fix(feed): clamp public user feed pagination #319

Merged: ralyodio merged 2 commits into profullstack:master from Jorel97:codex/fix-user-feed-pagination-318 on May 29, 2026

Jorel97 commented May 29, 2026

Fixes #318.

Summary

  • parse public user feed limit and offset through a bounded integer helper
  • default invalid/empty limits to 20, cap high limits at 50, and clamp offsets to a non-negative integer
  • add route tests for invalid strings, negative offsets, fractional params, and high-limit capping

Tests

  • Not run locally: this Codex runtime has Node but no npm/pnpm executable or installed project dependencies.

greptile-apps Bot commented May 29, 2026

Greptile Summary

This PR fixes pagination on the public user feed endpoint by replacing ad-hoc parseInt calls with a parsePaginationParam helper that correctly handles non-numeric strings, fractional values, negative offsets, and out-of-range limits. Three vitest cases are added to verify the boundary behaviour.

  • parsePaginationParam clamps limit to [1, 50] (default 20) and offset to [0, 100_000] (default 0), using Math.trunc for fractional inputs and falling back to the default for non-finite values.
  • Tests cover invalid strings ("abc", "-10"), fractional truncation with high-limit capping ("250.7", "3.9"), and zero-limit clamping — all asserting both the Supabase range call arguments and the returned pagination object.

Confidence Score: 5/5

Safe to merge; the helper logic is correct and the tests accurately verify the clamping contract.

The change is narrowly scoped to input parsing: the helper produces correct results for all tested edge cases and the route behaviour is otherwise unchanged. The offset ceiling is generous for the in-memory fetch pattern but is still a strict improvement over the previous uncapped parseInt.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| src/app/api/users/[username]/feed/route.ts | Adds parsePaginationParam helper that correctly clamps limit to [1,50] and offset to [0,100_000]; helper logic is sound but the 100_000 offset ceiling is high given that range(0, limit+offset-1) fetches all rows up-front for in-memory merge-sort pagination. |
| src/app/api/users/[username]/feed/route.test.ts | New test file with three well-structured cases covering invalid strings, fractional truncation with high-limit capping, and zero-limit clamping; mock setup correctly avoids the post-titles code path by using empty comment data. |

Sequence Diagram

sequenceDiagram
    participant Client
    participant Route as GET /api/users/[username]/feed
    participant Helper as parsePaginationParam
    participant DB as Supabase

    Client->>Route: "?limit=X&offset=Y"
    Route->>Helper: parsePaginationParam(limit, 20, 1, 50)
    Helper-->>Route: clamped limit in [1, 50]
    Route->>Helper: parsePaginationParam(offset, 0, 0, 100_000)
    Helper-->>Route: clamped offset in [0, 100_000]
    Route->>DB: profiles.select().eq(username).single()
    DB-->>Route: "profile | 404"
    Route->>DB: posts.range(0, limit+offset-1)
    DB-->>Route: rawPosts[]
    Route->>DB: post_comments.range(0, limit+offset-1)
    DB-->>Route: rawComments[]
    Note over Route: merge, sort by created_at, slice(offset, offset+limit)
    Route-->>Client: "{ data, pagination: { total, limit, offset } }"

Reviews (2): Last reviewed commit: "test(feed): cover zero public feed limit" | Re-trigger Greptile
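
The clamping contract described in the summary above, as an added TypeScript example that is not the project's code: the name parsePaginationParam and the bounds come from the PR discussion, while the function body, the blank-input handling and the hypothetical feedWindow helper are assumptions. feedWindow also reports how many rows the range(0, limit+offset-1) pattern requests per table, which is the quantity the offset ceiling bounds.

```typescript
// Added example: the body is an assumption, only the name and bounds are from the PR.
function parsePaginationParam(
  raw: string | null,
  fallback: number,
  min: number,
  max: number,
): number {
  // Missing or blank parameter: Number("") is 0, so catch it before parsing.
  if (raw === null || raw.trim() === "") return fallback;
  const parsed = Number(raw);
  // "abc" -> NaN and "Infinity" -> Infinity: neither is a usable bound.
  if (!Number.isFinite(parsed)) return fallback;
  // Drop the fraction toward zero ("3.9" -> 3), then clamp into [min, max].
  return Math.min(max, Math.max(min, Math.trunc(parsed)));
}

// Hypothetical helper: takes the raw query-string values for limit and offset.
function feedWindow(limitRaw: string | null, offsetRaw: string | null) {
  const limit = parsePaginationParam(limitRaw, 20, 1, 50);
  const offset = parsePaginationParam(offsetRaw, 0, 0, 100_000);
  // The route requests rows 0..rangeEnd from each table, then slices in memory,
  // so limit + offset is the per-table fetch size an anonymous caller controls.
  return { limit, offset, rangeEnd: limit + offset - 1, rowsPerTable: limit + offset };
}

// Constructed sample inputs (not taken from the project's test file).
const samples: Array<[string | null, string | null]> = [
  ["abc", "-10"],       // invalid limit, negative offset
  ["250.7", "3.9"],     // fractional values, limit above the cap
  ["0", null],          // zero limit, missing offset
  ["50", "999999999"],  // offset far above the ceiling
];
for (const [l, o] of samples) {
  console.log(JSON.stringify({ limit: l, offset: o }), "->", JSON.stringify(feedWindow(l, o)));
}
```

With the ceiling from the PR, the largest request resolves to 100_050 rows per table; lowering the offset maximum lowers that figure directly.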

Comment thread src/app/api/users/[username]/feed/route.ts Outdated

@ralyodio ralyodio merged commit 3db13da into profullstack:master May 29, 2026
4 checks passed
Development

Successfully merging this pull request may close these issues.

Public user feed accepts invalid pagination ranges