ENG-1719 List groups I'm a member of#1011
Conversation
|
Updates to Preview Branch (eng-1719-list-groups-im-a-member-of) ↗︎
Tasks are run on every commit but only new migration files are pushed.
View logs for this Workflow Run ↗︎. |
maparent
force-pushed
the
eng-1719-list-groups-im-a-member-of
branch
3 times, most recently
from
11ba9fb to
bb44e58
Compare
![graphite-app[bot]](https://avatars.githubusercontent.com/in/158384?s=60&v=4){kind=small}
PR size/scope checkThis PR is over our review-size guideline.
Please split this into smaller PRs unless there is a clear reason the changes need to land together. If keeping it as one PR, please add a brief justification covering:
|
maparent
force-pushed
the
eng-1719-list-groups-im-a-member-of
branch
2 times, most recently
from
a8e2660 to
042ddb9
Compare
maparent
force-pushed
the
eng-1719-list-groups-im-a-member-of
branch
from
85424fa to
042ddb9
Compare
mdroidian
left a comment
mdroidian
left a comment
There was a problem hiding this comment.
Codex PR Review
Findings
High: apps/website/app/components/auth/LoginWithToken.tsx should not perform the token exchange in a Client Component. The token is removed from the URL only after hydration via useEffect, but PostHogPageView reads searchParams and can capture $current_url before that happens. That risks leaking the one-time token to analytics.
High: router.replace(url) uses a query-derived url without validation. Next.js warns against passing unsanitized URLs to router.push/router.replace. This should be restricted to same-origin relative paths, or default to /auth/group.
Medium: ListGroups.tsx does not appear to need "use client". It is session-aware data fetching plus rendering, and the app already has a cookie-backed Supabase server client. This should be an async Server Component instead of fetching in useEffect.
Recommendation
I would keep client code only where browser APIs are genuinely required. In this PR, /auth/group should be server-rendered:
- Use
~/utils/supabase/serverin an async Server Component. - Fetch the current user, groups, and memberships on the server.
- Render empty/not-logged-in states directly.
- Use a colocated
error.tsxfor unexpected failures. The error boundary itself must be client-side, but that keeps"use client"isolated to error UI.
For /auth/token, I would avoid a Client Component entirely if possible. A Route Handler is a better fit:
- Read
tandurlfrom the request. - Validate the token payload.
- Call
auth.setSessionusing the server Supabase client so cookies are set in the response. - Redirect to a sanitized internal path.
- Avoid exposing the token to hydration, analytics, or browser history.
So: we do need "use client" for a Next error boundary, and we would need it if we keep useSearchParams, useRouter, useEffect, or window.history. But for this flow, the better Next.js-specific approach is Server Components plus a Route Handler, not expanding the client boundary.
maparent
force-pushed
the
eng-1719-list-groups-im-a-member-of
branch
from
6326236 to
59041da
Compare
maparent
force-pushed
the
eng-1719-list-groups-im-a-member-of
branch
from
59041da to
97f32fb
Compare
mdroidian
left a comment
mdroidian
left a comment
There was a problem hiding this comment.
Sorry, it doesn't look like the issues in the review comment were addressed. Could you address those please?
|
Ok, I did not see it. After research, I see it is possible to rewrite all that code as server components, but setting that up is a totally distinct task. I'll create it. |
|
Could you elaborate on why it is a distinct task? |
|
I had to rewrite the token route to work server-side. It's a big PR, I'll try to think of ways to break it up tomorrow. |
maparent
force-pushed
the
eng-1719-list-groups-im-a-member-of
branch
from
97f32fb to
1006c5b
Compare
maparent
force-pushed
the
eng-1719-list-groups-im-a-member-of
branch
from
1006c5b to
319e2c6
Compare
maparent
force-pushed
the
eng-1758-vitest-infrastructure
branch
from
4a8f9bd to
8fde609
Compare
maparent
force-pushed
the
eng-1719-list-groups-im-a-member-of
branch
from
319e2c6 to
dea6c28
Compare
maparent
force-pushed
the
eng-1758-vitest-infrastructure
branch
from
8fde609 to
a5c951e
Compare
maparent
force-pushed
the
eng-1758-vitest-infrastructure
branch
from
8fde609 to
a5c951e
Compare
maparent
force-pushed
the
eng-1719-list-groups-im-a-member-of
branch
from
dea6c28 to
f3988c5
Compare
maparent
force-pushed
the
eng-1758-vitest-infrastructure
branch
from
a5c951e to
66a8fe4
Compare
maparent
force-pushed
the
eng-1719-list-groups-im-a-member-of
branch
from
f3988c5 to
7d5a53a
Compare
maparent
force-pushed
the
eng-1719-list-groups-im-a-member-of
branch
from
7d5a53a to
c07b6d5
Compare
|
We are now using the backend client. Added a test. |
|
Here I'm more embarrassed. Again, the PR is over size; a lot of that is due to testing. I do think it would be counter-productive to separate tests in another PR. I do not think it would be very helpful to split this PR in another way, though I could separate account.ts+tests, then all UI. Would that actually be helpful? But I think a generic argument should be made that tests need not the same level of review than the rest of the code, and should actually reduce the review burden; and that their LoC should be counted separately. What do you think? |
The documented limit is:
This PR is +281 -3 I see that as falling within
|
|
Fair. But I think the question of test size needs to be addressed separately. |
|
@codex review |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b561143b28
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| {groupData.map((d) => ( | ||
| <li key={d.id}> | ||
| {adminData[d.id || ""] ? ( | ||
| <Link href={"group/" + d.id!}>{d.name}</Link> |
There was a problem hiding this comment.
Use a root-relative URL here (for example "/group/" + d.id) instead of "group/" + d.id. In Next.js, this current value is resolved relative to the current page (/auth/group), so admins clicking a group name are sent to /auth/group/group/<id> rather than the intended group route, which results in a broken navigation path for the primary admin action on this screen.
Useful? React with 👍 / 👎.
2 participants
https://linear.app/discourse-graphs/issue/ENG-1719/list-groups-im-a-member-of
This creates a vercel page with a group list, which uses the database token set up in ENG-1703.
https://www.loom.com/share/1897670dcaae4908a3fde4ce4cf3c22e