highperfocused/multica
1
0
Fork 0
mirror of https://github.com/multica-ai/multica.git synced 2026-06-17 03:38:32 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
feat/skill-import-conflict-cli
multica/server/internal/handler/pin.go
Bohan Jiang f628e48775 refactor(server): error-returning ParseUUID to prevent silent data loss 
* refactor(server): make ParseUUID error-returning to prevent silent data loss (MUL-1410)

util.ParseUUID previously swallowed errors and returned a zero pgtype.UUID
on invalid input. When this zero UUID reached a write query (DELETE/UPDATE),
the SQL matched zero rows and the handler returned 2xx success — producing
silent data corruption. #1661 (DeleteIssue with identifier-style ID) was the
visible symptom; PR #1680 patched that one site, this commit closes the
class of bug.

Changes:

- util.ParseUUID now returns (pgtype.UUID, error). Add util.MustParseUUID
  for trusted round-trips that should panic on invalid input.
- handler/handler.go: parseUUID wrapper now calls MustParseUUID — any
  unguarded user-input string reaching it surfaces as a recovered panic
  (chi middleware.Recoverer → 500) instead of silently corrupting data.
  Add parseUUIDOrBadRequest(w, s, fieldName) for handler entry points.
- Convert every Queries.Delete*/Update* call site reachable from raw user
  input (autopilot, comment, project, skill, skill_file, label, pin,
  attachment, feedback, issue assignee, daemon runtime, workspace) to
  validate UUIDs explicitly with parseUUIDOrBadRequest, returning 400 on
  invalid input. Where a resolved entity.ID is already in scope, write
  queries now use it directly instead of re-parsing the URL string.
- Update getWorkspaceMember + loadIssueForUser to handle invalid UUIDs
  gracefully (404/400 instead of panic).
- Update util/middleware/cmd-level callers (subscriber_listeners,
  notification_listeners, activity_listeners, scope_authorizer,
  middleware/workspace) to use the error-returning API.
- Add server/internal/util/pgx_test.go covering valid/invalid input and
  the MustParseUUID panic contract.
- Add TestDeleteIssueByIdentifier + TestDeleteIssueRejectsInvalidUUID
  regression tests in handler_test.go (the original #1661 bug + the
  invalid-input case).
- Document the handler UUID parsing convention in CLAUDE.md so the rule
  is enforceable in future PR review.

* fix(server): address GPT-Boy review of #1748

P1 fixes from PR #1748 review:

1. Migrate remaining request-boundary UUIDs to parseUUIDOrBadRequest so
   malformed input returns 400 instead of panic/500. Was missing on:
   - issue.go: workspace_id in CreateIssue/ChildIssueProgress/ListIssues/
     SearchIssues/BatchUpdateIssues/BatchDeleteIssues; project_id /
     parent_issue_id / lead_id / assignee_id / assignee_ids / creator_id
     filters; batch issue_ids and assignee/parent/project fields in
     BatchUpdateIssues (skip on bad input via util.ParseUUID, matching
     the existing per-row continue semantics).
   - project.go: project id + workspace_id in GetProject/UpdateProject/
     DeleteProject; lead_id in CreateProject/UpdateProject;
     workspace_id in ListProjects + SearchProjects.
   - handler.go: resolveActor now uses util.ParseUUID for X-Agent-ID /
     X-Task-ID headers; invalid UUID falls back to "member" (matches
     pre-existing semantics) instead of panicking.
   - issue.go: validateAssigneePair returns 400 on invalid workspace_id
     instead of panicking.

2. Fix issue:deleted WS event payloads to emit uuidToString(issue.ID)
   instead of the raw URL string. After an identifier-path delete
   ("MUL-7"), the previous payload would have leaked the identifier to
   subscribers, leaving stale entries in frontend caches that key by
   UUID. Updated DeleteIssue (issue.go:1341) and BatchDeleteIssues
   (issue.go:1641). The slog "issue deleted" log line also now records
   the resolved UUID so logs match the WS payload.

3. Extend TestDeleteIssueByIdentifier to subscribe to the bus and
   assert issue:deleted.payload.issue_id is the resolved UUID, not
   the identifier.

* fix(server): validate remaining reviewed UUID inputs

* fix(server): validate remaining handler UUID inputs

* fix(server): finish request boundary UUID audit

* fix(server): validate remaining request body UUIDs

* fix(server): validate runtime path UUIDs

* fix(server): validate remaining audit UUID inputs

---------

Co-authored-by: Eve <eve@multica.ai>
2026-04-28 14:50:28 +08:00

231 lines
6.2 KiB
Go
Raw Permalink Blame History

package handler
import (
"encoding/json"
"net/http"
"github.com/go-chi/chi/v5"
db "github.com/multica-ai/multica/server/pkg/db/generated"
"github.com/multica-ai/multica/server/pkg/protocol"
)
// PinnedItemResponse carries pin metadata only. Title / status / identifier /
// icon are intentionally NOT included — clients derive them from their own
// issue / project query cache so that an `issue:updated` event flows naturally
// into the sidebar without needing a cross-entity invalidate on `pinKeys`.
type PinnedItemResponse struct {
ID string `json:"id"`
WorkspaceID string `json:"workspace_id"`
UserID string `json:"user_id"`
ItemType string `json:"item_type"`
ItemID string `json:"item_id"`
Position float64 `json:"position"`
CreatedAt string `json:"created_at"`
}
func pinnedItemToResponse(p db.PinnedItem) PinnedItemResponse {
return PinnedItemResponse{
ID: uuidToString(p.ID),
WorkspaceID: uuidToString(p.WorkspaceID),
UserID: uuidToString(p.UserID),
ItemType: p.ItemType,
ItemID: uuidToString(p.ItemID),
Position: p.Position,
CreatedAt: timestampToString(p.CreatedAt),
}
}
type CreatePinRequest struct {
ItemType string `json:"item_type"`
ItemID string `json:"item_id"`
}
type ReorderPinsRequest struct {
Items []ReorderItem `json:"items"`
}
type ReorderItem struct {
ID string `json:"id"`
Position float64 `json:"position"`
}
func (h *Handler) ListPins(w http.ResponseWriter, r *http.Request) {
userID, ok := requireUserID(w, r)
if !ok {
return
}
workspaceID := h.resolveWorkspaceID(r)
pins, err := h.Queries.ListPinnedItems(r.Context(), db.ListPinnedItemsParams{
WorkspaceID: parseUUID(workspaceID),
UserID: parseUUID(userID),
})
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to list pins")
return
}
resp := make([]PinnedItemResponse, 0, len(pins))
for _, p := range pins {
resp = append(resp, pinnedItemToResponse(p))
}
writeJSON(w, http.StatusOK, resp)
}
func (h *Handler) CreatePin(w http.ResponseWriter, r *http.Request) {
userID, ok := requireUserID(w, r)
if !ok {
return
}
workspaceID := h.resolveWorkspaceID(r)
var req CreatePinRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeError(w, http.StatusBadRequest, "invalid request body")
return
}
if req.ItemType != "issue" && req.ItemType != "project" {
writeError(w, http.StatusBadRequest, "item_type must be 'issue' or 'project'")
return
}
if req.ItemID == "" {
writeError(w, http.StatusBadRequest, "item_id is required")
return
}
itemUUID, ok := parseUUIDOrBadRequest(w, req.ItemID, "item_id")
if !ok {
return
}
wsUUID, ok := parseUUIDOrBadRequest(w, workspaceID, "workspace id")
if !ok {
return
}
// Verify the item exists in this workspace
switch req.ItemType {
case "issue":
if _, err := h.Queries.GetIssueInWorkspace(r.Context(), db.GetIssueInWorkspaceParams{
ID: itemUUID, WorkspaceID: wsUUID,
}); err != nil {
writeError(w, http.StatusNotFound, "issue not found")
return
}
case "project":
if _, err := h.Queries.GetProjectInWorkspace(r.Context(), db.GetProjectInWorkspaceParams{
ID: itemUUID, WorkspaceID: wsUUID,
}); err != nil {
writeError(w, http.StatusNotFound, "project not found")
return
}
}
// Get max position to append at end
maxPos, err := h.Queries.GetMaxPinnedItemPosition(r.Context(), db.GetMaxPinnedItemPositionParams{
WorkspaceID: wsUUID,
UserID: parseUUID(userID),
})
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to get position")
return
}
pin, err := h.Queries.CreatePinnedItem(r.Context(), db.CreatePinnedItemParams{
WorkspaceID: wsUUID,
UserID: parseUUID(userID),
ItemType: req.ItemType,
ItemID: itemUUID,
Position: maxPos + 1,
})
if err != nil {
if isUniqueViolation(err) {
writeError(w, http.StatusConflict, "item already pinned")
return
}
writeError(w, http.StatusInternalServerError, "failed to create pin")
return
}
resp := pinnedItemToResponse(pin)
h.publish(protocol.EventPinCreated, workspaceID, "member", userID, map[string]any{"pin": resp})
writeJSON(w, http.StatusCreated, resp)
}
func (h *Handler) DeletePin(w http.ResponseWriter, r *http.Request) {
userID, ok := requireUserID(w, r)
if !ok {
return
}
workspaceID := h.resolveWorkspaceID(r)
itemType := chi.URLParam(r, "itemType")
itemID := chi.URLParam(r, "itemId")
wsUUID, ok := parseUUIDOrBadRequest(w, workspaceID, "workspace id")
if !ok {
return
}
itemUUID, ok := parseUUIDOrBadRequest(w, itemID, "item id")
if !ok {
return
}
err := h.Queries.DeletePinnedItem(r.Context(), db.DeletePinnedItemParams{
WorkspaceID: wsUUID,
UserID: parseUUID(userID),
ItemType: itemType,
ItemID: itemUUID,
})
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to delete pin")
return
}
h.publish(protocol.EventPinDeleted, workspaceID, "member", userID, map[string]any{
"item_type": itemType,
"item_id": itemID,
})
w.WriteHeader(http.StatusNoContent)
}
func (h *Handler) ReorderPins(w http.ResponseWriter, r *http.Request) {
userID, ok := requireUserID(w, r)
if !ok {
return
}
workspaceID := h.resolveWorkspaceID(r)
var req ReorderPinsRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeError(w, http.StatusBadRequest, "invalid request body")
return
}
wsUUID, ok := parseUUIDOrBadRequest(w, workspaceID, "workspace id")
if !ok {
return
}
for _, item := range req.Items {
itemUUID, ok := parseUUIDOrBadRequest(w, item.ID, "items[].id")
if !ok {
return
}
if err := h.Queries.UpdatePinnedItemPosition(r.Context(), db.UpdatePinnedItemPositionParams{
Position: item.Position,
ID: itemUUID,
WorkspaceID: wsUUID,
UserID: parseUUID(userID),
}); err != nil {
writeError(w, http.StatusInternalServerError, "failed to reorder pins")
return
}
}
// Fan out so other sessions (web/desktop, or a second tab) refetch
// the pin list and pick up the new order. Without this, reorder is
// only consistent on the originating client until a hard refresh.
h.publish(protocol.EventPinReordered, workspaceID, "member", userID, map[string]any{"items": req.Items})
w.WriteHeader(http.StatusNoContent)
}
Reference in New Issue View Git Blame Copy Permalink