Fix session validation and null userId in localStorage operations

[Copilot]

Addresses race conditions and null reference bugs in user settings persistence that could cause cross-user data leakage and localStorage corruption.

Changes

Prevent null userId in localStorage keys (user-settings.ts:196-204)

• onMutate now derives userId from supabase.auth.getSession() instead of currentUserIdRef.current
• Skips localStorage writes when userId is unavailable (prevents showBunkCalc_null keys)

Add cross-user validation in session checks (user-settings.ts:254-259)

• validateActiveSession(expectedUserId, isComponentMounted) now verifies session.user.id === expectedUserId
• Prevents stale async operations from writing settings for the wrong user after logout/login

Handle getSession() failures gracefully (user-settings.ts:269-275)

• Wrapped sync effect IIFE in try/catch to prevent unhandled rejections on transient auth/network errors

Prevent unmount race in CourseCard (course-card.tsx:75-84)

• Added isMounted guard to skip setShowBunkCalc after component unmounts

Use static imports (course-card.tsx:1-14)

• Replaced dynamic import("@/lib/supabase/client") with static import
• Switched console.debug → logger.dev for consistency

// Before: null userId creates invalid keys
localStorage.setItem(`showBunkCalc_${currentUserIdRef.current}`, ...);  // "showBunkCalc_null"

// After: skip writes when no session
const { data: { session } } = await supabase.auth.getSession();
const userId = session?.user?.id;
if (userId) {
  localStorage.setItem(`showBunkCalc_${userId}`, ...);
}

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

This PR hardens client-side user settings persistence by preventing null/incorrect user-scoped localStorage keys and adding session/user validation to avoid stale async writes leaking settings across users.

Changes:

• Derives userId from supabase.auth.getSession() for user-scoped localStorage keys and skips writes when userId is unavailable.
• Adds cross-user validation to storage sync (session.user.id === expectedUserId) and wraps the async sync effect in try/catch to avoid unhandled rejections.
• Updates CourseCard to use static Supabase imports, logger.dev, and an isMounted guard to prevent setState after unmount.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
src/providers/user-settings.ts	Prevents null-key localStorage writes; adds expected-user session validation and error handling around async sync logic.
src/components/attendance/course-card.tsx	Prevents unmount race in async setting load; replaces dynamic import + console.debug with static imports + logger.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

onMutate performs localStorage.setItem(...) writes without guarding for storage failures (e.g., Safari private mode / blocked storage / quota exceeded). If this throws, it can reject onMutate and potentially abort/rollback the mutation even though storage persistence is intended as best-effort. Consider wrapping the localStorage writes (and related side effects) in a try/catch and logging via logger.dev, similar to how storage writes are handled in login-form.tsx.

[Copilot]

validateActiveSession takes isComponentMounted: boolean, but passing isMounted here only passes a snapshot of the value at call time. If the effect unmounts while awaiting getSession(), validateActiveSession(...) can still return true, and callers may continue with side effects (notably the mutateSettings(...) call in the settings === null branch) after unmount. Prefer closing over the isMounted flag (or passing a () => boolean / AbortSignal) and re-checking mount state immediately after awaiting before doing side effects/mutations.