fix(mobile): harden native OAuth bridge (review follow-ups)#250

Merged
RyRy79261 merged 1 commit into
mainfrom
fix/native-oauth-review-followups
Jun 20, 2026

Conversation

@RyRy79261

Owner

Why

#248 (in-app native Google sign-in) merged without a CodeRabbit review — CodeRabbit was rate-limited at the time and its incremental engine now treats those commits as "already reviewed," so it won't re-review them. I ran an adversarial self-review instead (4 reviewers across security / correctness / mobile-App-Link / data+tests, then per-finding verification).

Verdict: the bridge is structurally sound — 256-bit single-use codes, atomic DELETE … RETURNING claim, HttpOnly + SameSite CSRF safety, no token-in-URL. Nothing above medium. These are the confirmed follow-ups (hardening + test coverage + doc accuracy), not hole-plugging.

Changes

| Sev | Fix |
| --- | --- |
| med | Route test for /api/native-auth/mint — the cookie-authed endpoint had no route-glue test while claim did (no-session 401s, valid-session mint, no-store). |
| low | Regression test for native-bridge page — mint POST → App Link ?code= contract → redirect, plus the error path. |
| low | Rate limiter on /api/native-auth/claim — matches the 12+ other public endpoints. Best-effort/consistency only (resets on Vercel cold starts); the 256-bit/60s/single-use code is the real guard. |
| low | 10s AbortController on the mint fetch — an accept-then-hang server now surfaces the error UI instead of a stuck Custom Tab; aborts on unmount. |
| low | Two stale comments fixed — native-done claimed a non-existent manual code-entry recovery; native-auth-bridge cited /api/auth/native-claim (real path /api/native-auth/claim). |

The review also flagged native-auth-return.ts:11 for the same comment fix — a false positive; that comment is already correct, so no change.

Deliberately not done (settled design): no custom-scheme fallback, no web-side code-entry form, Bearer→Keystore stays a Phase 3 item.

Validation

  • 215 test files / 2064 tests pass; typecheck + lint clean; capacitor static export builds.

Adversarial self-review of #248 (CodeRabbit was rate-limited and never reviewed
it). The bridge is structurally sound — these are the confirmed follow-ups:

- Add a route test for /api/native-auth/mint (the cookie-authed endpoint had no
  route-glue coverage while claim did): no-session 401s, valid-session mint, and
  no-store headers.
- Add a regression test for the native-bridge page (mint POST -> App Link with the
  ?code= contract -> redirect; error path).
- /api/native-auth/claim: add the in-process rate limiter used by the other 12+
  public endpoints (best-effort/consistency — the 256-bit, 60s, single-use code
  is the real guard; the limiter resets on Vercel cold starts).
- native-bridge page: 10s AbortController on the mint fetch so an accept-then-hang
  server surfaces the error UI instead of a stuck Custom Tab; abort on unmount.
- Fix two stale/incorrect comments: native-done claimed a non-existent manual
  code-entry recovery; native-auth-bridge cited /api/auth/native-claim (the real
  path is /api/native-auth/claim).

The review also flagged native-auth-return.ts:11 for the same comment fix — a
false positive; that comment is already correct, so no change there.
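The handoff the description above sketches (mint under the cookie session, a 256-bit single-use code with a 60s lifetime, an atomic claim, a best-effort in-process rate limiter on claim, and a mint fetch that aborts after a timeout or on unmount), as an added TypeScript example. This is not the intake-tracker project's code: a Map stands in for the database table and the project's DELETE … RETURNING claim is modelled by a synchronous get-and-delete, the clock is injected so expiry is testable, `fetchImpl` is injected so the abort wiring runs without a network, and the class names, the fixed-window limiter shape and the 429/400 status choices are all assumptions made here.

```typescript
// Added example, not the intake-tracker project's code. Models the native OAuth
// handoff from the PR: mint under the cookie session, a 256-bit single-use code
// with a 60s lifetime, an atomic claim, a best-effort in-process rate limiter,
// and a mint fetch that aborts on timeout or page unmount.
// Assumptions: a Map stands in for the database table; the clock is injected so
// expiry can be tested; class, function and status-code choices are constructed.
import { randomBytes } from "node:crypto";

export const CODE_TTL_MS = 60_000; // 60s lifetime, as in the PR description

interface PendingCode {
  sessionId: string;
  expiresAt: number;
}

export class NativeAuthCodes {
  private readonly pending = new Map<string, PendingCode>();
  constructor(private readonly now: () => number = Date.now) {}

  // mint: the cookie-authenticated side issues 32 random bytes (256 bits) as hex.
  mint(sessionId: string): string {
    const code = randomBytes(32).toString("hex");
    this.pending.set(code, { sessionId, expiresAt: this.now() + CODE_TTL_MS });
    return code;
  }

  // claim: single use. The project's DELETE ... RETURNING removes and returns in
  // one statement; here the synchronous get + delete cannot interleave with
  // another claim, so two claims of one code can never both succeed. Expired
  // codes are deleted and rejected, and unknown and expired look identical to
  // the caller, so a response never reveals whether a code ever existed.
  claim(code: string): string | null {
    const row = this.pending.get(code);
    if (!row) return null;
    this.pending.delete(code);
    return row.expiresAt > this.now() ? row.sessionId : null;
  }
}

// Best-effort in-process fixed-window limiter keyed by client address. State is
// in memory, so it resets on a cold start; the single-use code stays the real guard.
export class FixedWindowLimiter {
  private readonly hits = new Map<string, { count: number; windowStart: number }>();
  constructor(
    private readonly limit: number,
    private readonly windowMs: number,
    private readonly now: () => number = Date.now,
  ) {}

  allow(key: string): boolean {
    const t = this.now();
    const entry = this.hits.get(key);
    if (!entry || t - entry.windowStart >= this.windowMs) {
      this.hits.set(key, { count: 1, windowStart: t });
      return true;
    }
    entry.count += 1;
    return entry.count <= this.limit;
  }
}

export type ClaimResult = { status: 200; sessionId: string } | { status: 400 | 429 };

// Claim handler: limiter first, then a strict shape check, then the single-use
// claim. The 429/400 codes are constructed for this example.
export function handleClaim(
  limiter: FixedWindowLimiter,
  codes: NativeAuthCodes,
  clientIp: string,
  code: unknown,
): ClaimResult {
  if (!limiter.allow(clientIp)) return { status: 429 };
  if (typeof code !== "string" || !/^[0-9a-f]{64}$/.test(code)) return { status: 400 };
  const sessionId = codes.claim(code);
  return sessionId === null ? { status: 400 } : { status: 200, sessionId };
}

// Client side: the mint POST carries an AbortSignal that fires on timeout or on
// unmount, so an accept-then-hang server surfaces an error instead of a stuck tab.
type MintInit = { method: "POST"; credentials: "include"; signal: AbortSignal };

export function mintWithTimeout(
  fetchImpl: (url: string, init: MintInit) => Promise<unknown>,
  url: string,
  timeoutMs: number,
  unmountSignal: AbortSignal,
): { promise: Promise<unknown>; signal: AbortSignal } {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  const onUnmount = () => controller.abort();
  if (unmountSignal.aborted) controller.abort(); // already gone: abort immediately
  unmountSignal.addEventListener("abort", onUnmount, { once: true });
  const cleanup = () => {
    clearTimeout(timer);
    unmountSignal.removeEventListener("abort", onUnmount);
  };
  controller.signal.addEventListener("abort", cleanup, { once: true });
  const promise = fetchImpl(url, { method: "POST", credentials: "include", signal: controller.signal })
    .then((res) => { cleanup(); return res; }, (err) => { cleanup(); throw err; });
  return { promise, signal: controller.signal };
}
```

The claim path checks the limiter before touching the code store, so a flood of malformed requests consumes the limiter budget rather than Map lookups, and the timer and unmount listener are both released whichever of timeout, unmount or completion wins, so an aborted mint leaves no dangling handles.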
@vercel

vercel Bot commented Jun 19, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| intake-tracker | Ready | Preview, Comment | Jun 19, 2026 6:05pm |

@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Contributor

Warning

Review limit reached

@RyRy79261, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 22 minutes and 43 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9906d06c-404a-4f84-8d98-127f55161032

📥 Commits

Reviewing files that changed from the base of the PR and between b5175d5 and 87b7d5d.

📒 Files selected for processing (6)
  • apps/web/src/app/api/native-auth/claim/route.ts
  • apps/web/src/app/api/native-auth/mint/route.test.ts
  • apps/web/src/app/auth/native-bridge/page.test.tsx
  • apps/web/src/app/auth/native-bridge/page.tsx
  • apps/web/src/app/auth/native-done/page.tsx
  • apps/web/src/lib/native-auth-bridge.ts


@github-actions

Contributor

Coverage Report for apps/web

| Status | Category | Percentage | Covered / Total |
| --- | --- | --- | --- |
| 🔵 | Lines | 56.27% (🎯 54%) | 6672 / 11856 |
| 🔵 | Statements | 54.89% (🎯 53%) | 7120 / 12970 |
| 🔵 | Functions | 45.93% (🎯 45%) | 1480 / 3222 |
| 🔵 | Branches | 46.68% (🎯 44%) | 4006 / 8580 |
Generated in workflow #470 for commit 87b7d5d by the Vitest Coverage Report Action

@RyRy79261 RyRy79261 merged commit 130b380 into main Jun 20, 2026
22 checks passed