fix: P0 correctness and security fixes

- Add missing 'developer' case to check_custom_feed_limit trigger (was falling through to else 1) - Scope user_entry_states join to authenticated user in /api/v1/entries (admin client bypasses RLS) - Replace in-memory rate limiting with Supabase-backed solution (UNLOGGED table + check_rate_limit RPC + pg_cron cleanup)
author: Fuwn <[email protected]> 2026-02-09 23:41:01 -0800
committer: Fuwn <[email protected]> 2026-02-09 23:41:01 -0800
commit: 56244758d94c14349540bd0951339fa939156204 (patch)
tree: 3fba880cda09c0e8d913dc30884182df5e6a73ee /apps/web/app/api/export
parent: fix: use online networkMode for offline mutations instead of offlineFirst (diff)
download: asa.news-56244758d94c14349540bd0951339fa939156204.tar.xz
asa.news-56244758d94c14349540bd0951339fa939156204.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/apps/web/app/api/export/route.ts b/apps/web/app/api/export/route.ts
index 195d444..dff7582 100644
--- a/apps/web/app/api/export/route.ts
+++ b/apps/web/app/api/export/route.ts
@@ -12,7 +12,7 @@ export async function GET() {
     return NextResponse.json({ error: "not authenticated" }, { status: 401 })
   }
 
-  const rateLimitResult = rateLimit(`export:${user.id}`, 5, 3_600_000)
+  const rateLimitResult = await rateLimit(`export:${user.id}`, 5, 3_600_000)
   if (!rateLimitResult.success) {
     return NextResponse.json({ error: "too many requests" }, { status: 429 })
   }
author	Fuwn <[email protected]>	2026-02-09 23:41:01 -0800
committer	Fuwn <[email protected]>	2026-02-09 23:41:01 -0800
commit	56244758d94c14349540bd0951339fa939156204 (patch)
tree	3fba880cda09c0e8d913dc30884182df5e6a73ee /apps/web/app/api/export
parent	fix: use online networkMode for offline mutations instead of offlineFirst (diff)
download	asa.news-56244758d94c14349540bd0951339fa939156204.tar.xz asa.news-56244758d94c14349540bd0951339fa939156204.zip