Bug
The public follower-list endpoints accept unbounded numeric offset values:
GET /api/users/[username]/followers
GET /api/users/[username]/following
A request such as ?offset=999999999&limit=10 passes an extreme range start into Supabase .range(...) and returns the same oversized offset in pagination metadata.
Expected
Keep normal offsets unchanged, but cap extremely large offsets before building Supabase ranges and returning pagination metadata. This matches the pagination hardening already used in other public endpoints.
Proposed fix
Cap offsets at 100_000 in both mirrored routes and add regression coverage for the generated range bounds and response metadata.
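One way to implement the cap described above, as an added example rather than the project's own code: a pure helper that parses offset/limit from the query string, clamps the offset to 100_000 (the value from this report), and returns both the inclusive bounds for Supabase .range(from, to) and the offset that should be echoed in pagination metadata. MAX_OFFSET comes from the report; DEFAULT_LIMIT, MAX_LIMIT and the function names are assumptions for illustration. Because it is pure, the same function can be shared by both mirrored routes and unit-tested directly for the generated range bounds.

```typescript
// Added example (not the project's code): pagination hardening for
// /api/users/[username]/followers and /following.
// MAX_OFFSET is taken from the bug report; DEFAULT_LIMIT and MAX_LIMIT are assumptions.
const MAX_OFFSET = 100_000;
const DEFAULT_LIMIT = 20;
const MAX_LIMIT = 100;

interface PageBounds {
  offset: number; // clamped value, echoed in pagination metadata
  limit: number;  // clamped value, echoed in pagination metadata
  from: number;   // first argument to Supabase .range()
  to: number;     // second argument to Supabase .range(); range() is inclusive
}

// Parse a non-negative decimal integer from a query value, falling back on
// anything that is missing, negative, non-numeric, or in exponent form ("1e9").
function parseNonNegativeInt(raw: string | null, fallback: number): number {
  if (raw === null) return fallback;
  const trimmed = raw.trim();
  if (!/^\d+$/.test(trimmed)) return fallback;
  const n = Number(trimmed);
  // Very long digit strings parse to huge floats; they are still finite, so the
  // caller's clamp handles them rather than trusting the raw value.
  return Number.isFinite(n) ? n : fallback;
}

// Compute clamped pagination bounds from the request's search params.
// Normal offsets pass through unchanged; extreme ones are capped at MAX_OFFSET
// before the Supabase range is built, so the range and the metadata agree.
function boundsFromParams(params: URLSearchParams): PageBounds {
  const rawOffset = parseNonNegativeInt(params.get("offset"), 0);
  const rawLimit = parseNonNegativeInt(params.get("limit"), DEFAULT_LIMIT);

  const offset = Math.min(rawOffset, MAX_OFFSET);
  const limit = Math.min(Math.max(rawLimit, 1), MAX_LIMIT);

  return { offset, limit, from: offset, to: offset + limit - 1 };
}

// Build the pagination metadata returned alongside the rows. It reports the
// clamped offset, never the caller-supplied one. `total` is the count returned
// by the query (assumed to be available to the route handler).
function paginationMeta(bounds: PageBounds, total: number) {
  return {
    offset: bounds.offset,
    limit: bounds.limit,
    total,
    hasMore: bounds.to + 1 < total,
  };
}

// Sketch of how a route handler would use it (constructed usage, not the real
// handler): `supabase.from("followers").select("*", { count: "exact" })
//            .eq("username", username).range(bounds.from, bounds.to)`.
const example = boundsFromParams(new URLSearchParams("offset=999999999&limit=10"));
console.log(example, paginationMeta(example, 100_250));
```

The regression coverage the proposal asks for falls out naturally: assert on `from`/`to` for a normal offset, for the 999999999 case, and for malformed input, and assert that `paginationMeta` echoes the clamped offset rather than the raw one.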
Paid task context: https://ugig.net/gigs/abd6b2a0-e728-48cf-a46f-f99e419ed94e