feat: implement Update/Delete APIs with enhanced security #119

Merged
merged 1 commit into from
Jun 8, 2025

Conversation

nullcoder
Owner

Summary

  • Implements PUT and DELETE endpoints for /api/gists/[id] with comprehensive security features
  • Adds dual authentication methods (metadata proof for one-time views, PIN for protected gists)
  • Refactors all API tests to follow consistent naming pattern

Test plan

  • All 69 tests passing with 100% coverage
  • DELETE endpoint validates metadata proof for one-time gists
  • DELETE endpoint validates PIN for protected gists
  • PUT endpoint supports multipart form data updates
  • PUT endpoint validates PIN and prevents concurrent conflicts
  • CSRF protection active on all state-changing endpoints
  • WebCrypto API migration complete for edge runtime

🤖 Generated with Claude Code

This PR completes Issue #107 by implementing PUT and DELETE endpoints for the /api/gists/[id] route with comprehensive security features and API test refactoring.

## Key Features

### DELETE Endpoint
- Dual authentication methods:
  - One-time view gists: metadata proof validation (SHA-256 hash)
  - PIN-protected gists: PIN validation via X-Edit-Password header
- CSRF protection on all state-changing endpoints
- Fixed race condition by moving auto-deletion to explicit DELETE endpoint

### PUT Endpoint
- Multipart form data support for gist updates
- PIN validation for protected gists
- Optimistic locking to prevent concurrent update conflicts
- Support for updating encrypted user metadata and editor preferences

### Security Enhancements
- Created reusable CSRF validation in lib/security.ts
- Converted all crypto operations to WebCrypto API for edge runtime
- Added comprehensive schema validation using Zod
- Proper error handling with typed AppError system

### API Test Refactoring
- Established consistent test pattern: route.{method}.test.ts
- Split all combined test files by HTTP method
- Created API_TEST_PATTERN.md documentation
- All 69 tests passing with 100% coverage

### Additional Improvements
- Implemented user metadata encryption support
- Created shared schemas in lib/api-schemas.ts
- Added editor preferences to create/update operations
- Updated tracking documents and TODO.md

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Deploying with Cloudflare Workers

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! | ghostpaste | cdc8560 | Visit preview | Jun 08 2025, 01:50 AM |

@nullcoder nullcoder merged commit 56e74a7 into main Jun 8, 2025
1 check passed
@nullcoder nullcoder deleted the feat/update-delete-apis branch June 8, 2025 01:51