Minor, non-blocking cleanups noted in the PR #31 review:
- CORS — `corsHeaders` sends `Access-Control-Allow-Origin: "*"`. Fine for an authenticated API, but could be tightened to the app origin.
- Redundant Supabase clients — `requireAdmin` instantiates a user-scoped client and an admin client, and the request handler then creates another admin client via `getAdminClient()`. The admin client could be created once and reused.
Context
Split out of the PR #31 review (schedule-ingestion). Pure polish — no correctness or security impact.
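
One way the CORS tightening could look, as an added example that is not code from this repository: the response echoes the request's `Origin` only when it exactly matches an allowlist, and sets `Vary: Origin` so caches do not reuse a response across origins. The function name `corsHeadersFor`, the origins, and the allowed headers and methods are assumptions.

```typescript
// Added example: origin-allowlisted CORS headers.
// All origins below are placeholders, not values from the project.
const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  "https://app.example.com", // placeholder production app origin
  "http://localhost:5173",   // placeholder local development origin
]);

// Headers sent on every response; the header and method lists are assumed.
const BASE_HEADERS: Record<string, string> = {
  "Access-Control-Allow-Headers": "authorization, x-client-info, apikey, content-type",
  "Access-Control-Allow-Methods": "POST, OPTIONS",
  // The response now depends on Origin, so shared caches must key on it.
  "Vary": "Origin",
};

// Returns the canonical scheme://host[:port] form, or null if the value
// is absent, the opaque "null" origin, or not a bare origin.
function normalizeOrigin(origin: string | null | undefined): string | null {
  if (!origin || origin === "null") return null;
  try {
    const u = new URL(origin);
    if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) {
      return null;
    }
    return u.origin;
  } catch {
    return null; // not a parseable URL
  }
}

// Exact-match allowlist: no wildcard, suffix or prefix matching, so a host
// such as app.example.com.other.test never passes.
function corsHeadersFor(requestOrigin: string | null | undefined): Record<string, string> {
  const headers: Record<string, string> = { ...BASE_HEADERS };
  const origin = normalizeOrigin(requestOrigin);
  if (origin !== null && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  // Unknown origins get no Access-Control-Allow-Origin header at all;
  // the browser then blocks the cross-origin read.
  return headers;
}
```

In a handler this would be called with `req.headers.get("Origin")` for both the `OPTIONS` preflight and the actual response.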