fix(mobile): harden native OAuth bridge (review follow-ups)#250
Adversarial self-review of #248 (CodeRabbit was rate-limited and never reviewed it). The bridge is structurally sound — these are the confirmed follow-ups:

- Add a route test for `/api/native-auth/mint` (the cookie-authed endpoint had no route-glue coverage while `claim` did): no-session 401s, valid-session mint, and `no-store` headers.
- Add a regression test for the native-bridge page (mint POST -> App Link with the `?code=` contract -> redirect; error path).
- `/api/native-auth/claim`: add the in-process rate limiter used by the other 12+ public endpoints (best-effort/consistency — the 256-bit, 60s, single-use code is the real guard; the limiter resets on Vercel cold starts).
- native-bridge page: 10s `AbortController` on the mint fetch so an accept-then-hang server surfaces the error UI instead of a stuck Custom Tab; abort on unmount.
- Fix two stale/incorrect comments: native-done claimed a non-existent manual code-entry recovery; native-auth-bridge cited `/api/auth/native-claim` (the real path is `/api/native-auth/claim`).

The review also flagged `native-auth-return.ts:11` for the same comment fix — a false positive; that comment is already correct, so no change there.
Why
#248 (in-app native Google sign-in) merged without a CodeRabbit review — CodeRabbit was rate-limited at the time and its incremental engine now treats those commits as "already reviewed," so it won't re-review them. I ran an adversarial self-review instead (4 reviewers across security / correctness / mobile-App-Link / data+tests, then per-finding verification).
Verdict: the bridge is structurally sound — 256-bit single-use codes, atomic `DELETE … RETURNING` claim, HttpOnly + SameSite CSRF safety, no token-in-URL. Nothing above medium. These are the confirmed follow-ups (hardening + test coverage + doc accuracy), not hole-plugging.

Changes

- `/api/native-auth/mint` — the cookie-authed endpoint had no route-glue test while `claim` did (no-session 401s, valid-session mint, `no-store`).
- `native-bridge` page — mint POST → App Link `?code=` contract → redirect, plus the error path.
- `/api/native-auth/claim` — matches the 12+ other public endpoints. Best-effort/consistency only (resets on Vercel cold starts); the 256-bit/60s/single-use code is the real guard.
- `AbortController` on the mint fetch — an accept-then-hang server now surfaces the error UI instead of a stuck Custom Tab; aborts on unmount.
- `native-done` claimed a non-existent manual code-entry recovery; `native-auth-bridge` cited `/api/auth/native-claim` (real path `/api/native-auth/claim`).

The review also flagged `native-auth-return.ts:11` for the same comment fix — a false positive; that comment is already correct, so no change.

Deliberately not done (settled design): no custom-scheme fallback, no web-side code-entry form, Bearer→Keystore stays a Phase 3 item.
Validation
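The mint -> claim hand-off and the best-effort limiter the PR describes, as an added TypeScript example that is not code from #250 or from the project. It uses an in-memory `Map` as a stand-in for the database table (the project's real claim is an atomic `DELETE … RETURNING`), keeps the PR's 256-bit / 60 s / single-use contract, checks the shape of the `?code=` value an App Link carries, and puts a fixed-window in-process limiter in front of the claim. The function and class names (`mintCode`, `claimCode`, `isWellFormedCode`, `parseCodeFromAppLink`, `FixedWindowLimiter`, `handleClaim`) and the 10-per-minute budget are assumptions, not the project's API.

```typescript
// Added example, not the project's code. Models the mint -> claim hand-off
// from the PR with an in-memory Map standing in for the database table; the
// real claim is an atomic DELETE ... RETURNING. Names and the limiter budget
// are assumptions.
import { randomBytes } from "crypto";

const CODE_TTL_MS = 60_000;   // a minted code is valid for 60 s (per the PR)
const CODE_BYTES = 32;        // 256 bits of entropy (per the PR)
const CODE_LENGTH = 43;       // 32 bytes as unpadded base64url
const CODE_SHAPE = new RegExp(`^[A-Za-z0-9_-]{${CODE_LENGTH}}$`);

interface PendingCode {
  sessionToken: string;       // handed to the app on a successful claim
  expiresAt: number;          // epoch milliseconds
}

// Process-local store: fine for a demo, not for a multi-instance deployment.
const pending = new Map<string, PendingCode>();

/** Mint a single-use code for a session the cookie has already authenticated. */
export function mintCode(sessionToken: string, now: number = Date.now()): string {
  const code = randomBytes(CODE_BYTES).toString("base64url");
  pending.set(code, { sessionToken, expiresAt: now + CODE_TTL_MS });
  return code;
}

/**
 * Claim a code: remove it before deciding anything, so a replayed App Link or
 * a retried request finds nothing. Expired codes are removed and rejected too.
 */
export function claimCode(code: string, now: number = Date.now()): string | null {
  const rec = pending.get(code);
  pending.delete(code);       // single use, whatever the outcome below
  if (!rec || now >= rec.expiresAt) return null;
  return rec.sessionToken;
}

/** Cheap shape check so malformed input never reaches the store lookup. */
export function isWellFormedCode(code: unknown): code is string {
  return typeof code === "string" && CODE_SHAPE.test(code);
}

/** Pull the `code` query parameter out of the App Link the bridge page redirects to. */
export function parseCodeFromAppLink(link: string): string | null {
  let url: URL;
  try { url = new URL(link); } catch { return null; }
  const code = url.searchParams.get("code");
  return isWellFormedCode(code) ? code : null;
}

/**
 * Best-effort in-process fixed-window limiter: `limit` requests per `windowMs`
 * per key. Like the PR's limiter it lives in memory, so a cold start resets it;
 * the single-use code, not this, is what stops a guessed or replayed claim.
 */
export class FixedWindowLimiter {
  private readonly buckets = new Map<string, { windowStart: number; count: number }>();
  private readonly limit: number;
  private readonly windowMs: number;

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  allow(key: string, now: number = Date.now()): boolean {
    const b = this.buckets.get(key);
    if (!b || now - b.windowStart >= this.windowMs) {
      this.buckets.set(key, { windowStart: now, count: 1 });
      return true;
    }
    if (b.count >= this.limit) return false;
    b.count += 1;
    return true;
  }
}

// Assumed budget: 10 claim attempts per client key per minute.
export const claimLimiter = new FixedWindowLimiter(10, 60_000);

export interface ClaimResult { status: 200 | 400 | 429; token?: string }

/** Claim endpoint decision order: limiter first, then shape, then the single-use lookup. */
export function handleClaim(clientKey: string, code: unknown, now: number = Date.now()): ClaimResult {
  if (!claimLimiter.allow(clientKey, now)) return { status: 429 };
  if (!isWellFormedCode(code)) return { status: 400 };
  const token = claimCode(code, now);
  return token ? { status: 200, token } : { status: 400 };
}
```

Two details worth noting: `claimCode` deletes before it inspects, which is the in-memory equivalent of the atomic delete-and-return the PR relies on, so a second presentation of the same code can never succeed; and `handleClaim` answers 400 for both an unknown and an already-claimed code, so the response does not reveal which of the two it was.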