Skip to content

Security/apis#162

Merged
breadddevv merged 2 commits into
mainfrom
security/apis
Jul 9, 2026
Merged

Security/apis#162
breadddevv merged 2 commits into
mainfrom
security/apis

Conversation

@breadddevv

@breadddevv breadddevv commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Summary by CodeRabbit

  • Bug Fixes

    • Added stricter workspace validation for API requests, returning clearer errors for invalid workspace IDs.
    • Improved request handling so invalid workspace access is rejected earlier across authenticated endpoints.
  • Refactor

    • Cleaned up several API routes and standardized middleware usage without changing their visible behavior.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a workspace ID validation utility (verifyWorkspace) and a withHandler wrapper in lib/security.ts, wires it into withAuth/withKey middleware, and removes an unused import elsewhere. The remainder is a broad cleanup of unused imports, commented-out auth imports, unused helper functions, and minor request-body simplifications across dozens of API routes.

Changes

Workspace validation feature

Layer / File(s) Summary
Workspace ID validation utilities
lib/security.ts
Adds verifyWorkspace to validate the id query param against an allowed pattern and withHandler to enforce that check with 400/500 error responses.
Wire validation into auth middleware
lib/withAuth.ts, pages/api/setup/opencloudtest.ts
withAuth and withKey now call verifyWorkspace early and return 400 on failure; an unused withAuth import is removed from an unrelated setup route.

API route import cleanup and minor refactors

Layer / File(s) Summary
Remove unused NextApiRequest type imports
components/docs/modals.tsx, pages/api/user/firstLogin.ts, pages/api/workspace/[id]/allies/..., pages/api/workspace/[id]/home/..., pages/api/workspace/[id]/policies/..., pages/api/workspace/[id]/resignations/..., pages/api/workspace/[id]/sessions/..., pages/api/workspace/[id]/settings/..., pages/api/workspace/[id]/userbook/..., pages/api/workspace/[id]/wall/[postId]/delete.ts, and others
Narrows Next.js type imports to NextApiResponse only across many route files and removes an unused icon import in a docs modal.
Fix commented-out withAuth imports
pages/api/workspace/[id]/settings/general/guides.ts, .../home.ts, .../leaderboard.ts, .../notices.ts, .../policies.ts, .../session-colors.ts, .../sessions.ts, .../transfer.ts, pages/api/workspace/[id]/policies/create.ts
Activates or removes previously commented-out withAuth/withSession imports so export default withAuth(handler) resolves correctly.
Remove unused imports and helper functions
pages/api/workspace/[id]/activity/..., .../allies/..., .../guides/[docid]/delete.ts, .../home/..., .../settings/general/ally.ts, .../settings/roles/..., .../settings/users/..., .../staff/search/[username].ts, .../views/[viewId].ts, .../views/index.ts, .../wall/post.ts
Strips unused config/userinfo/noblox/permission-related imports and removes standalone helper functions like hasManageViewsPermission, keeping handler logic unchanged.
Simplify request body destructuring
pages/api/workspace/[id]/sessions/manage/[sid]/claim.ts, .../claimSlot.ts, .../unclaim.ts
Removes unused timezoneOffset destructuring and a redundant days array constant in session claim/unclaim endpoints.

Estimated code review effort: 2 (Simple) | ~15 minutes

Suggested reviewers: brennanpeters

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check ❓ Inconclusive The title is related to the changes, but it is too vague to convey the main API security and auth updates. Use a clearer title like "Add workspace validation to API handlers" or "Harden API routes with workspace checks".
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch security/apis

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
lib/security.ts (1)

18-37: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consistent response methods would improve clarity.

withHandler uses .send() for the 400 response (line 23) but .json() for the 500 response (line 32). In Next.js these are functionally equivalent for objects, but mixing them is inconsistent. The same pattern appears in withAuth.ts.

♻️ Suggested consistency fix
       if (!verifyWorkspace(req)) return res.status(400).json({
         success: false,
         error: "Not valid workspace"
       });
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@lib/security.ts` around lines 18 - 37, The response handling in withHandler
is inconsistent because the 400 branch uses send while the 500 branch uses json;
update withHandler to use the same response method for both branches, and apply
the same consistency fix in withAuth.ts so the API error responses follow one
pattern throughout.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@lib/security.ts`:
- Around line 18-37: The response handling in withHandler is inconsistent
because the 400 branch uses send while the 500 branch uses json; update
withHandler to use the same response method for both branches, and apply the
same consistency fix in withAuth.ts so the API error responses follow one
pattern throughout.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1e5a517c-d2ec-4038-8d4f-72edaef94740

📥 Commits

Reviewing files that changed from the base of the PR and between 959781e and ec4c72d.

📒 Files selected for processing (72)
  • components/docs/modals.tsx
  • lib/security.ts
  • lib/withAuth.ts
  • pages/api/setup/opencloudtest.ts
  • pages/api/user/firstLogin.ts
  • pages/api/workspace/[id]/activity/history/[userId].ts
  • pages/api/workspace/[id]/allies/[aid]/delete.ts
  • pages/api/workspace/[id]/allies/[aid]/discipline.ts
  • pages/api/workspace/[id]/allies/[aid]/notes.ts
  • pages/api/workspace/[id]/allies/[aid]/reps.ts
  • pages/api/workspace/[id]/allies/[aid]/update.ts
  • pages/api/workspace/[id]/allies/[aid]/visits/[vid].ts
  • pages/api/workspace/[id]/allies/[aid]/visits/index.ts
  • pages/api/workspace/[id]/allies/new.ts
  • pages/api/workspace/[id]/announcement/update.ts
  • pages/api/workspace/[id]/api-keys/[keyId]/create.ts
  • pages/api/workspace/[id]/api-keys/[keyId]/delete.ts
  • pages/api/workspace/[id]/birthday/[userId].ts
  • pages/api/workspace/[id]/guides/[docid]/delete.ts
  • pages/api/workspace/[id]/home/activeSessions.ts
  • pages/api/workspace/[id]/home/docs.ts
  • pages/api/workspace/[id]/home/new-members.ts
  • pages/api/workspace/[id]/home/quickLinks.ts
  • pages/api/workspace/[id]/home/upcoming.ts
  • pages/api/workspace/[id]/home/wall.ts
  • pages/api/workspace/[id]/policies/[docId].ts
  • pages/api/workspace/[id]/policies/create.ts
  • pages/api/workspace/[id]/policies/pending.ts
  • pages/api/workspace/[id]/resignations/count.ts
  • pages/api/workspace/[id]/resignations/create.ts
  • pages/api/workspace/[id]/resignations/update.ts
  • pages/api/workspace/[id]/sessions/[sid]/notes/[noteId].ts
  • pages/api/workspace/[id]/sessions/create-unscheduled.ts
  • pages/api/workspace/[id]/sessions/manage/[sid]/claim.ts
  • pages/api/workspace/[id]/sessions/manage/[sid]/claimSlot.ts
  • pages/api/workspace/[id]/sessions/manage/[sid]/end.ts
  • pages/api/workspace/[id]/sessions/manage/[sid]/unclaim.ts
  • pages/api/workspace/[id]/settings/api-keys/[keyId]/delete.ts
  • pages/api/workspace/[id]/settings/api-keys/create.ts
  • pages/api/workspace/[id]/settings/api-keys/index.ts
  • pages/api/workspace/[id]/settings/general/alliance-strikes.ts
  • pages/api/workspace/[id]/settings/general/ally.ts
  • pages/api/workspace/[id]/settings/general/birthdays/hook.ts
  • pages/api/workspace/[id]/settings/general/birthdays/test.ts
  • pages/api/workspace/[id]/settings/general/discord/hook.ts
  • pages/api/workspace/[id]/settings/general/discord/milestone/key.ts
  • pages/api/workspace/[id]/settings/general/discord/milestone/test.ts
  • pages/api/workspace/[id]/settings/general/discord/test.ts
  • pages/api/workspace/[id]/settings/general/guides.ts
  • pages/api/workspace/[id]/settings/general/home.ts
  • pages/api/workspace/[id]/settings/general/leaderboard.ts
  • pages/api/workspace/[id]/settings/general/notices.ts
  • pages/api/workspace/[id]/settings/general/policies.ts
  • pages/api/workspace/[id]/settings/general/roblox/key.ts
  • pages/api/workspace/[id]/settings/general/roblox/test.ts
  • pages/api/workspace/[id]/settings/general/session-colors.ts
  • pages/api/workspace/[id]/settings/general/sessions.ts
  • pages/api/workspace/[id]/settings/general/transfer.ts
  • pages/api/workspace/[id]/settings/roles/[roleid]/delete.ts
  • pages/api/workspace/[id]/settings/roles/index.ts
  • pages/api/workspace/[id]/settings/roles/new.ts
  • pages/api/workspace/[id]/settings/users/[userid]/remove.ts
  • pages/api/workspace/[id]/settings/users/[userid]/update.ts
  • pages/api/workspace/[id]/settings/users/add.ts
  • pages/api/workspace/[id]/staff/search/[username].ts
  • pages/api/workspace/[id]/timezone.ts
  • pages/api/workspace/[id]/userbook/[uid]/[entryId]/delete.ts
  • pages/api/workspace/[id]/userbook/[uid]/[entryId]/redact.ts
  • pages/api/workspace/[id]/views/[viewId].ts
  • pages/api/workspace/[id]/views/index.ts
  • pages/api/workspace/[id]/wall/[postId]/delete.ts
  • pages/api/workspace/[id]/wall/post.ts
💤 Files with no reviewable changes (15)
  • pages/api/workspace/[id]/settings/general/policies.ts
  • pages/api/workspace/[id]/settings/general/home.ts
  • pages/api/workspace/[id]/settings/roles/new.ts
  • pages/api/workspace/[id]/policies/create.ts
  • pages/api/workspace/[id]/settings/general/session-colors.ts
  • pages/api/workspace/[id]/settings/users/[userid]/remove.ts
  • pages/api/workspace/[id]/settings/general/transfer.ts
  • pages/api/workspace/[id]/settings/roles/[roleid]/delete.ts
  • components/docs/modals.tsx
  • pages/api/workspace/[id]/settings/roles/index.ts
  • pages/api/workspace/[id]/home/quickLinks.ts
  • pages/api/workspace/[id]/settings/general/sessions.ts
  • pages/api/workspace/[id]/settings/general/notices.ts
  • pages/api/workspace/[id]/settings/general/leaderboard.ts
  • pages/api/workspace/[id]/settings/general/guides.ts

@breadddevv breadddevv merged commit aa1e761 into main Jul 9, 2026
5 checks passed
@breadddevv breadddevv deleted the security/apis branch July 9, 2026 18:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant