feat(auth): add per-user task isolation #27

Merged
barrettruth merged 1 commit from feat/multi-user-isolation into main 2026-03-23 03:04:16 +00:00
barrettruth commented 2026-03-23 03:03:15 +00:00

Problem

All tasks, automations, and category colors were global — any authenticated user could see and modify any other user's data. The auth gate existed but there was no data isolation behind it. Server actions had zero auth checks.

Solution

Add userId FK to tasks, automations, and categoryColors tables with a migration that defaults existing rows to user 1. Thread userId through all core functions, server actions (with requireUser/requireOwnedTask helpers), API routes (ownership verification before mutations), and dashboard pages. Closes #24.

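The ownership check described in this PR, as an added JavaScript example that is not the project's own code: a mutation keyed only by task id next to the same mutation gated by `requireUser` and `requireOwnedTask`. The in-memory `Map` standing in for the `tasks` table, the session shape, the helper signatures, and the names `renameTask`, `renameTaskUnscoped` and `listTasks` are assumptions.

```javascript
// Added illustration; not the project's code. Store shape, session shape and
// helper signatures are assumptions.
class AuthError extends Error {}
class NotFoundError extends Error {}

// Constructed sample rows; each task carries the owning userId.
const tasks = new Map([
  [1, { id: 1, userId: 1, title: "pay rent" }],
  [2, { id: 2, userId: 2, title: "book flight" }],
]);

// Resolve the caller from the session; every server action starts here.
function requireUser(session) {
  if (!session || !Number.isInteger(session.userId)) {
    throw new AuthError("not authenticated");
  }
  return session.userId;
}

// Fetch a task only if it belongs to userId. A foreign task and a missing
// task raise the same error, so callers cannot probe which ids exist.
function requireOwnedTask(userId, taskId) {
  const task = tasks.get(taskId);
  if (!task || task.userId !== userId) {
    throw new NotFoundError("task not found");
  }
  return task;
}

// Before: no identity check, so any caller could rename any task by id.
function renameTaskUnscoped(taskId, title) {
  const task = tasks.get(taskId);
  if (!task) throw new NotFoundError("task not found");
  task.title = title;
  return task;
}

// After: identity comes from the session, never from client-supplied input.
function renameTask(session, taskId, title) {
  const userId = requireUser(session);
  const task = requireOwnedTask(userId, taskId);
  task.title = title;
  return task;
}

// Reads are filtered by owner as well, not only mutations.
function listTasks(session) {
  const userId = requireUser(session);
  return [...tasks.values()].filter((t) => t.userId === userId);
}
```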