Scope all Drizzle queries by user_id from authenticated session

Every data API route now filters SELECT, INSERT, UPDATE, and DELETE
queries by the authenticated user's ID, ensuring full multi-tenant
data isolation. Candle queries are scoped via chart_id ownership.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Marko Djordjevic 2026-02-20 13:08:09 +01:00
parent 9901d0f3f1
commit 5f727d84c6
15 changed files with 75 additions and 60 deletions


@ -1,7 +1,7 @@
import { NextRequest, NextResponse } from 'next/server';
import { db } from '@/lib/db';
import { charts, candles, annotations, spanAnnotations } from '@/lib/db/schema';
import { eq } from 'drizzle-orm';
import { eq, and } from 'drizzle-orm';
import { getAuthUser } from '@/lib/auth';
export async function GET(
@ -20,7 +20,7 @@ export async function GET(
return NextResponse.json({ error: 'Invalid chart ID' }, { status: 400 });
}
const result = await db.select().from(charts).where(eq(charts.id, chartId)).limit(1);
const result = await db.select().from(charts).where(and(eq(charts.id, chartId), eq(charts.user_id, user.id))).limit(1);
if (result.length === 0) {
return NextResponse.json({ error: 'Chart not found' }, { status: 404 });
@ -45,7 +45,7 @@ export async function DELETE(
return NextResponse.json({ error: 'Invalid chart ID' }, { status: 400 });
}
const existing = await db.select().from(charts).where(eq(charts.id, chartId)).limit(1);
const existing = await db.select().from(charts).where(and(eq(charts.id, chartId), eq(charts.user_id, user.id))).limit(1);
if (existing.length === 0) {
return NextResponse.json({ error: 'Chart not found' }, { status: 404 });
}
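Review bot: The `user.id` predicate on the `existing` select in the DELETE hunk should not be the only place ownership is enforced; the delete statement that follows is outside the hunk, and if its where clause is still `eq(charts.id, chartId)` alone, the ownership test and the mutation are two separate queries and the row is removed on the id alone. Put the same predicate on the mutation itself, presumably `await db.delete(charts).where(and(eq(charts.id, chartId), eq(charts.user_id, user.id)));`, so the preceding select serves only to produce the 404. The combined predicate is now duplicated between the GET select and the DELETE select; a small helper such as `const ownedChart = (chartId, userId) => and(eq(charts.id, chartId), eq(charts.user_id, userId));` would keep the two in step and give the delete a single expression to reuse. Both GET and DELETE bodies start and continue outside the hunks, so the `user` null check these lines depend on is not visible here.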


@ -1,7 +1,7 @@
import { NextResponse } from 'next/server';
import { db } from '@/lib/db';
import { charts } from '@/lib/db/schema';
import { desc } from 'drizzle-orm';
import { desc, eq } from 'drizzle-orm';
import { getAuthUser } from '@/lib/auth';
export async function GET() {
@ -10,6 +10,6 @@ export async function GET() {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}
const allCharts = await db.select().from(charts).orderBy(desc(charts.created_at));
const allCharts = await db.select().from(charts).where(eq(charts.user_id, user.id)).orderBy(desc(charts.created_at));
return NextResponse.json(allCharts);
}