feat: implement PUT and DELETE endpoints for gists #107

Closed
@nullcoder

Overview

Implement update and delete endpoints for gists with PIN validation to ensure only authorized users can modify or remove gists.

Tasks

  • Create PUT /api/gists/[id] endpoint
  • Create DELETE /api/gists/[id] endpoint
  • Implement PIN validation for both endpoints
  • Ensure atomic operations (metadata + blob)
  • Handle version conflicts
  • Add audit logging

Technical Requirements

  • Edge runtime compatible
  • PIN validation using PBKDF2 (matching creation hash)
  • Atomic updates/deletes for both metadata and blob
  • Optimistic locking for concurrent updates
  • Clean up both R2 objects on delete
  • Log security-relevant events

Endpoints

PUT /api/gists/[id]

  • Updates existing gist with new data
  • Requires PIN in request header or body
  • Validates PIN against stored hash
  • Updates both metadata and blob atomically
  • Response: 200 on success, 401 for wrong PIN, 404 if not found

DELETE /api/gists/[id]

  • Deletes gist permanently
  • Requires PIN in request header or body
  • Validates PIN against stored hash
  • Removes both metadata and blob
  • Response: 204 on success, 401 for wrong PIN, 404 if not found

Acceptance Criteria

  • Can update gist with correct PIN
  • Can delete gist with correct PIN
  • Returns 401 for incorrect PIN
  • Returns 404 for non-existent gists
  • Operations are atomic (all or nothing)
  • No orphaned data in R2
  • Version conflicts are handled gracefully

Dependencies

References

  • See docs/PHASE_5_ISSUE_TRACKING.md for detailed specifications
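
An added sketch of the PIN check that both endpoints share, written against Web Crypto so it runs on an edge runtime; it is not the project's code. The metadata field names, SHA-256 as the PBKDF2 hash, hex encoding, and 409 for a stale version are assumptions, since the issue does not specify them.

```javascript
// Added example, not the project's code. Field names (pinSalt, pinHash,
// pinIterations, version) are hypothetical stand-ins for the stored metadata.
const enc = new TextEncoder();
const toHex = (buf) =>
  [...new Uint8Array(buf)].map((b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (hex) => Uint8Array.from(hex.match(/.{2}/g), (h) => parseInt(h, 16));

async function getSubtle() {
  // Edge runtimes and current Node expose Web Crypto globally; older Node needs the import.
  return (globalThis.crypto ?? (await import("node:crypto")).webcrypto).subtle;
}

// Re-derive the hash with the salt and iteration count saved at creation time.
// SHA-256 and a 256-bit output are assumptions; they must match what creation used.
async function derivePinHash(pin, saltHex, iterations) {
  const subtle = await getSubtle();
  const key = await subtle.importKey("raw", enc.encode(pin), "PBKDF2", false, ["deriveBits"]);
  const bits = await subtle.deriveBits(
    { name: "PBKDF2", hash: "SHA-256", salt: fromHex(saltHex), iterations },
    key,
    256
  );
  return toHex(bits);
}

// No early exit, so response time does not reveal how many leading characters matched.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Gate for PUT and DELETE: 404 and 401 come from the issue; 409 is an assumption.
// The PIN is checked before the version so an unauthenticated caller cannot probe versions.
async function authorizeMutation(meta, pin, expectedVersion) {
  if (!meta) return { ok: false, status: 404 };
  if (typeof pin !== "string" || pin.length === 0) return { ok: false, status: 401 };
  const candidate = await derivePinHash(pin, meta.pinSalt, meta.pinIterations);
  if (!constantTimeEqual(candidate, meta.pinHash)) return { ok: false, status: 401 };
  if (expectedVersion !== undefined && expectedVersion !== meta.version) {
    return { ok: false, status: 409 };
  }
  return { ok: true, status: null };
}
```

The handler would call `authorizeMutation` before touching R2 and write an audit log entry for every 401 it returns.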

Labels: api (API endpoints and backend logic), enhancement (New feature or request), priority: high (Should be done soon)