refactor: use timestamp+filename for bulk message request ID

[AchoArnold]

Changes

• Generate request ID as \�ulk-{base62_timestamp}-{truncated_filename}\ instead of \�ulk-{filetype}-{nanoid}\
• Encode unix timestamp as base62 for minimal string length (~6 chars)
• Truncate filename to max 32 characters, preserving the file extension by cutting the middle of the stem
• Remove \ileType\ return value from \ValidateStore\ and \parseFile\ (no longer needed)
• Simplify frontend \cleanName()\ to just strip the \�ulk-\ prefix
• Stay on bulk-messages page after successful upload instead of redirecting to threads

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 4 complexity · 0 duplication

Metric	Results
Complexity	4
Duplication	0

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[greptile-apps]

Greptile Summary

This PR changes how bulk message request IDs are generated — from bulk-{fileType}-{nanoid} to bulk-{base62_timestamp}-{truncated_filename} — and updates the frontend to stay on the bulk-messages page after a successful upload instead of redirecting to threads.

• ID generation (bulk_message_handler.go): Drops go-nanoid, adds a custom encodeBase62 helper and a truncateFilename function that preserves the file extension while cutting the stem to fit within 32 characters.
• Validator cleanup (bulk_message_handler_validator.go): Removes the fileType return value from ValidateStore and parseFile since it is no longer needed by the handler.
• Frontend UX (index.vue): cleanName is simplified to just strip the bulk- prefix; on successful upload the form is cleared and the history table is refreshed in place rather than navigating away.

Confidence Score: 3/5

The core ID-generation change introduces a real collision window: two uploads of the same filename within the same second produce identical request IDs, merging their message batches in the database and the history view.

The timestamp has only second-level precision, so rapid or concurrent uploads of identically-named files silently share a request ID — every message from both batches becomes indistinguishable. Raw user-supplied filenames are also embedded without sanitization, and the simplified cleanName function breaks display of all pre-existing database entries.

Focus on api/pkg/handlers/bulk_message_handler.go — specifically the generateRequestID function and its lack of a uniqueness guarantee — and web/pages/bulk-messages/index.vue for the backward-compatibility gap in cleanName.

Important Files Changed

Filename	Overview
api/pkg/handlers/bulk_message_handler.go	Replaces nanoid-based requestID with timestamp+filename; timestamp has second-level granularity, risking ID collisions for same-second uploads of the same file; also embeds raw user-supplied filename into the ID without sanitization.
api/pkg/validators/bulk_message_handler_validator.go	Removes fileType return value from ValidateStore and parseFile; clean mechanical refactor with no logic changes.
web/pages/bulk-messages/index.vue	Simplifies cleanName to strip only bulk- prefix (breaking display of historical entries) and removes post-upload redirect in favour of refreshing the history table in place.
api/go.mod	Removes go-nanoid dependency; straightforward dependency cleanup.

Sequence Diagram

sequenceDiagram
    participant U as User (Browser)
    participant V as index.vue
    participant A as BulkMessageHandler
    participant Val as BulkMessageHandlerValidator
    participant S as MessageService

    U->>V: Upload CSV/XLSX file
    V->>A: POST /v1/bulk-messages (multipart)
    A->>Val: ValidateStore(ctx, userID, file)
    Val-->>A: messages, userLocation, errors
    A->>A: generateRequestID(file.Filename)
    note over A: bulk-{base62(now.Unix())}-{truncate(filename,32)}
    loop For each message (goroutine)
        A->>S: SendMessage(requestID, ...)
    end
    A-->>V: 202 Accepted
    V->>V: "formFile = null"
    V->>A: GET /v1/bulk-messages
    A-->>V: bulk order history
    V-->>U: Refresh history table

Loading

_{Reviews (1): Last reviewed commit: "refactor: use timestamp+filename for bul..." | Re-trigger Greptile}

[greptile-apps]

Timestamp-only uniqueness — concurrent uploads collide

time.Now().Unix() has one-second granularity, so two uploads of the same filename that arrive within the same second produce an identical requestID. All messages from both batches would be tagged with the same ID and become indistinguishable in search and in the history table. The previous nanoid-based scheme avoided this by adding 10 random characters. Adding even 4 random alphanumeric characters after the timestamp (e.g. bulk-{ts}-{file}-{rand4}) would make collisions astronomically unlikely while keeping the human-readable filename benefit.

[AchoArnold]

Fixed. Added a 4-character random base62 suffix after the timestamp, making the format \�ulk-{base62_ts}{rand4}-{filename}. This makes same-second collisions astronomically unlikely while keeping the human-readable filename.

[greptile-apps]

cleanName breaks display of historical entries

The simplified regex strips only the bulk- prefix, so existing database entries with the old bulk-csv-NANOID or bulk-xls-NANOID format will now render as csv-NANOID / xls-NANOID in the history table. Previously they rendered as NANOID.csv / NANOID.xlsx. A backward-compatible implementation would retain the old prefix checks as fallback branches for entries that don't match the new bulk-{ts}-{filename} pattern.

[AchoArnold]

Fixed. Restored the old prefix checks as fallback branches for legacy entries (bulk-csv-/bulk-xls-). New entries using the timestamp format just strip the bulk- prefix.

[greptile-apps]

Unsanitized user-supplied filename embedded in requestID

truncateFilename preserves the raw filename characters (spaces, Unicode, dashes, dots, %, etc.) from the client's upload. The previous scheme used only a controlled string ("csv" or "xls"). If requestID is ever used in a log query, a URL parameter, or any downstream context that doesn't expect arbitrary text, the unsanitized portion could cause unexpected behavior. Consider stripping or replacing non-alphanumeric characters (excluding . and -) before embedding the filename in the ID.

[AchoArnold]

Fixed. Added a sanitizeFilename function that strips all characters except alphanumeric, dots, and hyphens before embedding the filename in the request ID.