Altien stops shared projects from failing in silence

A quiet database mismatch was breaking shared-project lookups in production - and leaking raw server errors back to users while it did.

security · workflow

Maintained by Allen Morgan · verified on MikeWatch

When someone tried to open a project shared with them, the lookup was hitting a type mismatch deep in the database layer and failing - silently. Nothing showed up in the server logs, so the breakage was effectively invisible from the back end, and the raw internal error was being passed straight back to the user.

Altien's fix does two things. It corrects the underlying query so shared projects load the way they should. And it reshapes the error handling: failures now get logged on the server with enough context to debug, internal error details stop leaking to clients, and if the shared-project lookup does fail, the page degrades gracefully - your own projects still load instead of the whole request collapsing.

So what: anyone running a fork where colleagues share matters or documents should check this - it's a reliability and information-leak fix in one.


Commits in this thread

1 commit from Altien/mikeOssAzure, oldest first. Source extracted verbatim from the harvested git log.

SHA: 1c9e295b
Subject: fix(jsonb): shared_with containment uses JSON-stringified arrays
Author: Allen Morgan
Date: 2026-05-08

Commit body:
supabase-js's .contains([...]) on a JSONB column was emitting Postgres
array-literal syntax (cs.{x,y}), which Postgres rejects with "invalid
input syntax for type json". Passing a JSON-formatted string instead
produces cs.<jsonarray>, which PostgREST interprets as JSON containment
(@>). Affects:

  * lib/access.ts        - listAccessibleProjectIds
  * routes/projects.ts   - list + getById + share lookups
  * routes/tabular.ts    - direct-share review lookup

The fix is paired with structured logging on every shared_with query
(the previous shape silently 500'd with a raw Postgres message in the
response body and no backend trace) and downgrades the shared-projects
failure mode from "fail the whole request" to "log + return owned
projects only" so a transient shared-with failure can't lock a user
out of their own data.

Worth upstreaming as an independent bug-fix PR once the provider-
boundary refactors land.
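
The failure and the fix described in the commit message, as an added TypeScript example that is not code from the fork. `containsFilter` models the filter encoding the message describes, `querySharedWith` is a constructed synchronous stand-in for the JSONB column, and the log operation name and the `sharedUnavailable` flag are hypothetical.

```typescript
// Added example: a model of the behaviour in the commit message, not the fork's code.
type Result = { data: string[] | null; error: { message: string } | null };
type LogEntry = { op: string; userId: string; detail: string };

// Filter value as the commit message describes it: an array argument becomes a
// Postgres array literal (cs.{x,y}); a string argument is passed through as-is.
function containsFilter(value: string | string[]): string {
  return Array.isArray(value) ? `cs.{${value.join(",")}}` : `cs.${value}`;
}

// Constructed stand-in for the JSONB column: the operand must parse as JSON,
// otherwise it answers with the error text quoted in the commit message.
function querySharedWith(filter: string, rows: Record<string, string[]>): Result {
  let operand: unknown;
  try {
    operand = JSON.parse(filter.slice("cs.".length));
  } catch {
    return { data: null, error: { message: "invalid input syntax for type json" } };
  }
  if (!Array.isArray(operand)) return { data: [], error: null };
  const wanted: string[] = operand;
  // JSON containment (@>): every wanted element must be present in the row.
  const ids = Object.keys(rows).filter((id) =>
    wanted.every((w) => rows[id].indexOf(w) !== -1));
  return { data: ids, error: null };
}

// Handler shape after the fix: log with context on the server, keep the raw
// database message out of the response, and still return owned projects.
function listProjects(userId: string, owned: string[], shared: Result, log: LogEntry[]) {
  if (shared.error) {
    log.push({ op: "projects.list.shared_with", userId, detail: shared.error.message });
    return { projects: owned, sharedUnavailable: true }; // hypothetical flag
  }
  return { projects: [...owned, ...(shared.data ?? [])], sharedUnavailable: false };
}

// Constructed sample rows: project id -> shared_with JSONB array.
const SAMPLE_ROWS: Record<string, string[]> = {
  "proj-2": ["bob@example.test"],
  "proj-3": ["carol@example.test", "bob@example.test"],
};

function demo(user: string) {
  const log: LogEntry[] = [];
  const run = (value: string | string[]) =>
    listProjects(user, ["proj-1"], querySharedWith(containsFilter(value), SAMPLE_ROWS), log);
  return { before: run([user]), after: run(JSON.stringify([user])), log };
}
```

`demo("bob@example.test")` returns the degraded response for the array-literal form and the full project list for the JSON-stringified form; the database message appears only in the server-side log entry.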
