Skip to content

Address code review comments: security, performance, and bug fixes #969

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ebma merged 8 commits into from
Dec 16, 2025
Merged

Address code review comments: security, performance, and bug fixes #969

ebma merged 8 commits into from
Dec 16, 2025

Conversation

Copy link
Contributor

Copilot AI commented Dec 15, 2025
edited
Loading

Addresses 10 review comments from PR #912 covering security vulnerabilities, performance bottlenecks, and runtime bugs.

Security

  • Truncate auth tokens in logs to prevent exposure (optionalAuth middleware now logs Bearer eyJhbGc...xyz instead of full token)
  • Add validation requiring authenticated user before creating tax_id records (removes @ts-ignore, adds 401 response)
  • Document localStorage XSS vulnerability with mitigation recommendations

Performance

  • Replace listUsers() scan with direct profile table query in checkUserExists() (O(1) vs O(n))
  • Use PostgreSQL <12 compatible enum value check via pg_enum table

Bug Fixes

  • Fix infinite loop: use useRef to track session restoration instead of isAuthenticated dependency
  • Fix handleUrlTokens() returning incomplete AuthTokens object with empty user_id
  • Fix form submission breaking Enter key: change button to type="submit" with form id reference
  • Use sentinel UUID 00000000-0000-0000-0000-000000000001 for migration placeholder instead of random UUID

UX

  • Increase email OTP rate limit from 2 to 10 per hour

Example of the auth validation fix:

// Before: creates record with potentially undefined userId
await TaxId.create({
  // @ts-ignore
  userId: req.userId  // may be undefined with optionalAuth
});

// After: validates authentication requirement
if (!req.userId) {
  res.status(401).json({ error: "Authentication required" });
  return;
}
await TaxId.create({ userId: req.userId });  // type-safe

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI mentioned this pull request Dec 15, 2025
Open
@netlify
Copy link

netlify bot commented Dec 15, 2025
edited
Loading

Deploy Preview for vortex-sandbox ready!

Name Link
🔨 Latest commit ca868ef
🔍 Latest deploy log https://app.netlify.com/projects/vortex-sandbox/deploys/694112b7edbc390008ab63ec
😎 Deploy Preview https://deploy-preview-969--vortex-sandbox.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Copilot AI changed the title [WIP] Add account creation to Vortex Address code review comments: security, performance, and bug fixes Dec 15, 2025
Copilot AI requested a review from ebma December 15, 2025 11:04
@ebma ebma marked this pull request as ready for review December 15, 2025 15:36
@ebma ebma merged commit 70568bd into 882-account-creation-on-vortex Dec 16, 2025
3 of 4 checks passed
@ebma ebma deleted the copilot/sub-pr-912 branch December 16, 2025 08:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@ebma ebma ebma approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@ebma ebma

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ebma