Adjust logging

[elie222]

Summary by CodeRabbit

• Bug Fixes

  • Enhanced error handling and logging for Outlook account linking and token refresh failures.
  • Improved resilience when encountering Azure AD authentication errors during email synchronization.

• Chores

  • Updated version to v2.18.13.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Updated (UTC)
inbox-zero	Ready	Preview	Nov 9, 2025 11:23pm

[coderabbitai]

Walkthrough

This PR improves error handling and observability across the Outlook authentication and email watching flows. Changes include enhanced error logging for token exchange failures, extended Azure AD error handling (AADSTS7000215), refactored EmailAccount upsert logic, adjusted sensitive field masking in logging, and a minor version bump.

Changes

Cohort / File(s)	Summary
Error handling and observability apps/web/app/api/outlook/linking/callback/route.ts, apps/web/utils/outlook/client.ts	Added exception capture and logging on token exchange failures; added conditional logging for AADSTS7000215 error with user-friendly messaging before rethrowing
Email watching configuration apps/web/utils/email/watch-manager.ts	Extended error handling to skip watching emails when error message contains "AADSTS7000215" (Azure AD invalid client secret)
Authentication refactoring apps/web/utils/auth.ts	Simplified EmailAccount upsert payload by replacing inline field assignments with shared data object
Logging adjustments apps/web/utils/logger.ts	Removed "email" and "userEmail" from SENSITIVE_FIELD_NAMES set, retaining only "from", "sender", and "to"
Version bump version.txt	Updated version from v2.18.11 to v2.18.13

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Multiple files with heterogeneous changes across different concerns (auth, logging, error handling)
• Azure AD error code handling is specific and requires understanding of the context (AADSTS7000215 invalid client secret)
• Logging sensitivity adjustments require verification that removing email fields doesn't impact critical debugging or compliance needs
• apps/web/utils/auth.ts refactoring is straightforward but warrants verification that the upsert behavior remains identical

Possibly related PRs

• Centralised watch emails #923: Modifies apps/web/utils/email/watch-manager.ts for centralized watch manager integration and AADSTS7000215 error handling
• Adjust outlook webhook logger #916: Updates logging utilities (apps/web/utils/logger.ts) with related changes to sensitive field handling

Suggested reviewers

• mosesjames7271-svg

Poem

🐰 A rabbit hops through token streams,
Catching errors, logging dreams,
AADSTS troubles now held tight,
Logs refined, and fields less bright,
Version climbs from "point-one-one"—
Another patch, another run! 🌙

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Title check	❓ Inconclusive	The title 'Adjust logging' is vague and generic. While logging changes are present, the PR encompasses significant functional changes including error handling improvements, token exchange failures, Azure AD error handling, and version bumping that go beyond simple logging adjustments.	Consider a more descriptive title that captures the main objective, such as 'Improve Outlook token exchange error handling and logging' or 'Enhance Azure AD error handling with improved observability'.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/clear-bad-outlook-tokens

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

apps/web/utils/auth.ts (1)

377-391: LGTM!

The refactoring to use a shared data object eliminates duplication and improves maintainability. This follows DRY principles while maintaining identical functionality.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f38f04e and 7a834fa.

📒 Files selected for processing (6)

• apps/web/app/api/outlook/linking/callback/route.ts (2 hunks)
• apps/web/utils/auth.ts (1 hunks)
• apps/web/utils/email/watch-manager.ts (1 hunks)
• apps/web/utils/logger.ts (1 hunks)
• apps/web/utils/outlook/client.ts (1 hunks)
• version.txt (1 hunks)

🧰 Additional context used

📓 Path-based instructions (12)

apps/web/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/**/*.{ts,tsx}: Use TypeScript with strict null checks
Path aliases: Use @/ for imports from project root
Use proper error handling with try/catch blocks
Format code with Prettier
Leverage TypeScript inference for better DX

Files:

• apps/web/utils/email/watch-manager.ts
• apps/web/utils/logger.ts
• apps/web/utils/auth.ts
• apps/web/utils/outlook/client.ts
• apps/web/app/api/outlook/linking/callback/route.ts

!{.cursor/rules/*.mdc}

📄 CodeRabbit inference engine (.cursor/rules/cursor-rules.mdc)

Never place rule files in the project root, in subdirectories outside .cursor/rules, or in any other location

Files:

• apps/web/utils/email/watch-manager.ts
• apps/web/utils/logger.ts
• apps/web/utils/auth.ts
• apps/web/utils/outlook/client.ts
• apps/web/app/api/outlook/linking/callback/route.ts
• version.txt

**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/form-handling.mdc)

**/*.ts: The same validation should be done in the server action too
Define validation schemas using Zod

Files:

• apps/web/utils/email/watch-manager.ts
• apps/web/utils/logger.ts
• apps/web/utils/auth.ts
• apps/web/utils/outlook/client.ts
• apps/web/app/api/outlook/linking/callback/route.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/logging.mdc)

**/*.{ts,tsx}: Use createScopedLogger for logging in backend TypeScript files
Typically add the logger initialization at the top of the file when using createScopedLogger
Only use .with() on a logger instance within a specific function, not for a global logger

Import Prisma in the project using import prisma from "@/utils/prisma";

**/*.{ts,tsx}: Don't use TypeScript enums.
Don't use TypeScript const enum.
Don't use the TypeScript directive @ts-ignore.
Don't use primitive type aliases or misleading types.
Don't use empty type parameters in type aliases and interfaces.
Don't use any or unknown as type constraints.
Don't use implicit any type on variable declarations.
Don't let variables evolve into any type through reassignments.
Don't use non-null assertions with the ! postfix operator.
Don't misuse the non-null assertion operator (!) in TypeScript files.
Don't use user-defined types.
Use as const instead of literal types and type annotations.
Use export type for types.
Use import type for types.
Don't declare empty interfaces.
Don't merge interfaces and classes unsafely.
Don't use overload signatures that aren't next to each other.
Use the namespace keyword instead of the module keyword to declare TypeScript namespaces.
Don't use TypeScript namespaces.
Don't export imported variables.
Don't add type annotations to variables, parameters, and class properties that are initialized with literal expressions.
Don't use parameter properties in class constructors.
Use either T[] or Array consistently.
Initialize each enum member value explicitly.
Make sure all enum members are literal values.

Files:

• apps/web/utils/email/watch-manager.ts
• apps/web/utils/logger.ts
• apps/web/utils/auth.ts
• apps/web/utils/outlook/client.ts
• apps/web/app/api/outlook/linking/callback/route.ts

apps/web/utils/**

📄 CodeRabbit inference engine (.cursor/rules/project-structure.mdc)

Create utility functions in utils/ folder for reusable logic

Files:

• apps/web/utils/email/watch-manager.ts
• apps/web/utils/logger.ts
• apps/web/utils/auth.ts
• apps/web/utils/outlook/client.ts

apps/web/utils/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/project-structure.mdc)

apps/web/utils/**/*.ts: Use lodash utilities for common operations (arrays, objects, strings)
Import specific lodash functions to minimize bundle size

Files:

• apps/web/utils/email/watch-manager.ts
• apps/web/utils/logger.ts
• apps/web/utils/auth.ts
• apps/web/utils/outlook/client.ts

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

**/*.{js,jsx,ts,tsx}: Don't use elements in Next.js projects.
Don't use elements in Next.js projects.
Don't use namespace imports.
Don't access namespace imports dynamically.
Don't use global eval().
Don't use console.
Don't use debugger.
Don't use var.
Don't use with statements in non-strict contexts.
Don't use the arguments object.
Don't use consecutive spaces in regular expression literals.
Don't use the comma operator.
Don't use unnecessary boolean casts.
Don't use unnecessary callbacks with flatMap.
Use for...of statements instead of Array.forEach.
Don't create classes that only have static members (like a static namespace).
Don't use this and super in static contexts.
Don't use unnecessary catch clauses.
Don't use unnecessary constructors.
Don't use unnecessary continue statements.
Don't export empty modules that don't change anything.
Don't use unnecessary escape sequences in regular expression literals.
Don't use unnecessary labels.
Don't use unnecessary nested block statements.
Don't rename imports, exports, and destructured assignments to the same name.
Don't use unnecessary string or template literal concatenation.
Don't use String.raw in template literals when there are no escape sequences.
Don't use useless case statements in switch statements.
Don't use ternary operators when simpler alternatives exist.
Don't use useless this aliasing.
Don't initialize variables to undefined.
Don't use the void operators (they're not familiar).
Use arrow functions instead of function expressions.
Use Date.now() to get milliseconds since the Unix Epoch.
Use .flatMap() instead of map().flat() when possible.
Use literal property access instead of computed property access.
Don't use parseInt() or Number.parseInt() when binary, octal, or hexadecimal literals work.
Use concise optional chaining instead of chained logical expressions.
Use regular expression literals instead of the RegExp constructor when possible.
Don't use number literal object member names th...

Files:

• apps/web/utils/email/watch-manager.ts
• apps/web/utils/logger.ts
• apps/web/utils/auth.ts
• apps/web/utils/outlook/client.ts
• apps/web/app/api/outlook/linking/callback/route.ts

!pages/_document.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

!pages/_document.{js,jsx,ts,tsx}: Don't import next/document outside of pages/_document.jsx in Next.js projects.
Don't import next/document outside of pages/_document.jsx in Next.js projects.

Files:

• apps/web/utils/email/watch-manager.ts
• apps/web/utils/logger.ts
• apps/web/utils/auth.ts
• apps/web/utils/outlook/client.ts
• apps/web/app/api/outlook/linking/callback/route.ts
• version.txt

apps/web/app/**

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

NextJS app router structure with (app) directory

Files:

• apps/web/app/api/outlook/linking/callback/route.ts

apps/web/app/api/**/route.ts

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/app/api/**/route.ts: Use withAuth for user-level operations
Use withEmailAccount for email-account-level operations
Do NOT use POST API routes for mutations - use server actions instead
No need for try/catch in GET routes when using middleware
Export response types from GET routes

apps/web/app/api/**/route.ts: Wrap all GET API route handlers with withAuth or withEmailAccount middleware for authentication and authorization.
Export response types from GET API routes for type-safe client usage.
Do not use try/catch in GET API routes when using authentication middleware; rely on centralized error handling.

Files:

• apps/web/app/api/outlook/linking/callback/route.ts

**/api/**/route.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/api/**/route.ts: ALL API routes that handle user data MUST use appropriate authentication and authorization middleware (withAuth or withEmailAccount).
ALL database queries in API routes MUST be scoped to the authenticated user/account (e.g., include userId or emailAccountId in query filters).
Always validate that resources belong to the authenticated user before performing operations (resource ownership validation).
Use withEmailAccount middleware for API routes that operate on a specific email account (i.e., use or require emailAccountId).
Use withAuth middleware for API routes that operate at the user level (i.e., use or require only userId).
Use withError middleware (with proper validation) for public endpoints, custom authentication, or cron endpoints.
Cron endpoints MUST use withError middleware and validate the cron secret using hasCronSecret(request) or hasPostCronSecret(request).
Cron endpoints MUST capture unauthorized attempts with captureException and return a 401 status for unauthorized requests.
All parameters in API routes MUST be validated for type, format, and length before use.
Request bodies in API routes MUST be validated using Zod schemas before use.
All Prisma queries in API routes MUST only return necessary fields and never expose sensitive data.
Error messages in API routes MUST not leak internal information or sensitive data; use generic error messages and SafeError where appropriate.
API routes MUST use a consistent error response format, returning JSON with an error message and status code.
All findUnique and findFirst Prisma calls in API routes MUST include ownership filters (e.g., userId or emailAccountId).
All findMany Prisma calls in API routes MUST be scoped to the authenticated user's data.
Never use direct object references in API routes without ownership checks (prevent IDOR vulnerabilities).
Prevent mass assignment vulnerabilities by only allowing explicitly whitelisted fields in update operations in AP...

Files:

• apps/web/app/api/outlook/linking/callback/route.ts

apps/web/app/api/**/*.{ts,js}

📄 CodeRabbit inference engine (.cursor/rules/security-audit.mdc)

apps/web/app/api/**/*.{ts,js}: All API route handlers in 'apps/web/app/api/' must use authentication middleware: withAuth, withEmailAccount, or withError (with custom authentication logic).
All Prisma queries in API routes must include user/account filtering (e.g., emailAccountId or userId in WHERE clauses) to prevent unauthorized data access.
All parameters used in API routes must be validated before use; do not use parameters from 'params' or request bodies directly in queries without validation.
Request bodies in API routes should use Zod schemas for validation.
API routes should only return necessary fields using Prisma's 'select' and must not include sensitive data in error messages.
Error messages in API routes must not reveal internal details; use generic errors and SafeError for user-facing errors.
All QStash endpoints (API routes called via publishToQstash or publishToQstashQueue) must use verifySignatureAppRouter to verify request authenticity.
All cron endpoints in API routes must use hasCronSecret or hasPostCronSecret for authentication.
Do not hardcode weak or plaintext secrets in API route files; secrets must not be directly assigned as string literals.
Review all new withError usage in API routes to ensure custom authentication is implemented where required.

Files:

• apps/web/app/api/outlook/linking/callback/route.ts

🧠 Learnings (22)

📚 Learning: 2025-07-20T09:00:41.968Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-07-20T09:00:41.968Z
Learning: Applies to apps/web/app/api/**/*.{ts,js} : Review all new withError usage in API routes to ensure custom authentication is implemented where required.

Applied to files:

• apps/web/utils/email/watch-manager.ts
• apps/web/utils/outlook/client.ts
• apps/web/app/api/outlook/linking/callback/route.ts

📚 Learning: 2025-09-17T22:05:28.646Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm.mdc:0-0
Timestamp: 2025-09-17T22:05:28.646Z
Learning: Applies to apps/web/utils/ai/**/*.{ts,tsx} : Use descriptive scoped loggers for each feature

Applied to files:

• apps/web/utils/logger.ts

📚 Learning: 2025-07-18T15:04:30.467Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-07-18T15:04:30.467Z
Learning: Applies to apps/web/app/api/**/route.ts : Use `withEmailAccount` for email-account-level operations

Applied to files:

• apps/web/utils/auth.ts

📚 Learning: 2025-07-18T17:27:58.249Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/server-actions.mdc:0-0
Timestamp: 2025-07-18T17:27:58.249Z
Learning: Applies to apps/web/utils/actions/*.ts : Use `actionClient` when both authenticated user context and a specific `emailAccountId` are needed. The `emailAccountId` must be bound when calling the action from the client.

Applied to files:

• apps/web/utils/auth.ts

📚 Learning: 2025-07-18T17:27:46.389Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-07-18T17:27:46.389Z
Learning: Applies to **/api/**/route.ts : Use `withEmailAccount` middleware for API routes that operate on a specific email account (i.e., use or require `emailAccountId`).

Applied to files:

• apps/web/utils/auth.ts

📚 Learning: 2025-07-20T09:00:41.968Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-07-20T09:00:41.968Z
Learning: Applies to apps/web/app/api/**/*.{ts,js} : All Prisma queries in API routes must include user/account filtering (e.g., emailAccountId or userId in WHERE clauses) to prevent unauthorized data access.

Applied to files:

• apps/web/utils/auth.ts

📚 Learning: 2025-07-18T17:27:46.389Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-07-18T17:27:46.389Z
Learning: Applies to **/api/**/route.ts : ALL database queries in API routes MUST be scoped to the authenticated user/account (e.g., include userId or emailAccountId in query filters).

Applied to files:

• apps/web/utils/auth.ts

📚 Learning: 2025-10-02T23:23:48.064Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm-test.mdc:0-0
Timestamp: 2025-10-02T23:23:48.064Z
Learning: Applies to apps/web/__tests__/**/*.test.ts : Prefer existing helpers from @/__tests__/helpers.ts (getEmailAccount, getEmail, getRule, getMockMessage, getMockExecutedRule) over custom helpers

Applied to files:

• apps/web/utils/auth.ts

📚 Learning: 2025-07-18T15:05:26.713Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/get-api-route.mdc:0-0
Timestamp: 2025-07-18T15:05:26.713Z
Learning: Applies to app/api/**/route.ts : Always wrap the handler with `withAuth` or `withEmailAccount` for consistent error handling and authentication in GET API routes.

Applied to files:

• apps/web/utils/auth.ts

📚 Learning: 2025-07-18T17:27:46.389Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-07-18T17:27:46.389Z
Learning: Applies to **/api/**/route.ts : ALL API routes that handle user data MUST use appropriate authentication and authorization middleware (withAuth or withEmailAccount).

Applied to files:

• apps/web/utils/auth.ts

📚 Learning: 2025-06-23T12:26:53.882Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/prisma.mdc:0-0
Timestamp: 2025-06-23T12:26:53.882Z
Learning: In this project, Prisma should be imported using 'import prisma from "@/utils/prisma";' in TypeScript files.

Applied to files:

• apps/web/utils/auth.ts

📚 Learning: 2025-09-17T22:05:28.646Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm.mdc:0-0
Timestamp: 2025-09-17T22:05:28.646Z
Learning: Applies to apps/web/utils/ai/**/*.{ts,tsx} : Use proper error types and logging for failures

Applied to files:

• apps/web/utils/outlook/client.ts
• apps/web/app/api/outlook/linking/callback/route.ts

📚 Learning: 2025-07-08T13:14:07.449Z

Learnt from: elie222
Repo: elie222/inbox-zero PR: 537
File: apps/web/app/(app)/[emailAccountId]/clean/onboarding/page.tsx:30-34
Timestamp: 2025-07-08T13:14:07.449Z
Learning: The clean onboarding page in apps/web/app/(app)/[emailAccountId]/clean/onboarding/page.tsx is intentionally Gmail-specific and should show an error for non-Google email accounts rather than attempting to support multiple providers.

Applied to files:

• apps/web/utils/outlook/client.ts

📚 Learning: 2025-07-18T15:05:16.146Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/fullstack-workflow.mdc:0-0
Timestamp: 2025-07-18T15:05:16.146Z
Learning: Applies to apps/web/app/api/**/route.ts : Do not use try/catch in GET API routes when using authentication middleware; rely on centralized error handling.

Applied to files:

• apps/web/app/api/outlook/linking/callback/route.ts

📚 Learning: 2025-07-18T15:05:26.713Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/get-api-route.mdc:0-0
Timestamp: 2025-07-18T15:05:26.713Z
Learning: Applies to app/api/**/route.ts : Do not use try/catch in GET API route handlers, as `withAuth` and `withEmailAccount` handle error catching.

Applied to files:

• apps/web/app/api/outlook/linking/callback/route.ts

📚 Learning: 2025-07-18T15:04:30.467Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-07-18T15:04:30.467Z
Learning: Applies to apps/web/**/*.{ts,tsx} : Use proper error handling with try/catch blocks

Applied to files:

• apps/web/app/api/outlook/linking/callback/route.ts

📚 Learning: 2025-07-18T17:27:46.389Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-07-18T17:27:46.389Z
Learning: Applies to **/api/**/route.ts : Use `withError` middleware (with proper validation) for public endpoints, custom authentication, or cron endpoints.

Applied to files:

• apps/web/app/api/outlook/linking/callback/route.ts

📚 Learning: 2025-07-20T09:00:41.968Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-07-20T09:00:41.968Z
Learning: Applies to apps/web/app/api/**/*.{ts,js} : Error messages in API routes must not reveal internal details; use generic errors and SafeError for user-facing errors.

Applied to files:

• apps/web/app/api/outlook/linking/callback/route.ts

📚 Learning: 2025-07-18T17:27:46.389Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-07-18T17:27:46.389Z
Learning: Applies to **/api/**/route.ts : Cron endpoints MUST capture unauthorized attempts with `captureException` and return a 401 status for unauthorized requests.

Applied to files:

• apps/web/app/api/outlook/linking/callback/route.ts

📚 Learning: 2025-07-18T15:04:44.818Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/data-fetching.mdc:0-0
Timestamp: 2025-07-18T15:04:44.818Z
Learning: Applies to {app,components}/**/*.{ts,tsx} : Use `result?.serverError` with `toastError` and `toastSuccess` for error handling; success toast is optional

Applied to files:

• apps/web/app/api/outlook/linking/callback/route.ts

📚 Learning: 2025-07-18T17:27:58.249Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/server-actions.mdc:0-0
Timestamp: 2025-07-18T17:27:58.249Z
Learning: Applies to apps/web/utils/actions/*.ts : Use `SafeError` for expected/handled errors within actions if needed. `next-safe-action` provides centralized error handling.

Applied to files:

• apps/web/app/api/outlook/linking/callback/route.ts

📚 Learning: 2025-07-18T15:04:30.467Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-07-18T15:04:30.467Z
Learning: Applies to apps/web/utils/actions/**/*.ts : `next-safe-action` provides centralized error handling

Applied to files:

• apps/web/app/api/outlook/linking/callback/route.ts

🧬 Code graph analysis (1)

apps/web/app/api/outlook/linking/callback/route.ts (1)

apps/web/utils/error.ts (1)

• captureException (63-75)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Static Code Analysis Js
• GitHub Check: cubic · AI code reviewer
• GitHub Check: Jit Security
• GitHub Check: test

🔇 Additional comments (5)

version.txt (1)

1-1: LGTM!

Version bump is appropriate for this PR's observability and error handling improvements.

apps/web/utils/outlook/client.ts (1)

141-157: LGTM!

The error handling enhancement properly logs Azure AD client secret rotation issues before rethrowing. The warning message is user-friendly and includes the emailAccountId for traceability, which aligns well with the non-fatal handling added in watch-manager.ts.

apps/web/utils/email/watch-manager.ts (1)

96-96: LGTM!

Treating AADSTS7000215 as a non-fatal error is appropriate. This allows the watch process to skip accounts with rotated Azure AD secrets and continue processing other accounts, which aligns with the conditional warning added in outlook/client.ts.

apps/web/utils/logger.ts (1)

188-188: Verify that removing "email" and "userEmail" from hashing aligns with privacy requirements.

Removing these fields from SENSITIVE_FIELD_NAMES means email addresses in "email" and "userEmail" fields will now be logged in plain text in production (server-side). While this improves debuggability and you're still hashing actual message participants ("from", "sender", "to"), ensure this aligns with your privacy policy and compliance requirements.

apps/web/app/api/outlook/linking/callback/route.ts (1)

79-90: LGTM!

The enhanced error handling improves observability by logging token exchange failures and capturing them for monitoring, while preserving the existing control flow. The error details (including error_description and code) provide valuable context for debugging.

[cubic-dev-ai]

2 issues found across 6 files

Prompt for AI agents (all 2 issues)

Understand the root cause of the following 2 issues and fix them.


<file name="apps/web/utils/logger.ts">

<violation number="1" location="apps/web/utils/logger.ts:188">
Removing &quot;email&quot; and &quot;userEmail&quot; from SENSITIVE_FIELD_NAMES stops us from hashing those fields in production logs, causing raw email addresses to be emitted. Please restore these keys so we continue protecting PII.</violation>
</file>

<file name="apps/web/app/api/outlook/linking/callback/route.ts">

<violation number="1" location="apps/web/app/api/outlook/linking/callback/route.ts:81">
Please avoid logging the raw OAuth authorization code, since it is a credential that should remain confidential.</violation>
</file>

_{React with 👍 or 👎 to teach cubic. Mention @cubic-dev-ai to give feedback, ask questions, or re-run the review.}

[cubic-dev-ai]

No issues found across 1 file