fix(activity): clamp public user pagination params#284

Open
sevencat2004 wants to merge 2 commits into profullstack:master from sevencat2004:fix/user-activity-pagination-bounds
Conversation

@sevencat2004

Summary

  • fixes invalid limit / offset handling in the public user activity endpoint
  • defaults non-positive limits to 20, caps large limits at 50, and clamps negative offsets to 0
  • adds route tests for missing profiles, invalid pagination, large limit caps, and valid pagination

Closes #283

Validation

  • corepack pnpm test -- src/app/api/users/[username]/activity/route.test.ts
  • node_modules\.bin\tsc.CMD -p tsconfig.json --noEmit

Submitted for the ugig bounty: I will pay for every bug fix found and PR submitted that fixes it.

Solana wallet for bounty payout:
Dy4yMkjCfupxaURt6iTMUrxqSDEmAJPPkKF66QahxJZD

@greptile-apps

greptile-apps Bot commented May 28, 2026

Greptile Summary

This PR tightens pagination input handling in the public user activity route by replacing bare parseInt calls with two focused helpers — parsePositiveInt and parseNonNegativeInt — and adds a Vitest suite to cover the edge cases.

  • route.ts: parsePositiveInt falls back to 20 for zero or negative limits (previously limit=0 would produce an invalid .range(offset, offset-1) call); parseNonNegativeInt clamps negative offsets to 0. The 50-item hard cap is preserved via Math.min.
  • route.test.ts: Four new tests verify the 404 path, invalid-pagination clamping, large-limit cap (500 → 50), and normal pagination; mock chains correctly mirror the Supabase query shape.

Confidence Score: 5/5

Safe to merge — the change is narrowly scoped to input parsing and introduces no new external dependencies or behavioral changes beyond the intended clamping.

Both helpers handle NaN, null, empty string, zero, negative, and oversized values correctly. The .range() call now always receives a valid non-negative pair, closing the invalid-range bug. Tests verify every clamping branch and the 404 path directly against the route handler.

No files require special attention.

Important Files Changed

Filename Overview
src/app/api/users/[username]/activity/route.ts Adds two well-typed helper functions to replace the previous bare parseInt calls; correctly defaults non-positive limits to 20, caps at 50, and clamps negative offsets to 0.
src/app/api/users/[username]/activity/route.test.ts New test file covering 404 on missing profile, zero/negative pagination clamping, large-limit cap, and the happy path; mock chain accurately reflects the Supabase query shape.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Route as GET /api/users/:username/activity
    participant ParseHelpers as parsePositiveInt / parseNonNegativeInt
    participant Supabase

    Client->>Route: "GET ?limit=X&offset=Y"
    Route->>ParseHelpers: parsePositiveInt(limit, 20)
    ParseHelpers-->>Route: clamped limit (1-50, default 20)
    Route->>ParseHelpers: parseNonNegativeInt(offset, 0)
    ParseHelpers-->>Route: "clamped offset (>=0, default 0)"
    Route->>Supabase: profiles.select(id).eq(username).single()
    alt profile not found
        Supabase-->>Route: data null, error present
        Route-->>Client: 404 User not found
    else profile found
        Supabase-->>Route: data with id
        Route->>Supabase: "activities.select(*).eq(user_id).eq(is_public,true).order().range(offset, offset+limit-1)"
        alt DB error
            Supabase-->>Route: error
            Route-->>Client: 400 error message
        else success
            Supabase-->>Route: data and count
            Route-->>Client: 200 data with pagination
        end
    end

Reviews (1): Last reviewed commit: "test(activity): cover public user pagina..."
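An added worked example, not code from this PR or the profullstack project: the two helpers re-implemented from the behaviour described in the summary and the review above (a positive-integer limit that falls back to 20 and is capped at 50, a non-negative offset that falls back to 0), the inclusive `.range(from, to)` pair derived from them, and, for contrast, a `legacyPaginationFromQuery` that models the pre-fix bare `parseInt` handling the review comment mentions. The helper signatures, the `URLSearchParams` input, the `Pagination` shape and the legacy function are assumptions, since the PR's source is not shown on this page.

```typescript
// Added example (not the project's code). Re-creates the clamping described
// in PR #284 from the thread's description; names and shapes are assumed.
const DEFAULT_LIMIT = 20;
const MAX_LIMIT = 50;

/** Parse a strictly positive integer; null, "", NaN, 0 and negatives -> fallback. */
function parsePositiveInt(value: string | null, fallback: number): number {
  if (value === null) return fallback;
  const n = Number.parseInt(value, 10);
  return Number.isFinite(n) && n > 0 ? n : fallback;
}

/** Parse a non-negative integer; null, "", NaN and negatives -> fallback. */
function parseNonNegativeInt(value: string | null, fallback: number): number {
  if (value === null) return fallback;
  const n = Number.parseInt(value, 10);
  return Number.isFinite(n) && n >= 0 ? n : fallback;
}

interface Pagination {
  limit: number;
  offset: number;
  from: number; // first row index passed to .range()
  to: number;   // last row index passed to .range(), inclusive in PostgREST
}

/** Post-fix behaviour: clamp first, then derive the inclusive range pair. */
function paginationFromQuery(params: URLSearchParams): Pagination {
  const limit = Math.min(parsePositiveInt(params.get("limit"), DEFAULT_LIMIT), MAX_LIMIT);
  const offset = parseNonNegativeInt(params.get("offset"), 0);
  return { limit, offset, from: offset, to: offset + limit - 1 };
}

/**
 * Assumed pre-fix behaviour (the review describes "bare parseInt calls" that
 * only recovered from NaN): limit=0 or a negative offset reaches .range().
 */
function legacyPaginationFromQuery(params: URLSearchParams): Pagination {
  const rawLimit = Number.parseInt(params.get("limit") ?? "", 10);
  const rawOffset = Number.parseInt(params.get("offset") ?? "", 10);
  const limit = Math.min(Number.isNaN(rawLimit) ? DEFAULT_LIMIT : rawLimit, MAX_LIMIT);
  const offset = Number.isNaN(rawOffset) ? 0 : rawOffset;
  return { limit, offset, from: offset, to: offset + limit - 1 };
}

/** A range is usable only if both bounds are non-negative integers and to >= from. */
function isValidRange(p: Pagination): boolean {
  return (
    Number.isInteger(p.from) &&
    Number.isInteger(p.to) &&
    p.from >= 0 &&
    p.to >= p.from
  );
}

// Side-by-side check on the inputs the PR's tests target (constructed queries).
for (const q of ["limit=0&offset=-5", "limit=500", "limit=abc&offset=", "limit=10&offset=20"]) {
  const params = new URLSearchParams(q);
  const before = legacyPaginationFromQuery(params);
  const after = paginationFromQuery(params);
  console.log(
    `${q.padEnd(20)} before: range(${before.from},${before.to}) valid=${isValidRange(before)}` +
      `  after: range(${after.from},${after.to}) valid=${isValidRange(after)}`
  );
}
```

Because PostgREST's `range(from, to)` is inclusive, `to` is `offset + limit - 1`, which is exactly why a limit of 0 yields `to < from` and a negative offset yields a negative `from`. One caveat the clamping does not address: `parseInt` is lenient, so `limit=7abc` parses as 7 and `limit=1e3` as 1; if that matters, validate the raw string against `/^\d+$/` before parsing.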

Development

Successfully merging this pull request may close these issues.

Public user activity accepts invalid pagination ranges

1 participant