Cursor/critical correctness bugs 3a41 #64
Co-authored-by: Cole Collins <DealPatrol@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This pull request has been ignored for the connected project Preview Branches by Supabase.
Pull request overview
This PR aims to address critical correctness/security issues in authentication redirects and Stripe webhook processing by adding return URL sanitization, tightening cookie/token validation, and refactoring Stripe webhook handling to persist subscription state and grant credits.
Changes:
- Added `sanitizeReturnTo` and wired it into GitHub OAuth login/callback to prevent unsafe redirect targets.
- Tightened `getCurrentUser()` cookie/token validation to avoid accepting a DB user row when the request cookie token doesn't match.
- Refactored Stripe webhook route to map Stripe events into subscription/user billing updates and credit grants.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| lib/auth.ts | Adds return-to sanitization helper and strengthens current-user validation against cookie token mismatches. |
| app/api/auth/github/login/route.ts | Uses sanitizeReturnTo when persisting the OAuth “return to” location in cookies. |
| app/api/auth/github/callback/route.ts | Uses sanitizeReturnTo when reading the OAuth “return to” cookie before redirecting. |
| app/api/stripe/webhook/route.ts | Attempts major webhook refactor, but the file appears to contain unresolved merge/corruption (imports inside functions, duplicate handlers, mismatched braces) that will break compilation. |
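The return-URL sanitization the summary describes, written out as an added TypeScript example; this is not the PR's own `lib/auth.ts`, only the function name `sanitizeReturnTo` comes from the review, and the fallback path and the fixed parse origin are assumptions:

```typescript
// Added example (not the PR's lib/auth.ts): a "return to" sanitizer for the
// open-redirect class the review summary describes. Names are assumptions.
const FALLBACK_PATH = '/';
// Fixed, non-routable origin used only so the WHATWG parser can normalise input.
const PARSE_BASE = 'https://app.invalid';

function tryParse(raw: string): URL | null {
  try {
    return new URL(raw, PARSE_BASE);
  } catch {
    return null;
  }
}

// Returns a same-origin, path-only redirect target, or FALLBACK_PATH.
function sanitizeReturnTo(raw: string | null | undefined): string {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    return FALLBACK_PATH;
  }
  // Require a rooted path. This alone rejects absolute URLs ("https://..."),
  // scheme-only inputs ("javascript:...") and bare relative paths.
  if (!raw.startsWith('/')) return FALLBACK_PATH;
  // Reject control characters, whitespace and backslashes outright: browsers
  // treat "\" as "/" and strip tabs/newlines, so "/\evil" or "/\t/evil" become
  // protocol-relative URLs after normalisation.
  if (/[\u0000-\u0020\u007F\\]/.test(raw)) return FALLBACK_PATH;

  const parsed = tryParse(raw);
  if (!parsed) return FALLBACK_PATH;
  // "//evil.example" parses as an authority, so the origin changes.
  if (parsed.origin !== PARSE_BASE) return FALLBACK_PATH;
  // Defence in depth: a normalised path still starting with "//" would be
  // re-read as protocol-relative when echoed in a Location header.
  if (parsed.pathname.startsWith('//')) return FALLBACK_PATH;
  // Rebuild from parsed parts (dropping any fragment) instead of echoing input.
  return parsed.pathname + parsed.search;
}

// Constructed inputs illustrating accepted and rejected targets.
const samples: Array<string | null> = [
  '/dashboard?tab=billing', '//evil.example/', '/\\evil.example',
  'https://evil.example/x', '/%2F%2Fevil.example', '/ok#frag', null,
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', sanitizeReturnTo(s));
}
```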
| function parseGithubId(value: string | number | null | undefined): number | null { | ||
| if (value === null || value === undefined) { | ||
| return null | ||
| import { getStripe } from '@/lib/stripe' | ||
| import { upsertSubscription, getSubscriptionByStripeCustomerId, getUserByGithubId } from '@/lib/queries' |
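Review bot: the two `import` lines land directly after `return null` inside the body of `parseGithubId`, which is invalid TypeScript (imports must be at module top level) and matches the "imports inside functions" failure called out in the review table. Move `import { getStripe } from '@/lib/stripe'` and the `@/lib/queries` import to the top of `app/api/stripe/webhook/route.ts` and close the `if` block and the function before them, then re-run the type check to catch the remaining duplicate handlers and brace mismatches.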
| export async function POST(request: NextRequest) { | ||
| const body = await request.text() | ||
| const signature = request.headers.get('stripe-signature') | ||
|
|
||
| if (!signature || !process.env.STRIPE_WEBHOOK_SECRET || !process.env.STRIPE_SECRET_KEY) { |
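Review bot: the guard on `!signature || !process.env.STRIPE_WEBHOOK_SECRET || !process.env.STRIPE_SECRET_KEY` lumps a client-side problem (missing `stripe-signature` header, a 400) together with server misconfiguration (missing secrets, which should surface as a 500 and be logged at startup or on first use), so an operator cannot tell from the response which one happened. Split the two conditions so a missing header is rejected as a bad request and a missing secret fails closed with a distinct status and log line; reading the raw body with `request.text()` before verification is the right input for the signature check and should stay as is.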