fix: onboarding errors and protections

[kmendell]

Fixes: #135

Summary by CodeRabbit

• New Features

  • Introduced step-by-step onboarding progress tracking, including welcome, password, and settings steps.
  • Added automatic navigation based on onboarding completion status to guide users through the onboarding flow.

• Enhancements

  • Improved onboarding pages to update and persist onboarding progress in the settings.
  • Updated UI for onboarding steps, including centered and wider submit buttons, and updated button labels.

• Bug Fixes

  • Ensured onboarding steps cannot be skipped by checking completion status before allowing progression.

• Other

  • Updated default directory paths and onboarding state structure for improved consistency.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Walkthrough

This update introduces a step-tracking mechanism to the onboarding process by enhancing the settings store and related types. It adds explicit step completion flags, updates onboarding logic in Svelte components and server-side load functions, and enforces correct navigation between onboarding steps based on these flags. UI adjustments and navigation logic are also included.

Changes

File(s)	Change Summary
src/lib/stores/settings-store.ts	Added initializeSettingsStore function to ensure onboarding state is present and merged into the settings store.
src/lib/types/settings.type.ts	Modified Onboarding interface: made completed required and added optional steps object with welcome, password, and settings boolean flags.
src/routes/onboarding/password/+page.server.ts src/routes/onboarding/settings/+page.server.ts src/routes/onboarding/welcome/+page.server.ts	Added server-side load functions to onboarding pages to fetch settings and redirect based on onboarding step completion status.
src/routes/onboarding/password/+page.svelte	Refactored to use settings store for onboarding step tracking, updated navigation logic, removed back button, and made minor UI changes.
src/routes/onboarding/settings/+page.svelte	Enforced password step completion before accessing settings step, updated onboarding completion logic, changed default directory path, and adjusted UI navigation controls.
src/routes/onboarding/welcome/+page.svelte	Changed button to trigger onboarding step completion via settings store, updated navigation to password step, and adjusted button styling and label.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant WelcomePage
    participant SettingsStore
    participant Server
    participant Router

    User->>WelcomePage: Visit /onboarding/welcome
    WelcomePage->>SettingsStore: Mark onboarding.steps.welcome = true
    WelcomePage->>Server: Persist onboarding step
    WelcomePage->>Router: Navigate to /onboarding/password

    User->>PasswordPage: Visit /onboarding/password
    PasswordPage->>SettingsStore: Check onboarding.steps.password
    alt password completed
        PasswordPage->>Router: Redirect to /onboarding/settings
    else not completed
        User->>PasswordPage: Submit password
        PasswordPage->>SettingsStore: Mark onboarding.steps.password = true
        PasswordPage->>Server: Persist onboarding step
        PasswordPage->>Router: Navigate to /onboarding/settings
    end

    User->>SettingsPage: Visit /onboarding/settings
    SettingsPage->>SettingsStore: Check onboarding.steps.password
    alt password not completed
        SettingsPage->>Router: Redirect to /onboarding/welcome
    else password completed
        User->>SettingsPage: Complete settings
        SettingsPage->>SettingsStore: Mark onboarding.steps.settings = true, completed = true
        SettingsPage->>Server: Persist onboarding completion
        SettingsPage->>Router: Navigate to dashboard
    end

Loading

Assessment against linked issues

Objective	Addressed	Explanation
Prevent error when navigating back after pressing continue in onboarding (#135)	✅

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 9

🔭 Outside diff range comments (2)

src/routes/onboarding/settings/+page.svelte (1)

169-176: 🧹 Nitpick (assertive)

Button type again

Same rationale as in the welcome page.

-			<Button type="submit" disabled={loading} class="h-12 px-8 w-[80%] flex items-center gap-2">
+			<Button type="submit" disabled={loading} class="h-12 px-8 w-[80%] flex items-center gap-2" aria-label="Continue to completion step">

Adding an aria-label also helps screen-reader users.

src/routes/onboarding/password/+page.svelte (1)

75-86: 🧹 Nitpick (assertive)

Security note – don’t ship default credentials to the client

Exposing the default admin password ('arcane-admin') in client-side code lets attackers script password-reset attempts if the endpoint is reachable.

Consider moving the “current password” logic to the server API:

1. Send only the newPassword from the browser.
2. Let the server verify the current password internally.

Although this line predates the PR, touching onboarding security is in scope.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e5d9903 and eae05ee.

📒 Files selected for processing (8)

• src/lib/stores/settings-store.ts (1 hunks)
• src/lib/types/settings.type.ts (1 hunks)
• src/routes/onboarding/password/+page.server.ts (1 hunks)
• src/routes/onboarding/password/+page.svelte (4 hunks)
• src/routes/onboarding/settings/+page.server.ts (1 hunks)
• src/routes/onboarding/settings/+page.svelte (3 hunks)
• src/routes/onboarding/welcome/+page.server.ts (1 hunks)
• src/routes/onboarding/welcome/+page.svelte (2 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (3)

src/routes/onboarding/welcome/+page.server.ts (3)

src/routes/onboarding/settings/+page.server.ts (1)

• load (4-12)

src/routes/onboarding/password/+page.server.ts (1)

• load (4-12)

src/lib/stores/settings-store.ts (1)

• getSettings (68-70)

src/routes/onboarding/password/+page.server.ts (3)

src/routes/onboarding/settings/+page.server.ts (1)

• load (4-12)

src/routes/onboarding/welcome/+page.server.ts (1)

• load (4-12)

src/lib/stores/settings-store.ts (1)

• getSettings (68-70)

src/routes/onboarding/settings/+page.server.ts (3)

src/routes/onboarding/password/+page.server.ts (1)

• load (4-12)

src/routes/onboarding/welcome/+page.server.ts (1)

• load (4-12)

src/lib/stores/settings-store.ts (1)

• getSettings (68-70)

🪛 GitHub Check: ESLint

src/routes/onboarding/settings/+page.svelte

[failure] 20-20: Disallow unused variables
'passwordStepCompleted' is assigned a value but never used.

src/routes/onboarding/password/+page.svelte

[failure] 17-17: Disallow unused variables
'welcomeStepCompleted' is assigned a value but never used.

🔇 Additional comments (6)

src/lib/types/settings.type.ts (1)

14-22: Updated Onboarding interface improves step tracking

The changes to the Onboarding interface implement a more robust step tracking mechanism with these key improvements:

1. Making completed a required field ensures consistent onboarding state management
2. Adding the steps object with granular flags enables step-by-step progression tracking

This approach will help prevent users from skipping steps or encountering navigation issues during the onboarding flow.

src/routes/onboarding/welcome/+page.server.ts (1)

4-12: Server-side flow protection for onboarding welcome page

The load function correctly redirects completed users to the dashboard, preventing unnecessary revisits to onboarding. This is a good implementation of server-side navigation protection.

src/routes/onboarding/password/+page.server.ts (2)

4-12: Server-side protection for password step is correctly implemented

The load function properly prevents unnecessary revisits to the password step by redirecting users who have already completed it to the settings step. This maintains the correct flow through the onboarding process.

---

7-7: 🧹 Nitpick (assertive)

Consider handling edge case when steps object is missing

The current implementation uses optional chaining which works correctly, but it doesn't explicitly handle the case where the steps object itself might be undefined in a new installation.

-	if (settings.onboarding?.steps?.password) {
+	if (settings.onboarding?.steps && settings.onboarding.steps.password) {

Likely an incorrect or invalid review comment.

src/routes/onboarding/settings/+page.server.ts (1)

4-12: Server-side protection prevents skipping the password step

The load function correctly enforces the onboarding sequence by redirecting users back to the welcome page if they haven't completed the password step. This prevents users from accessing the settings page out of order.

src/routes/onboarding/settings/+page.svelte (1)

23-45: Redirect guard may still stomp “settings” flag

Inside the onMount block we set password: true but leave settings untouched.
If the user refreshes mid-way, settings may already be true and will be reset to undefined by the spread:

steps: {
  ...$settingsStore.onboarding?.steps,   // <- ok, keeps existing keys
  password: true                         // but does NOT preserve `settings`
}

Because we don’t explicitly set settings: $settingsStore.onboarding?.steps?.settings ?? false, the key survives; but TypeScript treats an omitted key as deleted when serialised to JSON, so the server might regard it as false.

Consider always specifying every step flag or deep-merging instead of a shallow spread to avoid accidental data loss.