fix(db): don't query database if user isn't logged in

jacc · jacc · commit c916f707740f · 2026-04-07T18:35:38.000-04:00
diff --git a/src/pages/api/me.ts b/src/pages/api/me.ts
@@ -1,5 +1,6 @@
 import * as schema from "$drizzle/schema";
 import { withDb } from "@/db";
+import { getCookie } from "cookies-next";
 import { eq } from "drizzle-orm";
 import type { NextApiRequest, NextApiResponse } from "next";
 import { getUID } from "./saves";
@@ -9,6 +10,14 @@ async function get(req: NextApiRequest, res: NextApiResponse) {
 		const uid = await getUID(req, res, db);
 		if (!uid) return res.status(401).end();
 
+		// getUID already verified the token. Re-use the DB query it made
+		// by checking if there's a token — if so, the user record exists.
+		const token = getCookie("token", { req, res });
+		if (!token) {
+			// Anonymous user — no user record
+			return res.json(undefined);
+		}
+
 		const [user] = await db
 			.select()
 			.from(schema.users)
diff --git a/src/pages/api/saves/index.ts b/src/pages/api/saves/index.ts
@@ -56,37 +56,30 @@ export async function getUID(
 ): Promise<string> {
 	let uid = getCookie("uid", { req, res });
 	if (uid && typeof uid === "string") {
-		// uids can be anonymous, so we need to check if the user exists
-
-		const [user] = await db
-			.select()
-			.from(schema.users)
-			.where(eq(schema.users.id, uid))
-			.limit(1);
-
-		if (user) {
-			// user exists, so we check if the user is authenticated
-			// verify that the user has a stored token
-			let token = getCookie("token", { req, res });
-			if (!token) {
-				res.status(400);
-				throw new Error("User is not authenticated (1)");
-			}
-			// verify that the token is valid
-			const { valid, userId } = verifyToken(
-				token as string,
-				user.cookie_secret,
-			);
-			if (!valid || userId !== uid) {
-				res.status(400);
-				throw new Error(`User is not authenticated (valid token: ${valid})`);
+		// Only authenticated users (those with a token cookie) need a DB lookup.
+		// Anonymous users will never be in the users table, so skip the query.
+		const token = getCookie("token", { req, res });
+		if (token) {
+			const [user] = await db
+				.select()
+				.from(schema.users)
+				.where(eq(schema.users.id, uid))
+				.limit(1);
+
+			if (user) {
+				const { valid, userId } = verifyToken(
+					token as string,
+					user.cookie_secret,
+				);
+				if (!valid || userId !== uid) {
+					res.status(400);
+					throw new Error(`User is not authenticated (valid token: ${valid})`);
+				}
 			}
 		}
-		// everything is ok, so we return the uid
 		return uid as string;
 	} else {
 		console.log("Generating new UID...");
-		// no uid, so we create an anonymous one
 		uid = crypto.randomBytes(16).toString("hex");
 		setCookie("uid", uid, {
 			req,
