
cleanup #660

Merged
ashwin31 merged 3 commits into master from sf_import on Feb 24, 2026

Conversation

ashwin31 (Member) commented Feb 24, 2026

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced email validation to reject disposable email domains during authentication requests.
  • Chores
    • Updated frontend and backend dependencies to latest stable versions.
  • Removed Features
    • Removed email/password login functionality. Authentication now exclusively uses magic links.

Copilot AI review requested due to automatic review settings February 24, 2026 02:27
coderabbitai bot commented Feb 24, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3076b16 and bfa40ca.

⛔ Files ignored due to path filters (1)
  • frontend/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (11)
  • backend/common/middleware/get_company.py
  • backend/common/middleware/rls_context.py
  • backend/common/serializer.py
  • backend/common/tests/test_auth.py
  • backend/common/tests/test_multitenancy.py
  • backend/common/urls.py
  • backend/common/views/auth_views.py
  • backend/requirements.txt
  • frontend/package.json
  • frontend/src/lib/api.js
  • mobile/lib/config/api_config.dart

📝 Walkthrough

This PR removes the email/password login endpoint across backend, frontend, and mobile layers. It eliminates the LoginView class and LoginSerializer, removes login/register from JWT and organization context exemptions in middleware, removes related tests, and adds disposable email domain validation to magic-link requests via a new dependency.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Backend Middleware: backend/common/middleware/get_company.py, backend/common/middleware/rls_context.py | Removed /api/auth/login/ and /api/auth/register/ from JWT validation and organization context exemption lists. These endpoints now undergo standard authentication checks instead of bypassing them. |
| Backend Auth Views & Serializers: backend/common/views/auth_views.py, backend/common/serializer.py | Removed LoginView class and LoginSerializer. Added validate_email() method to MagicLinkRequestSerializer to block disposable email domains using a new blocklist import. |
| Backend Routes & Configuration: backend/common/urls.py, backend/requirements.txt | Removed LoginView import and /api/auth/login/ URL pattern. Added disposable-email-domains>=0.0.162 dependency. |
| Backend Tests: backend/common/tests/test_auth.py, backend/common/tests/test_multitenancy.py | Removed TestLoginView test suite and TestLoginWithOrgContext test class, eliminating all login endpoint and login-with-org-context tests. |
| Frontend: frontend/src/lib/api.js, frontend/package.json | Removed login() method from auth API object. Updated devDependencies: @sveltejs/kit, @sveltejs/vite-plugin-svelte, @tailwindcss/vite, bits-ui, eslint, svelte, svelte-check, tailwindcss to latest patch/minor versions. |
| Mobile: mobile/lib/config/api_config.dart | Removed static login and register endpoint getter methods from ApiConfig class. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

  • PR #565: Modifies EXEMPT_PATHS in backend/common/middleware/rls_context.py similarly, altering which auth endpoints bypass org-context checks.
  • PR #584: Modifies the same auth-related backend modules (middleware, serializers) affecting JWT validation and auth flow behavior.

Poem

🐰 The login door swings closed today,
Magic links now light the way,
No more passwords, old and weary,
Disposable emails? Too dreary!
The auth flows hop to something new.


@ashwin31 ashwin31 merged commit ae947ba into master Feb 24, 2026
5 of 6 checks passed
@ashwin31 ashwin31 deleted the sf_import branch February 24, 2026 02:28

Copilot AI left a comment


Pull request overview

This PR removes the email/password authentication flow from the application, consolidating authentication to use only magic links and Google OAuth. The cleanup removes unused backend endpoints, serializers, tests, and frontend/mobile API configurations. Additionally, it adds disposable email domain validation to the magic link authentication flow to prevent abuse.

Changes:

  • Removed LoginView backend endpoint and all related email/password login functionality
  • Removed registration endpoint references from mobile and middleware configurations
  • Added disposable email domain blocking to magic link requests using the disposable-email-domains library

Reviewed changes

Copilot reviewed 11 out of 12 changed files in this pull request and generated 2 comments.

Show a summary per file
| File | Description |
|---|---|
| backend/common/views/auth_views.py | Removed LoginView class that handled email/password authentication |
| backend/common/urls.py | Removed login endpoint URL pattern and LoginView import |
| backend/common/serializer.py | Removed LoginSerializer and authenticate import; added disposable email validation to MagicLinkRequestSerializer |
| backend/common/middleware/rls_context.py | Removed login and register paths from exempt paths list |
| backend/common/middleware/get_company.py | Removed login and register paths from auth skip paths |
| backend/common/tests/test_multitenancy.py | Removed TestLoginWithOrgContext test class |
| backend/common/tests/test_auth.py | Removed TestLoginView test class and updated file docstring |
| backend/requirements.txt | Added disposable-email-domains>=0.0.162 dependency |
| frontend/src/lib/api.js | Removed auth.login() method implementation |
| mobile/lib/config/api_config.dart | Removed login and register endpoint getters |
Files not reviewed (1)
  • frontend/pnpm-lock.yaml: Language not supported


Comment on lines +596 to +602
```python
def validate_email(self, value):
    domain = value.rsplit("@", 1)[-1].lower()
    if domain in disposable_domains:
        raise serializers.ValidationError(
            "Disposable email addresses are not allowed."
        )
    return value
```

Copilot AI Feb 24, 2026


The disposable email validation added to MagicLinkRequestSerializer is a good security improvement, but it lacks test coverage. Consider adding tests to verify that disposable email domains are properly rejected and legitimate domains are allowed. This is especially important since the existing test file (backend/common/tests/test_magic_link.py) has comprehensive tests for other aspects of magic link functionality but doesn't test this validation.

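The tests Copilot asks for above, as an added example that is not part of the PR or the project's code: a framework-free stand-in for the reviewed validate_email() method with a constructed blocklist (the real method reads the disposable_domains set imported from the disposable-email-domains package and raises serializers.ValidationError), exercised on both branches, on the .lower() normalisation, and on a subdomain case that records what the exact-domain lookup currently does.

```python
# Added example, not code from the PR. DISPOSABLE_DOMAINS is a constructed
# blocklist with placeholder domains; the real serializer uses the
# `disposable_domains` set from the disposable-email-domains package.
DISPOSABLE_DOMAINS = {"tempmail.example", "throwaway.example"}


class DisposableEmailError(ValueError):
    """Stand-in for serializers.ValidationError in this example."""


def validate_email(value: str, blocklist=DISPOSABLE_DOMAINS) -> str:
    """Same logic as the serializer method: take the part after the last '@',
    lower-case it and reject it if it is an exact member of the blocklist."""
    domain = value.rsplit("@", 1)[-1].lower()
    if domain in blocklist:
        raise DisposableEmailError("Disposable email addresses are not allowed.")
    return value


def is_accepted(value: str) -> bool:
    """True if validate_email accepts the address, False if it rejects it."""
    try:
        validate_email(value)
    except DisposableEmailError:
        return False
    return True


def run_cases() -> dict:
    """Constructed cases; maps each address to whether the observed outcome
    matched the expected one. All four should be True."""
    cases = {
        "alice@corp.example": True,         # legitimate domain is allowed
        "bob@tempmail.example": False,      # exact blocklist hit is rejected
        "Carol@THROWAWAY.EXAMPLE": False,   # domain is lower-cased before lookup
        "dave@sub.tempmail.example": True,  # subdomains are not matched by the
                                            # exact lookup; a case worth pinning
                                            # in the test suite either way
    }
    return {addr: is_accepted(addr) == expected for addr, expected in cases.items()}


if __name__ == "__main__":
    for addr, ok in run_cases().items():
        print(f"{addr:28} {'ok' if ok else 'MISMATCH'}")
```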
django_storages==1.14.6

django-crum==0.7.9
disposable-email-domains>=0.0.162

Copilot AI Feb 24, 2026


The version specification for disposable-email-domains uses '>=' which is inconsistent with the rest of the requirements.txt file where all other dependencies use exact version pinning with '=='. While using '>=' makes sense for a data-only package that frequently updates its blocklist, it could introduce unexpected changes. Consider using '==' for consistency and predictability, updating the version periodically when needed, or adding a comment explaining why this package needs flexible versioning.

Suggested change
disposable-email-domains>=0.0.162
disposable-email-domains==0.0.162

2 participants