fix: address code review findings for inventory delta feature

- Fix remaining f-string SQL injection in process_inventory (same pattern
  as single-item endpoints: parameterized ANY(:ids) queries)
- Add null guard for item_id in backend delta remove handler
- Add response status logging for inventory service HTTP calls
- Fix frontend ID fallback consistency in updateInventoryLive
- Replace debug print() with logger.debug()
- Add comment for Decal Slot_Decal magic number

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
erik 2026-02-28 15:58:10 +00:00
parent f145e6e131
commit 973c3722bc
3 changed files with 22 additions and 18 deletions


@ -1357,16 +1357,15 @@ async def process_inventory(inventory: InventoryItem):
item_ids = await database.fetch_all(item_ids_query, {"character_name": inventory.character_name})
if item_ids:
id_list = [str(row['id']) for row in item_ids]
id_placeholder = ','.join(id_list)
db_ids = [row['id'] for row in item_ids]
# Delete from all related tables first
await database.execute(f"DELETE FROM item_raw_data WHERE item_id IN ({id_placeholder})")
await database.execute(f"DELETE FROM item_combat_stats WHERE item_id IN ({id_placeholder})")
await database.execute(f"DELETE FROM item_requirements WHERE item_id IN ({id_placeholder})")
await database.execute(f"DELETE FROM item_enhancements WHERE item_id IN ({id_placeholder})")
await database.execute(f"DELETE FROM item_ratings WHERE item_id IN ({id_placeholder})")
await database.execute(f"DELETE FROM item_spells WHERE item_id IN ({id_placeholder})")
for table in ('item_raw_data', 'item_combat_stats', 'item_requirements',
'item_enhancements', 'item_ratings', 'item_spells'):
await database.execute(
sa.text(f"DELETE FROM {table} WHERE item_id = ANY(:ids)"),
{"ids": db_ids}
)
# Finally delete from main items table
await database.execute(
@ -1419,7 +1418,7 @@ async def process_inventory(inventory: InventoryItem):
# Container/position tracking
container_id=item_data.get('ContainerId', 0),
slot=int(item_data.get('IntValues', {}).get('231735296', item_data.get('IntValues', {}).get(231735296, -1))),
slot=int(item_data.get('IntValues', {}).get('231735296', item_data.get('IntValues', {}).get(231735296, -1))), # Decal Slot_Decal key
# Item state
bonded=basic['bonded'],
@ -3743,7 +3742,7 @@ async def get_available_items_by_slot(
# Debug: let's see how many items Barris actually has first
debug_query = f"SELECT COUNT(*) as total FROM items WHERE {char_filter}"
debug_result = await database.fetch_one(debug_query, query_params)
print(f"DEBUG: Total items for query: {debug_result['total']}")
logger.debug(f"Total items for query: {debug_result['total']}")
# Main query to get items with slot information
query = f"""
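Review bot: In the last hunk (get_available_items_by_slot, whose body starts and ends outside the hunk), the diagnostic `SELECT COUNT(*)` built with `f"... WHERE {char_filter}"` still runs on every request; the commit changes only how its result is reported. Because the commit sets out to remove f-string SQL, either delete this debug query or confirm that `char_filter` is assembled only from fixed fragments, with every value bound through `query_params`; its construction is not visible here. If the count is kept, gate it with `if logger.isEnabledFor(logging.DEBUG):` (assuming `logging` is imported in this module) and log lazily with `logger.debug("Total items for query: %s", debug_result['total'])`, so the extra query and the string formatting are skipped when debug logging is off. In the first hunk the interpolated `{table}` comes from a literal tuple, which is safe as written, and a comment such as `# table names are a fixed allow-list; never interpolate request data here` would help keep it that way.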