diff --git a/artifacts/api-server/src/routes/apps.ts b/artifacts/api-server/src/routes/apps.ts index e731a1b2..505772e2 100644 --- a/artifacts/api-server/src/routes/apps.ts +++ b/artifacts/api-server/src/routes/apps.ts @@ -43,9 +43,7 @@ async function getVisibleAppsForUser(userId: number): Promise => { } const { order } = parsed.data; + + const seen = new Set(); + for (const id of order) { + if (seen.has(id)) { + res.status(400).json({ error: `Duplicate app id in order: ${id}` }); + return; + } + seen.add(id); + } + const visible = await getVisibleAppsForUser(userId); const visibleIds = new Set(visible.map((a) => a.id)); - - const filtered = order.filter((id) => visibleIds.has(id)); - const seen = new Set(); - const dedup = filtered.filter((id) => { - if (seen.has(id)) return false; - seen.add(id); - return true; - }); + const invalid = order.filter((id) => !visibleIds.has(id)); + if (invalid.length > 0) { + res.status(400).json({ + error: `Unknown or unauthorized app id(s): ${invalid.join(", ")}`, + }); + return; + } await db.transaction(async (tx) => { await tx.delete(userAppOrdersTable).where(eq(userAppOrdersTable.userId, userId)); - if (dedup.length > 0) { + if (order.length > 0) { await tx.insert(userAppOrdersTable).values( - dedup.map((appId, idx) => ({ userId, appId, sortOrder: idx })), + order.map((appId, idx) => ({ userId, appId, sortOrder: idx })), ); } });