Revert "feat: add CI pipeline with lint, typecheck, test, and PR title enforc…"#445
Merged
Conversation
This reverts commit c535f20.
Harxhit approved these changes Jun 1, 2026
Harxhit added a commit that referenced this pull request Jun 3, 2026
* docs: add Discord community invitation link to README and CONTRIBUTING.md (#131)
* feat: add copy profile link button (#120) Co-authored-by: Amrit <amrit@example.com>
* fix: use randomBytes() instead of Math.random() for OAuth state generation (#145)
* fix: pass JWT via URL fragment instead of query param in mobile redirect (#146)
* feat: add themed custom scrollbar (#169) Replace the default browser scrollbar with a custom themed one that matches DevCard's brand gradient. CSS-only, no JavaScript.
  - WebKit/Chromium/Safari: gradient thumb (primary -> accent), themed track, hover state with glow.
  - Firefox: scrollbar-width thin + scrollbar-color using the same theme variables (solid thumb fallback since gradients aren't supported).
  - Reuses existing --primary/--accent/--bg-secondary/--primary-glow CSS variables so light/dark mode just work.
  Closes #151. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Improve mobile UI/UX responsiveness and layout consistency (#129)
* Improve mobile UI/UX responsiveness and layout consistency
* Remove unnecessary package-lock.json
* fix(backend): add and configure ESLint for backend workspace (#150)
* chore(backend): add and configure ESLint for backend workspace
* fix(backend): align Prisma versions
* Revert "fix(backend): add and configure ESLint for backend workspace (#150)" (#176) This reverts commit d6afc79.
* fix: improve mobile layout for features section (#184)
* fix(follow): use boolean flag instead of reply.statusCode for success logging (#172) reply.statusCode defaults to 200 before any response is sent, so the previous check always evaluated to true and logged failed follows as success. followGitHub now returns { success, response } so the caller can log based on the actual API outcome. Closes #148
* feat(events): add event creation, attendee management, and public event APIs (#139)
* docs: add Discord community invitation link to README and CONTRIBUTING.md
* git commit -m "feat(events-api): implement event management REST API with Prisma models"
* fix: revert changes to align with repository tech stack
* fix: Revert changes
* fix: add location field to schema and update API, validation, and tests
* fix: remove accidental schema.prisma file
* fix: Updated schema with location in event
* chore: add typed Fastify augmentation and global error handler utilities (#192)
* fix(backend): add and configure ESLint for backend workspace (#181)
* feat: hybrid follow engine — LinkedIn WebView interaction, session management & deep-link fallback (#177)
* feat: Layer 2 WebView Follow Engine — LinkedIn In-App Connect + Session Management
* fix: resolve TypeScript compilation issues and restore settings navigation
* feat: WebView LinkedIn Connect Engine + Follow system (Section 6.9)
  - Backend: followRoutes returns webview strategy for LinkedIn/Twitter platforms
  - Backend: POST /api/follow/:platform/:targetUsername/log for telemetry
  - Backend: DELETE /api/follow/:platform/:targetUsername/log to reset Done state
  - Backend: public profile now returns followed:true for previously connected links
  - Backend: auth improvements — encode mobile redirect URI in OAuth state
  - Mobile: WebViewScreen — full LinkedIn JS injection engine with polling, MutationObserver, visibilitychange, popstate, and injectedJSBeforeContentLoaded
  - Mobile: DevCardViewScreen — premium UI, emoji icons, brand-colored buttons, Done tile with long-press reset, GitHub browser fallback
  - Mobile: HomeScreen — username search bar to view any DevCard profile
  - Mobile: App.tsx — hash fragment token extraction for OAuth deep links
  - Mobile: config.ts — auto-detects LAN IP via Expo Constants for Expo Go
  - Mobile: Expo migration — index.js, metro.config.js, babel.config.js, app.json
  - Tests: new follow.test.ts cases for webview strategy and log endpoint
  - Docs: README updated with telemetry and fallback overlay details
  - Config: docker-compose port 5433, .env.example LAN IP placeholders
* fix: address PR review comments from Harxhit
  - prisma.ts: replace authenticate:any with proper typed signature (request: FastifyRequest, reply: FastifyReply) => Promise<void>
  - auth.ts: replace err as any with instanceof Error check in both GitHub and Google OAuth catch blocks for type-safe error handling
  - Skeleton.tsx: replace width/height as any with DimensionValue type from react-native to preserve TypeScript safety
* fix: address remaining PR review comments from Harxhit
  - connect.ts: replace err as any with instanceof Error check in GitHub connect catch block (same pattern as auth.ts fix)
  - MainTabs.tsx: extract WebViewConnect params into standalone exported type WebViewConnectParams for reusability and future maintainability
  - profiles.test.ts: replace mockPrisma as any with Pick<PrismaClient,'user'> and unknown cast to preserve TypeScript safety in tests
* implement rate limiting for public profile endpoints (#72) Signed-off-by: Parth Patidar <parth11.patidar@gmail.com>
* Feat/nfc payload endpoint (#189)
* feat: add context-card diffing utility and validation layer
* feat: add NFC tag payload generation endpoint with card ownership validation
* fix: add Zod query validation and improve error handling in NFC route
* fix: resolve merge conflicts in app.ts
* fix: add typed response schema NfcPayloadResponse
* fix: remove typo in import statement in cards.ts
* refactor: narrow try catch scope in NFC payload route
* fix(connect): add missing randomBytes import and rename parseGoogleState (#211) randomBytes was used in generateState() without being imported from crypto, causing a ReferenceError crash on any GET /connect/github request. Also renamed parseGoogleState to parseOAuthState since the function is exclusively used in the GitHub connect flow — Google connect does not exist in this file. Closes #178 Signed-off-by: Prashantkumar Khatri <96608160+ShantKhatri@users.noreply.github.com> Co-authored-by: Prashantkumar Khatri <96608160+ShantKhatri@users.noreply.github.com>
* pnpm-lock file added (#220)
* fix(auth): encrypt OAuth tokens using encryption utility directly (#144)
* fix(auth): encrypt OAuth tokens using encryption utility directly auth.ts silently stored GitHub OAuth access tokens as plaintext because the encryption check relied on a non-existent `app.encryption` Fastify decorator - the condition always evaluated false, falling back to the raw token. connect.ts called `app.encryption.encrypt()` directly, throwing a TypeError at runtime and breaking the GitHub connect flow entirely. Both routes now import `encrypt()` directly from utils/encryption.ts, consistent with how follow.ts already imports `decrypt()` from the same module.
* fix(auth): isolate OAuth token persistence with focused try/catch Wrap the encrypt + oAuthToken.upsert block in its own try/catch so that a transient DB failure during token storage does not abort the login flow. The platform token is supplementary -- authentication (JWT issuance) proceeds even when persistence fails, and the error is logged for observability. Addresses reviewer feedback on PR #144. --------- Signed-off-by: Prashantkumar Khatri <96608160+ShantKhatri@users.noreply.github.com> Co-authored-by: Prashantkumar Khatri <96608160+ShantKhatri@users.noreply.github.com>
* fix(auth): validate OAuth state cookie to prevent CSRF attacks (#171) Following PA instructions merge conflicts are fixed.
* fix: resolve ESLint issues in apps/backend/src/routes/cards.ts (#228)
* fix: resolve ESLint issues in apps/backend/src/routes/cards.ts
* chore: remove local .eslintrc.json --------- Signed-off-by: Krish Kumar <anuragbraveboy@gmail.com> Co-authored-by: anuragbraveboy-sudo <krishnyk229@gmail.com>
* Add mobile loading skeletons and empty states (#138)
* fix(cards): verify linkIds belong to authenticated user before creating CardLinks (#210)
* backend: add typing and test for /health endpoint (#77)
* feat: improve card UI in light mode with better shadows and spacing (#157)
* feat: improve card UI in light mode with better shadows and spacing
* style: improve card spacing and add smooth hover shadow
* feat: add context-card diffing utility and validation layer (#167)
* fix: standardize error handling in follow route (#205) Co-authored-by: Prashantkumar Khatri <prashantkhatri202@gmail.com>
* fix: improve error handling in public.ts (#209)
* fix: improve error handling in public.ts
* chore: remove unrelated frontend changes
* fix: improve typing and standardized error handling in public.ts
* chore: remove unrelated frontend changes
* fix: use shared getErrorMessage utility
* fix: improve copy toast rendering and timeout handling (#213) Co-authored-by: Dhrupad <24155325@kiit.ac.in>
* fix(events): use relative route paths to match Fastify prefix registration (#229) All five route handlers in eventRoutes defined absolute /api/events* paths while app.ts also registered the plugin with prefix: '/api/events'. Fastify concatenates registration prefix and route path, producing double-prefixed endpoints (/api/events/api/events, /api/events/api/events/:slug, etc.) that are unreachable in production. Strip the /api/events prefix from every route definition so paths are relative (/, /:slug, /:slug/join, /:slug/leave, /:slug/attendees), consistent with every other route plugin in the codebase. Update the test buildApp() to register with { prefix: '/api/events' }, matching production. Inject URLs in existing tests already use the full /api/events/* paths and require no changes. Fixes #224.
* fix(connect): validate platform param in disconnect route + prior cleanup (#234)
* fix(events): use _count for correct attendees pagination total (#236)
* docs: add secret generation guidance to .env.example and README (#207) (#254)
* fix: improve devcard scrolling behavior (#258)
* Update README with contributors and project support (#260)
* Implement mobile responsiveness, performance, accessibility, SEO improvements (#261) Signed-off-by: Prashantkumar Khatri <96608160+ShantKhatri@users.noreply.github.com> Co-authored-by: Prashantkumar Khatri <96608160+ShantKhatri@users.noreply.github.com>
* fix(public): validate QR size bounds to prevent unauthenticated DoS (#272) The /:username/qr endpoint accepted an unbounded ?size= query parameter. An unauthenticated caller could request an arbitrarily large raster (e.g. size=99999999) and trigger an out-of-memory condition in the QR rasteriser before any DB lookup or auth check. Changes:
  - Add MIN_QR_SIZE (1) and MAX_QR_SIZE (2048) constants
  - Parse size with parseInt() and reject NaN or out-of-range values with 400 before touching the database or allocating any image buffers
  - Wrap QR generation in try/catch; propagate generation failures as 500 instead of crashing the process
  - Add regression tests covering: boundary values, NaN input, negative values, extreme values, missing param, SVG format, unknown user, and a generation-failure path
  Signed-off-by: Prashantkumar Khatri <96608160+ShantKhatri@users.noreply.github.com> Co-authored-by: Prashantkumar Khatri <96608160+ShantKhatri@users.noreply.github.com>
* fix(auth): guard /dev-login endpoint behind NODE_ENV !== production The /dev-login route issued a valid 30-day JWT for the demo user with zero authentication. It is now only registered when NODE_ENV is not 'production', preventing unauthenticated access on deployed instances. Fixes #247 (#282)
* fix(connect): validate OAuth state nonce via Redis to prevent CSRF The /api/connect/github OAuth flow generated a nonce but never stored or verified it, allowing an attacker to forge a state parameter and attach a GitHub token to an arbitrary user account. Fix:
  - On initiation, store the nonce in Redis as oauth:nonce:<nonce> with the userId as value and a 10-minute TTL
  - On callback, look up the nonce in Redis and reject if missing or if the stored userId does not match the decoded state
  - Consume (delete) the nonce after verification — one-time use only
  Fixes #248 (#283)
* fix: resolve implicit any in event attendees mapping (#214)
* fix: standardize error handling in follow route
* fix: resolve implicit any in event attendees mapping
* fix: resolve implicit any in attendee map with Prisma type --------- Signed-off-by: Pari Maheshwari <parimaheshwari777@gmail.com>
* fix: replace hardcoded localhost URL with BACKEND_URL env var in devcard loader (#218) (#257) The server load function for /devcard/[id] was fetching card data from a hardcoded http://localhost:3000 URL, causing the route to fail silently in all non-local environments (staging, production, Docker). Replace the hardcoded URL with the BACKEND_URL environment variable, falling back to http://localhost:3000 for local development. This matches the existing pattern used by the /u/[username] route. Also improve error handling: wrap the fetch in a try/catch to handle network-level failures with a proper 500 response, distinguish 404 (card not found) from other backend errors, and re-throw SvelteKit HttpError objects so they are not swallowed by the catch block.
* Fix: Platform-specific username validation & Unhandled backend exceptions (#252) (#289)
* fix(backend): automatically handle default card reassignment on card deletion
* feat(shared): add platform-specific regex validation for card handles
* fix(backend): catch unhandled errors in card endpoints
* refactor(backend): add typed responses and unhandled exception handling per review
* feat(backend): implement centralized DB error handling for Prisma exceptions
* fix(profiles): handle Prisma P2002 on concurrent username claims (#271)
* fix(profiles): handle P2002 on concurrent username claims The username update handler performs a read-before-write uniqueness check (findFirst -> update). Under concurrent requests, both callers can pass the read, race to write, and have Prisma throw P2002 on the losing write — propagating as an unhandled 500. Wrap user.update in a targeted try/catch: P2002 maps to a deterministic 409 Conflict with the same "Username already taken" message the pre-check already returns. Other errors are logged and returned as 500 unchanged. The existing findFirst read is preserved as a fast-path that avoids hitting the write path for clearly taken usernames. The DB unique constraint remains the authoritative guard against the race. Add tests covering:
  - P2002 on user.update (concurrent race simulation) -> 409
  - unexpected DB errors on user.update -> 500
  - no findFirst call when no username is in the payload
  Fixes #227.
* refactor(profiles): add explicit ProfileUpdateResponse type to PUT /me Addresses maintainer feedback requesting typed responses. Previously the PUT /me handler returned `updated` typed implicitly through Prisma's deep generic inference (Prisma.UserGetPayload<...>), making the response contract invisible without tracing through generated types. Changes:
  - Declare `ProfileUpdateResponse` at module scope, following the explicit response-type convention already used in public.ts
  - Type the `user.update` result variable as `ProfileUpdateResponse` so the ten-field response contract is visible at the call site
  - Return the named variable rather than the raw Prisma result
  No logic changes. All 8 tests continue to pass.
* fix(backend): automatically handle default card reassignment on card deletion (#285)
* fix(backend): automatically handle default card reassignment on card deletion
* feat(backend): add limit to card list query
* refactor(backend): add try-catch and typed responses per review
* feat(backend): add Fastify request schemas for card routes
* feat(backend): use Fastify typed request schema generics for card routes
* feat(backend): remove manual JSON request schemas, keeping Fastify generic typing
* fix(security): fail fast when JWT_SECRET is absent or insecure (closes #186) (#208) The jwt plugin was registered with a hard-coded fallback: secret: process.env.JWT_SECRET || 'dev-secret-change-me' Because the fallback string is committed to the public repository, any attacker could sign arbitrary JWTs for any userId and gain full authenticated access to every protected API endpoint. Changes:
  utils/validateEnv.ts (new) Exports a synchronous validateEnv() function that checks JWT_SECRET and ENCRYPTION_KEY before the Fastify instance is created. Missing or empty values trigger an immediate process.exit(1). In production (NODE_ENV=production), JWT_SECRET is also compared against the set of known insecure defaults shipped in the repository; a match is treated as a hard failure. All errors are collected and printed in a single exit so operators can fix everything in one deploy cycle. Secret values are never written to any output.
  app.ts Calls validateEnv() as the very first statement of buildApp(), before the Fastify instance is instantiated and before any plugin is registered. This guarantees that no partially-initialised auth state can exist: if validation fails, JWT is never configured. The now-redundant fallback is removed; process.env.JWT_SECRET! is used instead (the non-null assertion is safe because validateEnv() exits the process before returning when the value is absent).
  __tests__/validateEnv.test.ts (new) 11 focused tests covering: absent JWT_SECRET, empty JWT_SECRET, insecure default in production, insecure default allowed in dev/test, absent ENCRYPTION_KEY, empty ENCRYPTION_KEY, multi-secret failure (single exit call), happy-path in dev and production, and a check that secret values are never surfaced in console output.
* fix(cards): validate platformLink ownership before creating card links (#183) POST /api/cards and PUT /api/cards/:id accepted arbitrary platformLink IDs without verifying they belong to the authenticated user. Because platformLink IDs are exposed in the public profile API, any authenticated user could attach another user's verified social links to their own card, enabling impersonation. Add a pre-flight ownership check before each CardLink write. A single indexed query confirms every requested ID exists with userId = current user. If the count does not match, the request is rejected with 403 before any write occurs. Covered by new tests in src/__tests__/cards.test.ts.
* fix: linting issues on app.ts. (#315)
* fix: encode dynamic URL parameters in NFC payload generation (#304)
* fix: improve light mode panel consistency (#336)
* Fix/follow log analytics poisoning (#337)
* fix(follow): validate status and layer enums before persisting follow logs POST /:platform/:targetUsername/log accepted free-form `status` and `layer` values and wrote them directly to followLog without validation. Both fields feed analytics counters (totalFollows) and the follower-state dashboard via `status: 'success'` queries, so an authenticated user could fabricate successful follow events, inflate engagement metrics, and manipulate the dashboard. Fix:
  - Add `followLogSchema` (Zod) in validations/follow.validation.ts with strict enum allowlists:
    status → 'success' | 'failed' | 'pending'
    layer → 'foreground' | 'background'
  - Validate request body with safeParse before any database write; invalid payloads return 400 without touching followLog.create()
  - Remove unsafe free-form defaults ('success' / 'webview') that silently accepted omitted fields
  - Response body on validation failure contains only { error } — no Zod internals, paths, or stack traces are exposed
  Layer 1 (API follow) writes status/layer internally and is unaffected. Tests: 22 cases covering all valid enum combinations, all rejection paths, DB-not-called guarantee on failure, correct payload written to DB, and opaque error responses. Closes #301
* fix(follow): enforce enum validation on follow log status and layer fields
* fix: remove unauthenticated public upload access (#350)
* feat: add centralized authenticated API request handler for mobile (#338)
* feat: add centralized API request abstraction for web frontend (#339)
* fix(cards): improve typing, transaction safety, and resolve lint issues (#327)
* fix(analytic): resolve analytics lint issues, add route generics, and add tests (#317)
* build analytics dashboard page at /devcard/analytics (#73)
* build analytics dashboard page at /devcard/analytics
* Fix database connection and add dev login bypass for analytics
* Add dev login bypass button to frontend analytics lock screen
* fix backend typescript compilation and logging errors
* Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Parth Patidar <parth11.patidar@gmail.com>
* Implement daily views interactive charts and secure dev login analytics backend --------- Signed-off-by: Parth Patidar <parth11.patidar@gmail.com> Signed-off-by: Prashantkumar Khatri <96608160+ShantKhatri@users.noreply.github.com> Co-authored-by: Prashantkumar Khatri <96608160+ShantKhatri@users.noreply.github.com>
* Revert "build analytics dashboard page at /devcard/analytics (#73)" (#367) This reverts commit 31bdf09.
* fix(security): authenticate connect callback and replace Math.random OAuth state (#162)
* fix(auth): validate OAuth state parameter in GitHub and Google callbacks
* fix(security): authenticate connect callback and replace Math.random state
* fix: feature cards visibility in light mode (#206) (#267)
* fix(oauth): isolate follow token from auth token to prevent scope overwrite (#274) The GitHub connect flow (user:follow scope) and the GitHub login flow (read:user user:email scope) both performed an upsert against the same OAuthToken record keyed on (userId, 'github'). Whichever executed last silently replaced the other's access token. The practical effect: every re-authentication destroyed the user's GitHub follow capability. Fix (no schema migration required):
  - Introduce GITHUB_FOLLOW_PLATFORM = 'github_follow' constant in connect.ts
  - connect.ts callback: write the follow-capable token to platform='github_follow' instead of platform='github'. The auth flow (auth.ts) continues writing to 'github' — the two records now have independent keys and can never overwrite each other.
  - follow.ts: resolve the GitHub token lookup to 'github_follow' so the follow route reads from the correct record.
  All non-GitHub platforms are unaffected. Backward compatibility:
  - Existing 'github' auth token records remain intact and continue to be used by the login flow.
  - Users with a pre-existing 'github' follow token will need to re-run the connect flow (one-time action) to populate the new 'github_follow' record. The existing record is not deleted or modified.
  Tests added (oauth-scope.test.ts):
  - Connect callback writes to github_follow, never to github
  - Scope and encrypted token stored correctly in the follow record
  - Follow route looks up github_follow, never the auth token
  - Follow route returns 400+requiresAuth when github_follow is absent (no fallback)
  - Non-GitHub platforms use their own name unchanged
  - Repeated connect cycles only touch github_follow
  - Follow succeeds after a connect cycle
  - Follow survives a simulated re-login cycle
  - Encrypted token persistence: raw token is never stored verbatim
  - Follow route decrypts before calling GitHub API
* fix(auth): replace console.log with structured logging to prevent state token leaks (#291) Signed-off-by: Prashantkumar Khatri <96608160+ShantKhatri@users.noreply.github.com> Co-authored-by: Hari Om <hariom888@users.noreply.github.com> Co-authored-by: Prashantkumar Khatri <96608160+ShantKhatri@users.noreply.github.com>
* fix(public): merge duplicate nested route registrations in publicRoutes Routes /:username and /:username/card/:cardId were each registered twice — an outer call with rate-limit config but no real handler, and an inner call with the actual logic nested inside it. Fastify registered the outer shell and silently ignored the inner handler, meaning the business logic never executed. Merged each pair into a single app.get() call that carries both the rate-limit config and the handler body. Fixes #249 (#284)
* feat: implement team routes and membership management (#314)
* chore: resolve merge conflicts and sync with upstream
* feat: Added app.ts
* refactor: standardize catch block error naming (#366) This PR only includes name change of the err to error.
* feat(workflow): add workflow to unassign inactive issue assignees (#341)
* fix: wrap card delete in transaction with count guard and default promotion (#372) Closes #328
  - Enforce minimum-one-card invariant: reject DELETE with 400 when the user has only one card remaining
  - Promote the next oldest card to default atomically if the deleted card was the default
  - Wrap count check, optional default promotion, and delete in a single Prisma transaction so concurrent requests cannot race past the guard
* feat: Redis profile cache and offline QR session tokens (#46) (#354)
  - Cache public profiles in Redis under profile:<username> with 5-min TTL
  - Return X-Cache: HIT on cache hit, X-Cache: MISS on DB fetch
  - Add Cache-Control: public, max-age=300, stale-while-revalidate=60 to all public profile and QR session responses
  - Add GET /api/public/:username/qr-session returning a signed 10-minute JWT snapshot for offline QR use cases (spec section 5.9)
  - Invalidate profile cache in PUT /api/profiles/me immediately after a successful update so stale data is never served
  - Register publicRoutes under /api/public in addition to /api/u
  - Tests: cache HIT skips DB, MISS queries DB and writes cache, Redis error falls through to DB, qr-session token shape, payload contents, cache back-fill from qr-session DB path
  Closes #46 Signed-off-by: amritbej.sh <amritbej750@gmail.com> Co-authored-by: Amrit <amrit@example.com>
* test(shared): add unit tests for getProfileUrl, getWebViewUrl, getDeepLinkUrl (#296) Closes #10
  - tests getProfileUrl('github', 'octocat') → https://github.com/octocat
  - tests getWebViewUrl('linkedin', 'john') → correct LinkedIn webview URL
  - tests getDeepLinkUrl('twitter', 'john') → correct Twitter deep link URL
  - covers null returns for unsupported and unknown platforms
  - follows existing Vitest describe/it/expect style
  Co-authored-by: Amrit <amrit@example.com>
* feat: done mass cleanup and refactoring (#383) Refactor public routes to utilize service layer for profile and card retrieval; implement caching and error handling improvements Signed-off-by: Prashantkumar Khatri <prashantkhatri202@gmail.com>
* feat(workflows): add first-time contributor welcome workflow and fix script loading (#378)
* fix: Fixed linting issues
* feat(workflows): add contributor welcome workflow and fix script loading
* fix(workflow): add 5-day assignment check and protected assignee handling (#386)
* fix: Fixed linting issues
* fix(workflow): add 5-day assignment check and protected assignee handling
* refactor (#369)
* fix: remove duplicate OAuth callback route registrations in auth.ts
  - Removed duplicate nested app.get('/github/callback') that was registered inside an outer callback handler (caused by a bad merge)
  - Removed duplicate nested app.get('/google/callback') same issue
  - Removed dead code blocks (stray authUrl + redirect calls outside handlers) that were left over after the duplicate outer wrappers were stripped
  - All routes (/github, /github/callback, /google, /google/callback, /me, /logout) are now correctly registered at the top level within authRoutes plugin scope
* fix: resolve OAuth CSRF vulnerabilities and add cookie types --------- Signed-off-by: Roshan Kumar Singh <162692544+roshankumar0036singh@users.noreply.github.com>
* feat: implement API service layer and refactor network requests across screens (#408)
* chore: update dependencies and switch start script from expo to react-native (#414)
* feat: add Contacts and Teams modules with associated screens, hooks, and navigation updates (#413) Signed-off-by: Prashantkumar Khatri <96608160+ShantKhatri@users.noreply.github.com>
* chore: updated package-lock.yaml (#416)
* fix: update NFC payload URL to use environment variable (#417)
* fix: add cascade delete for TeamMember when Team is deleted (#422) Co-authored-by: prakash meena <prakash.meena@example.com>
* Fix first time issue creator workflow trigger (#425)
* feat(workflow): add merged PR discord reminder for GSSoC labels (#409)
* feat: add CI pipeline with lint, typecheck, test, and PR title enforcement (#323)
* fix: wrap card creation in transaction to prevent race condition (#349) Signed-off-by: dinesh <midoriya54378@gmail.com>
* Revert "feat: add CI pipeline with lint, typecheck, test, and PR title enforc…" (#445) This reverts commit c535f20.
* feat(ci): add selective backend/web/mobile checks with PR comments (#450)
* fix: Fixed linting issues
* feat(ci): add selective monorepo CI and PR result comments
* Revert "fix: wrap card creation in transaction to prevent race condition (#349)" (#451) This reverts commit f6ee844.
* fix(ci): improve selective checks and detailed PR comment reporting (#453)
* fix: Fixed linting issues
* fix(ci): improve selective checks and detailed PR comment reporting
* fix(ci): refine workflow execution, reporting, and collaborator handling (#455)
* fix: Fixed linting issues
* fix(ci): improve workflow reporting and add collaborator support
* fix(ci): expose backendTests output and improve smart test execution (#457)
* fix: Fixed linting issues
* fix(ci): expose backendTests output and improve smart test execution
* fix(event): replace organizerId with organizer public fields in GET /:slug response (#346) The event detail endpoint was returning the raw organizer UUID via organizerId, leaking an internal database identifier to unauthenticated callers. Fetch the organizer relation and expose organizerUsername and organizerDisplayName instead.
* fix(workflow): use pull_request_target for discord reminder workflow (#459)
* fix: Fixed linting issues
* fix(workflow): switch discord reminder to pull_request_target for comment permissions
* fix(analytics): count inbound follows instead of outbound in totalFollows (#448)
* Feat/oauth rate limiting (#446)
* feat: add rate limiting to OAuth endpoints
  - Create oauthRateLimit plugin with per-IP bucket strategy
  - Apply stricter rate limits to OAuth callback endpoints (5 req/min)
  - Apply moderate rate limits to OAuth start endpoints (10 req/min)
  - Prevent brute force attacks and token guessing
  - Add per-user fallback for authenticated requests
  - Fixes: No Rate Limiting on OAuth Endpoints
* fix: improve OAuth rate limiting implementation
  - Fix off-by-one error: use >= instead of > for count checks
  - Add Retry-After HTTP header to 429 responses (standard approach)
  - Add type declaration merging for decorator properties
  - Remove as any casts from auth routes
  - Document cache:10000 reasoning in comments
* Revert "Feat/oauth rate limiting (#446)" (#461) This reverts commit 7762fa2.
---------
Signed-off-by: Parth Patidar <parth11.patidar@gmail.com>
Signed-off-by: Prashantkumar Khatri <96608160+ShantKhatri@users.noreply.github.com>
Signed-off-by: Krish Kumar <anuragbraveboy@gmail.com>
Signed-off-by: Pari Maheshwari <parimaheshwari777@gmail.com>
Signed-off-by: amritbej.sh <amritbej750@gmail.com>
Signed-off-by: Prashantkumar Khatri <prashantkhatri202@gmail.com>
Signed-off-by: Roshan Kumar Singh <162692544+roshankumar0036singh@users.noreply.github.com>
Signed-off-by: dinesh <midoriya54378@gmail.com>
Co-authored-by: Harshit Singh Parihar <harsxit04@gmail.com>
Co-authored-by: amritbej.sh <amritbej750@gmail.com>
Co-authored-by: Amrit <amrit@example.com>
Co-authored-by: Mehtab Singh <mehtabsandhu0028@gmail.com>
Co-authored-by: Suryansh Mishra <suryansh.mishra.sm6@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Surbhi Mishra <mishrasurbhi744@gmail.com>
Co-authored-by: Nazneen Parveen <nazneenparveen687@gmail.com>
Co-authored-by: AVDHESH KUMAR DADHICH <aavdhesh.dadhich@gmail.com>
Co-authored-by: Parth Patidar <parth11.patidar@gmail.com>
Co-authored-by: dinesh <midoriya54378@gmail.com>
Co-authored-by: Ridanshi <ridanshiagarwal2@gmail.com>
Co-authored-by: Krish Kumar <anuragbraveboy@gmail.com>
Co-authored-by: anuragbraveboy-sudo <krishnyk229@gmail.com>
Co-authored-by: Jamuna TG <jamunatg2006@gmail.com>
Co-authored-by: Pari Maheshwari <parimaheshwari777@gmail.com>
Co-authored-by: Dhrupad Paitandy <dhrupadpaitandy@gmail.com>
Co-authored-by: Dhrupad <24155325@kiit.ac.in>
Co-authored-by: Srejoye Saha <sahasrejoye2005@gmail.com>
Co-authored-by: Sweksha Kakkar <sweksha.25bcy10159@vitbhopal.ac.in>
Co-authored-by: Patel Bhavika <bhavikapatel4298@gmail.com>
Co-authored-by: Rehan Ahmad <rehan.meeh@gmail.com>
Co-authored-by: silentguyracer <987sahilkumar123@gmail.com>
Co-authored-by: Anshul Jain <167362756+anshul23102@users.noreply.github.com>
Co-authored-by: Aman Sayyad <mr.sayyadaman@gmail.com>
Co-authored-by: Sahil Sultane <sahilsultane2456@gmail.com>
Co-authored-by: Kartikey <kartikeygod26092006@gmail.com>
Co-authored-by: hariom888 <hariom880088@gmail.com>
Co-authored-by: Hari Om <hariom888@users.noreply.github.com>
Co-authored-by: Garima Tiwari <garimatiwari1912@gmail.com>
Co-authored-by: Roshan Kumar Singh <162692544+roshankumar0036singh@users.noreply.github.com>
Co-authored-by: Prakash Meena <pcmeena511@gmail.com>
Co-authored-by: prakash meena <prakash.meena@example.com>
Reverts #323