More fixes, adds limits

2026-03-11 17:55:35 +00:00 · 2026-03-01 22:10:41 +05:30 · 2026-03-01 22:10:41 +05:30 · ce98e2f89f
commit ce98e2f89f
parent 5ee0f9cf98
5 changed files with 13 additions and 5 deletions
--- a/server/routes/users/[id]/bookmarks.ts
+++ b/server/routes/users/[id]/bookmarks.ts
@ -51,7 +51,7 @@ export default defineEventHandler(async event => {

  if (method === 'PUT') {
    const body = await readBody(event);
-    const validatedBody = z.array(bookmarkDataSchema).parse(body);
+    const validatedBody = z.array(bookmarkDataSchema).max(1000).parse(body);

    const now = new Date();
    const upserts = validatedBody.map((item: any) => {
--- a/server/routes/users/[id]/lists/index.patch.ts
+++ b/server/routes/users/[id]/lists/index.patch.ts
@ -51,7 +51,9 @@ export default defineEventHandler(async event => {
    });
  }

-  const result = await prisma.$transaction(async tx => {
+  let result;
+  try {
+    result = await prisma.$transaction(async tx => {
    if (
      validatedBody.name ||
      validatedBody.description !== undefined ||
@ -106,6 +108,12 @@ export default defineEventHandler(async event => {
      include: { list_items: true },
    });
  });
+  } catch (err: any) {
+    if (err.code === 'P2002') {
+      throw createError({ statusCode: 409, message: 'A list with this name already exists' });
+    }
+    throw err;
+  }

  return {
    list: result,
--- a/server/routes/users/[id]/progress/import.ts
+++ b/server/routes/users/[id]/progress/import.ts
@ -73,7 +73,7 @@ export default defineEventHandler(async event => {

  try {
    const body = await readBody(event);
-    const validatedBody = z.array(progressItemSchema).parse(body);
+    const validatedBody = z.array(progressItemSchema).max(1000).parse(body);

    const existingItems = await prisma.progress_items.findMany({
      where: { user_id: userId },
--- a/server/routes/users/[id]/watch-history/[tmdbid]/index.ts
+++ b/server/routes/users/[id]/watch-history/[tmdbid]/index.ts
@ -58,7 +58,7 @@ export default defineEventHandler(async event => {
      // Accept single object (normal playback) or array (e.g. user import)
      const bodySchema = z.union([
        watchHistoryItemSchema,
-        z.array(watchHistoryItemSchema),
+        z.array(watchHistoryItemSchema).max(1000),
      ]);
      const parsed = bodySchema.parse(body);
      const items = Array.isArray(parsed) ? parsed : [parsed];
--- a/server/utils/prisma.ts
+++ b/server/utils/prisma.ts
@ -11,7 +11,7 @@ const pool =
  globalForPrisma.pool ||
  new Pool({
    connectionString: process.env.DATABASE_URL,
-    max: parseInt(process.env.DB_POOL_MAX || '1000', 10),
+    max: Math.max(1, parseInt(process.env.DB_POOL_MAX, 10) || 30),
    connectionTimeoutMillis: 10000,
    idleTimeoutMillis: 300000,
  });