authorFuwn <[email protected]>2026-03-28 06:02:54 +0000
committerFuwn <[email protected]>2026-03-28 06:04:13 +0000
commit8a99dd5c4b74a4ea2ce715aed5e517022621f05c (patch)
tree56e24474d2240e77887450e0e52617e358ac3379 /src/routes/api/notifications
parentfix(cache): respect AniList media list recache windows (diff)
fix(auth): ignore malformed user cookies
Diffstat (limited to 'src/routes/api/notifications')
-rw-r--r--src/routes/api/notifications/subscribe/+server.ts11
-rw-r--r--src/routes/api/notifications/unsubscribe/+server.ts11
2 files changed, 14 insertions, 8 deletions
diff --git a/src/routes/api/notifications/subscribe/+server.ts b/src/routes/api/notifications/subscribe/+server.ts
index 806785e4..203470e0 100644
--- a/src/routes/api/notifications/subscribe/+server.ts
+++ b/src/routes/api/notifications/subscribe/+server.ts
@@ -1,6 +1,6 @@
-import { userIdentity } from "$lib/Data/AniList/identity";
+import { safeUserIdentity } from "$lib/Data/AniList/identity";
import { setUserSubscription } from "$lib/Database/SB/User/notifications";
-import { decodeAuthCookieOrThrow } from "$lib/Effect/authCookie";
+import { decodeAuthCookieOrNull } from "$lib/Effect/authCookie";
import { decodeRequestJsonOrThrow } from "$lib/Effect/requestBody";
import { Schema } from "effect";
@@ -12,8 +12,11 @@ export const POST = async ({ cookies, request, url }) => {
if (!userCookie || !fingerprint) return unauthorised;
- const user = decodeAuthCookieOrThrow(userCookie);
- const userId = (await userIdentity(user)).id;
+ const user = decodeAuthCookieOrNull(userCookie);
+
+ if (!user) return unauthorised;
+
+ const userId = (await safeUserIdentity(user))?.id;
if (!userId) return unauthorised;
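Review bot: The new `if (!user) return unauthorised;` branch fails closed, but it drops a malformed auth cookie without leaving any trace, so tampering probes look the same as ordinary logged-out traffic. Consider recording the rejection without logging the cookie value, e.g. `if (!user) { console.warn("notifications/subscribe: rejected malformed user cookie"); return unauthorised; }`. The `?.id` on `safeUserIdentity(user)` suggests it returns a nullish value when the lookup fails; if that includes upstream errors, an AniList outage is now reported to the client as 401 rather than a 5xx, which deserves a comment or a separate status. The same two points apply to the matching hunk in unsubscribe/+server.ts, and the POST handler body continues outside this hunk.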
diff --git a/src/routes/api/notifications/unsubscribe/+server.ts b/src/routes/api/notifications/unsubscribe/+server.ts
index 87f8b498..94bbd497 100644
--- a/src/routes/api/notifications/unsubscribe/+server.ts
+++ b/src/routes/api/notifications/unsubscribe/+server.ts
@@ -1,6 +1,6 @@
-import { userIdentity } from "$lib/Data/AniList/identity";
+import { safeUserIdentity } from "$lib/Data/AniList/identity";
import { deleteUserSubscription } from "$lib/Database/SB/User/notifications";
-import { decodeAuthCookieOrThrow } from "$lib/Effect/authCookie";
+import { decodeAuthCookieOrNull } from "$lib/Effect/authCookie";
const unauthorised = new Response("Unauthorised", { status: 401 });
@@ -10,8 +10,11 @@ export const POST = async ({ cookies, url }) => {
if (!userCookie || !fingerprint) return unauthorised;
- const user = decodeAuthCookieOrThrow(userCookie);
- const userId = (await userIdentity(user)).id;
+ const user = decodeAuthCookieOrNull(userCookie);
+
+ if (!user) return unauthorised;
+
+ const userId = (await safeUserIdentity(user))?.id;
if (!userId) return unauthorised;
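Review bot: The added `if (!user) return unauthorised;` is a third return of the module-level `unauthorised` Response declared near the top of this file, so every rejected request hands back the same Response object. A Response body is a one-shot stream, and depending on the adapter a second use of that instance may fail once the first has been consumed, turning an intended 401 into an error. A factory avoids the sharing: `const unauthorised = () => new Response("Unauthorised", { status: 401 });` with `return unauthorised();` at each call site. subscribe/+server.ts probably declares the same constant, but that line is not visible in this diff.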