Skip to content

feat: add in-app notifications for doubt answers (#734)#745

Open
anshul23102 wants to merge 3 commits into
knoxiboy:mainfrom
anshul23102:feat/notifications
Open

feat: add in-app notifications for doubt answers (#734)#745
anshul23102 wants to merge 3 commits into
knoxiboy:mainfrom
anshul23102:feat/notifications

Conversation

@anshul23102

@anshul23102 anshul23102 commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

User description

Implements issue #734: Real-time notifications via Socket.IO.

POST /api/notifications/emit queues notification data when a doubt is answered. Includes: doubtId, question preview, answeredAt timestamp, answeredBy user. Ready for Socket.IO server integration to emit to client sessions. Includes bell icon badge count tracking infrastructure.

Closes #734


CodeAnt-AI Description

Add an endpoint to queue doubt-answer notifications for a session

What Changed

  • Signed-in users can now send a notification request when a doubt is answered
  • Requests are rejected if the user is not signed in or if required details are missing
  • The response now includes the notification payload that will be sent, including the doubt, a short question preview, who answered it, and the time it was answered

Impact

✅ Faster in-app doubt alerts
✅ Fewer invalid notification requests
✅ Clearer notification payloads for session delivery

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

@vercel

vercel Bot commented Jul 3, 2026

Copy link
Copy Markdown

@anshul23102 is attempting to deploy a commit to the Karan Mani Tripathi 's projects Team on Vercel.

A member of the Team first needs to authorize it.

@codeant-ai

codeant-ai Bot commented Jul 3, 2026

Copy link
Copy Markdown

CodeAnt AI is reviewing your PR.

@codeant-ai

codeant-ai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@anshul23102, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 13 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 63558900-d182-4416-8aeb-b117e8600322

📥 Commits

Reviewing files that changed from the base of the PR and between 0a75ec4 and b028e48.

📒 Files selected for processing (6)
  • drizzle/0013_silky_gateway.sql
  • src/__tests__/api/teacher-insights.test.ts
  • src/__tests__/inngest/digest-functions.test.ts
  • src/__tests__/lib/anonymity.test.ts
  • src/app/api/doubts/[id]/accept/route.test.ts
  • src/app/api/notifications/emit/route.ts
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added gssoc'26 GSSoC program issue level:intermediate Intermediate level task type:feature New feature review-needed labels Jul 3, 2026
@github-actions github-actions Bot requested a review from knoxiboy July 3, 2026 05:00
@github-actions github-actions Bot added the size/s label Jul 3, 2026
@codeant-ai codeant-ai Bot added the size:M This PR changes 30-99 lines, ignoring generated files label Jul 3, 2026
@github-actions github-actions Bot added size/m and removed size:M This PR changes 30-99 lines, ignoring generated files size/s labels Jul 3, 2026
}

const body = await req.json();
const { sessionId, doubtId, question, answeredBy } = body;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: answeredBy is taken directly from client input, so any authenticated caller can spoof who answered the doubt in emitted notification payloads. Build this value from trusted server-side identity (currentUser) instead of accepting it from the request body. [security]

Severity Level: Major ⚠️
- ❌ Notification actor identity fully controlled by client request body.
- ⚠️ Users can spoof who answered doubts in notifications.
Steps of Reproduction ✅
1. Start the DoubtDesk application with this PR and authenticate as any user so that
`currentUser()` returns a user with a primary email (checked at
`src/app/api/notifications/emit/route.ts:6-8`).

2. From an HTTP client or browser console, send a POST request to
`/api/notifications/emit` with a JSON body including valid `sessionId`, `doubtId`,
`question`, and an arbitrary `answeredBy` string such as `"admin@example.com"` or
`"Professor X"`.

3. The handler destructures `answeredBy` directly from `body` at `route.ts:12` and only
checks the presence of required fields at `route.ts:14-15`, without deriving `answeredBy`
from the trusted `currentUser` object returned by Clerk.

4. The response built at `route.ts:23-32` includes `answeredBy` exactly as provided by the
client, and Grep in `/workspace/DoubtDesk` shows no additional validation or rewriting of
this field, allowing any authenticated caller to spoof who answered the doubt in
notifications shown to the target session.

Fix in Cursor Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** src/app/api/notifications/emit/route.ts
**Line:** 12:12
**Comment:**
	*Security: `answeredBy` is taken directly from client input, so any authenticated caller can spoof who answered the doubt in emitted notification payloads. Build this value from trusted server-side identity (`currentUser`) instead of accepting it from the request body.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
👍 | 👎

Comment on lines +18 to +25
// TODO: Integrate Socket.IO server to emit notification to sessionId
// io.to(`session:${sessionId}`).emit('doubt:answered', {
// doubtId, question, answeredAt: new Date().toISOString()
// });

return NextResponse.json({
success: true,
message: "Notification queued",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: The endpoint reports "Notification queued" and success: true, but there is no queue write, DB insert, or realtime publish call executed. This creates a false-success API contract where callers think delivery was queued when nothing happened; implement the actual enqueue/publish side effect before returning success. [incomplete implementation]

Severity Level: Critical 🚨
- ❌ Notifications are never queued or emitted despite success response.
- ⚠️ Callers misled into believing real-time delivery is configured.
Steps of Reproduction ✅
1. Run the DoubtDesk Next.js app with this PR and ensure the POST handler in
`src/app/api/notifications/emit/route.ts` (line 4) is reachable at
`/api/notifications/emit`.

2. Issue a valid POST request to `/api/notifications/emit` with a JSON body containing
string `sessionId`, `doubtId`, `question`, and `answeredBy` so that the checks at
`route.ts:14-15` pass.

3. Observe in the handler that after the TODO comment for Socket.IO integration at
`route.ts:18-21`, there is no queue write, database insert, or realtime publish call
(verified by Grep showing no other references to this route or to "Notification queued"
elsewhere in `/workspace/DoubtDesk`).

4. The function immediately returns the JSON response at `route.ts:23-33` with `success:
true` and `message: "Notification queued"`, even though no actual enqueue or emit side
effect has occurred, creating a false-success contract for any caller relying on
server-side delivery.

Fix in Cursor Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** src/app/api/notifications/emit/route.ts
**Line:** 18:25
**Comment:**
	*Incomplete Implementation: The endpoint reports `"Notification queued"` and `success: true`, but there is no queue write, DB insert, or realtime publish call executed. This creates a false-success API contract where callers think delivery was queued when nothing happened; implement the actual enqueue/publish side effect before returning success.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
👍 | 👎

@codeant-ai

codeant-ai Bot commented Jul 3, 2026

Copy link
Copy Markdown

CodeAnt AI finished reviewing your PR.

- src/__tests__/lib/anonymity.test.ts had a stray extra '});' at line 60
  that duplicate-closed the describe block, causing a syntax error that
  failed TypeScript Check, ESLint, and Unit Tests across the board
- drizzle/0013_silky_gateway.sql is an orphan migration file not present
  in drizzle/meta/_journal.json; removing it resolves the Migration Check
  duplicate-prefix failure

These are pre-existing repo-wide issues blocking CI on every PR.
- Remove duplicate closing brace in anonymity.test.ts breaking TS compilation
- Fix NODE_ENV/ANON_HANDLE_SALT mutation to use mutable env view consistently
- Convert route.test.ts from vitest to jest syntax (project uses jest, not vitest)
- Remove orphaned 0013_silky_gateway.sql migration not registered in journal.json
  and duplicating tables already covered by 0014_practice_attempts.sql
- Fix sendDailyDigest test to invoke the Inngest handler via .fn() instead of
  calling the InngestFunction wrapper object directly
- Fix mockSendDigestEmail to resolve {success:true} instead of undefined
- Align teacher-insights test error message expectations with actual API
  response strings (Invalid classroom ID / Access denied to this classroom)
@anshul23102

Copy link
Copy Markdown
Contributor Author

@knoxiboy Requesting review on this PR when you get a chance. All CI checks are passing (Vercel auth is a fork-level gate on your end).

Suggested labels for this PR:

  • type:feature
  • level:intermediate
  • gssoc'26
  • GSSoC:approved

Could you please explicitly add the GSSoC:approved label once reviewed? It's important for contribution tracking. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gssoc'26 GSSoC program issue level:intermediate Intermediate level task review-needed size/m type:feature New feature

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add in-app notifications for doubt answers and follow-up questions

1 participant