PATCH /api/threads/{id}

Authentication

Required: JWT Bearer token JWT Claims Extraction (Lines 277-281):

sub | ClaimTypes.NameIdentifier → User UUID (required)

Path Parameters

string

required

Thread UUIDFormat: Valid GUIDValidation: Route constraint :guid (Line 270)

Request Body

title

string

required

New thread titleValidation (Lines 305-313):

if (string.IsNullOrWhiteSpace(request?.Title)) {
    return BadRequest("Title is required");
}

Constraints:

MUST NOT be null
MUST NOT be empty string
MUST NOT be whitespace-only

Max Length: Not enforced by API contract (database column limit may apply)

curl -X PATCH 'http://localhost:5079/api/threads/f47ac10b-58cc-4372-a567-0e02b2c3d479' \
  -H 'Authorization: Bearer YOUR_JWT_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{"title": "Updated Thread Title"}'

{
  "success": true,
  "message": "Thread updated successfully"
}

Authorization

Ownership Verification (Lines 289-303):

var thread = await _threadsService.GetThreadAsync(threadId);
if (thread == null) {
    return NotFound("Thread not found");
}

if (thread.UserId != userId) {
    return 403 FORBIDDEN;
}

Permission Rules:

ONLY thread owner can update title
No delegation or sharing of update rights
Admins NOT exempted (no admin check in code)

Side Effects

Database Mutations (Line 315):

await _threadsService.UpdateThreadAsync(threadId, request.Title);

Tables Written:

UPDATE threads SET title = {request.Title}, updated_at = NOW() WHERE thread_id = {threadId}

Cascade Effects: None

Messages not affected
Thread visibility not changed
Ownership not changed

Permissions

Who Can Modify:

Thread owner only

Who Cannot Modify:

Other authenticated users
Unauthenticated users
Public thread viewers (even if public_sharing enabled)

Edge Cases

Thread doesn’t exist: 404 (Lines 290-293)
User is not owner: 403 (Lines 295-303)
Title is null: 400 (Lines 305-313)
Title is empty: 400 (Lines 305-313)
Title is whitespace-only: 400 (Lines 305-313)
Title same as current: Update proceeds (no change detection)
Very long title: Not validated by controller (database may truncate or error)

Error Conditions

Code	HTTP	Cause	Controller Line
N/A	401	JWT missing or invalid	Middleware
N/A	401	User ID claim missing	283-286
`INVALID_REQUEST`	400	Title null/empty/whitespace	305-313
`NOT_FOUND`	404	Thread doesn’t exist	290-293
`FORBIDDEN`	403	Not thread owner	295-303
`THREAD_UPDATE_ERROR`	500	Service exception	323-331

Exception Handling (Lines 323-331):

catch (Exception ex) {
    return StatusCode(500, new { error = ex.Message, code = "THREAD_UPDATE_ERROR" });
}

Behavioral Guarantees

Atomicity: Single UPDATE query (atomic) Idempotency: NOT idempotent

updated_at timestamp changes on every call
Even if title unchanged

Concurrency: No locking

Race condition possible if two updates concurrent
Last write wins (database-dependent)

Validation Order

User ID from JWT (401 if missing)
Thread existence (404 if not found)
Ownership (403 if not owner)
Title validation (400 if invalid)
Update execution (500 if fails)

Note: Title validated AFTER ownership check (Lines 305-315)

Database Schema Impact

Column Updated: threads.title Timestamp Updated: threads.updated_at (implicit, service-level) No Triggers: Controller doesn’t document any database triggers

​Authentication

​Path Parameters

​Request Body

​Authorization

​Side Effects

​Permissions

​Edge Cases

​Error Conditions

​Behavioral Guarantees

​Validation Order

​Database Schema Impact