fabi/Mangalord
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bugfix: tighten validation, drop dead sendBeacon, NUL byte (0.34.1)

Browse Source 
Five small fixes from REVIEW.md §2/§4/§8:

- attach_tag: 64-char cap at the handler so the validation error
  envelope matches username/collection-name.
- create_token: same 64-char cap on bot token names.
- LocalStorage::resolve rejects NUL bytes explicitly so callers see
  BadKey instead of an opaque IO error.
- sendBeacon dropped from the reader's pagehide flush — it's POST-only
  and the server's read-progress route is PUT, so every page-close
  was logging a 405 then falling through to the same keepalive fetch
  anyway. Keepalive fetch is now the only path.
- Frontend logout sets content-type: application/json for symmetry
  with the other mutation helpers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
2026-05-28 19:17:01 +02:00
parent e7662d18d6
commit 8667f8b957
11 changed files with 137 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
backend/src/api/auth.rs
View File

@@ -230,8 +230,24 @@ async fn create_token(
Json(input): Json<CreateTokenInput>,
) -> AppResult<impl IntoResponse> {
let name = input.name.trim();
// Both arms use `ValidationFailed` (422 with field details) to
// match the structured-error shape `attach_tag` returns for the
// same kind of free-form-identifier validation. The other
// /auth/* handlers in this file use `InvalidInput` (400); the
// divergence is pre-existing and would warrant a project-wide
// pass to flip them all if the client side wants uniform per-
// field error rendering.
if name.is_empty() {
return Err(AppError::InvalidInput("token name is required".into()));
return Err(AppError::ValidationFailed {
message: "token name is required".into(),
details: serde_json::json!({ "name": "required" }),
});
}
if name.chars().count() > 64 {
return Err(AppError::ValidationFailed {
message: "token name too long".into(),
details: serde_json::json!({ "name": "max 64 characters" }),
});
}
let (raw, hash) = generate_token();
let token = repo::api_token::create(&state.db, user.id, name, &hash).await?;