Merged
Conversation
Dprof-in-tech
requested review from
5ran6,
chibie and
onahprosper
as code owners
Contributor
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughRefactors many barrel imports to direct module imports, moves style exports to Changes
Sequence Diagram(s)sequenceDiagram
participant Client as Client
participant Middleware as Edge Middleware
participant Jose as jose verifier
participant JWKS as Privy JWKS Endpoint
participant PrivyAPI as Privy User API
participant Upstream as Upstream Service
Client->>Middleware: HTTP request w/ Authorization: Bearer <token>
Middleware->>Jose: verifyPrivyJWT(token)
Jose->>JWKS: Fetch JWKS (remote)
JWKS-->>Jose: JWKS keys
Jose-->>Middleware: Verified payload (sub => privyUserId)
Middleware->>PrivyAPI: GET /users/{privyUserId} (Basic auth, 3s timeout)
PrivyAPI-->>Middleware: User data (embedded wallets)
Middleware->>Middleware: Select wallet (embedded first, eip155:1 fallback)
Middleware->>Upstream: Forward request with wallet & user headers
Upstream-->>Client: Response
Estimated Code Review Effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly Related PRs
Suggested labels
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
app/components/index.ts (1)
1-1: Good documentation for the import convention.The comment clearly communicates the preferred import pattern. For stronger enforcement, consider adding an ESLint rule (e.g.,
no-restricted-imports) to warn when importing from this barrel file in new code.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@app/components/index.ts` at line 1, Add an ESLint rule to prevent new code from importing this barrel file: configure the no-restricted-imports rule in your ESLint config to disallow imports from "app/components" (or the exact barrel module specifier used) and include a custom message recommending direct imports from source files; update rules in the top-level ESLint config (or the relevant override that applies to the project files) and run linting to verify the rule flags existing/new imports referencing the barrel so developers are warned to import individual component source paths instead.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@middleware.ts`:
- Around line 21-29: The Privy user lookup in getWalletAddressFromPrivyUserId
uses fetch without a timeout and can hang; wrap the fetch with an
AbortController, start a timer (e.g., 1–3s) that calls controller.abort(), pass
controller.signal to fetch, clear the timer on success, and catch the
abort/timeout error to return/throw a controlled 502-style error (or a specific
TimeoutError) so the middleware fails fast instead of waiting for the platform
timeout.
- Around line 12-18: The verifyPrivyJWT function currently calls
createRemoteJWKSet(new URL(PRIVY_JWKS_URL)) on every invocation which bypasses
the resolver's cache; hoist the JWKS resolver to module scope (e.g., create a
single privyJwks = createRemoteJWKSet(new URL(PRIVY_JWKS_URL)) constant) and
have verifyPrivyJWT call jwtVerify(token, privyJwks, ...), ensuring the resolver
is instantiated once and reused across requests; keep the existing issuer and
algorithms options (PRIVY_JWT_ISSUER, ["ES256"]) when calling jwtVerify.
---
Nitpick comments:
In `@app/components/index.ts`:
- Line 1: Add an ESLint rule to prevent new code from importing this barrel
file: configure the no-restricted-imports rule in your ESLint config to disallow
imports from "app/components" (or the exact barrel module specifier used) and
include a custom message recommending direct imports from source files; update
rules in the top-level ESLint config (or the relevant override that applies to
the project files) and run linting to verify the rule flags existing/new imports
referencing the barrel so developers are warned to import individual component
source paths instead.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 3c9bec30-832f-4f0f-a8f3-98bbcfe661a4
📒 Files selected for processing (14)
app/components/AppLayout.tsxapp/components/MobileDropdown.tsxapp/components/WalletDetails.tsxapp/components/index.tsapp/layout.tsxapp/not-found-client.tsxapp/page.tsxapp/pages/TransactionForm.tsxapp/pages/TransactionPreview.tsxapp/privacy-policy/privacy-client.tsxapp/terms/terms-client.tsxmiddleware.tsnext.config.mjspackage.json
… timeout handling
Contributor
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@middleware.ts`:
- Around line 6-16: The middleware currently hardcodes PRIVY_JWT_ISSUER
("privy.io") and builds PRIVY_JWKS_URL from NEXT_PUBLIC_PRIVY_APP_ID, creating a
divergence from server-side config; update middleware to import and use the same
server-side config values (issuer and jwks URL) used in app/lib/config.ts
instead of hardcoded values, initialize
PRIVY_APP_ID/PRIVY_APP_SECRET/PRIVY_JWKS_URL/PRIVY_JWT_ISSUER from that config,
ensure PRIVY_JWKS is created from the imported JWKS URL and verifyPrivyJWT uses
those, and add fail-fast checks that throw or log and stop initialization if any
required config value is missing.
- Around line 40-49: Define a minimal TypeScript response type for the Privy
REST API (e.g., PrivyUserResponse with linked_accounts?: PrivyAccount[] and
PrivyAccount having type: string, connector_type?: string, chain_id?: string —
using the snake_case property names the API returns), replace the any usage by
casting res.json() to that type (const user = await res.json() as
PrivyUserResponse) and type accounts accordingly, and then use the typed
accounts.find logic to locate wallet; if the same wallet-priority logic exists
in app/lib/privy.ts (lines ~20-46), import and reuse that helper (e.g.,
getPreferredWallet/findPreferredWallet) instead of duplicating the selection
logic.
Contributor
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@middleware.ts`:
- Around line 48-54: Update the fetch call that looks up users to point to
Privy's primary REST host: change the URL in the fetch invocation that uses
userId (the current `fetch("https://auth.privy.io/api/v1/users/${userId}",
...)`) to `https://api.privy.io/v1/users/${userId}` while leaving the existing
headers (Authorization using PRIVY_APP_ID and PRIVY_APP_SECRET via btoa, and
"privy-app-id") and the signal (controller.signal) intact; locate this in
middleware.ts where the fetch, userId, PRIVY_APP_ID and PRIVY_APP_SECRET are
referenced and replace only the host/path portion of the URL.
- Around line 33-37: The verifyPrivyJWT function currently only checks issuer
and algorithm; update it to validate the token's audience against our Privy app
ID by either passing an audience option to jwtVerify or asserting payload.aud
equals the PRIVY_APP_ID constant after verification. Locate the verifyPrivyJWT
function and add the audience check using the PRIVY_APP_ID (or equivalent
constant), returning or throwing if the audience does not match, while keeping
existing issuer (PRIVY_JWT_ISSUER), algorithm (ES256) and JWKS (PRIVY_JWKS)
checks.
Contributor
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@middleware.ts`:
- Around line 6-16: The middleware currently throws during module initialization
if PRIVY_APP_ID or PRIVY_APP_SECRET are missing (symbols: PRIVY_APP_ID,
PRIVY_APP_SECRET in middleware.ts), which breaks startup in environments that
only set NEXT_PUBLIC_PRIVY_APP_ID; change the code to avoid throwing at import
time: read process.env.PRIVY_APP_ID || process.env.NEXT_PUBLIC_PRIVY_APP_ID into
a local variable and keep PRIVY_APP_SECRET optional, remove the top-level throw,
and move the validation into the middleware handler (or gracefully
early-return/skip middleware logic) so missing secrets do not crash the process
at module load but are enforced where the middleware actually runs.
- Line 49: The URL is built by interpolating userId directly into the Privy API
path (see the fetch call that uses `userId`), which can produce malformed URLs
when `userId` contains reserved characters; encode the userId with
encodeURIComponent before inserting it into the fetch URL (i.e., replace the raw
`userId` interpolation in the fetch call with an encoded version) and ensure the
encoded value is used consistently wherever the Privy path is constructed.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 0e5d86af-eef2-42e2-80db-d7ef64811e3f
📒 Files selected for processing (5)
app/components/MobileDropdown.tsxapp/components/WalletDetails.tsxapp/pages/TransactionForm.tsxapp/pages/TransactionPreview.tsxmiddleware.ts
🚧 Files skipped from review as they are similar to previous changes (1)
- app/components/WalletDetails.tsx
…possible-runtime-enhancements
onahprosper
requested changes
Mar 25, 2026
…possible-runtime-enhancements
onahprosper
approved these changes
Mar 27, 2026
onahprosper
deleted the
refactor--reducing-production-buildtime-and-possible-runtime-enhancements
branch
onahprosper
added a commit
that referenced
this pull request
Apr 8, 2026
* fix: update migration modal visibility logic * refactor: enhance SUPPORTED_CHAINS structure and improve RPC URL handling * Updated the SUPPORTED_CHAINS object to include network names for better clarity. * Refactored the parseRpcUrl function to utilize the new networkName property for retrieving RPC URLs, improving error handling for unsupported chains. * feat(settings): add theme switch to desktop dropdown Add the existing theme switch to the desktop settings dropdown so users can change theme without relying on the footer. The new section keeps the footer control as a secondary entry point and aligns the dropdown styling with the existing menu items. * refactor: build time enhancements (#414) * refactor: build time enhancements * refactor: optimize JWT verification and enhance user ID fetching with timeout handling * fixes * feat: add audience parameter to JWT verification for enhanced security * change variable --------- Co-authored-by: chibie <chibuotu@gmail.com> Co-authored-by: Prosper <40717516+onahprosper@users.noreply.github.com> * chore: update pnpm-lock.yaml to restore cypress dependency and adjust package versions * Reintroduced cypress dependency with version 15.7.1. * Minor adjustments to package versions and dependencies for consistency. * Merge pull request #432 from jeremy0x/main feat: default balance view to highest-value network after login * refactor: enhance error handling across components (#426) * refactor: enhance error handling across components * fix: improve error handling in TransactionPreview component * fix * refactor: remove liquidity error handling from errorMessages and TransactionForm * fix: enhance error handling for network switching in MobileDropdown and NetworksDropdown components * feat: integrate Sentry for client error reporting --------- Co-authored-by: Prosper <40717516+onahprosper@users.noreply.github.com> * fix: users can use external wallet as main wallet through privy (#428) * fix: users can use external wallet as main wallet through privy * fixes --------- Co-authored-by: Prosper <40717516+onahprosper@users.noreply.github.com> * feat(networks): Scroll and Celo support, token API alignment, and SEO updates (#446) * feat(networks): add Scroll and Celo, align tokens and docs * feat(currency): enable MWK receive currency --------- Co-authored-by: Isaac Onyemaechi <amaechiisaac450@gmail.com> Co-authored-by: jeremy0x <aworetanjeremiah@gmail.com> Co-authored-by: chibie <chibuotu@gmail.com> Co-authored-by: Francis Ocholi <5raan6@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This pull request refactors how components are imported throughout the codebase to favor direct imports from source files instead of barrel (
index.ts) files. This change aims to improve tree-shaking, reduce bundle size, and prevent unnecessary code from being pulled into the module graph. Additionally, it introduces a more lightweight, edge-compatible JWT verification for Privy authentication in the middleware, and makes minor configuration and dependency updates.The most important changes include:
Component Import Refactoring:
import { Navbar } from "./Navbar") instead of importing from theindex.tsbarrel file. This affects many files such asAppLayout.tsx,MobileDropdown.tsx,WalletDetails.tsx,TransactionForm.tsx,TransactionPreview.tsx,privacy-client.tsx,terms-client.tsx, and others. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]app/components/index.tsrecommending direct imports from source files to avoid pulling in the full module graph.Middleware and Authentication Improvements:
middleware.tswith an inline, edge-compatible implementation using thejoselibrary and remote JWKS, removing dependencies on heavier SDKs. Also inlined a helper to fetch wallet addresses from Privy user IDs. [1] [2]Configuration and Dependency Updates:
next.config.mjsto optimize package imports forhugeicons-reactandreact-iconsin addition to existing packages.cypressfrom dependencies to devDependencies inpackage.json. [1] [2]References
Testing
Regression tests done and transfer is working, swap is working, everything looks exactly the same and works how it should and has been working.
Checklist
mainBy submitting a PR, I agree to Paycrest's Contributor Code of Conduct and Contribution Guide.
Summary by CodeRabbit
Refactor
Chores