@codeunia-dev codeunia-dev commented Sep 8, 2025

Summary by CodeRabbit

  • New Features
    • Added Admin Settings dashboard with cards for Security, Database, Users, Notifications, and General.
    • Added Admin Test Management page integrating the Test Manager.
  • Security
    • Updated Content Security Policy to support Cloudflare Insights and development domains; allows inline/eval scripts where required.
  • Refactor
    • Optimized leaderboard API to reuse a single database client for improved efficiency.
  • Chores
    • Updated CI/CD workflows to use job-level outputs for Lighthouse tests.

Deepak Pandey added 2 commits September 8, 2025 14:16
- Updated CSP configuration in lib/security/csp-config.ts to allow Cloudflare Insights
- Added 'unsafe-inline' and 'unsafe-eval' to script-src for Next.js compatibility
- Added https://static.cloudflareinsights.com to script-src for Cloudflare Analytics
- Created missing admin routes: /admin/test and /admin/settings
- Fixed 404 errors for admin navigation links
- This resolves all CSP violations and missing route errors

- Fixed GitHub Actions workflow to use 'needs.deploy-production.outputs.deployment-url' instead of 'steps.deploy-production.outputs.deployment-url'
- Fixed both production and staging Lighthouse CI configurations
- This resolves the 'INVALID_URL' error where Lighthouse was trying to test empty URLs
- The deployment URL is now properly passed from the deployment job to the performance monitoring job

coderabbitai bot commented Sep 8, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

Updates CI to source deployment URLs via needs.* job outputs. Adds two new admin pages (settings and test). Refactors two leaderboard API routes to use a module-scoped Supabase admin client instead of per-request initialization. Adjusts CSP policies to allow additional script/style sources and Cloudflare Insights.

Changes

| Cohort / File(s) | Summary of changes |
|---|---|
| CI: Lighthouse URL sourcing (.github/workflows/ci-cd.yml) | Switched Lighthouse steps from steps.deploy-<env>.outputs.deployment-url to needs.deploy-<env>.outputs.deployment-url in config generation and echo logs; control flow unchanged. |
| Admin UI pages (app/admin/settings/page.tsx, app/admin/test/page.tsx) | Added stateless Next.js pages: a System Settings dashboard with cards; a Test Management wrapper rendering TestManager. |
| Leaderboard API: Supabase client singleton (app/api/leaderboard/stats/route-unified.ts, app/api/leaderboard/user/[userId]/route-unified.ts) | Replaced per-request client creation with a module-scoped supabaseAdmin initialized from env vars; handlers now reuse this instance; route logic otherwise unchanged. |
| Security: CSP adjustments (lib/security/csp-config.ts) | Expanded script-src/style-src: allow 'unsafe-inline'/'unsafe-eval' where specified; added Cloudflare Insights and Vercel live/script domains; updated comments. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  autonumber
  actor U as User
  participant R as Next.js Route (GET /leaderboard/...)
  participant S as supabaseAdmin (module-scoped)
  participant DB as Database

  Note over R,S: Module load
  R->>S: import supabaseAdmin (initialized from env)
  Note over S: Singleton client

  U->>R: HTTP GET request
  R->>S: Query user_points / profiles
  S->>DB: SQL (select, aggregate)
  DB-->>S: Rows / aggregates
  S-->>R: Data
  R-->>U: JSON response (stats/user data)
```
```mermaid
sequenceDiagram
  autonumber
  participant GH as GitHub Actions
  participant D as deploy-<env> Job
  participant L as Lighthouse Job

  GH->>D: Run deployment
  D-->>GH: Output deployment-url
  GH->>L: Start LHCI with needs.deploy-<env>.outputs.deployment-url
  L->>L: Generate lighthouserc-*.js using needs.* output
  L-->>GH: CI results
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

A bunny taps the pipeline keys,
Needs.* whispers pass with ease.
New pages bloom in admin light,
A singleton sails queries right.
CSP widens, skies grow clear—
Hippity-hop, ship it near! ✨🐇


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8c7d5b6 and f39312b.

📒 Files selected for processing (6)
  • .github/workflows/ci-cd.yml (4 hunks)
  • app/admin/settings/page.tsx (1 hunks)
  • app/admin/test/page.tsx (1 hunks)
  • app/api/leaderboard/stats/route-unified.ts (1 hunks)
  • app/api/leaderboard/user/[userId]/route-unified.ts (1 hunks)
  • lib/security/csp-config.ts (2 hunks)

@codeunia-dev codeunia-dev merged commit 47bad22 into main Sep 8, 2025
2 of 4 checks passed
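
Added example, not code from this pull request or the project: the commits above add 'unsafe-inline' and 'unsafe-eval' to script-src, and this TypeScript audit function shows what a review check on that directive reports, next to a nonce-based policy that keeps the Cloudflare Insights host. Both policy strings and the nonce value are constructed for illustration and are not the contents of lib/security/csp-config.ts; `parseCsp` and `auditScriptSrc` are hypothetical names.

```typescript
// Added example: flag script-src weaknesses in a CSP header value.
type Finding = { source: string; issue: string };

// Parse "name v1 v2; name2 v3" into directive -> source list.
function parseCsp(policy: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (!out.has(name)) out.set(name, tokens.slice(1));
  }
  return out;
}

function auditScriptSrc(policy: string): Finding[] {
  const csp = parseCsp(policy);
  // script-src falls back to default-src when it is absent.
  const sources = csp.get("script-src") ?? csp.get("default-src");
  if (sources === undefined) {
    return [{ source: "(none)", issue: "no script-src or default-src: scripts are unrestricted" }];
  }
  // A nonce or hash makes browsers ignore 'unsafe-inline' (CSP Level 2+).
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  const findings: Finding[] = [];
  for (const raw of sources) {
    const s = raw.toLowerCase();
    if (s === "'unsafe-inline'" && !hasNonceOrHash) {
      findings.push({ source: raw, issue: "any injected inline <script> or event handler runs" });
    } else if (s === "'unsafe-eval'") {
      findings.push({ source: raw, issue: "eval(), new Function() and string timers are allowed" });
    } else if (s === "*" || s === "https:" || s === "http:" || s === "data:") {
      findings.push({ source: raw, issue: "scheme-only or wildcard source matches almost any script URL" });
    }
  }
  return findings;
}

// Constructed policies (assumptions, not the contents of csp-config.ts).
const RELAXED_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://static.cloudflareinsights.com";
const NONCE_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-CONSTRUCTED_PER_REQUEST_VALUE' https://static.cloudflareinsights.com";

const relaxedFindings = auditScriptSrc(RELAXED_POLICY); // two findings
const nonceFindings = auditScriptSrc(NONCE_POLICY); // none
```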

vercel bot commented Sep 8, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| codeunia | Building | Preview | Comment | Sep 8, 2025 8:49am |
