fix: enforce unique provider+subject constraint and harden sync route

- Change providerSubjectIdx from index to uniqueIndex in schema.ts to prevent multiple users sharing the same (provider, subject) pair, which caused non-deterministic sign-in resolution via findFirst.
- Add migration 0008_unique_provider_subject.sql: DROP the existing non-unique index and CREATE UNIQUE INDEX in its place.
- Validate INSTANCE_SYNC_MAX_BYTES env var in sync route: fall back to 10 MB default when the value is non-numeric (e.g. 'off') or non-positive, preventing NaN comparisons that silently disabled the size limit.
- Return a generic error message to callers on applySyncPayload / applyCaddyConfig failure instead of leaking the raw error string; the original message is still stored internally via setSlaveLastSync.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2
drizzle/0008_unique_provider_subject.sql
Normal file
@@ -0,0 +1,2 @@
DROP INDEX IF EXISTS `users_provider_subject_idx`;
CREATE UNIQUE INDEX `users_provider_subject_idx` ON `users`(`provider`,`subject`);
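Review bot: The `CREATE UNIQUE INDEX` on `users`(`provider`,`subject`) has no preceding step to handle rows that already share a pair, which is the condition the commit message says existed. On a database that already holds such duplicates the index creation will fail, and because `DROP INDEX IF EXISTS` runs first, the table can be left with no index on these columns unless the migration runner wraps both statements in one transaction. Suggest adding a pre-check or deduplication step ahead of the CREATE (for example a `GROUP BY provider, subject HAVING COUNT(*) > 1` query) and documenting how conflicting accounts should be resolved before upgrading.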