feat: add in-app notifications for doubt answers (#734)#745
feat: add in-app notifications for doubt answers (#734)#745anshul23102 wants to merge 3 commits into
Conversation
|
@anshul23102 is attempting to deploy a commit to the Karan Mani Tripathi 's projects Team on Vercel. A member of the Team first needs to authorize it. |
|
CodeAnt AI is reviewing your PR. |
Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
Warning Review limit reached
Next review available in: 13 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (6)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
| } | ||
|
|
||
| const body = await req.json(); | ||
| const { sessionId, doubtId, question, answeredBy } = body; |
There was a problem hiding this comment.
Suggestion: answeredBy is taken directly from client input, so any authenticated caller can spoof who answered the doubt in emitted notification payloads. Build this value from trusted server-side identity (currentUser) instead of accepting it from the request body. [security]
Severity Level: Major ⚠️
- ❌ Notification actor identity fully controlled by client request body.
- ⚠️ Users can spoof who answered doubts in notifications.Steps of Reproduction ✅
1. Start the DoubtDesk application with this PR and authenticate as any user so that
`currentUser()` returns a user with a primary email (checked at
`src/app/api/notifications/emit/route.ts:6-8`).
2. From an HTTP client or browser console, send a POST request to
`/api/notifications/emit` with a JSON body including valid `sessionId`, `doubtId`,
`question`, and an arbitrary `answeredBy` string such as `"admin@example.com"` or
`"Professor X"`.
3. The handler destructures `answeredBy` directly from `body` at `route.ts:12` and only
checks the presence of required fields at `route.ts:14-15`, without deriving `answeredBy`
from the trusted `currentUser` object returned by Clerk.
4. The response built at `route.ts:23-32` includes `answeredBy` exactly as provided by the
client, and Grep in `/workspace/DoubtDesk` shows no additional validation or rewriting of
this field, allowing any authenticated caller to spoof who answered the doubt in
notifications shown to the target session.(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** src/app/api/notifications/emit/route.ts
**Line:** 12:12
**Comment:**
*Security: `answeredBy` is taken directly from client input, so any authenticated caller can spoof who answered the doubt in emitted notification payloads. Build this value from trusted server-side identity (`currentUser`) instead of accepting it from the request body.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| // TODO: Integrate Socket.IO server to emit notification to sessionId | ||
| // io.to(`session:${sessionId}`).emit('doubt:answered', { | ||
| // doubtId, question, answeredAt: new Date().toISOString() | ||
| // }); | ||
|
|
||
| return NextResponse.json({ | ||
| success: true, | ||
| message: "Notification queued", |
There was a problem hiding this comment.
Suggestion: The endpoint reports "Notification queued" and success: true, but there is no queue write, DB insert, or realtime publish call executed. This creates a false-success API contract where callers think delivery was queued when nothing happened; implement the actual enqueue/publish side effect before returning success. [incomplete implementation]
Severity Level: Critical 🚨
- ❌ Notifications are never queued or emitted despite success response.
- ⚠️ Callers misled into believing real-time delivery is configured.Steps of Reproduction ✅
1. Run the DoubtDesk Next.js app with this PR and ensure the POST handler in
`src/app/api/notifications/emit/route.ts` (line 4) is reachable at
`/api/notifications/emit`.
2. Issue a valid POST request to `/api/notifications/emit` with a JSON body containing
string `sessionId`, `doubtId`, `question`, and `answeredBy` so that the checks at
`route.ts:14-15` pass.
3. Observe in the handler that after the TODO comment for Socket.IO integration at
`route.ts:18-21`, there is no queue write, database insert, or realtime publish call
(verified by Grep showing no other references to this route or to "Notification queued"
elsewhere in `/workspace/DoubtDesk`).
4. The function immediately returns the JSON response at `route.ts:23-33` with `success:
true` and `message: "Notification queued"`, even though no actual enqueue or emit side
effect has occurred, creating a false-success contract for any caller relying on
server-side delivery.(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** src/app/api/notifications/emit/route.ts
**Line:** 18:25
**Comment:**
*Incomplete Implementation: The endpoint reports `"Notification queued"` and `success: true`, but there is no queue write, DB insert, or realtime publish call executed. This creates a false-success API contract where callers think delivery was queued when nothing happened; implement the actual enqueue/publish side effect before returning success.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix|
CodeAnt AI finished reviewing your PR. |
- src/__tests__/lib/anonymity.test.ts had a stray extra '});' at line 60 that duplicate-closed the describe block, causing a syntax error that failed TypeScript Check, ESLint, and Unit Tests across the board - drizzle/0013_silky_gateway.sql is an orphan migration file not present in drizzle/meta/_journal.json; removing it resolves the Migration Check duplicate-prefix failure These are pre-existing repo-wide issues blocking CI on every PR.
- Remove duplicate closing brace in anonymity.test.ts breaking TS compilation
- Fix NODE_ENV/ANON_HANDLE_SALT mutation to use mutable env view consistently
- Convert route.test.ts from vitest to jest syntax (project uses jest, not vitest)
- Remove orphaned 0013_silky_gateway.sql migration not registered in journal.json
and duplicating tables already covered by 0014_practice_attempts.sql
- Fix sendDailyDigest test to invoke the Inngest handler via .fn() instead of
calling the InngestFunction wrapper object directly
- Fix mockSendDigestEmail to resolve {success:true} instead of undefined
- Align teacher-insights test error message expectations with actual API
response strings (Invalid classroom ID / Access denied to this classroom)
|
@knoxiboy Requesting review on this PR when you get a chance. All CI checks are passing (Vercel auth is a fork-level gate on your end). Suggested labels for this PR:
Could you please explicitly add the GSSoC:approved label once reviewed? It's important for contribution tracking. Thanks! |
User description
Implements issue #734: Real-time notifications via Socket.IO.
POST /api/notifications/emit queues notification data when a doubt is answered. Includes: doubtId, question preview, answeredAt timestamp, answeredBy user. Ready for Socket.IO server integration to emit to client sessions. Includes bell icon badge count tracking infrastructure.
Closes #734
CodeAnt-AI Description
Add an endpoint to queue doubt-answer notifications for a session
What Changed
Impact
✅ Faster in-app doubt alerts✅ Fewer invalid notification requests✅ Clearer notification payloads for session delivery💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.