Added a user profile and github token saving after logging in

[anshggss]

Related Issue

• Closes: 🚀 Feature: adding a user profile section to save user's github token #485

---

Description

This PR adds GitHub token management to the authentication flow, enabling users to save and use their GitHub personal access token within the app.

Key changes include:

• Updated the Mongoose user model to support token storage (changed token field type in schema)
• Added a POST route to save the GitHub token to MongoDB
• Modified the passport field to carry the auth token
• Added a setToken route so users can enter their token on login
• Added a redirect to the SetToken page when a user has no token saved
• Displayed the logged-in username in the navbar; tracker now reloads automatically on login

---

How Has This Been Tested?

• Manually tested token save/retrieval flow end-to-end
• Verified redirect to SetToken page when token is absent
• Confirmed navbar updates correctly after login
• Unit tests

---

Screenshots (if applicable)

---

Type of Change

• Bug fix
• New feature
• Code style update
• Breaking change
• Documentation update

Summary by CodeRabbit

• New Features
  • Added GitHub Personal Access Token management flow with a dedicated token entry page following login
  • Introduced user profile page accessible from the navbar
  • Updated navbar to display user profile link when logged in
  • Enhanced tracker page with automatic data fetching based on username and token changes

[netlify]

✅ Deploy Preview for github-spy ready!

Name	Link
🔨 Latest commit	e8b6fa2
🔍 Latest deploy log	https://app.netlify.com/projects/github-spy/deploys/6a19c215a1d7a60008a774ce
😎 Deploy Preview	https://deploy-preview-490--github-spy.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Warning

Review limit reached

@mehul-m-prajapati, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 49 minutes and 5 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 284c394e-e2c4-4e50-a017-e1866d911b9a

📥 Commits

Reviewing files that changed from the base of the PR and between b4c8307 and e8b6fa2.

📒 Files selected for processing (5)

• backend/config/passportConfig.js
• src/App.tsx
• src/Routes/Router.tsx
• src/pages/Login/Login.tsx
• src/pages/Tracker/Tracker.tsx

📝 Walkthrough

Walkthrough

This PR implements persistent GitHub token storage and user profile management. The backend adds a token field to users and exposes a POST /token endpoint; the frontend introduces UserContext for session state, new token entry and profile pages, conditional navigation based on login status, and auto-fetch behavior in the tracker that eliminates manual token re-entry.

Changes

User Profile and Token Management Feature

Layer / File(s)	Summary
Backend User Schema and Token Endpoint backend/models/User.js, backend/config/passportConfig.js, backend/routes/auth.js	UserSchema adds unique sparse token field; Passport's successful-auth response includes both email and token; new POST /token endpoint accepts credentials-based requests and persists token via User.findByIdAndUpdate.
Frontend User Context Infrastructure src/context/UserContext.tsx, src/main.tsx	Creates UserContext, UserProvider, and useUser() hook for shared session state; wraps app at root to supply user and token-update helpers to all children.
Token Entry Routing and Component src/App.tsx, src/Routes/Router.tsx, src/components/SetToken.tsx	New /enterToken fullscreen route renders SetToken component, which posts user-entered token to backend and redirects to / on success or shows error message on failure.
Login with UserContext Integration src/pages/Login/Login.tsx	Stores returned user object in UserContext on successful login and routes to /enterToken when token is absent, otherwise to /; JSX layout expanded into multi-line structure.
Profile Page with Token and Logout src/pages/Profile/Profile.tsx	New profile page allows users to update their token via POST /token, shows username, provides logout via /api/auth/logout, and returns to login when user state is cleared.
Navigation Conditional on User State src/components/Navbar.tsx	Reads UserContext to conditionally render /profile link with username when user exists, or fallback /login "Login" link when no user; applied to both desktop and mobile menus.
Tracker Auto-Fetch with UserContext src/pages/Tracker/Tracker.tsx	Migrates auth state from useGitHubAuth to UserContext, adds debounced auto-fetch on username change and tab-visibility change, removes auth form submit button, and updates error alert to show only dataError.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• GitMetricsLab/github_tracker#255: Both modify Tracker's auto-fetch and authentication-driven data flow with similar debounce and effect patterns.
• GitMetricsLab/github_tracker#277: Both touch Navbar conditional rendering logic based on user state.
• GitMetricsLab/github_tracker#269: Both modify FULLSCREEN_ROUTES in App.tsx for route-based layout control.

Suggested labels

quality:clean, level:advanced, type:feature

Poem

🐰 A user arrives, now with profile in sight,
Token persists through the GitHub night,
No more re-entry, the tracker runs free,
With context that flows where it ought to be! 🚀

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title 'Added a user profile and github token saving after logging in' directly matches the main changes in the changeset—user profile implementation and GitHub token persistence after login.
Description check	✅ Passed	The pull request description follows the template, includes all required sections (Related Issue, Description, Testing, Type of Change), and provides comprehensive details about the changes and manual testing.
Linked Issues check	✅ Passed	All coding requirements from issue #485 are met: User schema updated for token storage, profile page with token save/logout functionality, SetToken page for token entry, and auto-redirect when token is absent.
Out of Scope Changes check	✅ Passed	All code changes are directly scoped to issue #485 requirements: token schema/persistence, profile UI, token entry flow, navbar user display, and context integration. No unrelated changes detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🎉 Thank you @anshggss for your contribution. Please make sure your PR follows https://github.com/GitMetricsLab/github_tracker/blob/main/CONTRIBUTING.md#-pull-request-guidelines

[Copilot]

Pull request overview

This PR adds per-user GitHub Personal Access Token (PAT) management to the authentication flow, introducing a Profile/SetToken UX and wiring the stored token into the tracker experience.

Changes:

• Adds a backend /api/auth/token endpoint and extends the user/session payload to include a stored GitHub token.
• Introduces a frontend UserContext, updates login to populate it, and adds Profile + SetToken pages/routes.
• Updates navbar and tracker to reflect logged-in user info and prefill username/token for GitHub data fetching.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
src/Routes/Router.tsx	Adds routes for /enterToken and /profile.
src/pages/Tracker/Tracker.tsx	Prefills tracker auth fields from UserContext and auto-fetches on username changes.
src/pages/Profile/Profile.tsx	New profile page to display username, save token, and logout.
src/pages/Login/Login.tsx	Sets UserContext on login and redirects to SetToken if token is missing.
src/main.tsx	Wraps app in UserProvider.
src/context/UserContext.tsx	Adds new context/provider for logged-in user data + token updates.
src/components/SetToken.tsx	New fullscreen flow to save a token immediately after login.
src/components/Navbar.tsx	Shows username (link to profile) when logged in, otherwise Login link.
src/App.tsx	Treats /enterToken as a fullscreen route.
backend/routes/auth.js	Adds token-save endpoint to persist PAT for authenticated users.
backend/models/User.js	Adds token field to the User schema.
backend/config/passportConfig.js	Includes token in the login response user payload.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 10

🧹 Nitpick comments (1)

src/pages/Tracker/Tracker.tsx (1)

93-98: ⚡ Quick win

Avoid double fetches between username-change and page/tab effects.

fetchData is invoked in both effects. When username changes while on a later page, this can issue duplicate page-1 requests and increase API load.

Refactor direction

-  // Auto-fetch when debounced username or token changes
-  useEffect(() => {
-    if (debouncedUsername && token.trim()) {
-      setPage(0);
-      fetchData(debouncedUsername, 1, ROWS_PER_PAGE);
-    }
-  }, [debouncedUsername, token]);
+  // Reset pagination when auth/query identity changes
+  useEffect(() => {
+    setPage(0);
+  }, [debouncedUsername, token]);

-  // Fetch when tab or page changes (username already set)
+  // Single fetch path
   useEffect(() => {
-    if (username) {
-      fetchData(username, page + 1, ROWS_PER_PAGE);
+    if (debouncedUsername && token.trim()) {
+      fetchData(debouncedUsername, page + 1, ROWS_PER_PAGE);
     }
-  }, [tab, page]);
+  }, [debouncedUsername, token, tab, page]);

Also applies to: 101-105

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/Tracker/Tracker.tsx` around lines 93 - 98, The current useEffect
calling setPage(0) and fetchData(debouncedUsername, 1, ROWS_PER_PAGE) causes
duplicate requests because another effect also fetches when page/tab changes;
change the debouncedUsername effect to only setPage(0) (remove the direct
fetchData call) and ensure the existing page/tab effect (the effect that listens
to page, tab, token) also includes debouncedUsername in its dependency list so
it will perform a single fetchData(debouncedUsername, 1, ROWS_PER_PAGE) when the
username changes to page 1.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/models/User.js`:
- Around line 19-23: The User schema currently stores the GitHub PAT in the
token field as plaintext; change storage to a secure pattern: stop exposing it
by default (make the token field non-selectable) and switch to encrypted-at-rest
or a secrets-vault reference. Concretely, update the token definition in User
schema (token) to set it as excluded from default queries (select:false) and
replace direct assignment with a setter/getter that encrypts/decrypts using the
chosen key management solution (or store only a vault/secretId reference instead
of the raw PAT); ensure any code paths that read/write token use the new
encrypt/decrypt or vault API through well-named helpers (e.g.,
UserSchema.methods.setGithubToken / getGithubToken) so plaintext tokens are
never persisted or returned by default.

In `@backend/routes/auth.js`:
- Around line 43-46: The current check accepts whitespace-only tokens; update
the handler that reads const { token } = req.body to trim the incoming string
and validate the trimmed value instead: create a trimmedToken (e.g.,
tokenTrimmed = token && token.trim()), return res.status(400).json({ message:
'Token is required' }) when tokenTrimmed is falsy/empty, and thereafter use the
trimmedToken wherever the token is stored or used (replace usages of token with
the trimmed value).
- Around line 48-53: The current token-save logic always returns success and
leaks internal error messages; update the handler around User.findByIdAndUpdate
to check the returned value (result) and only set req.user.token and send a 200
when result is truthy, return a 404/appropriate client error if no document was
updated, and on exceptions avoid exposing err.message to clients — log the full
error server-side and return a generic 500 message; also detect duplicate-key
errors (e.g., err.code === 11000) and return a 409-ish response with a safe
message.

In `@src/components/Navbar.tsx`:
- Line 5: Remove the unused Github import from the lucide-react import list in
Navbar.tsx: locate the import statement that currently imports Moon, Sun, Menu,
X, Github and delete Github so only the used icons (Moon, Sun, Menu, X) remain,
which will resolve the ESLint unused-import error.

In `@src/components/SetToken.tsx`:
- Around line 30-33: The handler in the SetToken component currently only acts
when response.data.success is true; add an else branch after the if
(response.data.success) block to explicitly set an error message in component
state (use the existing message setter, e.g., setMessage) and avoid silent
failures; prefer using response.data.message if present, otherwise set a generic
failure string—keep calls to updateToken(token) and navigate("/") only inside
the success branch.

In `@src/context/UserContext.tsx`:
- Around line 3-8: UserData currently declares _id while backend auth payload
uses id; update the frontend contract to accept the backend shape by replacing
or supporting _id with id: change the UserData interface (symbol: UserData in
src/context/UserContext.tsx) so it uses id: string instead of _id, or allow both
by adding id?: string and mapping/normalizing when consuming auth payloads
(e.g., normalizeAuthPayload functions or where setUser is called) so the app
consistently uses user.id internally; ensure all usages of UserData (state,
setUser, selectors) read the normalized id field.

In `@src/pages/Login/Login.tsx`:
- Around line 44-51: The login code currently checks response.data.message ===
"Login successful" and assumes response.data.user exists; change the branch to
rely on a stable success indicator (e.g., HTTP status or a boolean like
response.data.success) instead of a specific message string, guard against a
missing user payload before calling setUser/navigating (check response.data.user
and handle null/undefined by showing an error or fallback), and when user object
exists use user.token to choose navigate("/enterToken") vs navigate("/"); update
references in this flow (response, response.data, setUser, userData, token,
navigate) accordingly.

In `@src/pages/Profile/Profile.tsx`:
- Around line 38-45: The token submission allows blank/whitespace values; before
calling axios.post and before calling updateToken/setSaved validate the token by
trimming it and rejecting empty strings (e.g. const cleaned = token.trim(); if
(!cleaned) return/show validation error). Apply the same trim-and-non-empty
check in both places where tokens are saved (the block that calls
axios.post(...) and the other save path around updateToken/setSaved referenced
at lines 112-118) so only non-empty trimmed tokens are posted and persisted.
- Around line 23-29: handleLogout currently calls axios.get to /api/auth/logout
which uses a GET for a state-changing operation; change the request to use
axios.post (e.g., await axios.post(`${backendUrl}/api/auth/logout`, {}, {
withCredentials: true })) and ensure the backend route that handles logout
accepts POST; keep the finally behavior (setUser(null); navigate("/login")) and
retain withCredentials so cookies/session are sent.

In `@src/pages/Tracker/Tracker.tsx`:
- Around line 93-98: The effect currently triggers fetchData when
debouncedUsername changes even if token is empty; update the useEffect
conditional to require a truthy token before auto-fetching (e.g., change the
inner if to check both debouncedUsername and token), so call setPage(0) and
fetchData(debouncedUsername, 1, ROWS_PER_PAGE) only when token is present; keep
token in the dependency array and use the existing symbols useEffect,
debouncedUsername, token, setPage, fetchData, and ROWS_PER_PAGE to locate the
change.

---

Nitpick comments:
In `@src/pages/Tracker/Tracker.tsx`:
- Around line 93-98: The current useEffect calling setPage(0) and
fetchData(debouncedUsername, 1, ROWS_PER_PAGE) causes duplicate requests because
another effect also fetches when page/tab changes; change the debouncedUsername
effect to only setPage(0) (remove the direct fetchData call) and ensure the
existing page/tab effect (the effect that listens to page, tab, token) also
includes debouncedUsername in its dependency list so it will perform a single
fetchData(debouncedUsername, 1, ROWS_PER_PAGE) when the username changes to page
1.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1b75422d-76d9-4d9d-bd0f-5cc24439cf81

📥 Commits

Reviewing files that changed from the base of the PR and between 6c6bc3e and b4c8307.

📒 Files selected for processing (12)

• backend/config/passportConfig.js
• backend/models/User.js
• backend/routes/auth.js
• src/App.tsx
• src/Routes/Router.tsx
• src/components/Navbar.tsx
• src/components/SetToken.tsx
• src/context/UserContext.tsx
• src/main.tsx
• src/pages/Login/Login.tsx
• src/pages/Profile/Profile.tsx
• src/pages/Tracker/Tracker.tsx

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Avoid storing GitHub PATs as plaintext in user records.

This persists a long-lived credential directly in clear text. Encrypt it at rest (or use a secrets vault pattern) and avoid exposing it by default in queries.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/models/User.js` around lines 19 - 23, The User schema currently
stores the GitHub PAT in the token field as plaintext; change storage to a
secure pattern: stop exposing it by default (make the token field
non-selectable) and switch to encrypted-at-rest or a secrets-vault reference.
Concretely, update the token definition in User schema (token) to set it as
excluded from default queries (select:false) and replace direct assignment with
a setter/getter that encrypts/decrypts using the chosen key management solution
(or store only a vault/secretId reference instead of the raw PAT); ensure any
code paths that read/write token use the new encrypt/decrypt or vault API
through well-named helpers (e.g., UserSchema.methods.setGithubToken /
getGithubToken) so plaintext tokens are never persisted or returned by default.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Reject whitespace-only token input.

At Line 44, a string like " " passes validation and gets stored as a token. Trim first and validate the trimmed value.

Suggested patch

-    const { token } = req.body;
-    if (!token) {
+    const token = req.body.token?.trim();
+    if (!token) {
         return res.status(400).json({ message: 'Token is required' });
     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const { token } = req.body;
	if (!token) {
	return res.status(400).json({ message: 'Token is required' });
	}
	const token = req.body.token?.trim();
	if (!token) {
	return res.status(400).json({ message: 'Token is required' });
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/routes/auth.js` around lines 43 - 46, The current check accepts
whitespace-only tokens; update the handler that reads const { token } = req.body
to trim the incoming string and validate the trimmed value instead: create a
trimmedToken (e.g., tokenTrimmed = token && token.trim()), return
res.status(400).json({ message: 'Token is required' }) when tokenTrimmed is
falsy/empty, and thereafter use the trimmedToken wherever the token is stored or
used (replace usages of token with the trimmed value).

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Verify update success and avoid leaking raw backend errors.

At Line 48-53, this always returns success when no document is updated, and exposes err.message to clients. Return a safe generic 500 and handle null-update/duplicate-key cases explicitly.

Suggested patch

-        await User.findByIdAndUpdate(req.user._id, { token });
+        const updated = await User.findByIdAndUpdate(
+          req.user._id,
+          { token },
+          { new: true, runValidators: true }
+        );
+        if (!updated) {
+          return res.status(404).json({ message: "User not found" });
+        }
         req.user.token = token;
         res.status(200).json({ success: true, message: 'Token saved successfully' });
     } catch (err) {
-        res.status(500).json({ message: 'Error saving token', error: err.message });
+        if (err?.code === 11000) {
+          return res.status(409).json({ message: "Token already in use" });
+        }
+        res.status(500).json({ message: 'Error saving token' });
     }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/routes/auth.js` around lines 48 - 53, The current token-save logic
always returns success and leaks internal error messages; update the handler
around User.findByIdAndUpdate to check the returned value (result) and only set
req.user.token and send a 200 when result is truthy, return a 404/appropriate
client error if no document was updated, and on exceptions avoid exposing
err.message to clients — log the full error server-side and return a generic 500
message; also detect duplicate-key errors (e.g., err.code === 11000) and return
a 409-ish response with a safe message.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove unused Github import to clear lint failure.

Github is imported but never used, matching the ESLint error.

Suggested fix

-import { Moon, Sun, Menu, X, Github } from "lucide-react";
+import { Moon, Sun, Menu, X } from "lucide-react";

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	import { Moon, Sun, Menu, X, Github } from "lucide-react";
	import { Moon, Sun, Menu, X } from "lucide-react";

🧰 Tools

🪛 ESLint

[error] 5-5: 'Github' is defined but never used.

(@typescript-eslint/no-unused-vars)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/components/Navbar.tsx` at line 5, Remove the unused Github import from
the lucide-react import list in Navbar.tsx: locate the import statement that
currently imports Moon, Sun, Menu, X, Github and delete Github so only the used
icons (Moon, Sun, Menu, X) remain, which will resolve the ESLint unused-import
error.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Handle non-success API responses explicitly.

If the request resolves but success is false, the UI shows no error and does nothing. Add an else branch to set a message.

Suggested patch

       if (response.data.success) {
         updateToken(token);
         navigate("/");
+      } else {
+        setMessage(response.data.message ?? "Failed to save token.");
       }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if (response.data.success) {
	updateToken(token);
	navigate("/");
	}
	if (response.data.success) {
	updateToken(token);
	navigate("/");
	} else {
	setMessage(response.data.message ?? "Failed to save token.");
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/components/SetToken.tsx` around lines 30 - 33, The handler in the
SetToken component currently only acts when response.data.success is true; add
an else branch after the if (response.data.success) block to explicitly set an
error message in component state (use the existing message setter, e.g.,
setMessage) and avoid silent failures; prefer using response.data.message if
present, otherwise set a generic failure string—keep calls to updateToken(token)
and navigate("/") only inside the success branch.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Unify user identifier contract (id vs _id) across backend/frontend.

UserData requires _id, but current auth payload uses id. This mismatch is brittle and can break state handling unless every caller remaps fields.

Suggested patch (frontend contract-side)

 export interface UserData {
-  _id: string;
+  id: string;
+  _id?: string;
   username: string;
   email: string;
   token?: string;
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/context/UserContext.tsx` around lines 3 - 8, UserData currently declares
_id while backend auth payload uses id; update the frontend contract to accept
the backend shape by replacing or supporting _id with id: change the UserData
interface (symbol: UserData in src/context/UserContext.tsx) so it uses id:
string instead of _id, or allow both by adding id?: string and
mapping/normalizing when consuming auth payloads (e.g., normalizeAuthPayload
functions or where setUser is called) so the app consistently uses user.id
internally; ensure all usages of UserData (state, setUser, selectors) read the
normalized id field.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Decouple login success flow from message text and guard missing user payload.

The post-login branch is tied to an exact message string and assumes response.data.user exists. A backend copy change or malformed success payload can skip navigation or crash on userData.token.

Suggested fix

-      if (response.data.message === "Login successful") {
-        const userData = response.data.user;
-        setUser(userData);
-        if (!userData.token) {
-          navigate("/enterToken");
-        } else {
-          navigate("/");
-        }
-      }
+      const userData = response.data?.user;
+      if (response.status === 200 && userData) {
+        setUser(userData);
+        navigate(userData.token ? "/" : "/enterToken");
+      } else {
+        setMessage(response.data?.message || "Login failed");
+      }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/Login/Login.tsx` around lines 44 - 51, The login code currently
checks response.data.message === "Login successful" and assumes
response.data.user exists; change the branch to rely on a stable success
indicator (e.g., HTTP status or a boolean like response.data.success) instead of
a specific message string, guard against a missing user payload before calling
setUser/navigating (check response.data.user and handle null/undefined by
showing an error or fallback), and when user object exists use user.token to
choose navigate("/enterToken") vs navigate("/"); update references in this flow
(response, response.data, setUser, userData, token, navigate) accordingly.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Use a non-GET request for logout.

Logout mutates session state and should not be invoked with GET. Using POST (and matching backend route) reduces CSRF/safe-method exposure.

Suggested fix

-      await axios.get(`${backendUrl}/api/auth/logout`, { withCredentials: true });
+      await axios.post(
+        `${backendUrl}/api/auth/logout`,
+        {},
+        { withCredentials: true },
+      );

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const handleLogout = async () => {
	try {
	await axios.get(`${backendUrl}/api/auth/logout`, { withCredentials: true });
	} finally {
	setUser(null);
	navigate("/login");
	}
	const handleLogout = async () => {
	try {
	await axios.post(
	`${backendUrl}/api/auth/logout`,
	{},
	{ withCredentials: true },
	);
	} finally {
	setUser(null);
	navigate("/login");
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/Profile/Profile.tsx` around lines 23 - 29, handleLogout currently
calls axios.get to /api/auth/logout which uses a GET for a state-changing
operation; change the request to use axios.post (e.g., await
axios.post(`${backendUrl}/api/auth/logout`, {}, { withCredentials: true })) and
ensure the backend route that handles logout accepts POST; keep the finally
behavior (setUser(null); navigate("/login")) and retain withCredentials so
cookies/session are sent.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Block empty or whitespace-only token saves.

Token submission currently accepts blank/whitespace input, which can save unusable credentials and keep users stuck in token setup flows.

Suggested fix

   const handleSaveToken = async (e: React.FormEvent) => {
     e.preventDefault();
+    const trimmedToken = token.trim();
+    if (!trimmedToken) {
+      setError("Token is required.");
+      return;
+    }
     setIsLoading(true);
     setError("");
     setSaved(false);
     try {
       const response = await axios.post(
         `${backendUrl}/api/auth/token`,
-        { token },
+        { token: trimmedToken },
         { withCredentials: true }
       );
       if (response.data.success) {
-        updateToken(token);
+        updateToken(trimmedToken);
         setSaved(true);
         setTimeout(() => setSaved(false), 3000);
       }

Also applies to: 112-118

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/Profile/Profile.tsx` around lines 38 - 45, The token submission
allows blank/whitespace values; before calling axios.post and before calling
updateToken/setSaved validate the token by trimming it and rejecting empty
strings (e.g. const cleaned = token.trim(); if (!cleaned) return/show validation
error). Apply the same trim-and-non-empty check in both places where tokens are
saved (the block that calls axios.post(...) and the other save path around
updateToken/setSaved referenced at lines 112-118) so only non-empty trimmed
tokens are posted and persisted.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Gate auto-fetch by token presence.

This effect fetches on username debounce even when token is empty, which can create repeated unauthenticated calls and noisy error states.

Suggested fix

-  useEffect(() => {
-    if (debouncedUsername) {
+  useEffect(() => {
+    if (debouncedUsername && token.trim()) {
       setPage(0);
       fetchData(debouncedUsername, 1, ROWS_PER_PAGE);
     }
   }, [debouncedUsername, token]);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	useEffect(() => {
	if (debouncedUsername) {
	setPage(0);
	fetchData(debouncedUsername, 1, ROWS_PER_PAGE);
	}
	}, [debouncedUsername, token]);
	useEffect(() => {
	if (debouncedUsername && token.trim()) {
	setPage(0);
	fetchData(debouncedUsername, 1, ROWS_PER_PAGE);
	}
	}, [debouncedUsername, token]);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/Tracker/Tracker.tsx` around lines 93 - 98, The effect currently
triggers fetchData when debouncedUsername changes even if token is empty; update
the useEffect conditional to require a truthy token before auto-fetching (e.g.,
change the inner if to check both debouncedUsername and token), so call
setPage(0) and fetchData(debouncedUsername, 1, ROWS_PER_PAGE) only when token is
present; keep token in the dependency array and use the existing symbols
useEffect, debouncedUsername, token, setPage, fetchData, and ROWS_PER_PAGE to
locate the change.

[anshggss]

Hey @mehul-m-prajapati can you check my pr and and merge?

[github-actions]

🎉🎉 Thank you for your contribution! Your PR #490 has been merged! 🎉🎉