessage: `item ${i}: title is required` });
}
items.push({
id: t.id,
listId: t.listId,
title: t.title,
description: typeof t.description === "string" ? t.description : null,
});
}
const ownerId = ownerOf(event);
const sql = getSql();
// Every referenced list must exist for the caller (lists are full-replaced before tasks are mirrored).
const listIds = [...new Set(items.map((t) => t.listId))];
for (const id of listIds) {
if (!(await listExists(sql, ownerId, id))) {
throw createError({ statusCode: 400, statusMessage: `unknown listId: ${id}` });
}
}
await mirrorDesktopTasks(sql, ownerId, items);
return { ok: true, count: items.length };
});
- Step 7:
server/api/tasks/[id].put.ts
// PUT /api/tasks/:id (desktop) — idempotent upsert mirroring a desktop Idle task, owned by the caller.
export default defineEventHandler(async (event) => {
const id = getRouterParam(event, "id")!;
const body = await readBody(event);
const title = body?.title;
const listId = body?.listId;
if (typeof title !== "string" || !title.trim() || typeof listId !== "string") {
throw createError({ statusCode: 400, statusMessage: "listId and title are required" });
}
const description = typeof body?.description === "string" ? body.description : null;
const ownerId = ownerOf(event);
const sql = getSql();
if (!(await listExists(sql, ownerId, listId))) {
throw createError({ statusCode: 404, statusMessage: "list not found" });
}
const { created } = await upsertDesktopTask(sql, ownerId, id, { listId, title, description });
setResponseStatus(event, created ? 201 : 200);
return { id };
});
- Step 8:
server/api/tasks/[id].delete.ts
// DELETE /api/tasks/:id (desktop) — task left Idle on desktop. Idempotent, scoped to the caller's rows.
export default defineEventHandler(async (event) => {
await deleteTask(getSql(), ownerOf(event), getRouterParam(event, "id")!);
setResponseStatus(event, 204);
return null;
});
- Step 9:
server/api/tasks/[id]/consume.post.ts
// POST /api/tasks/:id/consume (desktop) — mark the caller's web task imported. Idempotent.
export default defineEventHandler(async (event) => {
const ok = await consume(getSql(), ownerOf(event), getRouterParam(event, "id")!);
if (!ok) {
throw createError({ statusCode: 404, statusMessage: "task not found" });
}
return { ok: true };
});
- Step 10: Full test suite + build
source ~/.secrets/coolify-tokens.env
export DATABASE_URL="postgres://mika:${SHARED_POSTGRES_PASSWORD}@localhost:54320/claudedo_test"
bun run test
bun run build
Expected: all tests PASS; nuxt build completes without errors (this is the type/wiring check for the handlers — they have no unit tests of their own; the repo layer they delegate to is covered).
- Step 11: Commit
git add server/api server/utils
git commit -m "feat: scope every API endpoint to the token's sub; expose ownerId in DTOs"
Task 5: FE — owner filtering (defense-in-depth) + missing-role state
Files:
-
Modify:
app/composables/useAuth.ts -
Modify:
app/pages/index.vue(script + small template additions; styles untouched) -
Step 1: Surface the HTTP status on API errors
Replace the full content of app/composables/useAuth.ts:
import type { ZitadelAuth } from "@kuns/zitadel-auth";
/** API call failure carrying the HTTP status (401 = authenticated but not authorized). */
export class ApiError extends Error {
constructor(
message: string,
public status: number,
) {
super(message);
}
}
// Access the bootstrap-provided Zitadel auth instance + a small JSON helper for /api calls.
// By the time any component mounts, the plugin has gated auth, so `auth` is authenticated.
// `auth.fetch` auto-attaches the Bearer access token.
export function useAuth() {
const { $auth } = useNuxtApp() as unknown as { $auth: ZitadelAuth };
async function api<T = unknown>(path: string, init?: RequestInit): Promise<T> {
const res = await $auth.fetch(`/api${path}`, init);
if (!res.ok) {
let message = `${res.status}`;
try {
const body = await res.json();
message = body?.statusMessage || body?.message || message;
} catch {
// non-JSON error body
}
throw new ApiError(message, res.status);
}
if (res.status === 204) return undefined as T;
return (await res.json()) as T;
}
return { auth: $auth, api };
}
- Step 2: index.vue script — ownerId types, owner filter, 401→missing-role handling
In app/pages/index.vue make these script edits (each shown as exact old → new):
(a) Add an explicit import as the first line inside <script setup lang="ts"> (the useAuth composable itself stays auto-imported; the class import is explicit to be unambiguous):
import { ApiError } from "~/composables/useAuth";
(b) Extend both interfaces — replace:
interface List {
id: string;
name: string;
}
interface Task {
id: string;
listId: string;
title: string;
description: string | null;
source: string;
consumed: boolean;
createdAt: string;
}
with:
interface List {
id: string;
name: string;
ownerId?: string | null;
}
interface Task {
id: string;
listId: string;
title: string;
description: string | null;
source: string;
consumed: boolean;
ownerId?: string | null;
createdAt: string;
}
(c) After the line const error = ref<string | null>(null); add:
// Authenticated but the token lacks the required Zitadel project role → API answers 401.
const missingRole = ref(false);
// Defense-in-depth: the server already scopes every query by the token's sub; additionally
// hide anything not owned by the current user. Absent ownerId = legacy (pre-multi-user) row.
const mine = (x: { ownerId?: string | null }) => !x.ownerId || x.ownerId === auth.user?.sub;
function handleApiError(e: unknown) {
if (e instanceof ApiError && e.status === 401) {
missingRole.value = true;
} else {
error.value = (e as Error).message;
}
}
(d) In refreshLists, replace:
lists.value = await api<List[]>("/lists");
with:
lists.value = (await api<List[]>("/lists")).filter(mine);
and replace its catch body error.value = (e as Error).message; with handleApiError(e);
(e) In refreshTasks, replace:
tasks.value = await api<Task[]>(`/lists/${selectedId.value}/tasks`);
with:
tasks.value = (await api<Task[]>(`/lists/${selectedId.value}/tasks`)).filter(mine);
and replace its catch body error.value = (e as Error).message; with handleApiError(e);
(f) In addTask, replace the catch body error.value = (e as Error).message; with handleApiError(e);
- Step 3: index.vue template — missing-role state
(a) In <main class="content">, add a new first branch ahead of the existing <template v-if="loadingLists"> (and change that one to v-else-if):
<template v-if="missingRole">
<div class="empty">
<p class="empty-mark">⚠</p>
<p class="empty-title">No access yet</p>
<p class="muted">
You're signed in, but your account is missing the “user” role for ClaudeDo.
Ask the admin to grant it in Zitadel, then sign in again.
</p>
<button class="link" @click="auth.logout()">Sign out</button>
</div>
</template>
<template v-else-if="loadingLists">
(The old <template v-if="loadingLists"> line is the only line that changes to v-else-if; the rest of the chain below it already uses v-else-if/v-else and stays as is. Keep the existing <p v-if="error" …> line above this block unchanged.)
(b) Hide the composer dock in that state — replace:
<footer v-if="lists.length" class="dock">
with:
<footer v-if="lists.length && !missingRole" class="dock">
- Step 4: Build to verify the FE compiles
bun run build
Expected: build completes without errors.
-
Step 5 (optional, if quick visual confirmation is wanted): use the local preview approach from memory
local-ui-preview.md(seed fake oidc user in localStorage + Playwright API mocks returning 401) to screenshot the missing-role state. Skip if the build is green and time is short — the state is simple. -
Step 6: Commit
git add app/composables/useAuth.ts app/pages/index.vue
git commit -m "feat(web): filter by ownerId and surface missing-role 401 state"
Task 6: Docs + deploy
Files:
-
Modify:
README.md(API section, lines ~29–48) -
Step 1: Document the ownership model in README.md
In the ## API intro, replace:
Every `/api/**` route requires a valid Zitadel **access token** (`Authorization: Bearer …`)
belonging to the owner. Missing/invalid/expired → `401`. No anonymous access.
with:
Every `/api/**` route requires a valid Zitadel **access token** (`Authorization: Bearer …`)
carrying the `user` project role. Missing/invalid/expired/role-less → `401`. No anonymous access.
**Ownership:** every row carries `owner_id` = the writer's token `sub`. All reads and writes are
scoped server-side to the caller (`owner_id = sub OR owner_id IS NULL`); full-replace endpoints
only replace the caller's partition. `owner_id IS NULL` marks legacy pre-multi-user rows — visible
to all authorized users and adopted by the next write that touches them. DTOs expose this as a
nullable `ownerId`; any client-supplied `ownerId` is ignored.
And in the endpoint table, replace the GET /api/lists row:
| `GET /api/lists` | web | → 200 `[{id,name}]` |
with:
| `GET /api/lists` | web | → 200 `[{id,name,ownerId}]` |
and the GET /api/tasks?consumed=false row:
| `GET /api/tasks?consumed=false` | desktop | → 200 `[{id, listId, title, description, createdAt}]` web tasks not yet imported (awaiting pull) |
with:
| `GET /api/tasks?consumed=false` | desktop | → 200 `[{id, listId, title, description, ownerId, createdAt}]` web tasks not yet imported (awaiting pull) |
- Step 2: Commit
git add README.md
git commit -m "docs: ownership model and ownerId in API contract"
- Step 3: Deploy
Production schema migrates itself on boot (server/plugins/migrate.ts applies the new alter table lines idempotently). No new env vars are needed.
redeploy xry0o2jdaz5125qrx5t32xhx "feat: per-user data isolation (ownerId scoping)"
Then poll until the deployment finishes:
coolify-status xry0o2jdaz5125qrx5t32xhx
Expected: status running:healthy on the new deployment.
- Step 4: Verify production schema + service
source ~/.secrets/coolify-tokens.env
psql "postgres://mika:${SHARED_POSTGRES_PASSWORD}@localhost:54320/claudedo" \
-c "select column_name from information_schema.columns where table_name in ('lists','tasks') and column_name='owner_id'"
curl -s -o /dev/null -w "%{http_code}" https://claudedo.kuns.dev/api/lists
Expected: two owner_id rows; 401 from the unauthenticated curl (auth gate alive).
- Step 5: Update the project memory file
Append to /home/mika/.claude/projects/-home-mika-claudedo-online/memory/claudedo-online.md (under the existing bullets):
- **Per-user isolation (since 2026-06-11):** `lists.owner_id` / `tasks.owner_id` (nullable text = Zitadel sub; NULL = legacy, visible to all, adopted on next write). Every repo fn takes `ownerId` (from `ownerOf(event)` in `server/utils/session.ts`); reads filter `owner_id = sub OR NULL`, full-replace deletes are scoped to the caller's partition, upserts use `ON CONFLICT … WHERE` so they can't touch other users' rows. DTOs expose nullable `ownerId`; client-supplied ownerId ignored. FE filters by `auth.user.sub` and shows a missing-role screen on 401.
Out of scope (deliberately)
- Backfilling
owner_idfor existing prod rows: unnecessary — the desktop's next sync (PUT /lists+PUT /tasks/mirror) full-replaces and thereby adopts/stamps everything; web-created legacy tasks stay visible (NULL = legacy) until consumed. - Indexes on
owner_id: table sizes are tiny (single-digit users); add later if ever needed. - Desktop repo changes /
docs/online-inbox-api-contract.md: lives in the ClaudeDo desktop repo, already updated by the desktop session per the handoff. - Changing the role gate: already shipped in
d4c7347.