refactor(web): centralize OAuth callback cookie contract (fixes #1362) #1430
…tter#1362)

Replace the duplicated `OAUTH_RESULT_COOKIE` constant and inline payload type across the callback route and connector dialog hook with a shared `contracts/types/oauth.types.ts` module that exports:

- OAUTH_RESULT_COOKIE constant
- oauthCallbackResultSchema Zod schema
- OAuthCallbackResult type (inferred from the schema)
- parseOAuthCallbackResult() helper that returns null on invalid JSON or shape mismatch

The route handler now uses the shared type to constrain the cookie payload at compile time. The consumer hook validates the cookie value through the helper instead of an unchecked JSON.parse, removing the silent runtime risk when the cookie is tampered with or its shape drifts.
Pull request overview
Centralizes the OAuth callback cookie contract (name, schema, parsing) to make the connector dialog’s OAuth result handling safer and consistent between server callback and client UI.
Changes:
- Added shared Zod schema + parser for the `connector_oauth_result` cookie payload.
- Updated the connector dialog hook to validate cookie payloads via the shared parser instead of raw `JSON.parse`.
- Updated the OAuth callback route to reuse the shared cookie constant and strongly type the payload.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| surfsense_web/contracts/types/oauth.types.ts | Introduces shared cookie constant, payload schema, and parsing helper. |
| surfsense_web/components/assistant-ui/connector-popup/hooks/use-connector-dialog.ts | Uses shared cookie parsing/constant to handle OAuth callback results more safely. |
| surfsense_web/app/dashboard/[search_space_id]/connectors/callback/route.ts | Uses shared cookie constant/type when constructing the callback payload. |
From `surfsense_web/contracts/types/oauth.types.ts` (the excerpt quoted in the review ends at the `catch`; the remainder of the body is reconstructed here from the PR description, which states that the helper returns `null` on invalid JSON or on a shape mismatch against the Zod schema):

```ts
/**
 * Safely decode and validate the OAuth callback cookie value. Returns `null`
 * when the value is not valid JSON or does not match the expected shape.
 */
export function parseOAuthCallbackResult(raw: string): OAuthCallbackResult | null {
	let parsed: unknown;
	try {
		parsed = JSON.parse(raw);
	} catch {
		// Not valid JSON: ignore the cookie instead of throwing in the hook.
		return null;
	}
	// Reconstructed from the description: a shape mismatch (tampered or
	// drifted payload) is also rejected rather than passed through.
	const result = oauthCallbackResultSchema.safeParse(parsed);
	return result.success ? result.data : null;
}
```
From `surfsense_web/components/assistant-ui/connector-popup/hooks/use-connector-dialog.ts`:

```ts
import { OAUTH_RESULT_COOKIE, type OAuthCallbackResult } from "@/contracts/types/oauth.types";
```
Extracts the OAuth callback cookie contract into a single typed module shared by the callback route and the connector dialog hook. Eliminates duplicated cookie name and payload shape across two files.
Description
Adds `surfsense_web/contracts/types/oauth.types.ts` exporting:

- `OAUTH_RESULT_COOKIE` constant
- `oauthCallbackResultSchema` Zod schema
- `OAuthCallbackResult` type (inferred from the schema)
- `parseOAuthCallbackResult()` helper that returns `null` on invalid JSON or shape mismatch

Updates the two existing files to import from this contract instead of redeclaring locally:

- `surfsense_web/app/dashboard/[search_space_id]/connectors/callback/route.ts` — removed local `OAUTH_RESULT_COOKIE`; the cookie payload is now annotated with `OAuthCallbackResult` so the writer side is constrained by the schema at compile time.
- `surfsense_web/components/assistant-ui/connector-popup/hooks/use-connector-dialog.ts` — removed local `OAUTH_RESULT_COOKIE` and inline result type; replaced the `try { JSON.parse() } catch {}` block with `parseOAuthCallbackResult()`. The helper rejects payloads whose shape doesn't match the schema, removing the silent runtime risk when the cookie is tampered with or its shape drifts.

Motivation and Context
The cookie name and payload shape were declared in two separate files, so typos and schema drift were undetectable at build time. Centralizing the contract removes the duplication and makes the writer/reader contract enforceable by the type system.
FIX #1362
Screenshots
N/A — refactor, no user-facing behavior change.
Testing Performed
- `pnpm exec biome check` passes on all three files.
- `pnpm exec tsc --noEmit` introduces no new type errors in the touched files.
- The OAuth flow is already covered end-to-end by the existing `tests/connectors/**` Playwright journeys; no behavior change expected.
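As an added example (not code from the PR or the SurfSense project), the reader-side check the description refers to: the old unchecked `JSON.parse` beside the validating parser, plus a typed writer. The payload fields are an assumption, since the page does not show the schema, and a hand-written guard stands in for the Zod schema so the file runs with no dependencies.

```typescript
// Added example, not the PR's code: the real Zod schema in oauth.types.ts is
// not shown on the page, so the field set below is an assumption and a
// hand-written guard stands in for the schema so this runs with no dependencies.
const OAUTH_RESULT_COOKIE = "connector_oauth_result";

// Assumed payload shape (constructed for this example).
type OAuthCallbackResult = {
  status: "success" | "error";
  connectorType: string;
  message?: string;
};
// Stand-in for oauthCallbackResultSchema.safeParse(): structural check only.
function isOAuthCallbackResult(value: unknown): value is OAuthCallbackResult {
  if (typeof value !== "object" || value === null) return false;
  const v = value as Record<string, unknown>;
  if (v.status !== "success" && v.status !== "error") return false;
  if (typeof v.connectorType !== "string" || v.connectorType.length === 0) return false;
  if (v.message !== undefined && typeof v.message !== "string") return false;
  return true;
}

// "Before": the hook trusted whatever JSON.parse returned (cast, no validation).
function parseUnchecked(raw: string): OAuthCallbackResult | null {
  try {
    return JSON.parse(raw) as OAuthCallbackResult;
  } catch {
    return null;
  }
}

// "After": invalid JSON and shape mismatches both collapse to null.
function parseOAuthCallbackResult(raw: string): OAuthCallbackResult | null {
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return null;
  }
  return isOAuthCallbackResult(parsed) ? parsed : null;
}

// Writer side: the annotated payload is checked against the type at compile time.
function encodeOAuthResultCookie(payload: OAuthCallbackResult): [string, string] {
  return [OAUTH_RESULT_COOKIE, JSON.stringify(payload)];
}

// Constructed cookie values a reader might encounter.
const VALID_COOKIE = encodeOAuthResultCookie({ status: "success", connectorType: "github" })[1];
const TAMPERED_COOKIE = '{"status":"success","connectorType":42}'; // valid JSON, wrong shape
const GARBAGE_COOKIE = "{not-json";
```

The tampered value is the case the description calls out: it survives `JSON.parse` and would reach the UI through the old path, but the validating parser returns `null` for it just as it does for malformed JSON.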
High-level PR Summary
This PR refactors the OAuth callback cookie handling by extracting the duplicated cookie name and payload structure into a centralized, typed contract module. The new `oauth.types.ts` contract module exports a Zod schema, TypeScript types, and a safe parsing helper that both the callback route (writer) and connector dialog hook (reader) now share, eliminating schema drift risk and enforcing compile-time type safety across the OAuth flow.
Review Order Suggestion
1. `surfsense_web/contracts/types/oauth.types.ts`
2. `surfsense_web/app/dashboard/[search_space_id]/connectors/callback/route.ts`
3. `surfsense_web/components/assistant-ui/connector-popup/hooks/use-connector-dialog.ts`