fix(api): drop redundant dev-deps; fix server AppState for cookie_secure; add logout + illegal-transition tests

2026-06-02 15:04:07 +02:00
parent 5135aeee6c
commit 642f709bbe
5 changed files with 101 additions and 2 deletions
@@ -138,6 +138,8 @@ pub(crate) async fn set_visibility(
    Path(id): Path<String>,
    Json(req): Json<VisibilityRequest>,
 ) -> Result<StatusCode, StatusCode> {
+    // 404 (not 400) for an unparseable id — same non-leaking convention as the public
+    // surface: never reveal whether an id could exist.
    let object_id = id.parse::<ObjectId>().map_err(|_| StatusCode::NOT_FOUND)?;

    let mut tx = state