fix(follows): clamp public follow-list pagination

[sevencat2004]

Fixes #287

Summary

• clamp public followers/following limits to a positive default with the existing max of 100
• clamp negative offsets to 0 before building Supabase ranges
• add route tests for missing users, invalid params, large limits, and valid pagination

Validation

• corepack pnpm test -- "src/app/api/users/[username]/followers/route.test.ts" "src/app/api/users/[username]/following/route.test.ts"
• node_modules.bin\tsc.CMD -p tsconfig.json --noEmit

[greptile-apps]

Greptile Summary

This PR fixes a pagination bug in the public followers/following routes where negative limit values (e.g. -5) would pass through the old ||-coercion logic unchanged, causing Supabase's .range() to receive an inverted or negative window. It also clamps negative offsets to zero.

• Introduces parsePositiveInt and parseNonNegativeInt helpers in both route files, replacing the brittle Math.min(Number(...) || 20, 100) one-liners with explicit Number.parseInt + Number.isFinite guards.
• Adds a full suite of route-level tests (404, fallback defaults, limit capping, valid pagination) for both endpoints, verifying the exact arguments passed to Supabase's .range() call.

Confidence Score: 5/5

Safe to merge — the change narrows the set of values that reach Supabase's .range() call and is backed by targeted tests.

The helpers correctly handle every edge case: non-numeric strings (NaN → fallback), zero limit (0 ≤ 0 → fallback), negative limit, and negative offset. The Supabase range arguments are unchanged for well-formed inputs. Tests assert both the HTTP response shape and the exact .range() arguments, confirming the fix works end-to-end.

No files require special attention.

Important Files Changed

Filename	Overview
src/app/api/users/[username]/followers/route.ts	Replaces the old falsy-coercion limit/offset parsing with explicit helper functions that correctly reject negative values and zero limits; logic is correct and the Supabase range call is unaffected for valid inputs.
src/app/api/users/[username]/following/route.ts	Identical structural change to the following route — same helpers, same fix. Correct and symmetric with the followers route.
src/app/api/users/[username]/followers/route.test.ts	New test file covering 404 for unknown users, fallback for limit=0 and negative offset, capping of large limits, and valid pagination; assertions on .range() args verify the Supabase call is built correctly.
src/app/api/users/[username]/following/route.test.ts	Mirror test file for the following route; tests negative limit (-5) instead of zero, otherwise identical coverage to the followers test.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[GET followers or following route] --> B[parsePositiveInt limit]
    B --> C{finite AND greater than 0?}
    C -- No --> D[fallback: 20]
    C -- Yes --> E[Math.min parsed, 100]
    D --> F[parseNonNegativeInt offset]
    E --> F
    F --> G{finite AND >= 0?}
    G -- No --> H[fallback: 0]
    G -- Yes --> I[use parsed offset]
    H --> J[Supabase .range call]
    I --> J
    J --> K{error?}
    K -- Yes --> L[400 Bad Request]
    K -- No --> M[200 OK with data and pagination]

Loading

_{Reviews (2): Last reviewed commit: "fix(follows): clamp public follow-list p..." | Re-trigger Greptile}

[sevencat2004]

Submitted this PR for the ugig bounty: "I will pay for every bug fix found and PR submitted that fixes it".

The PR is ready for review:

• fixes Public follow-list endpoints accept invalid pagination ranges #287
• automated checks are passing
• Greptile marked it safe to merge with confidence 5/5

Solana wallet for bounty payout:
Dy4yMkjCfupxaURt6iTMUrxqSDEmAJPPkKF66QahxJZD