Feeld raised its minimum supported app version (9.5.3 hit the App Store
2026-06-05) and now rejects 9.4.3 with UNSUPPORTED_APP_VERSION 400 on every
GraphQL call — which broke site load entirely. Verified 9.5.3 is accepted.
Updated APP_VERSION in constants.ts (drives the Apollo x-app-version header)
and server/index.js, plus the UA / x-app-version strings in the vite graphql,
firebase, and fldcdn proxies.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Captured a real iOS Feeld token-refresh request — our outbound headers were
unmistakably "not the iOS app." Aligning so requests fingerprint identically.
- APP_VERSION 8.11.0 → 9.4.3 in constants.ts, server/index.js, vite.config.ts
- Bundle id corrected to com.3nder.threender (was com.3nder.ios)
- REQUEST_HEADERS User-Agent now the realistic Alamofire iOS UA, not 'feeld-mobile'
- server/index.js refreshAccessToken now sends the full Firebase iOS header
set (FirebaseAuth.iOS UA, X-Client-Version, X-Firebase-AppCheck fallback,
X-Firebase-GMPID, X-Ios-Bundle-Identifier) and uses camelCase body keys.
Response parsing accepts both camelCase and snake_case for resilience.
- vite proxy /api/firebase now applies the same iOS headers in dev mode
- vite proxy /api/graphql strips browser sec-* fingerprint headers and sets
the realistic Alamofire UA unconditionally (was a conditional 'feeld-mobile')
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Defense-in-depth banned-country gate covering every entry point that could
set a location Feeld's policy disallows (~60 countries from their support
article):
- New src/config/bannedCountries.ts — single source of truth (ISO codes + aliases)
- New src/utils/reverseGeocode.ts — Nominatim reverse lookup w/ localStorage cache
- New src/api/links/bannedCountryLink.ts — Apollo link chokepoint; intercepts
every DeviceLocationUpdate mutation and refuses to forward if reverse-geocode
resolves to a banned country. Catches Settings, Discover, Likes scanner, and
ApiExplorer raw GraphQL alike.
- useLocation.tsx — setLocation throws BannedCountryError; saveLocation gate;
sanitize banned entries on localStorage and server hydration
- Settings.tsx — block at search, saved-location pick, and save-current
- Likes.tsx — skip banned saved locations in scanForLikes and "Fuck It" scan
- server/index.js — PUT /api/saved-locations filters; readSavedLocations
filters legacy banned entries so rotation cron is safe too
- nginx.conf — route additions for new backend endpoints
Plus the broader rc/realign-graphql-ops session work: GraphQL query/mutation
realignment after Feeld API changes, ApiExplorer updates, Profile/Discover/Likes
refinements, useFavorites hook, dataSync extensions, vite proxy adjustments.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- New Matches page with match scoring system
- New OkCupid page and API integration
- Enhanced Likes page with scanner improvements and enrichment
- Updated Settings, Discover, Messages, and Chat pages
- Improved auth, GraphQL client, and Stream Chat setup
- Added new backend endpoints (matchScoring.js)
- Removed old Proxyman capture logs
- Updated nginx config and Vite proxy settings
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Trey T