fix: resolve 6 bugs — password hashing, SQL injection risk, JWT inconsistency, and count query params #8

Merged: ehsanking merged 1 commit into main from claude/analyze-and-fix-bugs-fQ4z0 on May 10, 2026

@ehsanking (Owner)

  • app/api/users/route.ts: hash passwords with bcrypt before storing; fix
    count query sending wrong params when no search filter is active (passed
    [limit] to a parameterless SQL statement, causing a better-sqlite3 error)
  • app/api/users/[id]/route.ts: hash password with bcrypt on user update
  • app/api/sessions/[id]/route.ts: replace double-quoted SQL string literal
    with a parameterised binding (SQLite treats double-quotes as identifiers)
  • app/api/client/login/route.ts: replace inconsistent raw JWT_SECRET check
    (min 64 chars) with getJwtSecret() so client and admin tokens share the
    same secret derivation logic
  • lib/db.ts: catch and log startup validateConnection() errors instead of
    silently dropping them

https://claude.ai/code/session_01DkUApogQMjHvzsmsEty9z7
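
The count-query fix listed in the description above comes down to keeping the bound parameters in step with the `?` placeholders of each statement. The sketch below is an added example, not code from this pull request: the table and column names (`users`, `username`, `email`) and every function name are assumptions made for illustration.

```typescript
// Added illustration; schema and function names are hypothetical.
type SqlValue = string | number;
interface Query { sql: string; params: SqlValue[]; }

// Count "?" placeholders that sit outside quoted literals or identifiers.
function countPlaceholders(sql: string): number {
  let n = 0;
  let quote = "";
  for (let i = 0; i < sql.length; i++) {
    const ch = sql.charAt(i);
    if (quote !== "") {
      if (ch === quote) quote = "";
    } else if (ch === "'" || ch === '"') {
      quote = ch;
    } else if (ch === "?") {
      n++;
    }
  }
  return n;
}

// A query is safe to hand to the driver only if both counts agree.
function isBalanced(q: Query): boolean {
  return countPlaceholders(q.sql) === q.params.length;
}

// Shape of the bug in the description: the count parameters are picked
// separately from the SQL text, so the unfiltered statement gets [limit].
function buggyCountQuery(search: string | undefined, limit: number): Query {
  const sql = search
    ? "SELECT COUNT(*) AS total FROM users WHERE username LIKE ?"
    : "SELECT COUNT(*) AS total FROM users";
  const params: SqlValue[] = search ? ["%" + search + "%"] : [limit];
  return { sql: sql, params: params };
}

// Corrected shape: one WHERE fragment and one filter-parameter list feed
// both statements; LIMIT/OFFSET values are appended to the list query only.
function buildUserQueries(search: string | undefined, limit: number, offset: number): { list: Query; count: Query } {
  let whereSql = "";
  const filterParams: SqlValue[] = [];
  if (search) {
    whereSql = " WHERE (username LIKE ? OR email LIKE ?)";
    filterParams.push("%" + search + "%", "%" + search + "%");
  }
  return {
    list: { sql: "SELECT id, username, email FROM users" + whereSql + " ORDER BY id LIMIT ? OFFSET ?",
            params: filterParams.concat([limit, offset]) },
    count: { sql: "SELECT COUNT(*) AS total FROM users" + whereSql, params: filterParams.slice() },
  };
}
```

Running `isBalanced` on each query in a unit test catches this class of mismatch before the statement reaches the database driver.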

vercel Bot commented May 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| power-vpn | Ready | Preview, Comment, Open in v0 | May 10, 2026 11:43pm |

@ehsanking merged commit ef0a9ea into main on May 10, 2026
3 checks passed