Conversation
…unt-prompt Add consent and account_select to Microsoft Entra
…unt-prompt Simple consent test
…unt-prompt Enable AuthJS debug
…unt-prompt Set logger, update error page
…unt-prompt Add temporary bypass
…unt-prompt Separate google/microsoft-entra-id logic on jwt
…unt-prompt Allow dangerous linking
…unt-prompt Log user, account
…unt-prompt Update token expiry logic
…unt-prompt Skip checks as test
…unt-prompt Add missing authorization url
…unt-prompt Copy google provider props
…unt-prompt Test with reduced scope
|
@claude review |
|
Claude encountered an error —— View job I'll analyze this and get back to you. |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (3)
apps/web/app/api/google/linking/callback/route.ts (2)
76-77: Use structured logger context for errorsPass errors as structured context for consistency with the rest of the file.
- logger.error("ID token verification failed using googleAuth:", err); + logger.error("ID token verification failed using googleAuth", { error: err });
172-174: Unreachable mapping branch (“Missing access_token”)This code path never throws a “Missing access_token” error. Consider pruning or mapping to realistic googleAuth.getToken failures instead.
apps/web/app/api/outlook/linking/callback/route.ts (1)
136-139: Consider including source user id in “Merging…” logYou include sourceUserId in the post-transaction log. Including it here improves traceability if the transaction fails.
- logger.info("Merging Microsoft account linked to user.", { - email: providerEmail, - targetUserId, - }); + logger.info("Merging Microsoft account linked to user.", { + email: providerEmail, + targetUserId, + sourceUserId: existingAccount.userId, + });
📜 Review details
Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
apps/web/app/api/google/linking/callback/route.ts(3 hunks)apps/web/app/api/outlook/linking/callback/route.ts(3 hunks)
🧰 Additional context used
📓 Path-based instructions (10)
apps/web/**/*.{ts,tsx}
📄 CodeRabbit Inference Engine (apps/web/CLAUDE.md)
apps/web/**/*.{ts,tsx}: Use TypeScript with strict null checks
Path aliases: Use@/for imports from project root
Use proper error handling with try/catch blocks
Format code with Prettier
Leverage TypeScript inference for better DX
Files:
apps/web/app/api/google/linking/callback/route.tsapps/web/app/api/outlook/linking/callback/route.ts
apps/web/app/**
📄 CodeRabbit Inference Engine (apps/web/CLAUDE.md)
NextJS app router structure with (app) directory
Files:
apps/web/app/api/google/linking/callback/route.tsapps/web/app/api/outlook/linking/callback/route.ts
apps/web/app/api/**/route.ts
📄 CodeRabbit Inference Engine (apps/web/CLAUDE.md)
apps/web/app/api/**/route.ts: UsewithAuthfor user-level operations
UsewithEmailAccountfor email-account-level operations
Do NOT use POST API routes for mutations - use server actions instead
No need for try/catch in GET routes when using middleware
Export response types from GET routes
apps/web/app/api/**/route.ts: Wrap all GET API route handlers withwithAuthorwithEmailAccountmiddleware for authentication and authorization.
Export response types from GET API routes for type-safe client usage.
Do not use try/catch in GET API routes when using authentication middleware; rely on centralized error handling.
Files:
apps/web/app/api/google/linking/callback/route.tsapps/web/app/api/outlook/linking/callback/route.ts
!{.cursor/rules/*.mdc}
📄 CodeRabbit Inference Engine (.cursor/rules/cursor-rules.mdc)
Never place rule files in the project root, in subdirectories outside .cursor/rules, or in any other location
Files:
apps/web/app/api/google/linking/callback/route.tsapps/web/app/api/outlook/linking/callback/route.ts
**/*.ts
📄 CodeRabbit Inference Engine (.cursor/rules/form-handling.mdc)
**/*.ts: The same validation should be done in the server action too
Define validation schemas using Zod
Files:
apps/web/app/api/google/linking/callback/route.tsapps/web/app/api/outlook/linking/callback/route.ts
**/*.{ts,tsx}
📄 CodeRabbit Inference Engine (.cursor/rules/logging.mdc)
**/*.{ts,tsx}: UsecreateScopedLoggerfor logging in backend TypeScript files
Typically add the logger initialization at the top of the file when usingcreateScopedLogger
Only use.with()on a logger instance within a specific function, not for a global loggerImport Prisma in the project using
import prisma from "@/utils/prisma";
**/*.{ts,tsx}: Don't use TypeScript enums.
Don't use TypeScript const enum.
Don't use the TypeScript directive @ts-ignore.
Don't use primitive type aliases or misleading types.
Don't use empty type parameters in type aliases and interfaces.
Don't use any or unknown as type constraints.
Don't use implicit any type on variable declarations.
Don't let variables evolve into any type through reassignments.
Don't use non-null assertions with the ! postfix operator.
Don't misuse the non-null assertion operator (!) in TypeScript files.
Don't use user-defined types.
Use as const instead of literal types and type annotations.
Use export type for types.
Use import type for types.
Don't declare empty interfaces.
Don't merge interfaces and classes unsafely.
Don't use overload signatures that aren't next to each other.
Use the namespace keyword instead of the module keyword to declare TypeScript namespaces.
Don't use TypeScript namespaces.
Don't export imported variables.
Don't add type annotations to variables, parameters, and class properties that are initialized with literal expressions.
Don't use parameter properties in class constructors.
Use either T[] or Array consistently.
Initialize each enum member value explicitly.
Make sure all enum members are literal values.
Files:
apps/web/app/api/google/linking/callback/route.tsapps/web/app/api/outlook/linking/callback/route.ts
**/api/**/route.ts
📄 CodeRabbit Inference Engine (.cursor/rules/security.mdc)
**/api/**/route.ts: ALL API routes that handle user data MUST use appropriate authentication and authorization middleware (withAuth or withEmailAccount).
ALL database queries in API routes MUST be scoped to the authenticated user/account (e.g., include userId or emailAccountId in query filters).
Always validate that resources belong to the authenticated user before performing operations (resource ownership validation).
UsewithEmailAccountmiddleware for API routes that operate on a specific email account (i.e., use or requireemailAccountId).
UsewithAuthmiddleware for API routes that operate at the user level (i.e., use or require onlyuserId).
UsewithErrormiddleware (with proper validation) for public endpoints, custom authentication, or cron endpoints.
Cron endpoints MUST usewithErrormiddleware and validate the cron secret usinghasCronSecret(request)orhasPostCronSecret(request).
Cron endpoints MUST capture unauthorized attempts withcaptureExceptionand return a 401 status for unauthorized requests.
All parameters in API routes MUST be validated for type, format, and length before use.
Request bodies in API routes MUST be validated using Zod schemas before use.
All Prisma queries in API routes MUST only return necessary fields and never expose sensitive data.
Error messages in API routes MUST not leak internal information or sensitive data; use generic error messages and SafeError where appropriate.
API routes MUST use a consistent error response format, returning JSON with an error message and status code.
AllfindUniqueandfindFirstPrisma calls in API routes MUST include ownership filters (e.g., userId or emailAccountId).
AllfindManyPrisma calls in API routes MUST be scoped to the authenticated user's data.
Never use direct object references in API routes without ownership checks (prevent IDOR vulnerabilities).
Prevent mass assignment vulnerabilities by only allowing explicitly whitelisted fields in update operations in AP...
Files:
apps/web/app/api/google/linking/callback/route.tsapps/web/app/api/outlook/linking/callback/route.ts
apps/web/app/api/**/*.{ts,js}
📄 CodeRabbit Inference Engine (.cursor/rules/security-audit.mdc)
apps/web/app/api/**/*.{ts,js}: All API route handlers in 'apps/web/app/api/' must use authentication middleware: withAuth, withEmailAccount, or withError (with custom authentication logic).
All Prisma queries in API routes must include user/account filtering (e.g., emailAccountId or userId in WHERE clauses) to prevent unauthorized data access.
All parameters used in API routes must be validated before use; do not use parameters from 'params' or request bodies directly in queries without validation.
Request bodies in API routes should use Zod schemas for validation.
API routes should only return necessary fields using Prisma's 'select' and must not include sensitive data in error messages.
Error messages in API routes must not reveal internal details; use generic errors and SafeError for user-facing errors.
All QStash endpoints (API routes called via publishToQstash or publishToQstashQueue) must use verifySignatureAppRouter to verify request authenticity.
All cron endpoints in API routes must use hasCronSecret or hasPostCronSecret for authentication.
Do not hardcode weak or plaintext secrets in API route files; secrets must not be directly assigned as string literals.
Review all new withError usage in API routes to ensure custom authentication is implemented where required.
Files:
apps/web/app/api/google/linking/callback/route.tsapps/web/app/api/outlook/linking/callback/route.ts
**/*.{js,jsx,ts,tsx}
📄 CodeRabbit Inference Engine (.cursor/rules/ultracite.mdc)
**/*.{js,jsx,ts,tsx}: Don't useelements in Next.js projects.
Don't use elements in Next.js projects.
Don't use namespace imports.
Don't access namespace imports dynamically.
Don't use global eval().
Don't use console.
Don't use debugger.
Don't use var.
Don't use with statements in non-strict contexts.
Don't use the arguments object.
Don't use consecutive spaces in regular expression literals.
Don't use the comma operator.
Don't use unnecessary boolean casts.
Don't use unnecessary callbacks with flatMap.
Use for...of statements instead of Array.forEach.
Don't create classes that only have static members (like a static namespace).
Don't use this and super in static contexts.
Don't use unnecessary catch clauses.
Don't use unnecessary constructors.
Don't use unnecessary continue statements.
Don't export empty modules that don't change anything.
Don't use unnecessary escape sequences in regular expression literals.
Don't use unnecessary labels.
Don't use unnecessary nested block statements.
Don't rename imports, exports, and destructured assignments to the same name.
Don't use unnecessary string or template literal concatenation.
Don't use String.raw in template literals when there are no escape sequences.
Don't use useless case statements in switch statements.
Don't use ternary operators when simpler alternatives exist.
Don't use useless this aliasing.
Don't initialize variables to undefined.
Don't use the void operators (they're not familiar).
Use arrow functions instead of function expressions.
Use Date.now() to get milliseconds since the Unix Epoch.
Use .flatMap() instead of map().flat() when possible.
Use literal property access instead of computed property access.
Don't use parseInt() or Number.parseInt() when binary, octal, or hexadecimal literals work.
Use concise optional chaining instead of chained logical expressions.
Use regular expression literals instead of the RegExp constructor when possible.
Don't use number literal object member names th...
Files:
apps/web/app/api/google/linking/callback/route.tsapps/web/app/api/outlook/linking/callback/route.ts
!pages/_document.{js,jsx,ts,tsx}
📄 CodeRabbit Inference Engine (.cursor/rules/ultracite.mdc)
!pages/_document.{js,jsx,ts,tsx}: Don't import next/document outside of pages/_document.jsx in Next.js projects.
Don't import next/document outside of pages/_document.jsx in Next.js projects.
Files:
apps/web/app/api/google/linking/callback/route.tsapps/web/app/api/outlook/linking/callback/route.ts
🧠 Learnings (3)
📚 Learning: 2025-07-08T13:14:07.449Z
Learnt from: elie222
PR: elie222/inbox-zero#537
File: apps/web/app/(app)/[emailAccountId]/clean/onboarding/page.tsx:30-34
Timestamp: 2025-07-08T13:14:07.449Z
Learning: The clean onboarding page in apps/web/app/(app)/[emailAccountId]/clean/onboarding/page.tsx is intentionally Gmail-specific and should show an error for non-Google email accounts rather than attempting to support multiple providers.
Applied to files:
apps/web/app/api/google/linking/callback/route.ts
📚 Learning: 2025-07-18T15:04:30.467Z
Learnt from: CR
PR: elie222/inbox-zero#0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-07-18T15:04:30.467Z
Learning: Applies to apps/web/app/api/**/route.ts : Use `withEmailAccount` for email-account-level operations
Applied to files:
apps/web/app/api/outlook/linking/callback/route.ts
📚 Learning: 2025-07-18T17:27:46.389Z
Learnt from: CR
PR: elie222/inbox-zero#0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-07-18T17:27:46.389Z
Learning: Applies to **/api/**/route.ts : Use `withEmailAccount` middleware for API routes that operate on a specific email account (i.e., use or require `emailAccountId`).
Applied to files:
apps/web/app/api/outlook/linking/callback/route.ts
🧬 Code Graph Analysis (2)
apps/web/app/api/google/linking/callback/route.ts (1)
apps/web/app/api/outlook/webhook/logger.ts (1)
logger(3-3)
apps/web/app/api/outlook/linking/callback/route.ts (1)
apps/web/app/api/outlook/webhook/logger.ts (1)
logger(3-3)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Static Code Analysis Js
- GitHub Check: Jit Security
🔇 Additional comments (8)
apps/web/app/api/google/linking/callback/route.ts (4)
102-107: Structured warning with contextual fields — goodConsistent message and structured context will make log search far easier. No concerns.
114-119: “Already linked to self” log refactor looks goodClear, stable message with context. Matches the pattern used elsewhere.
128-135: Merge log now uses stable message + useful contextIncludes email, providerAccountId, existingUserId, targetUserId — sufficient for traceability.
154-158: Post-merge reassignment log is clear and actionableContext includes providerAccountId, targetUserId, originalUserId. Looks good.
apps/web/app/api/outlook/linking/callback/route.ts (4)
98-100: Good explicit failure when profile email is absentClear error that’s later mapped to “incomplete_profile”. No issues.
118-120: Merge-failed log matches the agreed structured formatStable string with { email }. Matches prior guidance. LGTM.
127-129: Already-linked log refactor is consistentStable message; context includes email and targetUserId. Good.
158-162: Reassignment log includes the right contextEmail, targetUserId, sourceUserId present. Looks good.
| if (provider === "microsoft") { | ||
| providerOptions.push({ | ||
| label: "Move to folder", | ||
| value: ActionType.MOVE_FOLDER, | ||
| }); | ||
| } |
There was a problem hiding this comment.
i would just inline as anyway if things will be added in the future it's unlikely in the next spot after move to folder
| cc: z.string().nullish(), | ||
| bcc: z.string().nullish(), | ||
| subject: z.string().nullish(), | ||
| folderName: z.string().nullish(), |
There was a problem hiding this comment.
ya folder shouldn't be an option for google. will confuse the ai and can't be used anyway
| case ActionType.DIGEST: | ||
| actions.push("add to digest"); | ||
| break; | ||
| case ActionType.MOVE_FOLDER: |
| .nullish() | ||
| .transform((v) => v ?? null) | ||
| .describe("The webhook URL to call"), | ||
| folderName: z |
| ownerEmail: string, | ||
| folderName: string, | ||
| ): Promise<void> { | ||
| await outlookArchiveThread({ |
There was a problem hiding this comment.
should this be archive? seems like a bad function name?
| return folderIdCache; | ||
| } | ||
|
|
||
| export async function getOrCreateFolderByName( |
There was a problem hiding this comment.
worth adding a test. ai can generate it quickly
3 participants
Summary by CodeRabbit
New Features
Bug Fixes
Refactor
Chores
Documentation