From 94f1a4cd7ec761e03416b1619dd24fba1a53f96d Mon Sep 17 00:00:00 2001
From: Nexus0ps
Date: Tue, 2 Jun 2026 13:42:18 -0400
Subject: [PATCH] fix(users): cap follow-list offset at 100_000 before Supabase range

Extreme offsets like ?offset=999999999 now cap at 100_000 for both followers and following endpoints, matching the pagination-hardening pattern used across other public endpoints.
Fixes #356
---
 src/app/api/users/[username]/followers/route.ts | 2 +-
 src/app/api/users/[username]/following/route.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/app/api/users/[username]/followers/route.ts b/src/app/api/users/[username]/followers/route.ts
index b9a4adfc..2ad9f380 100644
--- a/src/app/api/users/[username]/followers/route.ts
+++ b/src/app/api/users/[username]/followers/route.ts
@@ -27,7 +27,7 @@ export async function GET(
 const supabase = await createClient();
 const searchParams = request.nextUrl.searchParams;
 const limit = parsePositiveInt(searchParams.get("limit"), 20, 100);
- const offset = parseNonNegativeInt(searchParams.get("offset"), 0);
+ const offset = Math.min(parseNonNegativeInt(searchParams.get("offset"), 0), 100_000);
 // Look up target user
 const { data: targetProfile, error: profileError } = await supabase
diff --git a/src/app/api/users/[username]/following/route.ts b/src/app/api/users/[username]/following/route.ts
index 855d4ef7..a4ef7174 100644
--- a/src/app/api/users/[username]/following/route.ts
+++ b/src/app/api/users/[username]/following/route.ts
@@ -27,7 +27,7 @@ export async function GET(
 const supabase = await createClient();
 const searchParams = request.nextUrl.searchParams;
 const limit = parsePositiveInt(searchParams.get("limit"), 20, 100);
- const offset = parseNonNegativeInt(searchParams.get("offset"), 0);
+ const offset = Math.min(parseNonNegativeInt(searchParams.get("offset"), 0), 100_000);
 // Look up target user
 const { data: targetProfile, error: profileError } = await supabase
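Review bot: The clamp on the new `offset` line in `followers/route.ts` is silent: any request above the cap is served the page that starts at row 100_000, so a client that pages by incrementing `offset` keeps receiving the same rows instead of an end-of-list signal, and the limit that protects the database from deep range scans is invisible to callers and to logs. Rejecting the request is clearer, e.g. keep `const offset = parseNonNegativeInt(searchParams.get("offset"), 0);` and add `if (offset > MAX_FOLLOW_OFFSET) return NextResponse.json({ error: "offset exceeds maximum" }, { status: 400 });` (assuming `NextResponse` is imported in this route, which the hunk does not show). `MAX_FOLLOW_OFFSET` is a suggested shared constant replacing the literal `100_000`, which is duplicated in the `following/route.ts` hunk, where the same point applies. `GET`'s body continues outside both hunks, so how `offset` reaches the Supabase range call is not visible here.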