+++
title = "Implement POST /api/quotes/:id — partial update, verify X-Auth-Code header, update updated_at"
priority = 5
status = "todo"
ticket_type = "task"
dependencies = ["f3dc74", "a5049d", "d792e2", "175382"]
+++
The `quotesdb` API is built with Axum + Tokio, targeting Cloudflare Workers via `workers-rs`. It serves JSON at `/api/*` endpoints and persists data to Cloudflare D1 (production) or a local SQLite file via Turso (development). Source lives in `src/bin/api/`.
Shared types and utilities are in `src/lib.rs` — code placed there must compile for both the host target and `wasm32-unknown-unknown`.
`POST /api/quotes/:id` performs a partial update of a quote. The caller must provide the correct auth code via the `X-Auth-Code` request header. Only fields present in the request body are updated; absent fields are left unchanged. Optional fields (`source`, `date`) can be explicitly set to `null` to clear them.
Implement the `POST /api/quotes/:id` handler:
1. Extract `:id` from the path
2. Verify the `X-Auth-Code` header matches the stored `auth_code` — return 403 on mismatch
3. Apply a partial UPDATE to the `quotes` row (only update supplied fields)
4. Update `updated_at` timestamp
5. If `tags` is present in the body, replace all tags for the quote
6. Return 200 with the updated quote
- Return 404 if the quote ID does not exist.
- Return 403 (not 401) on auth code mismatch; do not reveal whether the ID exists to unauthenticated callers.
- Setting a field to `null` in the request body should clear it (for `source` and `date`).
- `updated_at` must be set to `CURRENT_TIMESTAMP` on every update.
Use `superpowers:test-driven-development` — write tests for: valid auth 200, wrong auth 403, not found 404, partial update, null-to-clear.
Use `superpowers:verification-before-completion` before closing.
Run in order from the `quotesdb/` directory:
```sh
cargo fmt
cargo check
cargo clippy
cargo test
```
`feat(quotesdb): implement POST /api/quotes/:id — partial update with auth verification`