From ece1561c3a235d9b1d7dfa0be93105e2d1b9c7e6 Mon Sep 17 00:00:00 2001 From: Paul Jakob Kroker Date: Tue, 23 Jun 2026 17:55:07 +0200 Subject: [PATCH] fix: remove scan() fallback in demo listTodos to prevent multi-tenant data leak listTodos() now always uses query() with a userId filter, matching the auth-cognito template pattern. Fixes the incorrect positional query() call and eliminates the unfiltered scan that exposed all users' todos. --- .changeset/fix-list-todos-tenant-leak.md | 5 +++++ .../templates/demo/aws-blocks/index.ts | 21 ++++++++++--------- 2 files changed, 16 insertions(+), 10 deletions(-) create mode 100644 .changeset/fix-list-todos-tenant-leak.md diff --git a/.changeset/fix-list-todos-tenant-leak.md b/.changeset/fix-list-todos-tenant-leak.md new file mode 100644 index 00000000..b7b2b30f --- /dev/null +++ b/.changeset/fix-list-todos-tenant-leak.md @@ -0,0 +1,5 @@ +--- +"@aws-blocks/create-blocks-app": patch +--- + +Fix multi-tenant data leak in demo template: `listTodos()` no longer falls back to `scan()` when no `sortBy` is provided. All paths now use `query()` with a `userId` filter, ensuring users only see their own todos. diff --git a/packages/create-blocks-app/templates/demo/aws-blocks/index.ts b/packages/create-blocks-app/templates/demo/aws-blocks/index.ts index 488f1634..85de1ef7 100644 --- a/packages/create-blocks-app/templates/demo/aws-blocks/index.ts +++ b/packages/create-blocks-app/templates/demo/aws-blocks/index.ts 
@@ -117,17 +117,18 @@ export const api = new ApiNamespace(scope, 'api', (context) => ({ async listTodos(sortBy?: 'priority' | 'title' | 'createdAt'): Promise { const user = await auth.requireAuth(context); - - const indexMap = { - priority: 'byPriority', - title: 'byTitle', - createdAt: 'byCreatedAt' + + const indexMap = { + priority: 'byPriority', + title: 'byTitle', + createdAt: 'byCreatedAt' } as const; - - const iterator = sortBy - ? todos.query(indexMap[sortBy], { userId: { equals: user.username } }) - : todos.scan(); - + + const iterator = todos.query({ + index: sortBy ? indexMap[sortBy] : 'byCreatedAt', + where: { userId: { equals: user.username } } + }); + return await Array.fromAsync(iterator); },
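Review bot: `sortBy` is narrowed only by its TypeScript type, so at runtime a client-supplied value outside the three literals makes `indexMap[sortBy]` evaluate to `undefined` and the new call proceeds as `todos.query({ index: undefined, ... })`, whose behaviour then depends on the library rather than on this code; the gap predates the patch, but since its whole point is that every path stays on a `userId`-scoped query, an explicit allow-list belongs here. I would replace the `index:` line with `const key = sortBy ?? 'createdAt';` / `if (!Object.hasOwn(indexMap, key)) throw new Error('invalid sortBy');` / `index: indexMap[key],`, which also drops the duplicated `'byCreatedAt'` default string. Whether `where` becomes a key condition or a post-read filter depends on how `byPriority`/`byTitle`/`byCreatedAt` are keyed, which is outside this hunk; if `userId` is not their partition key the filter still isolates tenants but every item in the index is read on each call. The diffstat shows no test accompanies the fix; a test asserting that `listTodos()` with no `sortBy` returns only the caller's rows would keep the `scan()` fallback from being reintroduced. `listTodos` is fully inside the hunk, but the enclosing `ApiNamespace` callback starts before it.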