Coarsen GPS coordinates to 3 dp before API/URL and deduplicate runSearch triggers

- HeroSearch: round lat/lng to 3 decimal places (~111m precision) before emit to prevent exact location leakage in shareable URLs and server logs - Home: move duplicate-search guard into runSearch (single choke point) instead of watcher, eliminating race between route.query sync and direct onSearch call - Add inline documentation referencing .claude/rules/frontend.md privacy guidance
2026-06-10 11:08:55 +01:00
parent 1ae2f1396d
commit adf0b93a45
2 changed files with 22 additions and 5 deletions
--- a/resources/js/components/landing/HeroSearch.vue
+++ b/resources/js/components/landing/HeroSearch.vue
@@ -58,6 +58,18 @@ const props = defineProps({

 const emit = defineEmits(['search'])

+// Coarsen GPS coordinates to ~111 m (3 dp) before they leave the browser.
+// "Use my location" coords flow into the shareable URL, the /api/stations
+// request, and server/access logs — full precision would broadcast the user's
+// exact position to anyone they share the resulting link with. 3 dp is ample
+// for a radius station search. See .claude/rules/frontend.md.
+const COORDINATE_DECIMALS = 3
+
+function coarsenCoordinate(value) {
+    const factor = 10 ** COORDINATE_DECIMALS
+    return Math.round(value * factor) / factor
+}
+
 const postcode = ref('')
 const locating = ref(false)

@@ -88,8 +100,8 @@ function useMyLocation() {
            postcode.value = ''
            emit('search', {
                postcode: null,
-                lat: coords.latitude,
-                lng: coords.longitude,
+                lat: coarsenCoordinate(coords.latitude),
+                lng: coarsenCoordinate(coords.longitude),
                fuelType: props.fuelType,
                radius: props.radius,
                sort: props.sort,