Push notification and auth improvements#1049
Conversation
|
Warning Review limit reached
Next review available in: 42 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (10)
📝 WalkthroughWalkthroughThe pull request adds SSO login security controls, refactors Firebase notification delivery around cached OAuth credentials and reactive retries, bounds QR image sizes, and updates backend dependencies. ChangesSSO security controls
Push notification delivery
API and build updates
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant IdentityProvider
participant LoginService
participant SecurityConfig
participant EntrypointController
IdentityProvider->>LoginService: provide identity and email verification
LoginService->>SecurityConfig: reject invalid login
SecurityConfig->>EntrypointController: redirect with encoded error
EntrypointController->>EntrypointController: render auth selection
sequenceDiagram
participant PushNotificationService
participant Credentials
participant FCM
participant TokenRepository
PushNotificationService->>TokenRepository: fetch tokens
PushNotificationService->>Credentials: get access token
Credentials->>FCM: refresh OAuth token when needed
PushNotificationService->>FCM: send notifications with retries
FCM-->>PushNotificationService: delivery results
PushNotificationService->>TokenRepository: delete stale tokens
Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
backend/src/main/kotlin/hu/bme/sch/cmsch/component/pushnotification/PushNotificationServiceCredentials.kt (1)
40-50: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick winInconsistent null handling and a redundant
"".letwrapper.
project_idfails fast via!!, butclient_emailandprivate_keyuseAny?.toString(), which silently yields the literal string"null"when the key is absent. A missingclient_emailwould then be signed into the JWTissand surface as an opaque token-endpoint rejection rather than a clear configuration error. The outer"".let { }is also a no-op.♻️ Suggested refactor
- private val key: ServiceAccountKey = "".let { - JsonMapper.builder().configure(JsonReadFeature.ALLOW_UNESCAPED_CONTROL_CHARS, true).build() - .readValue<Map<String, Any>>(accountKey).let { node -> - ServiceAccountKey( - projectId = node["project_id"]!!.toString(), - clientEmail = node["client_email"].toString(), - privateKey = node["private_key"].toString(), - tokenUri = node["token_uri"]?.toString() ?: "https://oauth2.googleapis.com/token", - ) - } - } + private val key: ServiceAccountKey = + JsonMapper.builder().configure(JsonReadFeature.ALLOW_UNESCAPED_CONTROL_CHARS, true).build() + .readValue<Map<String, Any>>(accountKey).let { node -> + ServiceAccountKey( + projectId = node["project_id"]?.toString() ?: error("Missing project_id in service account key"), + clientEmail = node["client_email"]?.toString() ?: error("Missing client_email in service account key"), + privateKey = node["private_key"]?.toString() ?: error("Missing private_key in service account key"), + tokenUri = node["token_uri"]?.toString() ?: "https://oauth2.googleapis.com/token", + ) + }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@backend/src/main/kotlin/hu/bme/sch/cmsch/component/pushnotification/PushNotificationServiceCredentials.kt` around lines 40 - 50, The ServiceAccountKey parsing in PushNotificationServiceCredentials should handle missing required fields consistently and remove the redundant empty-string let wrapper. Update the readValue<Map<String, Any>>(accountKey) mapping so projectId, clientEmail, and privateKey all fail fast with a clear configuration error instead of relying on Any?.toString() returning "null". Keep tokenUri defaulting as-is, and use the existing ServiceAccountKey construction path to make the validation explicit and easier to locate.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@backend/src/main/kotlin/hu/bme/sch/cmsch/component/login/LoginService.kt`:
- Around line 94-104: Add the same blank-email guard used in the Keycloak flow
to the Google login path in LoginService so email lookup only happens when
profile.email is not blank. Update the Google branch around the existing
profile.emailVerified / users.findByEmailIgnoreCase logic to skip the lookup and
merge checks for empty emails, keeping behavior consistent with the Keycloak
flow and avoiding accidental matches on blank-email accounts.
---
Nitpick comments:
In
`@backend/src/main/kotlin/hu/bme/sch/cmsch/component/pushnotification/PushNotificationServiceCredentials.kt`:
- Around line 40-50: The ServiceAccountKey parsing in
PushNotificationServiceCredentials should handle missing required fields
consistently and remove the redundant empty-string let wrapper. Update the
readValue<Map<String, Any>>(accountKey) mapping so projectId, clientEmail, and
privateKey all fail fast with a clear configuration error instead of relying on
Any?.toString() returning "null". Keep tokenUri defaulting as-is, and use the
existing ServiceAccountKey construction path to make the validation explicit and
easier to locate.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 3c30336d-8c4b-4b72-8d70-e103ba436ef6
📒 Files selected for processing (11)
backend/build.gradle.ktsbackend/src/main/kotlin/hu/bme/sch/cmsch/component/app/ApplicationApiController.ktbackend/src/main/kotlin/hu/bme/sch/cmsch/component/login/LoginComponent.ktbackend/src/main/kotlin/hu/bme/sch/cmsch/component/login/LoginRejectedException.ktbackend/src/main/kotlin/hu/bme/sch/cmsch/component/login/LoginService.ktbackend/src/main/kotlin/hu/bme/sch/cmsch/component/login/keycloak/KeycloakUserInfoResponse.ktbackend/src/main/kotlin/hu/bme/sch/cmsch/component/pushnotification/FirebaseMessagingConfiguration.ktbackend/src/main/kotlin/hu/bme/sch/cmsch/component/pushnotification/PushNotificationService.ktbackend/src/main/kotlin/hu/bme/sch/cmsch/component/pushnotification/PushNotificationServiceCredentials.ktbackend/src/main/kotlin/hu/bme/sch/cmsch/config/SecurityConfig.ktbackend/src/main/kotlin/hu/bme/sch/cmsch/controller/admin/EntrypointController.kt
💤 Files with no reviewable changes (2)
- backend/build.gradle.kts
- backend/src/main/kotlin/hu/bme/sch/cmsch/component/pushnotification/FirebaseMessagingConfiguration.kt
…onfirmation before login
…nt, use custom auth flow instead of Google library
ae53d64 to
bac5d01
Compare
Summary by CodeRabbit
New Features
Bug Fixes