chore: avatar update

[hmbanan666]

Summary by CodeRabbit

• New Features

  • Added subtle vibration feedback when loading more messages in the ticket view.
  • Avatar API endpoints are now publicly accessible for direct avatar retrieval; other API routes remain protected.

• Refactor

  • Replaced an inline click handler with a dedicated action for loading more messages to improve maintainability and consistency.

[coderabbitai]

Walkthrough

Refactors the ticket page’s “Show more” click handling to call a new handler that triggers haptic feedback and increments the counter. Updates server auth middleware to skip authentication for paths starting with /api/avatar while leaving other flows intact.

Changes

Cohort / File(s)	Summary of Changes
Ticket Page Click Handling apps/atrium-telegram/app/pages/ticket/[ticketId]/index.vue	Replaced inline increment with handleClickShowMore(); introduced useFeedback() to obtain vibrate; handler calls vibrate() and adds 10 to shownMessages. No other logic altered.
Auth Middleware Skip Rules apps/web-app/server/middleware/01.auth.ts	Expanded skip-auth condition to include paths starting with "/api/avatar" (including subpaths). Preflight handling and user session logic unchanged.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor User
    participant UI as Ticket Page UI
    participant Feedback as useFeedback.vibrate
    participant State as shownMessages

    User->>UI: Click "Show more"
    UI->>UI: handleClickShowMore()
    UI->>Feedback: vibrate()
    Feedback-->>UI: done
    UI->>State: shownMessages += 10

Loading

sequenceDiagram
    autonumber
    participant Client
    participant MW as Auth Middleware
    participant Session as getUserFromSession
    participant Handler as Route Handler

    Client->>MW: HTTP Request
    alt OPTIONS preflight
        MW-->>Client: 200 (preflight)
    else Path starts with /api/avatar
        MW->>Handler: bypass auth
        Handler-->>Client: Response
    else Other routes
        MW->>Session: getUserFromSession()
        alt No user
            MW-->>Client: 401 Unauthorized
        else User found
            MW->>Handler: attach user to context
            Handler-->>Client: Response
        end
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• feat: show tickets page #170 — Earlier change to the same ticket page added inline shownMessages increment; this PR refactors that into a handler and adds feedback.
• chore: feedback rework #99 — Introduces/updates useFeedback() vibration usage in click handlers; aligns with adding vibrate() in this PR.

Poem

A gentle tap, a subtle cheer,
I boop the button—buzz!—so near.
Ten more tales the tickets show,
While avatars may freely flow.
Hop-hop, code paths neat and bright,
Carrots compiled; all feels right. 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The PR title "chore: avatar update" correctly identifies a real and substantive change in this changeset — the middleware modification that exposes /api/avatar — and is concise rather than vague. The changeset also includes a minor UI update in apps/atrium-telegram (a show-more handler and vibration feedback) which the title does not mention but does not make the title misleading. Because the title accurately references a principal change and is specific, it passes the check.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

apps/atrium-telegram/app/pages/ticket/[ticketId]/index.vue (2)

40-41: Bind the method directly to avoid an unnecessary wrapper call

Minor template nit: no need for parentheses.

-        @click="handleClickShowMore()"
+        @click="handleClickShowMore"

---

81-84: Clamp shownMessages to total count to avoid overshoot

Prevents overshooting when fewer than 10 messages remain.

-function handleClickShowMore() {
-  vibrate()
-  shownMessages.value += 10
-}
+function handleClickShowMore() {
+  vibrate()
+  shownMessages.value = Math.min(
+    shownMessages.value + 10,
+    ticket.value?.messages.length ?? shownMessages.value + 10
+  )
+}

apps/web-app/server/middleware/01.auth.ts (1)

27-29: Restrict /api/avatar to read methods (GET/HEAD) and remove it from the public routes list

apps/web-app/server/middleware/01.auth.ts currently includes '/api/avatar' in routesWithoutAuth and uses startsWith('/api/avatar') (making the whole prefix public). I searched apps//server/api/ and found no exported POST/PUT/PATCH/DELETE handlers for avatar, but gate the prefix by method to prevent future regressions.

-  if (!event.path.startsWith('/api') || event.path.startsWith('/api/avatar') || routesWithoutAuth.includes(event.path)) {
-    return
-  }
+  if (!event.path.startsWith('/api')) {
+    return
+  }
+  // Public avatars: allow only GET/HEAD without auth
+  if (
+    (event.path === '/api/avatar' || event.path.startsWith('/api/avatar/')) &&
+    (event.method === 'GET' || event.method === 'HEAD')
+  ) {
+    return
+  }
+  if (routesWithoutAuth.includes(event.path)) {
+    return
+  }

Also remove '/api/avatar' from routesWithoutAuth in the same file to keep a single source of truth.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 495cac9 and 279cc7d.

📒 Files selected for processing (2)

• apps/atrium-telegram/app/pages/ticket/[ticketId]/index.vue (3 hunks)
• apps/web-app/server/middleware/01.auth.ts (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build

🔇 Additional comments (1)

apps/atrium-telegram/app/pages/ticket/[ticketId]/index.vue (1)

69-69: Nice UX touch: extracted handler + haptic feedback look good

The composable usage and the dedicated handler are clean and readable.

Also applies to: 81-84