Skip to content

Comments

resend: fix payload mismatch in summary cron job#1186

Merged
elie222 merged 3 commits intomainfrom
fix/resend-summary-payload-mismatch
Jan 4, 2026
Merged

resend: fix payload mismatch in summary cron job#1186
elie222 merged 3 commits intomainfrom
fix/resend-summary-payload-mismatch

Conversation

@elie222
Copy link
Owner

@elie222 elie222 commented Jan 4, 2026
edited by coderabbitai bot
Loading

User description

Fixes the mismatch between /api/resend/summary/all (sender) and /api/resend/summary (receiver) payloads.

  • Moved validation schema to a shared file
  • Updated cron job to send emailAccountId instead of email
  • Added type safety to QStash enqueuing to prevent future mismatches

Generated description

Below is a concise technical summary of the changes proposed in this PR:
Align the payload structure for the resend summary cron job by sending emailAccountId instead of email and centralizing its validation schema. Update the Outlook account linking process to consistently use providerAccountId for identifying existing accounts.

TopicDetails
Outlook Linking Update Update the Outlook account linking process to consistently use providerAccountId for identifying existing accounts and simplify the account lookup logic by removing redundant email-based searches.
Modified files (1)
  • apps/web/app/api/outlook/linking/callback/route.ts
Latest Contributors(2)
UserCommitDate
elie222Don-t-force-user-to-lo...December 04, 2025
eduardoleliss@gmail.comPR-feedbackAugust 29, 2025
Resend Payload Fix Align the payload structure for the resend summary cron job by sending emailAccountId instead of email and centralizing the validation schema for type safety in QStash enqueuing.
Modified files (3)
  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/route.ts
  • apps/web/app/api/resend/summary/all/route.ts
Latest Contributors(2)
UserCommitDate
elie222clean-up-resend-summar...January 03, 2026
eduardo.lelis@withjoy.comAdressing-PR-Feedback....June 12, 2025
 This pull request is reviewed by Baz. Review like a pro on (Baz).

Summary by CodeRabbit

Release Notes

  • Refactor
    • Streamlined account identification logic to use unique identifiers instead of email addresses.
    • Extracted and centralized validation schemas for email operations across the API.

✏️ Tip: You can customize this high-level summary in your review settings.

elie222 added 3 commits January 4, 2026 10:18
@elie222
fix(security): remove email-based fallback in Microsoft OAuth linking
4bac86f 
Removes insecure email-based account matching that could allow account
hijacking when different Microsoft accounts share the same email address
(e.g., shared mailboxes). Now matches solely by provider ID, consistent
with Google OAuth implementation.
@elie222
provider account id microsoft
b2cd44e
@elie222
fix(resend): fix payload mismatch in summary cron job
83f7b89
@vercel
Copy link

vercel bot commented Jan 4, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
inbox-zero Ready Ready Preview Jan 4, 2026 8:32am

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Jan 4, 2026
edited
Loading

📝 Walkthrough

Walkthrough

Refactors account identification across Outlook linking and Resend summary endpoints from email-based lookups to ID-based identification, and extracts shared validation schemas into a dedicated module.

Changes

Cohort / File(s) Summary
Outlook linking callback refactoring
apps/web/app/api/outlook/linking/callback/route.ts		 Simplifies account identification to use providerAccountId (from profile.id) exclusively, removing email-based lookup path; updates validation and account lookup/creation logic accordingly; replaces all microsoftProviderAccountId and email-based references with new providerAccountId variable
Resend summary payload refactoring
apps/web/app/api/resend/summary/all/route.ts		 Changes from email-based to ID-based identification; updates Prisma select from email to id; replaces payload field from { email } to { emailAccountId }; updates error logging to reference emailAccountId
Validation schema extraction
apps/web/app/api/resend/summary/route.ts, apps/web/app/api/resend/summary/validation.ts		 Extracts inline Zod schema from route handler to dedicated validation module; route now imports sendSummaryEmailBody from ./validation instead of defining it locally; new module exports schema and inferred type SendSummaryEmailBody

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • #1172 — Applies the same pattern of switching EmailAccount identification from email field to ID in Prisma queries
  • #1069 — Modifies the same Outlook linking callback route with different account identification logic changes
  • #187 — Modifies the same resend summary endpoints and validation structures

Poem

🐰 IDs instead of emails we now hold,
Validation schemas, neatly scrolled,
Outlook links grow ever fine,
Resend summaries by ID align,
Simpler paths through code we've traced!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: fixing a payload mismatch in the resend summary cron job by aligning sender and receiver endpoints to use emailAccountId consistently.
✨ Finishing touches
  • 📝 Generate docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@macroscopeapp
Copy link
Contributor

macroscopeapp bot commented Jan 4, 2026
edited
Loading

Fix Resend summary cron by enqueueing emailAccountId payloads and require providerAccountId + email in GET /api/outlook/linking/callback

Switch the Resend summary cron job to publish emailAccountId payloads and validate them via a new shared schema; update the Outlook linking callback to require profile.id and email and resolve accounts only by providerAccountId.

📍Where to Start

Start with the sendSummaryAllUpdate publisher in apps/web/app/api/resend/summary/all/route.ts, then review the request validation in apps/web/app/api/resend/summary/validation.ts, and finally the account resolution logic in apps/web/app/api/outlook/linking/callback/route.ts.

📊 Macroscope summarized 83f7b89. 3 files reviewed, 2 issues evaluated, 2 issues filtered, 0 comments posted. View details

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Jan 4, 2026
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 4 files

coderabbitai[bot]
coderabbitai bot reviewed Jan 4, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
apps/web/app/api/resend/summary/validation.ts (1)

3-5: Consider adding stricter validation for emailAccountId.

The current schema only validates that emailAccountId is a string. Consider adding .min(1) to prevent empty strings, which would cause database query failures.

🔎 Proposed enhancement 
 export const sendSummaryEmailBody = z.object({
-  emailAccountId: z.string(),
+  emailAccountId: z.string().min(1),
 });
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 52a2895 and 83f7b89.

📒 Files selected for processing (4)
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/resend/summary/route.ts
  • apps/web/app/api/resend/summary/validation.ts
🧰 Additional context used
📓 Path-based instructions (20)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/data-fetching.mdc)

**/*.{ts,tsx}: For API GET requests to server, use the swr package
Use result?.serverError with toastError from @/components/Toast for error handling in async operations

**/*.{ts,tsx}: Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls
Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls
Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

**/*.{ts,tsx}: For early access feature flags, create hooks using the naming convention use[FeatureName]Enabled that return a boolean from useFeatureFlagEnabled("flag-key")
For A/B test variant flags, create hooks using the naming convention use[FeatureName]Variant that define variant types, use useFeatureFlagVariantKey() with type casting, and provide a default "control" fallback
Use kebab-case for PostHog feature flag keys (e.g., inbox-cleaner, pricing-options-2)
Always define types for A/B test variant flags (e.g., type PricingVariant = "control" | "variant-a" | "variant-b") and provide type safety through type casting

**/*.{ts,tsx}: Don't use primitive type aliases or misleading types
Don't use empty type parameters in type aliases and interfaces
Don't use this and super in static contexts
Don't use any or unknown as type constraints
Don't use the TypeScript directive @ts-ignore
Don't use TypeScript enums
Don't export imported variables
Don't add type annotations to variables, parameters, and class properties that are initialized with literal expressions
Don't use TypeScript namespaces
Don't use non-null assertions with the ! postfix operator
Don't use parameter properties in class constructors
Don't use user-defined types
Use as const instead of literal types and type annotations
Use either T[] or Array<T> consistently
Initialize each enum member value explicitly
Use export type for types
Use `impo...

Files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/prisma-enum-imports.mdc)

Always import Prisma enums from @/generated/prisma/enums instead of @/generated/prisma/client to avoid Next.js bundling errors in client components

Import Prisma using the project's centralized utility: import prisma from '@/utils/prisma'

Files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
apps/web/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/project-structure.mdc)

Import specific lodash functions rather than entire lodash library to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

apps/web/**/*.{ts,tsx}: Use TypeScript with strict null checks
Do not export types/interfaces that are only used within the same file. Export later if needed

Files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
apps/web/app/api/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/security-audit.mdc)

apps/web/app/api/**/*.{ts,tsx}: API routes must use withAuth, withEmailAccount, or withError middleware for authentication
All database queries must include user scoping with emailAccountId or userId filtering in WHERE clauses
Request parameters must be validated before use; avoid direct parameter usage without type checking
Use generic error messages instead of revealing internal details; throw SafeError instead of exposing user IDs, resource IDs, or system information
API routes should only return necessary fields using select in database queries to prevent unintended information disclosure
Cron endpoints must use hasCronSecret or hasPostCronSecret to validate cron requests and prevent unauthorized access
Request bodies should use Zod schemas for validation to ensure type safety and prevent injection attacks

Files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
**/app/api/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/app/api/**/*.ts: ALL API routes that handle user data MUST use appropriate middleware: use withEmailAccount for email-scoped operations, use withAuth for user-scoped operations, or use withError with proper validation for public/custom auth endpoints
Use withEmailAccount middleware for operations scoped to a specific email account, including reading/writing emails, rules, schedules, or any operation using emailAccountId
Use withAuth middleware for user-level operations such as user settings, API keys, and referrals that use only userId
Use withError middleware only for public endpoints, custom authentication logic, or cron endpoints. For cron endpoints, MUST use hasCronSecret() or hasPostCronSecret() validation
Cron endpoints without proper authentication can be triggered by anyone. CRITICAL: All cron endpoints MUST validate cron secret using hasCronSecret(request) or hasPostCronSecret(request) and capture unauthorized attempts with captureException()
Always validate request bodies using Zod schemas to ensure type safety and prevent invalid data from reaching database operations
Maintain consistent error response format across all API routes to avoid information disclosure while providing meaningful error feedback

Files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/*.ts: ALL database queries MUST be scoped to the authenticated user/account by including user/account filtering in WHERE clauses to prevent unauthorized data access
Always validate that resources belong to the authenticated user before performing operations, using ownership checks in WHERE clauses or relationships
Always validate all input parameters for type, format, and length before using them in database queries
Use SafeError for error responses to prevent information disclosure. Generic error messages should not reveal internal IDs, logic, or resource ownership details
Only return necessary fields in API responses using Prisma's select option. Never expose sensitive data such as password hashes, private keys, or system flags
Prevent Insecure Direct Object References (IDOR) by validating resource ownership before operations. All findUnique/findFirst calls MUST include ownership filters
Prevent mass assignment vulnerabilities by explicitly whitelisting allowed fields in update operations instead of accepting all user-provided data
Prevent privilege escalation by never allowing users to modify system fields, ownership fields, or admin-only attributes through user input
All findMany queries MUST be scoped to the user's data by including appropriate WHERE filters to prevent returning data from other users
Use Prisma relationships for access control by leveraging nested where clauses (e.g., emailAccount: { id: emailAccountId }) to validate ownership

Files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
**/*.{tsx,ts}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

**/*.{tsx,ts}: Use Shadcn UI and Tailwind for components and styling
Use next/image package for images
For API GET requests to server, use the swr package with hooks like useSWR to fetch data
For text inputs, use the Input component with registerProps for form integration and error handling

Files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
**/*.{tsx,ts,css}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

Implement responsive design with Tailwind CSS using a mobile-first approach

Files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

**/*.{js,jsx,ts,tsx}: Don't use accessKey attribute on any HTML element
Don't set aria-hidden="true" on focusable elements
Don't add ARIA roles, states, and properties to elements that don't support them
Don't use distracting elements like <marquee> or <blink>
Only use the scope prop on <th> elements
Don't assign non-interactive ARIA roles to interactive HTML elements
Make sure label elements have text content and are associated with an input
Don't assign interactive ARIA roles to non-interactive HTML elements
Don't assign tabIndex to non-interactive HTML elements
Don't use positive integers for tabIndex property
Don't include "image", "picture", or "photo" in img alt prop
Don't use explicit role property that's the same as the implicit/default role
Make static elements with click handlers use a valid role attribute
Always include a title element for SVG elements
Give all elements requiring alt text meaningful information for screen readers
Make sure anchors have content that's accessible to screen readers
Assign tabIndex to non-interactive HTML elements with aria-activedescendant
Include all required ARIA attributes for elements with ARIA roles
Make sure ARIA properties are valid for the element's supported roles
Always include a type attribute for button elements
Make elements with interactive roles and handlers focusable
Give heading elements content that's accessible to screen readers (not hidden with aria-hidden)
Always include a lang attribute on the html element
Always include a title attribute for iframe elements
Accompany onClick with at least one of: onKeyUp, onKeyDown, or onKeyPress
Accompany onMouseOver/onMouseOut with onFocus/onBlur
Include caption tracks for audio and video elements
Use semantic elements instead of role attributes in JSX
Make sure all anchors are valid and navigable
Ensure all ARIA properties (aria-*) are valid
Use valid, non-abstract ARIA roles for elements with ARIA roles
Use valid AR...

Files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
!(pages/_document).{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

Don't use the next/head module in pages/_document.js on Next.js projects

Files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

**/*.{js,ts,jsx,tsx}: Use lodash utilities for common operations (arrays, objects, strings)
Import specific lodash functions to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

Files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
apps/web/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/**/*.{ts,tsx,js,jsx}: Use @/ path aliases for imports from project root
Prefer self-documenting code over comments; use descriptive variable and function names instead of explaining intent with comments
Add helper functions to the bottom of files, not the top
All imports go at the top of files, no mid-file dynamic imports

Files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
apps/web/app/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

Follow NextJS app router structure with (app) directory

Files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
apps/web/**/*.{ts,tsx,js,jsx,json,css}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

Format code with Prettier

Files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
apps/web/**/*.{example,ts,json}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

Add environment variables to .env.example, env.ts, and turbo.json

Files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
apps/web/app/api/**/*.ts

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/app/api/**/*.ts: Create GET API routes wrapped with withAuth or withEmailAccount middleware for fetching data
Export response types from GET API routes using export type GetXResponse = Awaited<ReturnType<typeof getData>>

Files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
apps/web/app/api/**/route.ts

📄 CodeRabbit inference engine (.cursor/rules/fullstack-workflow.mdc)

apps/web/app/api/**/route.ts: Create GET API routes using withAuth or withEmailAccount middleware in apps/web/app/api/*/route.ts, export response types as GetExampleResponse type alias for client-side type safety
Always export response types from GET routes as Get[Feature]Response using type inference from the data fetching function for type-safe client consumption
Do NOT use POST API routes for mutations - always use server actions with next-safe-action instead

Files:

  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
**/app/**/route.ts

📄 CodeRabbit inference engine (.cursor/rules/get-api-route.mdc)

**/app/**/route.ts: Always wrap GET API route handlers with withAuth or withEmailAccount middleware for consistent error handling and authentication in Next.js App Router
Infer and export response type for GET API routes using Awaited<ReturnType<typeof functionName>> pattern in Next.js
Use Prisma for database queries in GET API routes
Return responses using NextResponse.json() in GET API routes
Do not use try/catch blocks in GET API route handlers when using withAuth or withEmailAccount middleware, as the middleware handles error handling

Files:

  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
apps/web/app/**/[!.]*/route.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/project-structure.mdc)

Use kebab-case for route directories in Next.js App Router (e.g., api/hello-world/route)

Files:

  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
**/{app,pages}/**/{route,+page}.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/logging.mdc)

**/{app,pages}/**/{route,+page}.{ts,tsx}: Use middleware wrappers (withError, withAuth, withEmailAccount, withEmailProvider) that automatically create loggers with request context in API routes
Enrich logger context within route handlers using logger.with() to add request-specific fields like messageId

Files:

  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
  • apps/web/app/api/resend/summary/route.ts
🧠 Learnings (29)
📚 Learning: 2025-11-25T14:37:09.306Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/fullstack-workflow.mdc:0-0
Timestamp: 2025-11-25T14:37:09.306Z
Learning: Applies to apps/web/utils/actions/*.validation.ts : Define Zod validation schemas in separate `*.validation.ts` files and export both the schema and inferred type (e.g., `CreateExampleBody`)

Applied to files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/route.ts
📚 Learning: 2025-11-25T14:37:09.306Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/fullstack-workflow.mdc:0-0
Timestamp: 2025-11-25T14:37:09.306Z
Learning: Applies to apps/web/utils/actions/*.validation.ts : Export types from Zod schemas using `z.infer<>` to maintain type safety between validation and client usage

Applied to files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/resend/summary/route.ts
📚 Learning: 2025-11-25T14:39:49.448Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/server-actions.mdc:0-0
Timestamp: 2025-11-25T14:39:49.448Z
Learning: Applies to apps/web/utils/actions/*.validation.ts : Define input validation schemas using Zod in `.validation.ts` files and export both the schema and its inferred TypeScript type

Applied to files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/route.ts
📚 Learning: 2025-11-25T14:39:49.448Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/server-actions.mdc:0-0
Timestamp: 2025-11-25T14:39:49.448Z
Learning: Applies to apps/web/utils/actions/*.validation.ts : Create separate validation files for server actions using the naming convention `apps/web/utils/actions/NAME.validation.ts` containing Zod schemas and inferred types

Applied to files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/route.ts
📚 Learning: 2025-11-25T14:39:08.150Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:08.150Z
Learning: Applies to apps/web/app/api/**/*.{ts,tsx} : Request bodies should use Zod schemas for validation to ensure type safety and prevent injection attacks

Applied to files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/route.ts
📚 Learning: 2025-11-25T14:39:27.909Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:27.909Z
Learning: Applies to **/app/api/**/*.ts : Always validate request bodies using Zod schemas to ensure type safety and prevent invalid data from reaching database operations

Applied to files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/route.ts
📚 Learning: 2025-11-25T14:36:51.389Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/form-handling.mdc:0-0
Timestamp: 2025-11-25T14:36:51.389Z
Learning: Applies to **/*.validation.ts : Define validation schemas using Zod

Applied to files:

  • apps/web/app/api/resend/summary/validation.ts
📚 Learning: 2025-11-25T14:38:07.606Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm.mdc:0-0
Timestamp: 2025-11-25T14:38:07.606Z
Learning: Applies to apps/web/utils/ai/**/*.ts : LLM feature functions must import from `zod` for schema validation, use `createScopedLogger` from `@/utils/logger`, `chatCompletionObject` and `createGenerateObject` from `@/utils/llms`, and import `EmailAccountWithAI` type from `@/utils/llms/types`

Applied to files:

  • apps/web/app/api/resend/summary/validation.ts
  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/resend/summary/route.ts
📚 Learning: 2025-11-25T14:36:53.147Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/form-handling.mdc:0-0
Timestamp: 2025-11-25T14:36:53.147Z
Learning: Applies to **/*.validation.{ts,tsx} : Define validation schemas using Zod

Applied to files:

  • apps/web/app/api/resend/summary/validation.ts
📚 Learning: 2025-11-25T14:39:23.326Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Applies to app/api/**/*.ts : All input parameters must be validated - check for presence, type, and format before use; use Zod schemas to validate request bodies with type guards and constraints

Applied to files:

  • apps/web/app/api/resend/summary/validation.ts
📚 Learning: 2025-11-25T14:39:27.909Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:27.909Z
Learning: Applies to **/app/api/**/*.ts : Use `withEmailAccount` middleware for operations scoped to a specific email account, including reading/writing emails, rules, schedules, or any operation using `emailAccountId`

Applied to files:

  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
📚 Learning: 2025-11-25T14:39:23.326Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Applies to app/api/**/*.ts : Use `withEmailAccount` middleware for operations scoped to a specific email account (reading/writing emails, rules, schedules, etc.) - provides `emailAccountId`, `userId`, and `email` in `request.auth`

Applied to files:

  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
📚 Learning: 2025-11-25T14:39:04.892Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:04.892Z
Learning: Applies to apps/web/app/api/**/route.ts : All database queries must include user/account filtering with `emailAccountId` or `userId` in WHERE clauses to prevent IDOR vulnerabilities

Applied to files:

  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
📚 Learning: 2025-11-25T14:39:23.326Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Applies to app/api/**/*.ts : ALL API routes that handle user data MUST use appropriate middleware: `withEmailAccount` for email-scoped operations, `withAuth` for user-scoped operations, or `withError` with proper validation for public/cron endpoints

Applied to files:

  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
📚 Learning: 2025-11-25T14:39:27.909Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:27.909Z
Learning: Applies to **/app/api/**/*.ts : ALL API routes that handle user data MUST use appropriate middleware: use `withEmailAccount` for email-scoped operations, use `withAuth` for user-scoped operations, or use `withError` with proper validation for public/custom auth endpoints

Applied to files:

  • apps/web/app/api/resend/summary/all/route.ts
  • apps/web/app/api/outlook/linking/callback/route.ts
📚 Learning: 2025-07-17T04:19:57.099Z 
Learnt from: edulelis
Repo: elie222/inbox-zero PR: 576
File: packages/resend/emails/digest.tsx:78-83
Timestamp: 2025-07-17T04:19:57.099Z
Learning: In packages/resend/emails/digest.tsx, the DigestEmailProps type uses `[key: string]: DigestItem[] | undefined | string | Date | undefined` instead of intersection types like `& Record<string, DigestItem[] | undefined>` due to implementation constraints. This was the initial implementation approach and cannot be changed to more restrictive typing.

Applied to files:

  • apps/web/app/api/resend/summary/all/route.ts
📚 Learning: 2025-12-21T12:21:37.794Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-12-21T12:21:37.794Z
Learning: Applies to apps/web/app/api/**/*.ts : Create GET API routes wrapped with `withAuth` or `withEmailAccount` middleware for fetching data

Applied to files:

  • apps/web/app/api/resend/summary/all/route.ts
📚 Learning: 2025-11-25T14:39:27.909Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:27.909Z
Learning: Applies to **/app/api/**/*.ts : Maintain consistent error response format across all API routes to avoid information disclosure while providing meaningful error feedback

Applied to files:

  • apps/web/app/api/resend/summary/all/route.ts
📚 Learning: 2025-11-25T14:37:09.306Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/fullstack-workflow.mdc:0-0
Timestamp: 2025-11-25T14:37:09.306Z
Learning: Applies to apps/web/app/api/**/route.ts : Create GET API routes using `withAuth` or `withEmailAccount` middleware in `apps/web/app/api/*/route.ts`, export response types as `GetExampleResponse` type alias for client-side type safety

Applied to files:

  • apps/web/app/api/resend/summary/all/route.ts
📚 Learning: 2025-11-25T14:39:49.448Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/server-actions.mdc:0-0
Timestamp: 2025-11-25T14:39:49.448Z
Learning: Applies to apps/web/utils/actions/*.ts : Use `actionClient` when both authenticated user context and a specific emailAccountId are needed, with emailAccountId bound when calling from the client

Applied to files:

  • apps/web/app/api/outlook/linking/callback/route.ts
📚 Learning: 2025-07-08T13:14:07.449Z 
Learnt from: elie222
Repo: elie222/inbox-zero PR: 537
File: apps/web/app/(app)/[emailAccountId]/clean/onboarding/page.tsx:30-34
Timestamp: 2025-07-08T13:14:07.449Z
Learning: The clean onboarding page in apps/web/app/(app)/[emailAccountId]/clean/onboarding/page.tsx is intentionally Gmail-specific and should show an error for non-Google email accounts rather than attempting to support multiple providers.

Applied to files:

  • apps/web/app/api/outlook/linking/callback/route.ts
📚 Learning: 2025-11-25T14:39:08.150Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:08.150Z
Learning: Applies to apps/web/app/api/**/*.{ts,tsx} : All database queries must include user scoping with `emailAccountId` or `userId` filtering in WHERE clauses

Applied to files:

  • apps/web/app/api/outlook/linking/callback/route.ts
📚 Learning: 2025-11-25T14:39:04.892Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:04.892Z
Learning: Applies to apps/web/app/api/**/route.ts : Use Zod schemas for request body validation in API routes

Applied to files:

  • apps/web/app/api/resend/summary/route.ts
📚 Learning: 2025-11-25T14:39:49.448Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/server-actions.mdc:0-0
Timestamp: 2025-11-25T14:39:49.448Z
Learning: Applies to apps/web/utils/actions/*.ts : Use `.schema()` method with Zod validation schemas from corresponding `.validation.ts` files in next-safe-action configuration

Applied to files:

  • apps/web/app/api/resend/summary/route.ts
📚 Learning: 2025-11-25T14:37:09.306Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/fullstack-workflow.mdc:0-0
Timestamp: 2025-11-25T14:37:09.306Z
Learning: Applies to apps/web/utils/actions/*.ts : Use `next-safe-action` with Zod schemas for all server actions (create/update/delete mutations), storing validation schemas in `apps/web/utils/actions/*.validation.ts`

Applied to files:

  • apps/web/app/api/resend/summary/route.ts
📚 Learning: 2025-11-25T14:42:16.602Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:16.602Z
Learning: The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Applied to files:

  • apps/web/app/api/resend/summary/route.ts
📚 Learning: 2025-11-25T14:42:11.919Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:11.919Z
Learning: Applies to utils/**/*.{js,ts,jsx,tsx} : The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Applied to files:

  • apps/web/app/api/resend/summary/route.ts
📚 Learning: 2025-12-21T12:21:37.794Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-12-21T12:21:37.794Z
Learning: Applies to apps/web/utils/actions/**/*.ts : Use `next-safe-action` with Zod schemas for server actions to handle mutations

Applied to files:

  • apps/web/app/api/resend/summary/route.ts
📚 Learning: 2025-11-25T14:37:09.306Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/fullstack-workflow.mdc:0-0
Timestamp: 2025-11-25T14:37:09.306Z
Learning: Applies to apps/web/components/**/*Form*.tsx : Use React Hook Form with Zod validation (`zodResolver`) for form handling, with form components using `register`, `handleSubmit`, and error handling from the hook

Applied to files:

  • apps/web/app/api/resend/summary/route.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Baz Reviewer
  • GitHub Check: test
🔇 Additional comments (3)
apps/web/app/api/outlook/linking/callback/route.ts (1)

116-136: LGTM! Security improvement by removing email-based account lookup.

This change removes the insecure email-based fallback for account matching, preventing potential account hijacking through shared email addresses. The account lookup now relies solely on providerAccountId, aligning with Google OAuth behavior.

apps/web/app/api/resend/summary/all/route.ts (1)

16-16: LGTM! Payload mismatch fixed with type safety.

The changes correctly align the sender endpoint with the receiver by:

  • Using emailAccountId instead of email in the payload
  • Adding type parameter SendSummaryEmailBody to publishToQstashQueue for compile-time type safety
  • Updating error logging to use emailAccountId

This prevents future payload mismatches through type checking.

Also applies to: 48-80

apps/web/app/api/resend/summary/route.ts (1)

14-14: LGTM! Centralized validation prevents schema drift.

The import of sendSummaryEmailBody from the shared validation module ensures that both the sender (/api/resend/summary/all) and receiver (/api/resend/summary) endpoints use the same validation schema, preventing future payload mismatches.

Also applies to: 42-51

@elie222 elie222 merged commit 80dee08 into main Jan 4, 2026
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

+2 more reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@baz-reviewer baz-reviewer[bot] baz-reviewer[bot] approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@elie222