Skip to content

fix: resolve auth api and dashboard issues#51

Open
Deusthenight wants to merge 1 commit into
HappyHackingSpace:mainfrom
Deusthenight:fix/auth-api-dashboard-errors
Open

fix: resolve auth api and dashboard issues#51
Deusthenight wants to merge 1 commit into
HappyHackingSpace:mainfrom
Deusthenight:fix/auth-api-dashboard-errors

Conversation

@Deusthenight

@Deusthenight Deusthenight commented Jul 4, 2026

Copy link
Copy Markdown

Summary by CodeRabbit

  • New Features

    • The dashboard now loads through a dedicated content view with better handling for loading, empty, and populated states.
    • Community selection is more seamless, automatically opening a relevant dashboard view when no workspace is selected.
  • Bug Fixes

    • Improved support for requests from approved web app locations while keeping direct/non-browser access working.
    • Community loading now handles missing data more gracefully by showing an empty state instead of errors.

@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

Refactors the dashboard page into a Suspense-wrapped DashboardContent client component handling feed, community, and tenant logic. Backend CORS origin handling is replaced with an allowlist-based callback and explicit methods/headers. Also updates tsconfig build options, frontend env example secrets/URLs, and community fetch error handling.

Changes

Dashboard Refactor

Layer / File(s) Summary
DashboardContent extraction and page wiring
frontend/src/app/dashboard/dashboard-content.tsx, frontend/src/app/dashboard/page.tsx
New client component handles session, community/tenant selection via URL, feed state, redirect logic, and UI rendering; DashboardPage is reduced to a Suspense wrapper around it.
Community fetch error handling
frontend/src/hooks/use-communities.ts
Defaults fetched communities to an empty array on missing data and resets communities/error state on fetch failure with a warning log.

Backend and Config Updates

Layer / File(s) Summary
CORS allowlist
backend/src/main.ts
Replaces production-based origin toggle with an explicit allowlist array and callback-based origin validation; adds explicit CORS methods and allowed headers.
Build/env config
backend/tsconfig.json, frontend/.env.example
Adds rootDir, outDir, and ignoreDeprecations to tsconfig; updates AUTH_SECRET/NEXTAUTH_SECRET and AUTH_URL/NEXTAUTH_URL in the env example.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant DashboardPage
  participant DashboardContent
  participant useCommunities
  participant useActivityFeed
  participant Router

  DashboardPage->>DashboardContent: render inside Suspense
  DashboardContent->>useCommunities: fetch communities
  DashboardContent->>useActivityFeed: fetch posts
  useCommunities-->>DashboardContent: communities loaded
  alt no tenantId in URL
    DashboardContent->>Router: replace to /dashboard?tenantId=...
  end
  DashboardContent-->>DashboardPage: render feed UI
Loading

Poem

A rabbit hops through dashboard code,
Splitting content down a Suspense-y road,
CORS gates now guard with an allowlist true,
Env secrets refreshed, tsconfig too. 🐇
Hop hop hooray, the burrow's secure! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main scope: fixes around auth configuration and dashboard behavior.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/src/main.ts`:
- Around line 14-20: The CORS allowlist in allowedOrigins currently mixes
FRONTEND_URL with localhost/127.0.0.1 dev URLs unconditionally, which leaves dev
origins trusted in production. Update backend/src/main.ts so the allowedOrigins
construction in the startup/CORS setup only appends the localhost/127.0.0.1
entries when running in a development environment, and keep production limited
to the configured FRONTEND_URL; use the existing allowedOrigins symbol so the
gating is easy to find.

In `@backend/tsconfig.json`:
- Line 18: The tsconfig setting uses a TypeScript 6-only deprecation target,
which conflicts with the currently pinned TypeScript 5.7.x version. Update the
backend/tsconfig.json setting for ignoreDeprecations to a 5.x-compatible value,
or alternatively align the TypeScript version in backend/package.json to 6.0;
check the tsconfig field and the package.json TypeScript dependency together so
they match.

In `@frontend/.env.example`:
- Around line 1-2: The .env example secrets are using a real-looking base64
value, which can be flagged by secret scanners and copied into real environments
accidentally. Update the placeholders for AUTH_SECRET and NEXTAUTH_SECRET in the
.env.example file to obviously fake, non-secret values (for example, a
“changeme” style placeholder) so it is clear they must be replaced before use.

In `@frontend/src/hooks/use-communities.ts`:
- Around line 33-36: The catch block in useCommunities is clearing the hook’s
error state, which hides fetch failures from consumers like DiscoverPage. Update
the error handling in useCommunities so the catch path preserves the failure by
setting error to the caught exception (or a derived message) instead of
resetting it to null, while still clearing communities as needed; keep the
existing loading/reset flow in the hook’s fetch logic intact.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9384b23e-08c4-46c8-b64d-1bd968f72984

📥 Commits

Reviewing files that changed from the base of the PR and between d21eca4 and aaca7ed.

📒 Files selected for processing (6)
  • backend/src/main.ts
  • backend/tsconfig.json
  • frontend/.env.example
  • frontend/src/app/dashboard/dashboard-content.tsx
  • frontend/src/app/dashboard/page.tsx
  • frontend/src/hooks/use-communities.ts

Comment thread backend/src/main.ts
Comment on lines +14 to +20
const allowedOrigins = [
process.env.FRONTEND_URL,
'http://localhost:3001',
'http://127.0.0.1:3001',
'http://localhost:8080',
'http://127.0.0.1:8080',
].filter(Boolean) as string[];

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Dev-only origins remain allowed in production.

allowedOrigins unconditionally includes localhost:3001/127.0.0.1:3001/:8080 dev URLs alongside FRONTEND_URL, with no environment gating. In production this means the credentialed CORS allowlist always trusts local dev origins, unnecessarily widening the trust boundary for a credentials-enabled API.

🔒 Proposed fix — gate dev origins by environment
-  const allowedOrigins = [
-    process.env.FRONTEND_URL,
-    'http://localhost:3001',
-    'http://127.0.0.1:3001',
-    'http://localhost:8080',
-    'http://127.0.0.1:8080',
-  ].filter(Boolean) as string[];
+  const devOrigins = [
+    'http://localhost:3001',
+    'http://127.0.0.1:3001',
+    'http://localhost:8080',
+    'http://127.0.0.1:8080',
+  ];
+  const allowedOrigins = [
+    process.env.FRONTEND_URL,
+    ...(process.env.NODE_ENV !== 'production' ? devOrigins : []),
+  ].filter(Boolean) as string[];
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const allowedOrigins = [
process.env.FRONTEND_URL,
'http://localhost:3001',
'http://127.0.0.1:3001',
'http://localhost:8080',
'http://127.0.0.1:8080',
].filter(Boolean) as string[];
const devOrigins = [
'http://localhost:3001',
'http://127.0.0.1:3001',
'http://localhost:8080',
'http://127.0.0.1:8080',
];
const allowedOrigins = [
process.env.FRONTEND_URL,
...(process.env.NODE_ENV !== 'production' ? devOrigins : []),
].filter(Boolean) as string[];
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/src/main.ts` around lines 14 - 20, The CORS allowlist in
allowedOrigins currently mixes FRONTEND_URL with localhost/127.0.0.1 dev URLs
unconditionally, which leaves dev origins trusted in production. Update
backend/src/main.ts so the allowedOrigins construction in the startup/CORS setup
only appends the localhost/127.0.0.1 entries when running in a development
environment, and keep production limited to the configured FRONTEND_URL; use the
existing allowedOrigins symbol so the gating is easy to find.

Comment thread backend/tsconfig.json
"rootDir": "./src",
"outDir": "./dist",
"baseUrl": "./",
"ignoreDeprecations": "6.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check pinned typescript version in backend
fd package.json backend -x jq -r '.devDependencies.typescript // .dependencies.typescript' {}

Repository: HappyHackingSpace/CommunityHub

Length of output: 175


🌐 Web query:

TypeScript ignoreDeprecations "6.0" 5.7.3 diagnostic TS5103 docs

💡 Result:

In TypeScript 5.7.3, the compiler option "ignoreDeprecations": "6.0" is invalid and will trigger diagnostic error TS5103: "Invalid value for '--ignoreDeprecations'" [1][2][3]. The "ignoreDeprecations": "6.0" setting is a feature introduced specifically in TypeScript 6.0 to allow developers to suppress deprecation warnings for features that are planned for removal in TypeScript 7.0 [4]. Because TypeScript 5.7.3 predates the 6.0 release, it does not recognize "6.0" as a valid argument for this configuration option [4][5]. If you are encountering deprecation warnings in TypeScript 5.7.3, you must use a version-appropriate value (such as "5.0") if supported by your specific environment, or address the underlying configuration issue directly by removing or updating the deprecated feature [6][1]. Attempting to use "6.0" in any TypeScript 5.x version will consistently result in error TS5103 [1][2][3].

Citations:


backend/tsconfig.json uses a TypeScript 6-only value
backend/package.json pins TypeScript ^5.7.3, so ignoreDeprecations: "6.0" will fail on this branch with TS5103. Either switch to a 5.x-compatible value or upgrade TypeScript to 6.0.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/tsconfig.json` at line 18, The tsconfig setting uses a TypeScript
6-only deprecation target, which conflicts with the currently pinned TypeScript
5.7.x version. Update the backend/tsconfig.json setting for ignoreDeprecations
to a 5.x-compatible value, or alternatively align the TypeScript version in
backend/package.json to 6.0; check the tsconfig field and the package.json
TypeScript dependency together so they match.

Comment thread frontend/.env.example
Comment on lines +1 to +2
AUTH_SECRET=XKZ7Z1O3bhU4caz2D8ouu7dKhXyQ+ZUhsjvTwtHxp10=
NEXTAUTH_SECRET=XKZ7Z1O3bhU4caz2D8ouu7dKhXyQ+ZUhsjvTwtHxp10=

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Use an obvious placeholder instead of a real-looking secret value.

Both AUTH_SECRET and NEXTAUTH_SECRET use an identical, well-formed base64 string. Secret scanners flag this as a potential real credential, and if ever copy-pasted verbatim into a real .env, it provides no security. Prefer a clearly fake placeholder (e.g., AUTH_SECRET=changeme-generate-with-openssl-rand-base64-32).

🧰 Tools
🪛 Betterleaks (1.6.0)

[high] 1-1: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 2-2: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/.env.example` around lines 1 - 2, The .env example secrets are using
a real-looking base64 value, which can be flagged by secret scanners and copied
into real environments accidentally. Update the placeholders for AUTH_SECRET and
NEXTAUTH_SECRET in the .env.example file to obviously fake, non-secret values
(for example, a “changeme” style placeholder) so it is clear they must be
replaced before use.

Source: Linters/SAST tools

Comment on lines 33 to +36
} catch (err: any) {
console.error("Failed to fetch communities", err);
setError(err);
console.warn('Failed to fetch communities, using empty state', err?.message || err);
setCommunities([]);
setError(null);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Don't clear error state on fetch failure — it breaks downstream error UIs.

Resetting error to null in the catch block means the hook's error state is always null, so consumers can no longer distinguish "no communities" from "fetch failed."

DiscoverPage renders a spinner while loading, shows an error panel only when error is set, otherwise shows "No communities found" when filteredCommunities is empty. With this change, backend/network failures will silently render as "The directory is currently empty," hiding real failures from users.

🐛 Proposed fix to preserve error visibility
       } catch (err: any) {
         console.warn('Failed to fetch communities, using empty state', err?.message || err);
         setCommunities([]);
-        setError(null);
+        setError(err instanceof Error ? err : new Error(err?.message || 'Failed to fetch communities'));
       } finally {
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
} catch (err: any) {
console.error("Failed to fetch communities", err);
setError(err);
console.warn('Failed to fetch communities, using empty state', err?.message || err);
setCommunities([]);
setError(null);
} catch (err: any) {
console.warn('Failed to fetch communities, using empty state', err?.message || err);
setCommunities([]);
setError(err instanceof Error ? err : new Error(err?.message || 'Failed to fetch communities'));
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/hooks/use-communities.ts` around lines 33 - 36, The catch block
in useCommunities is clearing the hook’s error state, which hides fetch failures
from consumers like DiscoverPage. Update the error handling in useCommunities so
the catch path preserves the failure by setting error to the caught exception
(or a derived message) instead of resetting it to null, while still clearing
communities as needed; keep the existing loading/reset flow in the hook’s fetch
logic intact.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant