due.moe - Unnamed repository; edit this file 'description' to name the repository.

	Commit message (Collapse)	Author	Age	Files	Lines
*	fix(api): await setShadowHidden in badges PUT	Fuwn	2026-04-18	1	-1/+4
\| \| \| \| \| \| \|	setShadowHidden is async and hits Supabase. The PUT handler called it without await, so the handler could respond before the database write landed (and any error was silently lost). Add the missing await so the response only goes out after the update settles.
*	fix(api): drop unused redirect query param from oauth refresh	Fuwn	2026-04-18	1	-3/+1
\| \| \| \| \| \| \| \| \| \| \| \|	The refresh endpoint accepted a ?redirect query param and, when present, called redirect(303, "/") instead of returning the refreshed token as JSON. The target was hardcoded to "/" regardless of the param's value, so the feature was dead — and the pattern of reading a "redirect" param invited future open-redirect bugs if someone wired the value through to redirect() directly. The sole in-tree caller (feeds/activity-notifications) reads the JSON response, so always return JSON and drop the redirect import.
*	fix(api): gate badge click-count on Origin and fix 401 response reuse	Fuwn	2026-04-18	1	-9/+11
\| \| \| \| \| \| \| \| \| \| \| \| \|	The PUT ?incrementClickCount path ran before any auth guard, letting unauthenticated callers spam-increment arbitrary badges. Require the request Origin to match appOrigin() so legitimate in-browser clicks (authenticated or not) still count while direct scripted calls are rejected. Also convert the shared `unauthorised` Response singleton into a factory. The singleton's body was consumed on first use, so subsequent 401 paths returned a `Response body is locked` error instead of the intended "Unauthorised" body.
*	fix(api): encode subsplease timezone to prevent query-param injection	Fuwn	2026-04-18	1	-5/+6
\| \| \| \| \| \| \|	The `tz` query value was interpolated raw into the upstream URL, letting callers append arbitrary query segments (e.g. `tz=foo&f=hax`). Wrap the value in encodeURIComponent and rename the local variable away from the banned `tz` abbreviation.
*	fix(auth): ignore malformed user cookies	Fuwn	2026-03-28	6	-24/+54
\|
*	fix(api): keep preferences publicly readable	Fuwn	2026-03-27	1	-4/+1
\|
*	refactor(supabase): move app access to service role	Fuwn	2026-03-27	2	-40/+56
\|
*	refactor: centralise site origin usage	Fuwn	2026-03-22	10	-55/+37
\|
*	refactor(effect): add request body schema decoders to api routes	Fuwn	2026-03-03	4	-5/+36
\|
*	refactor(effect): migrate api auth cookie decoding	Fuwn	2026-03-03	4	-57/+18
\|
*	refactor(effect): migrate core auth decode boundaries	Fuwn	2026-03-03	2	-18/+6
\|
*	chore(biome): drop formatter style overrides	Fuwn	2026-03-01	21	-530/+563
\|
*	chore(biome): re-enable noDoubleEquals rule	Fuwn	2026-03-01	1	-1/+1
\|
*	deps(sveltekit): Migrate to SvelteKit 2	Fuwn	2026-01-22	2	-2/+2
\|
*	fix(api:birthdays): Update HTML parser for primary source	Fuwn	2025-12-07	1	-3/+3
\|
*	fix: Throw redirects	Fuwn	2025-12-01	2	-2/+2
\|
*	deps(SvelteKit): Migrate to SvelteKit 2	Fuwn	2025-06-09	2	-2/+2
\|
*	fix(birthdays): Send cookie to bypass bot detection	Fuwn	2025-04-27	1	-1/+4
\|
*	fix(wrapped): li::marker consistent colouring	Fuwn	2024-12-24	1	-3/+3
\|
*	refactor(authorised): move authorised user functionality to module	Fuwn	2024-11-18	1	-5/+5
\|
*	chore(prettier): use spaces instead of tabs	Fuwn	2024-10-09	19	-356/+356
\|
*	feat(badges): move badge operations to graphql	Fuwn	2024-10-06	1	-129/+128
\|
*	feat(notifications): fingerprint for multiple grants	Fuwn	2024-08-24	2	-6/+8
\|
*	refactor(Data): rename database references	Fuwn	2024-08-24	9	-9/+9
\|
*	refactor(Database): move Supabase user modules to User module	Fuwn	2024-07-25	6	-6/+6
\|
*	refactor(Database): separate providers	Fuwn	2024-07-25	9	-9/+9
\|
*	feat(notifications): allow unsubscribe	Fuwn	2024-07-25	1	-0/+26
\|
*	refactor(trigger): v2 -> v3	Fuwn	2024-07-24	1	-8/+0
\|
*	feat: background notifications	Fuwn	2024-07-24	2	-0/+34
\|
*	refactor(Birthday): rename modules	Fuwn	2024-07-22	2	-0/+0
\|
*	feat(badges): click counter for badges	Fuwn	2024-05-27	1	-1/+8
\|
*	fix(match): delayed and subtitled time compatibility	Fuwn	2024-05-24	1	-121/+122
\|
*	fix(badges): shadow hide refresh	Fuwn	2024-05-21	1	-1/+1
\|
*	fix(badges): use correct id when hiding	Fuwn	2024-05-21	1	-1/+1
\|
*	feat(badges): individual badges shadow hiding	Fuwn	2024-05-20	1	-111/+121
\|
*	feat(badges): use array for pinned categories	Fuwn	2024-05-05	1	-7/+4
\|
*	feat(user): drag and drop pinned categories	Fuwn	2024-05-05	1	-1/+12
\|
*	feat(user): pinned category ui	Fuwn	2024-05-04	1	-1/+12
\|
*	feat(badges): allow awc badges hiding	Fuwn	2024-04-28	1	-1/+9
\|
*	fix(badges): shadow hide authorisation toggle	Fuwn	2024-04-19	1	-1/+1
\|
*	fix(badges): hide shadow hidden badges	Fuwn	2024-04-19	1	-1/+1
\|
*	feat(badges): admin shadow hide	Fuwn	2024-04-19	1	-1/+9
\|
*	fix(badges): empty fields	Fuwn	2024-04-15	1	-5/+5
\|
*	feat(badges): source and designer fields	Fuwn	2024-04-15	1	-1/+3
\|
*	feat(badges): hide category button	Fuwn	2024-04-14	1	-0/+26
\|
*	feat(badges): badge hiding	Fuwn	2024-04-13	1	-3/+4
\|
*	feat(user): biography option	Fuwn	2024-04-13	1	-5/+15
\|
*	feat(badges): custom css	Fuwn	2024-04-02	1	-3/+28
\|
*	feat(badges): migrate category mode	Fuwn	2024-03-01	1	-1/+10
\|
*	fix(preferences): add preferences when not set	Fuwn	2024-02-18	1	-31/+0
\|