Two devices on the same account each kept their own localStorage location and
re-asserted it onto Feeld's single shared account-location slot on every Discover
mount — so loading the site on device B would overwrite the location device A
had just set (San Antonio → Dallas).
- useLocation: on server sync, always adopt the server's current/custom location,
overriding this device's local cache (was local-first via a `!location` guard).
Devices now converge to the server value on load. Expose `locationReady`.
- Discover: wait for `locationReady` before pushing DeviceLocationUpdate, and push
whenever the authoritative location changes (deduped by coords) instead of a
one-shot stale-cache assert. Device B now stamps the server's value onto Feeld,
not its own old location.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
ANALYTICS_OWN_PROFILE_FRAGMENT spreads ...ProfileLocationFragment but never
interpolated ${PROFILE_LOCATION_FRAGMENT}, unlike its siblings (PROFILE_CONTENT,
LIKES, SEARCH_SETTINGS). The dangling spread propagated up through
AUTH_PROFILE_FRAGMENT → AUTH_PROVIDER_FRAGMENT → APP_SETTINGS_QUERY, which the
Settings page runs on mount — producing "Invariant Violation: No fragment named
ProfileLocationFragment" and crashing <SettingsPage>.
Add the interpolation so the fragment is self-contained. Also fixes the same
latent break in AUTH_PROVIDER_QUERY and ANALYTICS_QUERY.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Captured a real iOS Feeld token-refresh request — our outbound headers were
unmistakably "not the iOS app." Aligning so requests fingerprint identically.
- APP_VERSION 8.11.0 → 9.4.3 in constants.ts, server/index.js, vite.config.ts
- Bundle id corrected to com.3nder.threender (was com.3nder.ios)
- REQUEST_HEADERS User-Agent now the realistic Alamofire iOS UA, not 'feeld-mobile'
- server/index.js refreshAccessToken now sends the full Firebase iOS header
set (FirebaseAuth.iOS UA, X-Client-Version, X-Firebase-AppCheck fallback,
X-Firebase-GMPID, X-Ios-Bundle-Identifier) and uses camelCase body keys.
Response parsing accepts both camelCase and snake_case for resilience.
- vite proxy /api/firebase now applies the same iOS headers in dev mode
- vite proxy /api/graphql strips browser sec-* fingerprint headers and sets
the realistic Alamofire UA unconditionally (was a conditional 'feeld-mobile')
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Defense-in-depth banned-country gate covering every entry point that could
set a location Feeld's policy disallows (~60 countries from their support
article):
- New src/config/bannedCountries.ts — single source of truth (ISO codes + aliases)
- New src/utils/reverseGeocode.ts — Nominatim reverse lookup w/ localStorage cache
- New src/api/links/bannedCountryLink.ts — Apollo link chokepoint; intercepts
every DeviceLocationUpdate mutation and refuses to forward if reverse-geocode
resolves to a banned country. Catches Settings, Discover, Likes scanner, and
ApiExplorer raw GraphQL alike.
- useLocation.tsx — setLocation throws BannedCountryError; saveLocation gate;
sanitize banned entries on localStorage and server hydration
- Settings.tsx — block at search, saved-location pick, and save-current
- Likes.tsx — skip banned saved locations in scanForLikes and "Fuck It" scan
- server/index.js — PUT /api/saved-locations filters; readSavedLocations
filters legacy banned entries so rotation cron is safe too
- nginx.conf — route additions for new backend endpoints
Plus the broader rc/realign-graphql-ops session work: GraphQL query/mutation
realignment after Feeld API changes, ApiExplorer updates, Profile/Discover/Likes
refinements, useFavorites hook, dataSync extensions, vite proxy adjustments.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- New Matches page with match scoring system
- New OkCupid page and API integration
- Enhanced Likes page with scanner improvements and enrichment
- Updated Settings, Discover, Messages, and Chat pages
- Improved auth, GraphQL client, and Stream Chat setup
- Added new backend endpoints (matchScoring.js)
- Removed old Proxyman capture logs
- Updated nginx config and Vite proxy settings
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Trey T