diff options
| author | Fuwn <[email protected]> | 2026-02-09 23:41:01 -0800 |
|---|---|---|
| committer | Fuwn <[email protected]> | 2026-02-09 23:41:01 -0800 |
| commit | 56244758d94c14349540bd0951339fa939156204 (patch) | |
| tree | 3fba880cda09c0e8d913dc30884182df5e6a73ee /apps/web/lib/api-auth.ts | |
| parent | fix: use online networkMode for offline mutations instead of offlineFirst (diff) | |
| download | asa.news-56244758d94c14349540bd0951339fa939156204.tar.xz asa.news-56244758d94c14349540bd0951339fa939156204.zip | |
fix: P0 correctness and security fixes
- Add missing 'developer' case to check_custom_feed_limit trigger (was falling through to else 1)
- Scope user_entry_states join to authenticated user in /api/v1/entries (admin client bypasses RLS)
- Replace in-memory rate limiting with Supabase-backed solution (UNLOGGED table + check_rate_limit RPC + pg_cron cleanup)
Diffstat (limited to 'apps/web/lib/api-auth.ts')
| -rw-r--r-- | apps/web/lib/api-auth.ts | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/apps/web/lib/api-auth.ts b/apps/web/lib/api-auth.ts index e491c11..7c1d009 100644 --- a/apps/web/lib/api-auth.ts +++ b/apps/web/lib/api-auth.ts @@ -57,7 +57,7 @@ export async function authenticateApiRequest( } } - const rateLimitResult = rateLimit(`api:${keyRow.user_id}`, 100, 60_000) + const rateLimitResult = await rateLimit(`api:${keyRow.user_id}`, 100, 60_000) if (!rateLimitResult.success) { return { |