From 6e2a751587f5dcc19f9ed93cf4294237c97c645b Mon Sep 17 00:00:00 2001
From: 24c02 <163450896+24c02@users.noreply.github.com>
Date: Thu, 26 Feb 2026 15:15:16 -0500
Subject: [PATCH 1/5] ouh?
---
 app/controllers/admin/search_controller.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/app/controllers/admin/search_controller.rb b/app/controllers/admin/search_controller.rb
index fe575a7..a1688a8 100644
--- a/app/controllers/admin/search_controller.rb
+++ b/app/controllers/admin/search_controller.rb
@@ -18,7 +18,10 @@ module Admin
 end
 def search_uploads(query)
- Upload.search(query).includes(:blob, :user).order(created_at: :desc).limit(50)
+ by_search = Upload.search(query)
+ by_url = Upload.where("original_url ILIKE ?", "%#{Upload.sanitize_sql_like(query)}%")
+ Upload.where(id: by_search.select(:id)).or(Upload.where(id: by_url.select(:id)))
+ .includes(:blob, :user).order(created_at: :desc).limit(50)
 end
 end
 end
From 734865378b2e47a5731a255924df857829061778 Mon Sep 17 00:00:00 2001
From: 24c02 <163450896+24c02@users.noreply.github.com>
Date: Thu, 26 Feb 2026 15:17:51 -0500
Subject: [PATCH 2/5] fuckin CORS
---
 app/controllers/external_uploads_controller.rb | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/app/controllers/external_uploads_controller.rb b/app/controllers/external_uploads_controller.rb
index 0d4dd19..c312a7a 100644
--- a/app/controllers/external_uploads_controller.rb
+++ b/app/controllers/external_uploads_controller.rb
@@ -2,6 +2,7 @@ class ExternalUploadsController < ApplicationController
 skip_before_action :require_authentication!
+ before_action :set_cors_headers
 def show
 upload = Upload.includes(:blob).find(params[:id])
@@ -31,6 +32,8 @@ class ExternalUploadsController < ApplicationController
 private
+ def set_cors_headers = response.set_header("Access-Control-Allow-Origin", "*")
+
 def render_not_found_response(url)
 if url.match?(/\.(png|jpe?g)$/i)
 render_error_image 
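Review bot: A blank or nil `query` turns the new ILIKE pattern into `%%`, which matches every row, so the `by_url` branch of `search_uploads` returns the 50 newest uploads regardless of input; unless the caller already rejects empty searches (not visible in this hunk), add `return Upload.none if query.blank?` as the first line of the method. The bind parameter together with `Upload.sanitize_sql_like` is the right construction and keeps `%` and `_` in user input literal. The leading wildcard means an ordinary index cannot serve the `original_url` match, which is acceptable for what appears (from the `admin/` namespace) to be an admin-only search with a 50-row limit, but is worth recording, e.g. `# leading-wildcard ILIKE scans original_url; acceptable at admin scale`.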
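Review bot: The wildcard `Access-Control-Allow-Origin: *` registered by `before_action :set_cors_headers` is acceptable only because this controller runs `skip_before_action :require_authentication!` and presumably returns nothing tied to the requesting user; that invariant is what makes the wildcard safe, and it should be written next to the `before_action` so a later authenticated or per-user action in this controller does not inherit it unnoticed, e.g. `# Public, unauthenticated endpoint: responses carry no per-user data, so a wildcard origin is acceptable.` If any action here is ever gated, scope the callback with `only:` to the public ones. The `set_cors_headers` definition lives in the second hunk of this file, whose end lies outside this excerpt.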
From fd8e730810ec0b213cc2bd019ae90226c0c6232a Mon Sep 17 00:00:00 2001
From: 24c02 <163450896+24c02@users.noreply.github.com>
Date: Fri, 6 Mar 2026 14:34:40 -0500
Subject: [PATCH 3/5] uuidv7 note
---
 app/views/docs/pages/using-cdn-urls.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/app/views/docs/pages/using-cdn-urls.md b/app/views/docs/pages/using-cdn-urls.md
index 3d1ac5d..a504a96 100644
--- a/app/views/docs/pages/using-cdn-urls.md
+++ b/app/views/docs/pages/using-cdn-urls.md
@@ -34,6 +34,10 @@ Requests are 301 redirected to the underlying storage bucket.
 ![](https://cdn.hackclub.com/019505e2-e7f3-7d40-a156-9c4e8b2d1f03/screenshot.png)
 ```
+## Security
+
+Upload IDs contain 74 bits of cryptographic randomness (UUID v7, via the OS CSPRNG). There's no file listing or directory index. URLs are safe to use for unreleased programs.
+
 ## Hotlinking
 Supported. URLs can be embedded in GitHub, Notion, Discord, Slack, etc.
From 7c83f01ab34c75b606fc221843ed40b74c816200 Mon Sep 17 00:00:00 2001
From: 24c02 <163450896+24c02@users.noreply.github.com>
Date: Tue, 10 Mar 2026 13:23:42 -0400
Subject: [PATCH 4/5] fix hca focb?
---
 app/models/user.rb | 37 ++++++++++++++++++++++---------------
 1 file changed, 22 insertions(+), 15 deletions(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index d4b484f..f7e92c0 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -25,24 +25,31 @@ class User < ApplicationRecord
 raise "Missing HCA user ID from authentication" if hca_id.blank?
 user = find_by(hca_id:)
- user ||= find_by(slack_id:) if slack_id.present?
+
+ if slack_id.present?
+ slack_user = find_by(slack_id:)
+ if slack_user && user && slack_user.id != user.id
+ # same person, two records — merge into the slack user
+ user.uploads.update_all(user_id: slack_user.id)
+ user.destroy!
+ user = slack_user
+ elsif slack_user
+ user = slack_user
+ end
+ end
+
+ attrs = {
+ hca_id:,
+ email: auth.info.email,
+ name: auth.info.name,
+ hca_access_token: auth.credentials.token
+ }
+ attrs[:slack_id] = slack_id if slack_id.present?
 if user
- user.update(
- hca_id:,
- slack_id:,
- email: auth.info.email,
- name: auth.info.name,
- hca_access_token: auth.credentials.token
- )
+ user.update!(attrs)
 else
- user = create!(
- hca_id:,
- slack_id:,
- email: auth.info.email,
- name: auth.info.name,
- hca_access_token: auth.credentials.token
- )
+ user = create!(attrs)
 end
 user
From 2eeddb620aaeff02a7c40b3aa7fad33fb03253f5 Mon Sep 17 00:00:00 2001
From: 24c02 <163450896+24c02@users.noreply.github.com>
Date: Tue, 10 Mar 2026 17:56:41 -0400
Subject: [PATCH 5/5] useless commit to test deploy
---
 lib/tasks/import_slack_files.rake | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/tasks/import_slack_files.rake b/lib/tasks/import_slack_files.rake
index eeaa8ad..650e50e 100644
--- a/lib/tasks/import_slack_files.rake
+++ b/lib/tasks/import_slack_files.rake
@@ -10,7 +10,7 @@ namespace :import do
 ActiveStorage::Current.url_options = { host: ENV.fetch("CDN_HOST", "cdn.hackclub.com"), protocol: "https" }
 csv_path = ENV.fetch("CSV_PATH", "files_with_slack_url.csv")
 slack_token = ENV.fetch("SLACK_TOKEN") { raise "SLACK_TOKEN (xoxp-...) is required" }
- thread_count = ENV.fetch("THREADS", 10).to_i
+ thread_count = ENV.fetch("THREADS", 67).to_i
 dry_run = ENV["DRY_RUN"] == "true"
 unless File.exist?(csv_path)
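Review bot: The account merge in the new `if slack_user && user && slack_user.id != user.id` branch executes `update_all`, `destroy!` and the later `user.update!(attrs)` as three independent statements with no enclosing transaction, so a failure in `destroy!` or in `update!` (for example a uniqueness constraint on `hca_id`) leaves uploads re-parented onto a record that never received the HCA identity, or a duplicate that survives; wrap everything from `if slack_id.present?` through the closing `end` of `if user … else … end` in `transaction do … end`. Only `uploads` are carried over before `destroy!`; if `User` has other associations they go with the destroyed record (not visible here), which deserves at least a `# NOTE: only uploads are migrated; other associations of the old record are dropped` comment. Merging and deleting an account on the strength of identity attributes that presumably come from the auth payload is irreversible and security-sensitive, so a log line naming both ids at the merge point would help incident review. The enclosing method begins above this hunk.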
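Review bot: The new default in `thread_count = ENV.fetch("THREADS", 67).to_i` is a behaviour change even though the commit message calls it a deploy test: every run without `THREADS` set now starts 67 workers against the Slack API instead of 10, which may well trip rate limits. Either revert the default or state the intent in a comment next to the line. Separately, `.to_i` silently turns a malformed `THREADS` value into 0; `Integer(ENV.fetch("THREADS", 67))` fails loudly instead, while still accepting the integer default. What a zero thread count does depends on the worker loop further down the task, which is outside this hunk.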