Dev

[TatevikGr]

Summary

• configure coderabbit

Unit test

Are your changes covered with unit tests, and do they not break anything?

You can run the existing unit tests using this command:

vendor/bin/phpunit tests/

Code style

Have you checked that you code is well-documented and follows the PSR-2 coding
style?

You can check for this using this command:

vendor/bin/phpcs --standard=PSR2 src/ tests/

Other Information

If there's anything else that's important and relevant to your pull
request, mention that information here. This could include benchmarks,
or other information.

If you are updating any of the CHANGELOG files or are asked to update the
CHANGELOG files by reviewers, please add the CHANGELOG entry at the top of the file.

Thanks for contributing to phpList!

Summary by CodeRabbit

Release Notes

• New Features
  • Added interactive dashboard with key performance indicators, campaign performance charts, and recent campaigns overview.
  • Introduced new subscribers management interface featuring advanced search, filtering, bulk import/export, and detailed subscriber editing.
  • Redesigned login page with improved visual design and user experience.
  • Enhanced UI components and navigation sidebar for improved application usability.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request modernizes the phpList web frontend by migrating from a legacy setup to a Vue 3 single-page application (SPA) architecture. The changes introduce Vue Router for client-side routing, replace the deprecated custom ApiClient with a dedicated REST API client library, build out a comprehensive component library (base components, charts, dashboard, and subscriber management features), implement session-based authentication with security gates, and transition styling from Bootstrap to Tailwind CSS. The backend controllers are refactored to serve the SPA with proper API token and URL wiring, while old test coverage for deprecated code is removed and new tests are added to validate the updated authentication and controller behavior.

Sequence Diagram(s)

sequenceDiagram
    participant User as User/Browser
    participant AuthCtrl as AuthController
    participant SessionAuth as SessionAuthenticator
    participant Session as Session Store
    participant AuthClient as AuthClient
    
    User->>AuthCtrl: POST /login (credentials)
    AuthCtrl->>AuthClient: login(username, password)
    AuthClient->>AuthClient: Validate credentials
    AuthClient-->>AuthCtrl: Return token, id, expiry
    AuthCtrl->>Session: Store auth_token, auth_id, auth_expiry_date
    AuthCtrl-->>User: Redirect to /
    
    User->>AuthCtrl: GET / (with session)
    AuthCtrl->>SessionAuth: supports(Request)
    SessionAuth->>Session: Read auth_token
    Session-->>SessionAuth: Token found
    SessionAuth->>SessionAuth: Create UserBadge with ROLE_ADMIN
    SessionAuth-->>AuthCtrl: SelfValidatingPassport
    AuthCtrl->>AuthCtrl: Render SPA with token & baseUrl
    AuthCtrl-->>User: Serve spa.html.twig

Loading

sequenceDiagram
    participant VueApp as Vue App
    participant SubscribersCtrl as SubscribersController
    participant SubClient as SubscribersClient
    participant ApiSessionLstr as ApiSessionListener
    participant RestApiClient as REST API Client
    
    VueApp->>ApiSessionLstr: Request mounted
    ApiSessionLstr->>RestApiClient: setSessionId(auth_token)
    RestApiClient-->>ApiSessionLstr: Session ID configured
    
    VueApp->>SubscribersCtrl: GET /subscribers?confirmed=1
    SubscribersCtrl->>SubscribersCtrl: Build SubscribersFilterRequest
    SubscribersCtrl->>SubClient: getCollection(filter)
    SubClient->>RestApiClient: Make authenticated request
    RestApiClient-->>SubClient: Return subscriber data
    SubClient-->>SubscribersCtrl: Mapped collection
    SubscribersCtrl->>SubscribersCtrl: Compute pagination metadata
    SubscribersCtrl-->>VueApp: Return JSON with items & metadata
    VueApp->>VueApp: Render SubscriberDirectory

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Feat: subscribers #78 — Directly related code-level changes covering the same Vue routing setup, component architecture, authentication refactoring, and controller updates for the SPA migration.

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title "Dev" is too vague and generic, providing no meaningful information about the changeset's primary purpose or scope.	Use a descriptive title that captures the main change, such as "Add Vue-based dashboard and authentication refactoring" or "Migrate to REST API client and implement SPA dashboard".
Docstring Coverage	⚠️ Warning	Docstring coverage is 2.63% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dev

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 20

🧹 Nitpick comments (13)

assets/vue/components/base/BaseProgressBar.vue (1)

3-8: Add progressbar ARIA semantics.

Consider exposing role="progressbar" with aria-valuemin, aria-valuemax, and aria-valuenow so assistive tech can interpret the indicator.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/base/BaseProgressBar.vue` around lines 3 - 8, Add
proper ARIA semantics to the progress bar by giving the progress container (the
element with class "progress" or the inner "progress__fill") role="progressbar"
and binding aria-valuemin, aria-valuemax, and aria-valuenow to the component
props; ensure the component exposes/uses props named value (current), min
(default 0) and max (default 100) and bind :aria-valuemin="min",
:aria-valuemax="max", :aria-valuenow="value" so assistive tech can interpret the
indicator (keep visual behavior unchanged).

.husky/pre-commit (1)

4-11: Prefer opt-out over fully disabling local checks.

Commenting all checks removes fast local feedback. Since CI still enforces them, a lightweight pattern is to keep them on by default and allow explicit skip (SKIP_LOCAL_QA=1) when needed.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.husky/pre-commit around lines 4 - 11, Restore the local QA commands
(phpstan, phpmd, phpcs) instead of fully commenting them out and make them
opt-out using an environment variable; wrap the existing commands (the php
vendor/bin/phpstan, php vendor/bin/phpmd, and php vendor/bin/phpcs lines) in a
conditional that skips execution when SKIP_LOCAL_QA=1 (for example: if [
"$SKIP_LOCAL_QA" != "1" ]; then <command> || exit 1; fi) so checks run by
default but can be disabled explicitly.

package.json (1)

9-9: file-loader appears to be unused; consider removing it from dependencies.

While Webpack 5 is in use, file-loader isn't explicitly configured in the webpack config—assets are handled via Webpack Encore's copyFiles() instead. This dependency can likely be safely removed as dead weight, rather than needing migration to native asset modules.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 9, The package.json contains an unused dependency
"file-loader"—remove the "file-loader" entry from package.json dependencies, run
your package manager (npm install or yarn install) to update lockfiles, and
verify there are no runtime references by searching for "file-loader" in the
repo (e.g., any webpack/Encore config or imports). If CI or build scripts
reference it, update them to rely on Encore's copyFiles()/Webpack 5 asset
handling instead; then run the build locally to confirm nothing breaks.

composer.json (1)

19-22: Pin the custom VCS package dependency to a commit hash instead of a branch reference.

The tatevikgr/rest-api-client package uses the branch reference "dev-ISSUE-357" (composer.json, line 54), which can cause dependency drift across environments. Even though composer.lock is appropriately gitignored, pinning to a specific commit hash in composer.json ensures deterministic builds.

Instead of "dev-ISSUE-357", use a commit hash reference like:

"tatevikgr/rest-api-client": "dev-ISSUE-357#commit-hash-here"

Or verify the branch is stable and document the build process so composer.lock is committed in CI environments.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@composer.json` around lines 19 - 22, The dependency entry for
"tatevikgr/rest-api-client" uses a branch ref ("dev-ISSUE-357") which can drift;
update the version string in composer.json to pin to a specific commit by
appending the commit hash (e.g. "dev-ISSUE-357#<commit-hash>") for deterministic
installs, or alternatively replace the branch ref with a proper tag if one
exists; locate the "tatevikgr/rest-api-client" requirement in composer.json and
change its version value accordingly and run composer update to regenerate
composer.lock in CI.

assets/vue/components/dashboard/KpiGrid.vue (1)

27-29: Align trend values with the card contract.

Line 28 uses trend: 'neutral', while assets/vue/components/dashboard/KpiCard.vue documents trend as "up" | "down" (Line 27). Please align these so variants don’t silently fall through styling/behavior.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/dashboard/KpiGrid.vue` around lines 27 - 29, The KPI
items in KpiGrid.vue set trend: 'neutral', which does not match the KpiCard.vue
contract ("up" | "down"); update the trend values in the KPI object(s) (the
trend property in the object with keys change/trend/icon) to use "up" or "down"
instead of "neutral" — e.g., map zero/positive changes to "up" and negative
changes (leading '-' in change like '-1.2%') to "down", or choose a default "up"
if you prefer, so styling/behavior in KpiCard.vue receives only "up" or "down".

assets/vue/RecentCampaignsCard.vue (1)

13-26: Unify this card’s data contract with the dashboard variant.

This version hardcodes rows, while assets/vue/components/dashboard/RecentCampaignsCard.vue expects rows via props. Keeping both patterns will drift and complicate reuse.

Refactor sketch

 <script setup>
 import BaseCard from './components/base/BaseCard.vue'
 import CampaignsTable from './CampaignsTable.vue'
 
-const rows = [
-  {
-    id: 1,
-    name: 'Monthly Newsletter - June',
-    status: 'Sent',
-    date: '2024-06-01',
-    openRate: '24.5%',
-    clickRate: '3.2%',
-  },
-  // ...
-]
+const props = defineProps({
+  rows: {
+    type: Array,
+    default: () => [],
+  },
+})
 </script>

-    <CampaignsTable :rows="rows" />
+    <CampaignsTable :rows="props.rows" />

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/RecentCampaignsCard.vue` around lines 13 - 26, The
RecentCampaignsCard.vue file currently hardcodes a local const rows which
diverges from the dashboard variant; change RecentCampaignsCard.vue to accept
rows as a prop (e.g., add a props declaration for rows with an Array type and a
sensible default like []), remove the hardcoded const rows, and pass that prop
into the internal CampaignsTable (or use the same prop name the dashboard
variant uses) so both cards share the same data contract; update any references
to the local rows variable to use the prop instead (look for the
RecentCampaignsCard component, the rows const, and where CampaignsTable is
used).

assets/app.js (1)

1-1: Drop debug console.log from entrypoint before merge.

This is useful locally, but noisy in production/devtools for all users.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/app.js` at line 1, Remove the transient debug statement from the
entrypoint: locate the console.log('app.js loaded') call in assets/app.js and
delete it (or replace it with a conditional debug/log-level call behind an
environment check such as process.env.NODE_ENV === 'development' or a
logger.debug call) so the noisy message is not emitted in production/devtools.

assets/vue/DashboardView.vue (1)

16-16: Consider wiring rows from parent state.

Right now this renders the card without data input, so it will rely on an empty fallback. Passing rows here will make dashboard behavior explicit and easier to swap to API data later.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/DashboardView.vue` at line 16, RecentCampaignsCard is being
rendered without its expected rows prop; wire the component to pass dashboard
state (e.g., the parent data/computed property holding campaign rows such as
recentCampaigns, recentCampaignRows, or similar) into the RecentCampaignsCard
via a rows prop so the card receives explicit data instead of falling back to
empty defaults—update the template where <RecentCampaignsCard /> is used to
<RecentCampaignsCard :rows="yourRowsState" /> and ensure the referenced state
(recentCampaigns/recentCampaignRows) is defined and populated in the parent
component.

assets/vue/SystemOverviewCard.vue (1)

1-50: Consolidate duplicate SystemOverviewCard implementations.

There are two separate SystemOverviewCard.vue files (assets/vue/SystemOverviewCard.vue and assets/vue/components/dashboard/SystemOverviewCard.vue) with overlapping responsibility but different markup. This is a maintenance trap.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/SystemOverviewCard.vue` around lines 1 - 50, There are duplicate
SystemOverviewCard implementations; consolidate them by choosing one canonical
component (the one that includes the props queuePercent and remaining and uses
BaseCard, BaseBadge, BaseProgressBar, BaseButton) and merge any missing
markup/props from the other implementation into it, then remove the other file
and update any imports to point to the single SystemOverviewCard component;
ensure the canonical component exports the same props (queuePercent, remaining)
and preserves used child components (BaseCard, BaseBadge, BaseProgressBar,
BaseButton) so every reference across the app continues to work.

src/EventSubscriber/AuthGateSubscriber.php (1)

14-18: Consider retiring this temporary gate now that security is configured.

This duplicates authentication decisions already handled by the firewall/authenticator and can drift over time. Consolidating auth flow in one place will reduce maintenance risk.

Also applies to: 33-49

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/EventSubscriber/AuthGateSubscriber.php` around lines 14 - 18,
AuthGateSubscriber's temporary auth logic is now duplicative; remove or disable
the class so Symfony SecurityBundle handles auth centrally: locate the
AuthGateSubscriber class and its onKernelRequest method (and any
getSubscribedEvents/static subscription) and either delete the class or
unregister it from DI/event subscriber registration, and remove any
redirect-to-login logic and public-path checks (e.g., methods/properties
handling publicPaths) so authentication decisions are solely handled by the
firewall/authenticator.

config/packages/security.yaml (1)

18-19: Tighten the public login matcher to an exact route.

Line 18 uses ^/login, which also matches /login-anything. If only the login page should be public, anchor it to the exact path.

Proposed fix

-    - { path: ^/login, roles: PUBLIC_ACCESS }
+    - { path: ^/login$, roles: PUBLIC_ACCESS }
     - { path: ^/, roles: ROLE_ADMIN }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@config/packages/security.yaml` around lines 18 - 19, The public login path
matcher currently uses the regex '^/login' which also matches '/login-anything';
update the matcher for the login route (the entry with path '^/login' and roles
'PUBLIC_ACCESS') to anchor it to the exact path (e.g., require the end-of-string
anchor) so only '/login' is public while keeping the admin rule for the root
('^/') unchanged.

src/Controller/DashboardController.php (1)

23-25: Remove dead commented auth logic.

Line 23-Line 25 is stale commented code; dropping it keeps the controller clean and avoids confusion about where auth is enforced.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Controller/DashboardController.php` around lines 23 - 25, Remove the
stale commented authentication check inside DashboardController (the commented
block that checks $request->getSession()->has('auth_token') and redirects to
'login'); delete those commented lines so the controller no longer contains
dead/commented auth logic and rely on actual middleware/security layers instead.

templates/base.html.twig (1)

19-19: Remove the empty class attribute on <main>.

Line 19 has class="", which adds markup noise without effect.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@templates/base.html.twig` at line 19, Remove the redundant empty class
attribute from the <main> element in templates/base.html.twig by deleting the
class="" so the tag is simply <main>; update the <main> element usage wherever
referenced to avoid leaving an empty attribute.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@assets/router/index.js`:
- Around line 3-5: The router currently created by createRouter has an empty
routes array so navigation targets like "/dashboard" won't resolve; add route
objects to the routes array (e.g., { path: '/', name: 'Home', component: Home },
{ path: '/dashboard', name: 'Dashboard', component: Dashboard }, etc.), import
the corresponding components (Dashboard, Home, NotFound) and include a catch-all
404 route as needed in the same file where router is defined (reference: router
/ createRouter / routes). Also ensure your main layout component (e.g.,
AppSidebar.vue or App.vue) includes the Vue Router outlet by adding a
<router-view /> placeholder where routed components should render so navigation
has a render target (reference: AppSidebar.vue / router-view).

In `@assets/vue/App.vue`:
- Around line 2-51: App.vue is missing a RouterView so routed pages never render
and the sidebar configuration is duplicated and inconsistent with
AppSidebar.vue; add a <RouterView /> in App.vue's template where main content
should render, remove the duplicated sections array from App.vue and instead
import the canonical sidebar configuration from AppSidebar.vue (or a new shared
module) so both components use the same data, and reconcile differences in the
sections data (ensure items like "Campaigns" have the same badge and icons such
as 'chart' vs 'chart-bar') — update references to the sections constant and keep
usage of SidebarNavSection and SidebarLogo unchanged.

In `@assets/vue/CampaignsTable.vue`:
- Around line 23-27: Guard the use of row.status before calling toLowerCase in
CampaignsTable.vue: update the class binding that uses
`row.status.toLowerCase()` to handle null/undefined/non-string values (for
example by checking typeof or using a safe default like an empty string) so it
never calls toLowerCase on a non-string; ensure the interpolation `{{ row.status
}}` stays unchanged but the computed/class expression that builds
`campaigns-table__status--${...}` uses a safe expression (e.g., `typeof
row.status === 'string' ? row.status.toLowerCase() : 'unknown'`) to prevent
runtime errors during render.

In `@assets/vue/components/base/BaseCard.vue`:
- Line 15: variantClass is currently a static string and won't update when
props.variant changes; change its definition to a Vue computed that returns
`base-card--${props.variant}` (use the computed() API) so the class reacts to
prop updates, ensure computed is imported from 'vue' and that any template or
class binding uses the new computed ref (variantClass) instead of the static
variable in BaseCard.vue.

In `@assets/vue/components/base/BaseIcon.vue`:
- Around line 14-40: The icon registry contains trailing non-SVG markup that
will corrupt injected HTML: remove the stray "<span class=\"font-medium
text-sm\">" suffixes from the users, plane, grid, list, and layout entries and
remove the stray "</button>" from the edit entry in the BaseIcon.vue icons
object so each value ends exactly with the closing </svg>; locate the icons by
their keys (users, plane, grid, list, layout, edit) and update their string
values to contain only valid SVG markup.

In `@assets/vue/components/base/BaseProgressBar.vue`:
- Around line 6-7: Clamp the incoming progress prop before using it in the
template: create a computed (or method) such as clampedValue that bounds the
component prop value to 0..100 and use clampedValue in the style binding instead
of raw value; update both places where ":style=\"{ width: value + '%' }\""
appears (the inline width on the progress bar and the alternate instance around
lines 12-17) to reference clampedValue so out-of-range numbers cannot produce
invalid widths or visual glitches.

In `@assets/vue/components/charts/LineChart.vue`:
- Around line 62-75: The code that builds SVG points (using props.series,
allValues, max, min, range, pointCount, normalized, x, y) assumes every
series.data item is a finite number and can produce NaN; fix by normalizing each
series.data to a cleaned numeric array (map values through Number(value) or
parseFloat and filter with Number.isFinite), compute allValues from those
cleaned arrays (guarding for empty by returning an empty array from the function
or an empty string for that series), protect range from zero/NaN by using a
fallback (e.g., range = max === min || !isFinite(range) ? 1 : range), and ensure
pointCount is computed from the cleaned data (and guard pointCount <= 1) so x
and normalized computations never produce NaN; return sensible empty outputs for
series with no valid points.

In `@assets/vue/components/dashboard/PerformanceChartCard.vue`:
- Around line 9-17: The PerformanceChartCard component is missing props and the
real chart render: add a defineProps declaration to accept the passed-in props
(labels and series) and update the template to render the LineChart instead of
the placeholder; specifically, in the PerformanceChartCard component that
currently imports BaseCard, declare defineProps({ labels: Array, series: Array
}) (or appropriate types), import/register the LineChart used by the root-level
assets/vue/PerformanceChartCard.vue, and replace the <div
class="pc-chart-placeholder"> block with the LineChart element bound to
:labels="labels" and :series="series" so DashboardView.vue’s bindings are
consumed.

In `@assets/vue/components/dashboard/SystemOverviewCard.vue`:
- Around line 13-14: Clamp the queuePercent value to the 0–100 range before
binding it to the style so the progress bar cannot render with negative or >100
widths; update the usage of queuePercent in SystemOverviewCard.vue (the
computed/prop/variable named queuePercent used in the element with class
"sys-progress-fill") to compute a clampedQueuePercent = Math.min(100,
Math.max(0, queuePercent)) and use that clamped value in the :style width
expression.

In `@assets/vue/DashboardView.vue`:
- Line 24: The import for KpiGrid in DashboardView.vue uses an incorrect
absolute path; update the import statement that references KpiGrid so it uses
the same relative path style as the other components (e.g., change import
KpiGrid from '/components/dashboard/KpiGrid.vue' to the relative
'./components/dashboard/KpiGrid.vue' pattern used elsewhere) so the module
resolver can find the KpiGrid component.

In `@assets/vue/SidebarLogo.vue`:
- Around line 4-8: The img tag in SidebarLogo.vue uses a generic alt="Logo";
update the template to bind the alt attribute to a meaningful value (e.g., a new
or existing prop like altText or the app name) or set alt="" when adjacent text
already conveys the branding; change the <img ... :src="logo" alt="Logo" /> to
use a bound attribute (e.g., :alt="altText || 'YourAppName'") and add a
prop/interface for altText in the SidebarLogo component so consumers can provide
accessible, descriptive alt text.

In `@src/Controller/AuthController.php`:
- Line 53: The login flow in AuthController.php is inconsistent: the post-login
branch redirects to redirectToRoute('dashboard') while the already-authenticated
branch sends users to redirectToRoute('empty_start_page'); update the
already-authenticated branch to use redirectToRoute('dashboard') so both
branches use the same target. Locate the method handling the /login route (e.g.,
login() in AuthController) and replace the redirectToRoute('empty_start_page')
call with redirectToRoute('dashboard') to unify the authenticated redirect
behavior.

In `@src/Controller/DashboardController.php`:
- Around line 15-18: DashboardController currently assigns $this->apiClient in
__construct without a declared property; either declare it using PHP 8.1
constructor property promotion (e.g., change __construct(AuthClient $apiClient)
to __construct(private AuthClient $apiClient)) or remove the parameter and
assignment if DashboardController does not use AuthClient; reference the
DashboardController class, its __construct method and the AuthClient type
(compare to AuthController's private AuthClient $apiClient) to locate and apply
the change.

In `@src/Security/SessionAuthenticator.php`:
- Around line 39-49: The code currently grants ROLE_ADMIN whenever
$session->has('auth_token'); instead, retrieve the token value
($session->get('auth_token')) and validate it (expiry, signature or remote
introspection) before creating the UserBadge and SelfValidatingPassport. Replace
the unconditional UserBadge creation in the SessionAuthenticator authenticate
method with a call to a token validation helper or injected
TokenIntrospector/TokenValidator service (e.g., validateAuthToken or
introspectAuthToken) and throw AuthenticationException when validation fails;
derive roles from the token claims instead of always assigning ['ROLE_ADMIN'] so
UserBadge('session-user', ...) uses the validated roles. Ensure the authenticate
method returns the passport only for a validated token.
- Around line 25-33: The supports(Request $request) method currently only skips
/login and should also skip public/debug asset routes; update the supports()
function to return false when $request->getPathInfo() starts with any of the
known public/debug prefixes (e.g. '/build/', '/_profiler', '/_wdt') or other
static endpoints you need (favicon/robots etc.), either by adding individual
str_starts_with checks or by iterating an array of prefixes and returning false
if any match; keep the existing /login skip and otherwise return true.

In `@templates/auth/login.html.twig`:
- Line 42: Replace the no-op anchor links that use href="#" in
templates/auth/login.html.twig (notably the "Forgot password?" anchor at line
with class "small text-decoration-none" and the group at lines 63-66) with real
destinations or non-link elements: update the anchors to point to the correct
route names/URLs (e.g., password reset, help, or terms) using your template
route helper, or convert them to <button> or <span> with appropriate
classes/role and click handlers if they trigger JS actions; ensure the unique
anchor instances (the "Forgot password?" anchor and the anchors in the 63-66
block) no longer use href="#" to avoid jump-to-top behavior.
- Around line 31-58: The login form currently posts credentials without CSRF
protection; add a hidden input field inside the <form> (alongside the username
and password inputs) that contains the CSRF token value (use your framework/Twig
CSRF helper, e.g. the token for the authentication action) and ensure the
server-side login handler validates that token (check the expected request
parameter name and use the same token id/intent as generated in the template)
before accepting credentials; update the login handler to return an error on
invalid/missing tokens.
- Around line 10-13: The template uses Bootstrap 5 utility classes that don’t
exist in the loaded Bootstrap 4.5.2; update the class names in
templates/auth/login.html.twig (e.g., the <img> tag using "me-2 mr-2" and the
<h1> using "fs-4 fw-bold") and the other referenced locations (lines referenced
in the review) to Bootstrap 4 equivalents: replace me-* with mr-*, ms-* with
ml-*, replace fw-bold / fw-semibold with Bootstrap 4 font-weight classes (e.g.,
font-weight-bold or font-weight-normal) and replace fs-* with appropriate
Bootstrap 4 utilities (use heading/display classes like display-4 or standard h*
tags or add a small custom CSS rule if an exact size is required); apply these
same substitutions for the other occurrences noted (lines 22-23, 49-50, 63-67).

In `@templates/base.html.twig`:
- Around line 14-16: The template double-loads the Webpack Encore app bundle:
the javascripts block already calls encore_entry_script_tags('app'), but the
template later also statically includes build/runtime.js and build/app.js;
remove (or conditionally skip) the manual script tags so the app is only
initialized once — locate the javascripts block and the static script tags
referencing build/runtime.js and build/app.js and delete the redundant static
includes (or replace them with a single call to
encore_entry_script_tags('app')).

In `@templates/dashboard/index.html.twig`:
- Line 1: The header comment in the template incorrectly references
templates/security/login.html.twig; update the top-of-file comment in
templates/dashboard/index.html.twig (the existing comment string "{#
templates/security/login.html.twig #}") to either the correct path "{#
templates/dashboard/index.html.twig #}" or remove the misleading header entirely
so it accurately reflects this template's location.

---

Nitpick comments:
In @.husky/pre-commit:
- Around line 4-11: Restore the local QA commands (phpstan, phpmd, phpcs)
instead of fully commenting them out and make them opt-out using an environment
variable; wrap the existing commands (the php vendor/bin/phpstan, php
vendor/bin/phpmd, and php vendor/bin/phpcs lines) in a conditional that skips
execution when SKIP_LOCAL_QA=1 (for example: if [ "$SKIP_LOCAL_QA" != "1" ];
then <command> || exit 1; fi) so checks run by default but can be disabled
explicitly.

In `@assets/app.js`:
- Line 1: Remove the transient debug statement from the entrypoint: locate the
console.log('app.js loaded') call in assets/app.js and delete it (or replace it
with a conditional debug/log-level call behind an environment check such as
process.env.NODE_ENV === 'development' or a logger.debug call) so the noisy
message is not emitted in production/devtools.

In `@assets/vue/components/base/BaseProgressBar.vue`:
- Around line 3-8: Add proper ARIA semantics to the progress bar by giving the
progress container (the element with class "progress" or the inner
"progress__fill") role="progressbar" and binding aria-valuemin, aria-valuemax,
and aria-valuenow to the component props; ensure the component exposes/uses
props named value (current), min (default 0) and max (default 100) and bind
:aria-valuemin="min", :aria-valuemax="max", :aria-valuenow="value" so assistive
tech can interpret the indicator (keep visual behavior unchanged).

In `@assets/vue/components/dashboard/KpiGrid.vue`:
- Around line 27-29: The KPI items in KpiGrid.vue set trend: 'neutral', which
does not match the KpiCard.vue contract ("up" | "down"); update the trend values
in the KPI object(s) (the trend property in the object with keys
change/trend/icon) to use "up" or "down" instead of "neutral" — e.g., map
zero/positive changes to "up" and negative changes (leading '-' in change like
'-1.2%') to "down", or choose a default "up" if you prefer, so styling/behavior
in KpiCard.vue receives only "up" or "down".

In `@assets/vue/DashboardView.vue`:
- Line 16: RecentCampaignsCard is being rendered without its expected rows prop;
wire the component to pass dashboard state (e.g., the parent data/computed
property holding campaign rows such as recentCampaigns, recentCampaignRows, or
similar) into the RecentCampaignsCard via a rows prop so the card receives
explicit data instead of falling back to empty defaults—update the template
where <RecentCampaignsCard /> is used to <RecentCampaignsCard
:rows="yourRowsState" /> and ensure the referenced state
(recentCampaigns/recentCampaignRows) is defined and populated in the parent
component.

In `@assets/vue/RecentCampaignsCard.vue`:
- Around line 13-26: The RecentCampaignsCard.vue file currently hardcodes a
local const rows which diverges from the dashboard variant; change
RecentCampaignsCard.vue to accept rows as a prop (e.g., add a props declaration
for rows with an Array type and a sensible default like []), remove the
hardcoded const rows, and pass that prop into the internal CampaignsTable (or
use the same prop name the dashboard variant uses) so both cards share the same
data contract; update any references to the local rows variable to use the prop
instead (look for the RecentCampaignsCard component, the rows const, and where
CampaignsTable is used).

In `@assets/vue/SystemOverviewCard.vue`:
- Around line 1-50: There are duplicate SystemOverviewCard implementations;
consolidate them by choosing one canonical component (the one that includes the
props queuePercent and remaining and uses BaseCard, BaseBadge, BaseProgressBar,
BaseButton) and merge any missing markup/props from the other implementation
into it, then remove the other file and update any imports to point to the
single SystemOverviewCard component; ensure the canonical component exports the
same props (queuePercent, remaining) and preserves used child components
(BaseCard, BaseBadge, BaseProgressBar, BaseButton) so every reference across the
app continues to work.

In `@composer.json`:
- Around line 19-22: The dependency entry for "tatevikgr/rest-api-client" uses a
branch ref ("dev-ISSUE-357") which can drift; update the version string in
composer.json to pin to a specific commit by appending the commit hash (e.g.
"dev-ISSUE-357#<commit-hash>") for deterministic installs, or alternatively
replace the branch ref with a proper tag if one exists; locate the
"tatevikgr/rest-api-client" requirement in composer.json and change its version
value accordingly and run composer update to regenerate composer.lock in CI.

In `@config/packages/security.yaml`:
- Around line 18-19: The public login path matcher currently uses the regex
'^/login' which also matches '/login-anything'; update the matcher for the login
route (the entry with path '^/login' and roles 'PUBLIC_ACCESS') to anchor it to
the exact path (e.g., require the end-of-string anchor) so only '/login' is
public while keeping the admin rule for the root ('^/') unchanged.

In `@package.json`:
- Line 9: The package.json contains an unused dependency "file-loader"—remove
the "file-loader" entry from package.json dependencies, run your package manager
(npm install or yarn install) to update lockfiles, and verify there are no
runtime references by searching for "file-loader" in the repo (e.g., any
webpack/Encore config or imports). If CI or build scripts reference it, update
them to rely on Encore's copyFiles()/Webpack 5 asset handling instead; then run
the build locally to confirm nothing breaks.

In `@src/Controller/DashboardController.php`:
- Around line 23-25: Remove the stale commented authentication check inside
DashboardController (the commented block that checks
$request->getSession()->has('auth_token') and redirects to 'login'); delete
those commented lines so the controller no longer contains dead/commented auth
logic and rely on actual middleware/security layers instead.

In `@src/EventSubscriber/AuthGateSubscriber.php`:
- Around line 14-18: AuthGateSubscriber's temporary auth logic is now
duplicative; remove or disable the class so Symfony SecurityBundle handles auth
centrally: locate the AuthGateSubscriber class and its onKernelRequest method
(and any getSubscribedEvents/static subscription) and either delete the class or
unregister it from DI/event subscriber registration, and remove any
redirect-to-login logic and public-path checks (e.g., methods/properties
handling publicPaths) so authentication decisions are solely handled by the
firewall/authenticator.

In `@templates/base.html.twig`:
- Line 19: Remove the redundant empty class attribute from the <main> element in
templates/base.html.twig by deleting the class="" so the tag is simply <main>;
update the <main> element usage wherever referenced to avoid leaving an empty
attribute.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: dba409ed-a83e-4043-94f8-96700fdcb1e8

📥 Commits

Reviewing files that changed from the base of the PR and between d6333ed and 83ba923.

⛔ Files ignored due to path filters (3)

• assets/images/logo-48.png is excluded by !**/*.png
• assets/images/logo.png is excluded by !**/*.png
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (41)

• .husky/pre-commit
• assets/app.js
• assets/router/index.js
• assets/vue/App.vue
• assets/vue/AppSidebar.vue
• assets/vue/BaseCard.vue
• assets/vue/CampaignsTable.vue
• assets/vue/DashboardView.vue
• assets/vue/PerformanceChartCard.vue
• assets/vue/RecentCampaignsCard.vue
• assets/vue/SidebarLogo.vue
• assets/vue/SidebarNavItem.vue
• assets/vue/SidebarNavSection.vue
• assets/vue/SystemOverviewCard.vue
• assets/vue/components/base/BaseBadge.vue
• assets/vue/components/base/BaseButton.vue
• assets/vue/components/base/BaseCard.vue
• assets/vue/components/base/BaseIcon.vue
• assets/vue/components/base/BaseProgressBar.vue
• assets/vue/components/charts/LineChart.vue
• assets/vue/components/dashboard/KpiCard.vue
• assets/vue/components/dashboard/KpiGrid.vue
• assets/vue/components/dashboard/PerformanceChartCard.vue
• assets/vue/components/dashboard/RecentCampaignsCard.vue
• assets/vue/components/dashboard/SystemOverviewCard.vue
• assets/vue/layouts/DashboardLayout.vue
• composer.json
• config/packages/framework.yaml
• config/packages/security.yaml
• config/services.yml
• package.json
• src/Controller/AuthController.php
• src/Controller/DashboardController.php
• src/EventSubscriber/AuthGateSubscriber.php
• src/Security/SessionAuthenticator.php
• src/Service/ApiClient.php
• templates/auth/login.html.twig
• templates/base.html.twig
• templates/dashboard/index.html.twig
• tests/Unit/Service/ApiClientTest.php
• webpack.config.js

💤 Files with no reviewable changes (2)

• tests/Unit/Service/ApiClientTest.php
• src/Service/ApiClient.php

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify router declarations and route outlet presence
rg -n "createRouter|routes\\s*:" assets/router/index.js
rg -n "path:\\s*'/dashboard'|DashboardView" --glob '*.js' assets
rg -n "<router-view\\b" --glob '*.vue' assets

Repository: phpList/web-frontend

Length of output: 194

---

🏁 Script executed:

# Check if DashboardView.vue exists and find related files
fd "DashboardView|dashboard" assets/ --type f

# Check the structure of assets/vue directory
fd . assets/vue --type f 2>/dev/null | head -20

# Look for main.js or app initialization that uses the router
fd "main\.js|app\.js" assets/ --type f -x cat -n {}

Repository: phpList/web-frontend

Length of output: 1185

---

🏁 Script executed:

# Check App.vue for router-view
cat -n assets/vue/App.vue

# Check the full router/index.js file
cat -n assets/router/index.js

# Look for any other router-related files
fd . assets/router --type f

Repository: phpList/web-frontend

Length of output: 1872

---

🏁 Script executed:

# List all Vue files with App in the name
fd "App\.vue" assets/ -x cat -n {}

# Search for router-view in all Vue files
rg -n "<router-view" assets/vue --glob '*.vue' -A 2

Repository: phpList/web-frontend

Length of output: 1644

---

🏁 Script executed:

# Look for index.html
find assets -name "*.html" -o -name "index.*" | head -10

# List all files in assets root
ls -la assets/

# Search for any file with router-view
rg "router-view" assets/

Repository: phpList/web-frontend

Length of output: 418

---

Add route definitions and router outlet — navigation currently has nowhere to go.

The routes array is empty, so sidebar navigation targets like /dashboard won't resolve. Additionally, there's no <router-view> component in the app to display the routed content. Both need to be fixed.

Suggested patch

 import { createRouter, createWebHistory } from 'vue-router';
+import DashboardView from '../vue/DashboardView.vue';

 export const router = createRouter({
     history: createWebHistory(),
-    routes: [ /* ... */ ],
+    routes: [
+        { path: '/', redirect: '/dashboard' },
+        { path: '/dashboard', name: 'dashboard', component: DashboardView },
+    ],
 });

Also add <router-view /> to your main layout (likely in AppSidebar.vue or a wrapper component) so routed components can render.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/router/index.js` around lines 3 - 5, The router currently created by
createRouter has an empty routes array so navigation targets like "/dashboard"
won't resolve; add route objects to the routes array (e.g., { path: '/', name:
'Home', component: Home }, { path: '/dashboard', name: 'Dashboard', component:
Dashboard }, etc.), import the corresponding components (Dashboard, Home,
NotFound) and include a catch-all 404 route as needed in the same file where
router is defined (reference: router / createRouter / routes). Also ensure your
main layout component (e.g., AppSidebar.vue or App.vue) includes the Vue Router
outlet by adding a <router-view /> placeholder where routed components should
render so navigation has a render target (reference: AppSidebar.vue /
router-view).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Guard row.status before calling toLowerCase().

Line 25 can throw when status is null/undefined/non-string, which would break rendering for the whole table.

Suggested fix

-:class="`campaigns-table__status--${row.status.toLowerCase()}`"
+:class="`campaigns-table__status--${String(row.status ?? 'unknown').toLowerCase()}`"
 ...
-{{ row.status }}
+{{ row.status ?? 'Unknown' }}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	<span
	class="campaigns-table__status"
	:class="`campaigns-table__status--${row.status.toLowerCase()}`"
	>
	{{ row.status }}
	<span
	class="campaigns-table__status"
	:class="`campaigns-table__status--${String(row.status ?? 'unknown').toLowerCase()}`"
	>
	{{ row.status ?? 'Unknown' }}
	</span>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/CampaignsTable.vue` around lines 23 - 27, Guard the use of
row.status before calling toLowerCase in CampaignsTable.vue: update the class
binding that uses `row.status.toLowerCase()` to handle null/undefined/non-string
values (for example by checking typeof or using a safe default like an empty
string) so it never calls toLowerCase on a non-string; ensure the interpolation
`{{ row.status }}` stays unchanged but the computed/class expression that builds
`campaigns-table__status--${...}` uses a safe expression (e.g., `typeof
row.status === 'string' ? row.status.toLowerCase() : 'unknown'`) to prevent
runtime errors during render.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Find dynamic variant usage sites that would be affected by non-reactive derived class strings.
rg -nP --type=vue '<BaseCard[^>]*:variant=' assets/vue

Repository: phpList/web-frontend

Length of output: 91

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# First, check if the file exists and read it
if [ -f "assets/vue/components/base/BaseCard.vue" ]; then
  echo "=== BaseCard.vue content ==="
  cat -n "assets/vue/components/base/BaseCard.vue"
else
  echo "File not found at assets/vue/components/base/BaseCard.vue"
  # Try to find it
  find . -name "BaseCard.vue" 2>/dev/null || echo "Could not find BaseCard.vue"
fi

Repository: phpList/web-frontend

Length of output: 840

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Search for BaseCard usage with :variant binding (without --type=vue)
echo "=== Searching for BaseCard with :variant binding ==="
rg -n '<BaseCard[^>]*:variant=' --type-add 'vue:*.vue' -t vue assets/vue 2>/dev/null || \
rg -n '<BaseCard[^>]*:variant=' assets/vue 2>/dev/null || \
echo "No matches found or rg doesn't support custom types; trying alternative search"

# Fallback: search all files
rg -n ':variant=' assets/vue --glob="*.vue" 2>/dev/null | head -20

Repository: phpList/web-frontend

Length of output: 195

---

Make variantClass reactive to prop updates.

Line 15 assigns variantClass statically, so if the variant prop changes at runtime, the CSS class won't update. This is a Vue 3 reactivity issue—use computed() to make it responsive to prop changes:

Reactive fix

 <script setup>
+import { computed } from 'vue'
+
 const props = defineProps({
   variant: {
     type: String,
     default: "default", // "default", "subtle", "danger", etc.
   },
 });
 
-const variantClass = `base-card--${props.variant}`;
+const variantClass = computed(() => `base-card--${props.variant}`);
 </script>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/base/BaseCard.vue` at line 15, variantClass is
currently a static string and won't update when props.variant changes; change
its definition to a Vue computed that returns `base-card--${props.variant}` (use
the computed() API) so the class reacts to prop updates, ensure computed is
imported from 'vue' and that any template or class binding uses the new computed
ref (variantClass) instead of the static variable in BaseCard.vue.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# Find and examine base.html.twig
fd base.html.twig

Repository: phpList/web-frontend

Length of output: 88

---

🏁 Script executed:

# Find and examine login.html.twig
fd login.html.twig

Repository: phpList/web-frontend

Length of output: 94

---

🏁 Script executed:

# Read base.html.twig, focusing on line 9 and surrounding context
head -20 templates/base.html.twig

Repository: phpList/web-frontend

Length of output: 672

---

🏁 Script executed:

# Read login.html.twig to examine the utility classes at specified lines
cat -n templates/auth/login.html.twig

Repository: phpList/web-frontend

Length of output: 4774

---

Bootstrap 5 utilities used with Bootstrap 4.5.2 loaded.

The template uses Bootstrap 5 utilities (me-*, ms-*, fs-4, fs-5, fw-semibold), but templates/base.html.twig line 9 loads Bootstrap 4.5.2. These utilities don't exist in Bootstrap 4 and won't apply—causing styling inconsistencies.

Also applies to: 22-23, 49-50, 63-67

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@templates/auth/login.html.twig` around lines 10 - 13, The template uses
Bootstrap 5 utility classes that don’t exist in the loaded Bootstrap 4.5.2;
update the class names in templates/auth/login.html.twig (e.g., the <img> tag
using "me-2 mr-2" and the <h1> using "fs-4 fw-bold") and the other referenced
locations (lines referenced in the review) to Bootstrap 4 equivalents: replace
me-* with mr-*, ms-* with ml-*, replace fw-bold / fw-semibold with Bootstrap 4
font-weight classes (e.g., font-weight-bold or font-weight-normal) and replace
fs-* with appropriate Bootstrap 4 utilities (use heading/display classes like
display-4 or standard h* tags or add a small custom CSS rule if an exact size is
required); apply these same substitutions for the other occurrences noted (lines
22-23, 49-50, 63-67).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add CSRF protection to the login form.

The form posts credentials without a CSRF token. Please add a token field here and validate it server-side in the login handler.

Proposed template fix

 <form method="post">
+    <input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}">
     <div class="mb-3">
         <label for="username" class="form-label small fw-semibold">Login</label>

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	<form method="post">
	<div class="mb-3">
	<label for="username" class="form-label small fw-semibold">Login</label>
	<div class="input-group">
	<input type="text" class="form-control border-start-0" name="username" id="username" required autofocus/>
	</div>
	</div>
	<div class="mb-2">
	<div class="d-flex justify-content-between align-items-center">
	<label for="password" class="form-label small fw-semibold mb-1">Password</label>
	<a href="#" class="small text-decoration-none">Forgot password?</a>
	</div>
	<div class="input-group">
	<input type="password" class="form-control border-start-0" id="password" name="password" required/>
	</div>
	</div>
	<button type="submit" class="btn btn-primary btn-block">Sign in</button>
	</form>
	<div class="d-grid mb-2 mt-4">
	<button type="submit" class="btn btn-primary fw-semibold w-100">
	Sign In
	</button>
	</div>
	<p class="text-center text-muted small mb-0">
	Access is restricted to authorised administrators only.
	</p>
	</form>
	<form method="post">
	<input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}">
	<div class="mb-3">
	<label for="username" class="form-label small fw-semibold">Login</label>
	<div class="input-group">
	<input type="text" class="form-control border-start-0" name="username" id="username" required autofocus/>
	</div>
	</div>
	<div class="mb-2">
	<div class="d-flex justify-content-between align-items-center">
	<label for="password" class="form-label small fw-semibold mb-1">Password</label>
	<a href="#" class="small text-decoration-none">Forgot password?</a>
	</div>
	<div class="input-group">
	<input type="password" class="form-control border-start-0" id="password" name="password" required/>
	</div>
	</div>
	<div class="d-grid mb-2 mt-4">
	<button type="submit" class="btn btn-primary fw-semibold w-100">
	Sign In
	</button>
	</div>
	<p class="text-center text-muted small mb-0">
	Access is restricted to authorised administrators only.
	</p>
	</form>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@templates/auth/login.html.twig` around lines 31 - 58, The login form
currently posts credentials without CSRF protection; add a hidden input field
inside the <form> (alongside the username and password inputs) that contains the
CSRF token value (use your framework/Twig CSRF helper, e.g. the token for the
authentication action) and ensure the server-side login handler validates that
token (check the expected request parameter name and use the same token
id/intent as generated in the template) before accepting credentials; update the
login handler to return an error on invalid/missing tokens.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Replace href="#" placeholders with real destinations (or non-link elements).

Line 42 and Line 63-Line 66 currently trigger a no-op jump-to-top behavior instead of meaningful actions.

Also applies to: 63-66

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@templates/auth/login.html.twig` at line 42, Replace the no-op anchor links
that use href="#" in templates/auth/login.html.twig (notably the "Forgot
password?" anchor at line with class "small text-decoration-none" and the group
at lines 63-66) with real destinations or non-link elements: update the anchors
to point to the correct route names/URLs (e.g., password reset, help, or terms)
using your template route helper, or convert them to <button> or <span> with
appropriate classes/role and click handlers if they trigger JS actions; ensure
the unique anchor instances (the "Forgot password?" anchor and the anchors in
the 63-66 block) no longer use href="#" to avoid jump-to-top behavior.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid double-loading the Encore app bundle.

Line 15 already injects the JS entry, but build/runtime.js and build/app.js are still loaded at Line 26 and Line 27. That can initialize the app twice.

Proposed fix

 {% block javascripts %}
     {{ encore_entry_script_tags('app') }}
 {% endblock %}
@@
-<script src="{{ asset('build/runtime.js') }}"></script>
-<script src="{{ asset('build/app.js') }}"></script>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@templates/base.html.twig` around lines 14 - 16, The template double-loads the
Webpack Encore app bundle: the javascripts block already calls
encore_entry_script_tags('app'), but the template later also statically includes
build/runtime.js and build/app.js; remove (or conditionally skip) the manual
script tags so the app is only initialized once — locate the javascripts block
and the static script tags referencing build/runtime.js and build/app.js and
delete the redundant static includes (or replace them with a single call to
encore_entry_script_tags('app')).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix misleading file header comment.

The comment references templates/security/login.html.twig, but this file is templates/dashboard/index.html.twig.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@templates/dashboard/index.html.twig` at line 1, The header comment in the
template incorrectly references templates/security/login.html.twig; update the
top-of-file comment in templates/dashboard/index.html.twig (the existing comment
string "{# templates/security/login.html.twig #}") to either the correct path
"{# templates/dashboard/index.html.twig #}" or remove the misleading header
entirely so it accurately reflects this template's location.

[coderabbitai]

Actionable comments posted: 18

♻️ Duplicate comments (3)

templates/auth/login.html.twig (2)

38-38: ⚠️ Potential issue | 🟡 Minor

href="#" placeholder for "Forgot password?" — still needs a real destination.

This was noted in a previous review. Either wire it to an actual password reset route or remove the link if the feature doesn't exist yet.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@templates/auth/login.html.twig` at line 38, The "Forgot password?" anchor
uses a placeholder href="#" and must be wired to a real route or removed; update
the anchor in templates/auth/login.html.twig so its href calls the correct
password-reset route (e.g., use Twig's path('password_reset') or the actual
route name used by your app) or remove the <a> entirely if password reset isn't
implemented yet, and ensure the class/text remain unchanged.

---

29-52: ⚠️ Potential issue | 🟠 Major

CSRF token still missing from login form.

This was flagged in a previous review and remains unaddressed. The form submits credentials without CSRF protection, which is a security concern.

🔒 Add CSRF token

 <form method="post">
+    <input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}">
     <div class="mb-4">

Make sure the server-side login handler validates this token.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@templates/auth/login.html.twig` around lines 29 - 52, The login form in
login.html.twig is missing a CSRF token input; add the framework's CSRF hidden
field inside the <form> (e.g., insert the Twig CSRF token helper or a hidden
input named like csrf_token) and ensure the server-side login handler (the
route/controller that processes the form submission) validates this token before
authenticating the user; reference the form element in the template and the
login handler method to implement token generation, insertion, and validation.

templates/base.html.twig (1)

12-14: ⚠️ Potential issue | 🟠 Major

Double-loading the app bundle — still needs fixing.

The encore_entry_script_tags('app') at Line 13 already injects runtime.js and app.js. The manual script tags at Lines 21-22 load them again, which will initialize the Vue app twice.

Remove the static script tags at the end of the body.

Proposed fix

 </main>
 
-<script src="{{ asset('build/runtime.js') }}"></script>
-<script src="{{ asset('build/app.js') }}"></script>
 </body>
 </html>

Also applies to: 21-22

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@templates/base.html.twig` around lines 12 - 14, The template currently
double-loads the app bundle: keep the Twig block that calls
encore_entry_script_tags('app') inside the javascripts block and remove the
duplicate manual <script> tags that statically include runtime.js and app.js at
the end of the body; locate the static tags near the bottom of
templates/base.html.twig and delete them so the Vue app is only initialized via
encore_entry_script_tags('app').

🧹 Nitpick comments (27)

apache/web-frontend.conf (2)

21-25: Hardcoded PHP-FPM socket version.

The socket path /run/php/php8.1-fpm.sock locks this to PHP 8.1. If someone runs a different PHP version, requests will fail silently (proxy error).

♻️ Consider a more flexible approach

     <IfModule proxy_fcgi_module>
         <FilesMatch \.php$>
-            SetHandler "proxy:unix:/run/php/php8.1-fpm.sock|fcgi://localhost"
+            # Adjust socket path to match your PHP-FPM version
+            SetHandler "proxy:unix:/run/php/php-fpm.sock|fcgi://localhost"
         </FilesMatch>
     </IfModule>

Alternatively, add a comment noting the version requirement, or use an environment variable via Define.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apache/web-frontend.conf` around lines 21 - 25, The SetHandler in the
FilesMatch block currently hardcodes the PHP-FPM socket path
"proxy:unix:/run/php/php8.1-fpm.sock|fcgi://localhost", which will break if PHP
is upgraded; update the FilesMatch/SetHandler usage to reference a configurable
Define or environment-provided variable (e.g., PHP_FPM_SOCK) instead of the
literal path, or document the required PHP version and instruct maintainers to
create a stable symlink (/run/php/php-fpm.sock) that points to the active
version; adjust the SetHandler reference in the FilesMatch block accordingly so
the socket path is not tied to "php8.1" directly.

---

1-2: HTTP-only VirtualHost — confirm this is intentional for local dev.

This config uses port 80 without TLS. Fine for local development (frontend.phplist.local), but ensure there's a separate HTTPS config or reverse proxy for production deployments.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apache/web-frontend.conf` around lines 1 - 2, This VirtualHost is configured
for HTTP only (VirtualHost *:80 with ServerName frontend.phplist.local); if this
is only for local dev, add a clear comment stating that and restrict access
(e.g., bind to localhost or local-only network), otherwise create a matching
HTTPS VirtualHost (VirtualHost *:443) with TLS settings (certificate, SSLEngine
on) or ensure a production reverse proxy handles TLS so production is not served
over plain HTTP.

assets/vue/components/dashboard/CampaignsTable.vue (1)

47-53: Unused props variable.

defineProps returns the props object but it's assigned to props which is never referenced. The statusClass function receives status as a parameter instead of reading from props.rows.

♻️ Simplified props declaration

 <script setup>
-const props = defineProps({
+defineProps({
   rows: {
     type: Array,
     default: () => [],
   },
 })

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/dashboard/CampaignsTable.vue` around lines 47 - 53, The
code assigns defineProps(...) to a never-used variable "props"; remove the
unused variable by replacing "const props = defineProps({ ... })" with a direct
call "defineProps({ ... })" so props are declared for the component without
creating an unused identifier, and verify that statusClass continues to accept a
status parameter (no change needed) rather than trying to read props.rows.

assets/vue/components/sidebar/SidebarLogo.vue (1)

4-9: Conflicting height classes on the image element.

The <img> has both h-full (line 5) and h-auto (also line 5) applied. These conflict — h-auto will override h-full but the intent is unclear. If you want the image to fill the container, drop h-auto; if you want natural aspect ratio, drop h-full.

♻️ Suggested fix (assuming fill container)

      <img
-          class="w-full h-full max-w-full h-auto block"
+          class="w-full h-full block"
          :src="logo"
          alt="Logo"
          style="object-fit: contain;"
      />

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/sidebar/SidebarLogo.vue` around lines 4 - 9, The img in
SidebarLogo.vue has conflicting Tailwind height classes on the same element
(class="... h-full h-auto ..."); decide the intended behavior and remove the
other class: if you want the logo to fill its container keep h-full and remove
h-auto, or if you want natural aspect ratio keep h-auto and remove h-full;
update the class attribute on the <img> in the SidebarLogo component
accordingly.

package.json (1)

24-24: Consider pinning vue-router to a more specific version.

Using "vue-router": "4" lets any 4.x.x release through, which can include unexpected updates. Vue Router's minor versions have introduced API changes, so tighter pinning is safer.

♻️ Suggested fix

-    "vue-router": "4"
+    "vue-router": "~4.6.4"

The latest 4.x release is 4.6.4. The tilde (~) locks to patch updates only, preventing accidental breaking changes in minor releases. If you prefer less strict versioning, "^4.6.4" works too, but ~ is more predictable.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 24, Update the package.json dependency entry for
"vue-router" to pin a more specific version to avoid pulling unintended minor
releases; locate the "vue-router" entry in package.json and change its version
string from "4" to a fixed or more conservative range such as "~4.6.4" (or
"^4.6.4" if you prefer less strictness) so only safe patch updates are allowed.

assets/vue/components/dashboard/RecentCampaignsCard.vue (1)

20-51: Mock data baked into component defaults — consider externalizing.

The rows prop defaults to hardcoded sample campaigns with 2023 dates. Since DashboardView.vue (lines 18-22) uses this component without passing any props, users will always see this stale mock data. The TODO on line 21 acknowledges this.

A couple of options to clean this up:

• Fetch real data from the backend API in DashboardView and pass it down
• Or at minimum, default to an empty array and show the table's empty state until real data arrives

Not blocking, but worth tracking as a follow-up.

Want me to open an issue to track wiring this up to fetch campaigns from the backend?

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/dashboard/RecentCampaignsCard.vue` around lines 20 -
51, Replace the baked-in mock campaign data in the RecentCampaignsCard.vue props
so the component no longer defaults to stale samples: change the defineProps({
rows: { ... default: (...) }}) to default to an empty array (or remove the
default) and ensure the component (RecentCampaignsCard) handles an empty rows
array via its empty state; then wire DashboardView to fetch real campaign data
from the backend and pass it into the rows prop (or open an issue to track
adding a fetch in DashboardView if you prefer to defer implementation).

assets/vue/components/subscribers/SubscriberFilters.vue (1)

27-35: Clicking active filter sets it to null — is that intentional UX?

When clicking the currently active filter, activeFilter becomes null (line 29). This means no filter button is highlighted, and null is emitted to the parent.

If null should behave differently from 'all', that's fine. But if they're meant to be equivalent, consider keeping 'all' selected instead of allowing a "no selection" state that might confuse users:

const toggleFilter = (filterId) => {
  // Option: always keep 'all' as fallback instead of null
  activeFilter.value = activeFilter.value === filterId ? 'all' : filterId
  emit('filter-change', activeFilter.value)
}

Just a UX thought — feel free to disregard if the null state is intentional.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/subscribers/SubscriberFilters.vue` around lines 27 -
35, The current toggleFilter function sets activeFilter.value to null when the
user clicks the already-active filter, creating a "no selection" state; change
toggleFilter so that when activeFilter.value === filterId it falls back to the
default 'all' (i.e., activeFilter.value = 'all') instead of null, and continue
to emit('filter-change', activeFilter.value) so the parent always receives a
valid filter value; update the logic in the toggleFilter function and any usages
relying on null to expect 'all' instead.

composer.json (1)

50-54: Using dev-* branches for dependencies — be mindful of stability.

Both phplist/core: dev-dev and tatevikgr/rest-api-client: dev-main point to moving targets. This is fine during active development, but consider:

• Pinning to specific commits or tags before release
• Documenting which commit hashes are known to work

Just a heads-up for when things stabilize.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@composer.json` around lines 50 - 54, The composer.json currently depends on
moving branches "phplist/core": "dev-dev" and "tatevikgr/rest-api-client":
"dev-main"; replace those unstable refs with either a specific tagged version
(e.g., "1.2.3") or a commit-pinned ref (e.g., "dev-main#<commit-hash>") for
production releases, update the dependency entries for phplist/core and
tatevikgr/rest-api-client accordingly, regenerate and commit composer.lock, and
document in the repo (README or RELEASE notes) the chosen commit hashes or tags
that are known to work.

assets/vue/components/sidebar/SidebarNavSection.vue (1)

6-8: Use a stable unique key for nav items.

Using item.label as the key is fragile if labels repeat. Prefer item.route (or an explicit id) to avoid patching glitches.

Suggested tweak

-    <SidebarNavItem
-        v-for="item in items"
-        :key="item.label"
-        :item="item"
-    />
+    <SidebarNavItem
+        v-for="item in items"
+        :key="item.route"
+        :item="item"
+    />

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/sidebar/SidebarNavSection.vue` around lines 6 - 8, The
v-for in SidebarNavSection.vue uses a fragile key (:key="item.label"); change
the key to a stable unique identifier such as :key="item.route" or an explicit
:key="item.id" (ensure each item in items has that property) so the list
rendering for items remains stable and avoids patching glitches; update any data
construction that builds items to include a unique id if necessary.

assets/vue/components/subscribers/SubscriberTable.vue (2)

130-139: Dead code: formatDate is never called.

This helper function is defined but not used anywhere in the template. The dates are rendered directly via {{ subscriber.createdAt }} without formatting.

Either remove formatDate if it's not needed, or wire it up in the template to format the dates:

-            {{ subscriber.createdAt }}
+            {{ formatDate(subscriber.createdAt) }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/subscribers/SubscriberTable.vue` around lines 130 -
139, The helper function formatDate is dead code because the template renders
raw dates with {{ subscriber.createdAt }}; either remove formatDate or wire it
into the template so dates are formatted. To fix, either delete the unused
formatDate function, or update the template where subscriber.createdAt is
displayed to call the formatter (e.g., use the formatDate helper or map it via a
computed/ method) so createdAt is passed to formatDate (and optionally set
isIso) before rendering; ensure any import/registration needed for formatDate in
the component options is added if you choose to keep it.

---

112-112: Unused import.

The inject import from Vue isn't used anywhere in this component.

🧹 Proposed fix

-import { inject } from 'vue'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/subscribers/SubscriberTable.vue` at line 112, The file
imports Vue's inject but doesn't use it; remove the unused import to clean up
SubscriberTable.vue by deleting "inject" from the import statement (or remove
the entire import line if nothing else is imported), ensuring no references to
inject remain in the component (check for symbols like inject or provide/inject
usage) before committing.

tests/Integration/Auth/LoginTest.php (2)

23-26: Inconsistent connection timeouts between tests.

testLoginPageFormFieldsAreVisible uses 10000ms while testLoginFormSubmission uses 20000ms. If the longer timeout was needed for reliability, consider using the same value in both tests to avoid flaky runs.

Also applies to: 43-46

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/Integration/Auth/LoginTest.php` around lines 23 - 26, Both tests use
inconsistent Panther client connection timeouts; update the createPantherClient
calls in LoginTest (used in testLoginPageFormFieldsAreVisible and
testLoginFormSubmission) so they use the same timeout value (choose the longer
20000ms for reliability) or define a shared constant (e.g.,
DEFAULT_CONNECTION_TIMEOUT_MS) and use it in both places to avoid flaky runs.

---

55-55: Brittle selector: Tailwind utility classes.

Using .bg-red-50.border-red-200.text-red-600 as a selector is fragile—any styling tweak will break this test. Consider adding a dedicated test ID or semantic class to the error alert element.

In the template, add a test hook:

<div class="bg-red-50 border-red-200 text-red-600 ..." data-testid="login-error">

Then in the test:

-        $this->assertSelectorExists('.bg-red-50.border-red-200.text-red-600');
+        $this->assertSelectorExists('[data-testid="login-error"]');

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/Integration/Auth/LoginTest.php` at line 55, The test uses a brittle
Tailwind selector in LoginTest.php (the assertSelectorExists call with
'.bg-red-50.border-red-200.text-red-600'); change the app template to add a
stable test hook (e.g., data-testid="login-error" on the error alert div) and
update the test to assertSelectorExists('[data-testid="login-error"]') instead
of the utility-class selector so styling changes won't break the test.

assets/vue/components/subscribers/SubscriberModal.vue (1)

202-204: Consider resetting state when modal closes.

When the modal closes, subscriber, formData, and error retain their previous values. If the user reopens the modal quickly (before the watcher triggers fetch), they might briefly see stale data.

🧹 Proposed enhancement

 const close = () => {
+  subscriber.value = null
+  error.value = null
   emit('close')
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/subscribers/SubscriberModal.vue` around lines 202 -
204, The close() handler currently only emits 'close' but leaves local state
(subscriber, formData, error) intact, causing stale values to flash if the modal
is reopened; update the close function to reset subscriber to its initial empty
value, reset formData to the initial form shape, and clear error before emitting
'close' (or emit after resetting) so the modal always starts with a clean state;
reference the close() function and the subscriber, formData, and error
reactive/state variables when making this change.

tailwind.config.js (2)

6-8: Redundant content glob patterns.

./assets/vue/**/*.vue (Line 7) already matches everything that ./assets/vue/*.vue (Line 6) and ./assets/vue/**/**/*.vue (Line 8) would match. You can simplify to just the double-star pattern.

Simplified content array

   content: [
     "./templates/**/*.twig",
     "./themes/**/**/*.twig",
-    "./assets/vue/*.vue",
     "./assets/vue/**/*.vue",
-    "./assets/vue/**/**/*.vue",
   ],

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tailwind.config.js` around lines 6 - 8, The content globs in
tailwind.config.js are redundant: remove the single-star ("./assets/vue/*.vue")
and the triple-star ("./assets/vue/**/**/*.vue") entries and keep the recursive
double-star pattern ("./assets/vue/**/*.vue") only; update the exported content
array so it contains the simplified pattern to avoid duplicate scanning and
potential maintenance confusion.

---

10-17: Custom breakpoints replace Tailwind defaults.

Defining screens directly in theme (not extend) removes default breakpoints like 2xl. If that's intentional, all good. If you need 2xl (1536px) later, move this into extend.screens instead.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tailwind.config.js` around lines 10 - 17, You replaced Tailwind's default
breakpoints by declaring theme.screens directly; if you want to keep the
defaults (including 2xl at 1536px) move your custom screens into
theme.extend.screens instead of theme.screens so Tailwind merges them rather
than overwriting—update the screens definition used in the tailwind.config.js
(the theme and screens keys) to theme.extend.screens to preserve built-in
breakpoints.

templates/base.html.twig (1)

8-8: Potential duplicate CSS loading.

Line 8 directly links build/app.css while Line 10 uses encore_entry_link_tags('styles'). If both reference the same stylesheet, you're loading it twice. Consider removing the direct asset() link if Encore handles it.

Also applies to: 10-10

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@templates/base.html.twig` at line 8, The template is potentially loading the
same stylesheet twice: remove the direct <link rel="stylesheet" href="{{
asset('build/app.css') }}"> if your Webpack Encore entry uses
encore_entry_link_tags('styles'); inspect the Encore entry named 'styles'
(encore_entry_link_tags('styles')) and, if it outputs build/app.css, delete the
asset() link to avoid duplicate CSS; if the Encore entry does not include that
file, keep the asset() link or adjust the Encore configuration so the stylesheet
is emitted via the 'styles' entry.

assets/vue/components/subscribers/ImportResult.vue (1)

71-79: Redundant default with required: true.

If importResult is required, the default value is never used. Consider removing either required: true (if a default makes sense) or the default function.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/subscribers/ImportResult.vue` around lines 71 - 79, The
importResult prop currently declares required: true while also providing a
default value, which is redundant; decide whether this component should accept a
missing prop or enforce it—either remove the default function from the
importResult prop to keep required: true, or remove required: true and keep the
default object ({ imported: 0, skipped: 0, errors: []}) so the component can
operate without the parent passing importResult; update the importResult prop
declaration accordingly in ImportResult.vue.

src/Controller/AuthController.php (2)

53-57: Redundant exception catch.

GuzzleException extends Throwable (not Exception), but the catch order here means the Exception block at Line 53 won't catch Guzzle exceptions anyway. However, both blocks have identical handling.

Consider consolidating into a single catch for Throwable:

Simplified exception handling

-            } catch (Exception $e) {
-                $error = 'Invalid credentials or server error: ' . $e->getMessage();
-            } catch (GuzzleException $e) {
+            } catch (Exception | GuzzleException $e) {
                 $error = 'Invalid credentials or server error: ' . $e->getMessage();
             }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Controller/AuthController.php` around lines 53 - 57, Consolidate the
redundant exception handlers in AuthController by replacing the two identical
catches with a single catch(Throwable $e) (or a combined union type) so all
errors including GuzzleException are handled uniformly; update the catch block
that sets $error = 'Invalid credentials or server error: ' . $e->getMessage();
and remove the duplicate catch for GuzzleException to keep the error handling
concise and correct.

---

68-71: Consider handling logout API errors.

If authClient->logout() fails, the user is still logged out locally (session cleared) but the API token might remain valid. Depending on security requirements, you might want to log failures or show a warning.

For most use cases, silent failure is acceptable here.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Controller/AuthController.php` around lines 68 - 71, In AuthController,
wrap the call to $this->authClient->logout() in error handling so failures are
not silently ignored: catch exceptions (or check the logout result) from
authClient->logout() and log the error via your logger (or add a user-facing
flash notice) after the session removals
($request->getSession()->remove('auth_token') / remove('auth_id')). Ensure you
reference AuthController's authClient->logout() and getSession() so the handler
records the failure (and optionally retains behavior of local logout) without
changing session-clearing order.

assets/vue/components/subscribers/SubscriberDirectory.vue (3)

230-237: Debounce works but consider cleanup.

The debounce pattern is fine, but searchTimeout isn't cleared on component unmount. For long-lived SPAs this is usually fine, but you could add an onUnmounted hook to clear pending timeouts.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/subscribers/SubscriberDirectory.vue` around lines 230 -
237, The debounce uses a module-level/closure variable searchTimeout in
handleSearch but never clears it on component teardown; add an onUnmounted hook
that checks and clears searchTimeout (clearTimeout(searchTimeout) and set
searchTimeout = null) to prevent pending callbacks calling fetchSubscribers
after the component is destroyed; locate handleSearch, searchTimeout and
fetchSubscribers in SubscriberDirectory.vue and add the onUnmounted cleanup
referencing the same searchTimeout variable.

---

290-294: Hardcoded listId: 0 in import.

The import always uses listId: 0. If subscribers should be imported into a specific list, this should be configurable. If 0 means "no list" by design, consider adding a comment.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/subscribers/SubscriberDirectory.vue` around lines 290 -
294, The import call in SubscriberDirectory.vue hardcodes listId: 0; change it
to use a configurable value (e.g., a reactive selectedListId, a component prop
like importListId, or the currently selected list from your store) and pass that
variable into subscribersClient.importSubscribers instead of 0 (or, if 0 is
intentionally used to mean “no list”, replace the literal with a well-named
constant like NO_LIST_ID and add a comment explaining the semantics). Update any
UI/state (e.g., a dropdown or prop) to allow selecting the target list and
ensure importSubscribers is invoked with that selectedListId (or the named
constant) so imports go to the intended list.

---

306-322: Remove the exportSubscribers function or wire it up to an export button.

The function is implemented but has zero references in the codebase—it's dead code. Either remove it entirely or add a UI button that calls it. As is, it's just taking up space.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/subscribers/SubscriberDirectory.vue` around lines 306 -
322, The exportSubscribers function is unused dead code; either delete the
exportSubscribers function from SubscriberDirectory.vue, or add a clickable UI
element that invokes it (e.g., a button in the component template with
`@click`="exportSubscribers"). If you choose wiring, ensure the method is exported
in the component's methods/setup (exportSubscribers) and the template button is
only shown when export is allowed (respecting
currentFilter/searchColumn/pagination state) so it triggers the existing
params->window.location.href logic correctly.

tests/Unit/Controller/AuthControllerTest.php (1)

217-240: Good coverage for the new about() endpoint.

Test properly mocks the Administrator entity and verifies the JsonResponse content. Covers the happy path well.

Consider adding a test for the error path (when getSessionUser() throws) to verify the 503 response.

Would you like me to draft an error-path test case for testAboutError()?

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/Unit/Controller/AuthControllerTest.php` around lines 217 - 240, Add a
new test method (e.g., testAboutError) in AuthControllerTest to cover the error
path when authClient->getSessionUser throws: mock
$this->authClient->expects($this->once())->method('getSessionUser')->willThrowException(new
\Exception('some error')), call $this->controller->about(), and assert the
response is a JsonResponse with HTTP 503 status and the expected error
payload/message used by the controller; reference the existing testAbout,
about(), getSessionUser, $this->authClient and $this->controller to place and
structure the new test similarly.

src/Controller/SubscribersController.php (3)

95-102: Filter building logic is duplicated.

The SubscribersFilterRequest construction is identical to lines 42-49 in index(). Extracting to a private helper would keep things DRY.

♻️ Extract to private method

private function buildFilterFromRequest(Request $request): SubscribersFilterRequest
{
    return new SubscribersFilterRequest(
        isConfirmed: $request->query->has('confirmed') ? true :
            ($request->query->has('unconfirmed') ? false : null),
        isBlacklisted: $request->query->has('blacklisted') ? true :
            ($request->query->has('non-blacklisted') ? false : null),
        findColumn: $request->query->get('findColumn'),
        findValue: $request->query->get('findValue'),
    );
}

Then use $filter = $this->buildFilterFromRequest($request); in both methods.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Controller/SubscribersController.php` around lines 95 - 102, Duplicate
SubscribersFilterRequest construction exists in index() and another method;
extract the logic into a private helper (e.g., private function
buildFilterFromRequest(Request $request): SubscribersFilterRequest) that returns
the new SubscribersFilterRequest with the same isConfirmed, isBlacklisted,
findColumn, and findValue logic, then replace both original constructions with
$filter = $this->buildFilterFromRequest($request); to keep SubscribersController
DRY.

---

109-109: No error handling if fopen fails.

fopen() can return false on failure. While php://temp rarely fails, defensive coding would check before calling fputcsv.

🛡️ Defensive check

         $handle = fopen('php://temp', 'r+');
+        if ($handle === false) {
+            return new Response('Failed to create export file.', Response::HTTP_INTERNAL_SERVER_ERROR);
+        }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Controller/SubscribersController.php` at line 109, The fopen call for
'php://temp' in SubscribersController (creating $handle via fopen('php://temp',
'r+')) lacks error handling; verify that $handle is not false before using it
with fputcsv/rewind/stream_get_contents, and if fopen fails handle the error
(e.g., log via the controller logger, throw an exception, or return an error
response) and ensure any resources are cleaned up only when $handle is a valid
resource.

---

53-65: Pagination history could grow unbounded.

The subscribers_history session array keeps growing as users paginate. For long sessions, this could get chunky. Consider capping it or clearing on filter changes.

💡 Optional: limit history size

         $history = $request->getSession()->get('subscribers_history', []);
         if (!in_array($afterId, $history, true)) {
             $history[] = $afterId;
+            // Keep only last 100 entries to prevent unbounded growth
+            if (count($history) > 100) {
+                $history = array_slice($history, -100);
+            }
             $request->getSession()->set('subscribers_history', $history);
         }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Controller/SubscribersController.php` around lines 53 - 65, The
session-held subscribers_history array ($history) is unbounded; update the code
in SubscribersController (where $history, $afterId, $prevId and array_search are
used) to cap its size and/or clear it on filter changes: after adding $afterId
to $history via getSession()->set('subscribers_history', $history) trim the
array to a fixed MAX_HISTORY (e.g. keep only the last N entries using
array_slice or repeated array_shift) and store it back, and also detect filter
changes (compare a stored filter signature in session or request parameters) and
reset/replace 'subscribers_history' when filters change so old pagination
entries are cleared.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@assets/styles/app.css`:
- Around line 1-2: Remove the obsolete Tailwind v3 directive from your
stylesheet by deleting the line containing "@tailwind utilities" and keep only
the "@import \"tailwindcss\"" directive in the top-level stylesheet (locate the
import block in assets/styles/app.css or the file that contains `@import`
"tailwindcss" and `@tailwind` utilities). Also update your Stylelint config to
avoid false positives: modify the at-rule-no-unknown (or
scss/at-rule-no-unknown) rule to include an ignoreAtRules array with
['theme','source','apply','utility','variant','plugin','config'] or
alternatively install/extend a Tailwind v4-aware config such as
stylelint-config-tailwindcss so Tailwind v4 at-rules are recognized.

In `@assets/vue/api.js`:
- Around line 3-11: When apiBaseUrl is missing (derived from
appElement?.dataset.apiBaseUrl), do not proceed to construct the Client with an
empty string; instead fail fast by throwing an Error or returning early so the
app won't continue in a broken state. Update the module initialization around
apiBaseUrl, apiToken, appElement and the creation of new Client(...) to either
throw a descriptive Error (e.g., including that apiBaseUrl is required) or
prevent creating Client when apiBaseUrl is falsy, ensuring any calling code
cannot proceed with an empty base URL.

In `@assets/vue/components/base/BaseProgressBar.vue`:
- Around line 27-29: wrapperStyle is a plain object created once and won't
update when props.height changes; change wrapperStyle to a reactive computed
that returns { height: props.height } so the style updates when the height prop
changes (update the symbol wrapperStyle in BaseProgressBar.vue to be a computed
using props.height).

In `@assets/vue/components/sidebar/AppSidebar.vue`:
- Around line 46-79: The sidebar's route strings in the sections constant
(sections -> items -> route) don't match the application's registered routes;
update each sections[].items[].route to the exact path or named route used by
the router module (or add the missing route definitions in the router) so clicks
don't fall through to the catch-all; locate the sections array in AppSidebar.vue
and either (A) change every route value (e.g., '/', '/subscribers', '/lists',
'/campaigns', '/templates', '/bounces', '/analytics', '/settings', '/public') to
the canonical paths or named-route identifiers used by the router, or (B) add
corresponding route definitions in the router configuration with those paths so
they resolve correctly; as a temporary safe fallback, set any unresolved items'
route to null or a safe placeholder (so the component can render them disabled)
until the router is updated.

In `@assets/vue/components/subscribers/ImportResult.vue`:
- Line 53: The hover utility uses a non-existent Tailwind color class
`bg-ext-wf3` in the ImportResult.vue button class string, so the hover won't
apply; fix by either adding `ext-wf3` to your Tailwind config colors (e.g., a
darker shade matching `ext-wf1`) or replace `bg-ext-wf3` in ImportResult.vue
with an existing configured color class (for example another `ext-*` shade or a
default Tailwind color) so the hover state resolves correctly; update the
Tailwind config colors block if you add the new token and rebuild CSS so
`bg-ext-wf3` becomes available.

In `@assets/vue/components/subscribers/SubscriberDirectory.vue`:
- Line 37: The hover class on the button in SubscriberDirectory.vue uses an
undefined Tailwind color token `bg-ext-wf3` (same issue as ImportResult.vue);
either replace `bg-ext-wf3` with an existing Tailwind color utility (e.g., a
defined bg-ext-wf2 or a standard color like bg-gray-200) in the class string on
the element using that long class list, or add `ext-wf3` to your Tailwind
config's theme.colors (and rebuild) so `bg-ext-wf3` becomes valid; update any
other occurrences (e.g., ImportResult.vue) to keep styles consistent.

In `@assets/vue/components/subscribers/SubscriberModal.vue`:
- Around line 113-129: The Save button is outside the form so pressing Enter in
inputs (e.g., email) doesn't submit; update the template so the Save button
submits the form by either moving the buttons div into the <form> element that
contains the subscriber fields or keep it outside but add form="subscriber-form"
to the Save button and ensure the form element has id="subscriber-form"; also
confirm the save method (save) remains the submit handler (or change to `@submit`
on the form to call save) and leave the Cancel button (close) behavior
unchanged.

In `@assets/vue/components/subscribers/SubscribersTable.vue`:
- Around line 1-64: This file SubscribersTable.vue is a duplicate of
CampaignsTable.vue (renders campaign columns, uses campaign statuses via the
statusClass function, and has an incorrect empty message) and is unused; remove
the file to avoid confusion, or if you intended it to serve campaigns instead,
move/rename it to the proper location and name (e.g.,
dashboard/CampaignsTable.vue), update the component name/imports where used, and
fix the empty-state text and column headings (or else replace its implementation
with the real SubscriberTable.vue structure which expects ID, Email, Status,
Lists, Created) so that props (rows) and statusClass remain consistent with the
intended table.

In `@assets/vue/components/subscribers/SubscriberTable.vue`:
- Around line 82-84: The mobile status text in the template span using the
expression subscriber.confirmed ? 'active' : 'unconfirmed' is inconsistent with
the desktop wording ("Confirmed" / "Unconfirmed"); change that ternary to output
the same capitalized strings (e.g., 'Confirmed' : 'Unconfirmed') so the mobile
view matches the desktop status wording and casing in SubscriberTable.vue.

In `@assets/vue/layouts/AdminLayout.vue`:
- Around line 35-38: Replace the non-semantic <div> used as the dropdown trigger
with a <button type="button"> while keeping the same class list and
`@click`="toggleDropdown"; add ARIA attributes aria-haspopup="true" and bind
aria-expanded to the dropdown state (e.g., :aria-expanded="isOpen" or the
component's dropdown boolean) so screen readers see the state, and ensure the
existing toggleDropdown method (toggleDropdown) remains the click handler;
remove any JS-only keyboard handling since a native button supports Enter/Space
and preserve visual focus styles for accessibility.

In `@composer.json`:
- Around line 19-22: The composer.json currently lists a VCS repository entry
for "https://github.com/tatevikgr/rss-bundle.git" but the package
"tatevikgr/rss-bundle" is not present in composer.lock; either remove that
repository entry from composer.json if the bundle is no longer needed, or add
the package to the project's dependencies by running composer require
tatevikgr/rss-bundle (or adding it to "require" in composer.json) and then run
composer update to regenerate composer.lock; locate the repository entry in
composer.json and the dependency name "tatevikgr/rss-bundle" when applying the
change.

In `@config/services.yml`:
- Line 4: The default API_BASE_URL currently falls back to an insecure value;
update the env(DEFAULT/API_BASE_URL) fallback so it does not use plain
HTTP—either change env(API_BASE_URL) to an HTTPS default (e.g., 'https://...')
or remove the insecure default entirely and require callers to supply a value;
ensure the env key env(API_BASE_URL) is updated and documented so no insecure
HTTP fallback remains.

In `@postcss.config.js`:
- Around line 1-6: PostCSS config includes autoprefixer but Tailwind v4's
`@tailwindcss/postcss` handles vendor prefixing; remove the
require('autoprefixer') entry from the plugins array in postcss.config.js so
plugins only contains require("@tailwindcss/postcss"), ensuring no other code
paths reference autoprefixer and update any comments accordingly.

In `@src/Controller/SubscribersController.php`:
- Line 136: The current mapping in SubscribersController (the 'lists' =>
implode('|', array_map(...)) expression) assumes every element of
$data->subscribedLists has a 'name' key and will raise undefined index warnings;
update the transformation to first filter out entries missing 'name' (or map
using a null-coalescing fallback) and only pass valid names to implode — locate
the array_map closure around $data->subscribedLists and replace it with a safe
pipeline that either filters with isset($list['name']) or uses $list['name'] ??
'' and then removes empty strings before calling implode so no undefined index
warnings occur.
- Line 31: The Accept header check in SubscribersController (the if that uses
$request->headers->get('Accept') !== 'application/json') is too strict and will
miss valid JSON requests; update the condition to detect JSON more flexibly (for
example use $request->getAcceptableContentTypes() and check for
'application/json' in that array or use strpos on the Accept header) so the
branch that currently tests isXmlHttpRequest() && Accept covers cases like
"application/json, text/html"; modify the if in the controller method
accordingly (keep referencing $request, isXmlHttpRequest(), and the Accept
header check).
- Line 104: The call in SubscribersController using
$request->query->getInt('limit') passes 0 when the parameter is absent which can
cause getSubscribers to return no results; update the SubscribersController
invocation to supply a sensible default (or validate/require the param) before
calling $this->subscribersClient->getSubscribers — e.g. read the limit with
getInt('limit', <defaultLimit>) or compute a default (like 100 or a configured
value) and pass that variable into getSubscribers, and if you choose to require
the param, return a 4xx error when missing instead of using 0.
- Line 74: The DateTimeImmutable construction for $subscriber->createdAt in
SubscribersController (and the similar usage in export) can throw on
null/malformed input; update the code around the 'createdAt' formatting to
defensively handle invalid values by checking if $subscriber->createdAt is
truthy and a valid date string (or wrap the new DateTimeImmutable(...) call in a
try-catch), and on failure return a safe fallback (e.g., null or an empty
string) instead of letting an exception bubble; apply the same defensive
check/try-catch to the export method's createdAt formatting to ensure both code
paths never throw on bad input.

In `@src/EventSubscriber/UnauthorizedSubscriber.php`:
- Around line 36-59: The flash is being added after calling
$session->invalidate() so it may be lost; change the logic in
UnauthorizedSubscriber (around where $request->hasSession(),
$session->invalidate(), $request->isXmlHttpRequest(), and
session->getFlashBag()->add(...) are used) to add the flash message to the
session (via $session->getFlashBag()->add('error', ...)) before calling
$session->invalidate(), and ensure the AJAX branch (where
$event->setResponse(new JsonResponse(...))) still returns immediately without
trying to add a flash; reorder the operations so non-AJAX requests receive the
flash prior to invalidation.

---

Duplicate comments:
In `@templates/auth/login.html.twig`:
- Line 38: The "Forgot password?" anchor uses a placeholder href="#" and must be
wired to a real route or removed; update the anchor in
templates/auth/login.html.twig so its href calls the correct password-reset
route (e.g., use Twig's path('password_reset') or the actual route name used by
your app) or remove the <a> entirely if password reset isn't implemented yet,
and ensure the class/text remain unchanged.
- Around line 29-52: The login form in login.html.twig is missing a CSRF token
input; add the framework's CSRF hidden field inside the <form> (e.g., insert the
Twig CSRF token helper or a hidden input named like csrf_token) and ensure the
server-side login handler (the route/controller that processes the form
submission) validates this token before authenticating the user; reference the
form element in the template and the login handler method to implement token
generation, insertion, and validation.

In `@templates/base.html.twig`:
- Around line 12-14: The template currently double-loads the app bundle: keep
the Twig block that calls encore_entry_script_tags('app') inside the javascripts
block and remove the duplicate manual <script> tags that statically include
runtime.js and app.js at the end of the body; locate the static tags near the
bottom of templates/base.html.twig and delete them so the Vue app is only
initialized via encore_entry_script_tags('app').

---

Nitpick comments:
In `@apache/web-frontend.conf`:
- Around line 21-25: The SetHandler in the FilesMatch block currently hardcodes
the PHP-FPM socket path "proxy:unix:/run/php/php8.1-fpm.sock|fcgi://localhost",
which will break if PHP is upgraded; update the FilesMatch/SetHandler usage to
reference a configurable Define or environment-provided variable (e.g.,
PHP_FPM_SOCK) instead of the literal path, or document the required PHP version
and instruct maintainers to create a stable symlink (/run/php/php-fpm.sock) that
points to the active version; adjust the SetHandler reference in the FilesMatch
block accordingly so the socket path is not tied to "php8.1" directly.
- Around line 1-2: This VirtualHost is configured for HTTP only (VirtualHost
*:80 with ServerName frontend.phplist.local); if this is only for local dev, add
a clear comment stating that and restrict access (e.g., bind to localhost or
local-only network), otherwise create a matching HTTPS VirtualHost (VirtualHost
*:443) with TLS settings (certificate, SSLEngine on) or ensure a production
reverse proxy handles TLS so production is not served over plain HTTP.

In `@assets/vue/components/dashboard/CampaignsTable.vue`:
- Around line 47-53: The code assigns defineProps(...) to a never-used variable
"props"; remove the unused variable by replacing "const props = defineProps({
... })" with a direct call "defineProps({ ... })" so props are declared for the
component without creating an unused identifier, and verify that statusClass
continues to accept a status parameter (no change needed) rather than trying to
read props.rows.

In `@assets/vue/components/dashboard/RecentCampaignsCard.vue`:
- Around line 20-51: Replace the baked-in mock campaign data in the
RecentCampaignsCard.vue props so the component no longer defaults to stale
samples: change the defineProps({ rows: { ... default: (...) }}) to default to
an empty array (or remove the default) and ensure the component
(RecentCampaignsCard) handles an empty rows array via its empty state; then wire
DashboardView to fetch real campaign data from the backend and pass it into the
rows prop (or open an issue to track adding a fetch in DashboardView if you
prefer to defer implementation).

In `@assets/vue/components/sidebar/SidebarLogo.vue`:
- Around line 4-9: The img in SidebarLogo.vue has conflicting Tailwind height
classes on the same element (class="... h-full h-auto ..."); decide the intended
behavior and remove the other class: if you want the logo to fill its container
keep h-full and remove h-auto, or if you want natural aspect ratio keep h-auto
and remove h-full; update the class attribute on the <img> in the SidebarLogo
component accordingly.

In `@assets/vue/components/sidebar/SidebarNavSection.vue`:
- Around line 6-8: The v-for in SidebarNavSection.vue uses a fragile key
(:key="item.label"); change the key to a stable unique identifier such as
:key="item.route" or an explicit :key="item.id" (ensure each item in items has
that property) so the list rendering for items remains stable and avoids
patching glitches; update any data construction that builds items to include a
unique id if necessary.

In `@assets/vue/components/subscribers/ImportResult.vue`:
- Around line 71-79: The importResult prop currently declares required: true
while also providing a default value, which is redundant; decide whether this
component should accept a missing prop or enforce it—either remove the default
function from the importResult prop to keep required: true, or remove required:
true and keep the default object ({ imported: 0, skipped: 0, errors: []}) so the
component can operate without the parent passing importResult; update the
importResult prop declaration accordingly in ImportResult.vue.

In `@assets/vue/components/subscribers/SubscriberDirectory.vue`:
- Around line 230-237: The debounce uses a module-level/closure variable
searchTimeout in handleSearch but never clears it on component teardown; add an
onUnmounted hook that checks and clears searchTimeout
(clearTimeout(searchTimeout) and set searchTimeout = null) to prevent pending
callbacks calling fetchSubscribers after the component is destroyed; locate
handleSearch, searchTimeout and fetchSubscribers in SubscriberDirectory.vue and
add the onUnmounted cleanup referencing the same searchTimeout variable.
- Around line 290-294: The import call in SubscriberDirectory.vue hardcodes
listId: 0; change it to use a configurable value (e.g., a reactive
selectedListId, a component prop like importListId, or the currently selected
list from your store) and pass that variable into
subscribersClient.importSubscribers instead of 0 (or, if 0 is intentionally used
to mean “no list”, replace the literal with a well-named constant like
NO_LIST_ID and add a comment explaining the semantics). Update any UI/state
(e.g., a dropdown or prop) to allow selecting the target list and ensure
importSubscribers is invoked with that selectedListId (or the named constant) so
imports go to the intended list.
- Around line 306-322: The exportSubscribers function is unused dead code;
either delete the exportSubscribers function from SubscriberDirectory.vue, or
add a clickable UI element that invokes it (e.g., a button in the component
template with `@click`="exportSubscribers"). If you choose wiring, ensure the
method is exported in the component's methods/setup (exportSubscribers) and the
template button is only shown when export is allowed (respecting
currentFilter/searchColumn/pagination state) so it triggers the existing
params->window.location.href logic correctly.

In `@assets/vue/components/subscribers/SubscriberFilters.vue`:
- Around line 27-35: The current toggleFilter function sets activeFilter.value
to null when the user clicks the already-active filter, creating a "no
selection" state; change toggleFilter so that when activeFilter.value ===
filterId it falls back to the default 'all' (i.e., activeFilter.value = 'all')
instead of null, and continue to emit('filter-change', activeFilter.value) so
the parent always receives a valid filter value; update the logic in the
toggleFilter function and any usages relying on null to expect 'all' instead.

In `@assets/vue/components/subscribers/SubscriberModal.vue`:
- Around line 202-204: The close() handler currently only emits 'close' but
leaves local state (subscriber, formData, error) intact, causing stale values to
flash if the modal is reopened; update the close function to reset subscriber to
its initial empty value, reset formData to the initial form shape, and clear
error before emitting 'close' (or emit after resetting) so the modal always
starts with a clean state; reference the close() function and the subscriber,
formData, and error reactive/state variables when making this change.

In `@assets/vue/components/subscribers/SubscriberTable.vue`:
- Around line 130-139: The helper function formatDate is dead code because the
template renders raw dates with {{ subscriber.createdAt }}; either remove
formatDate or wire it into the template so dates are formatted. To fix, either
delete the unused formatDate function, or update the template where
subscriber.createdAt is displayed to call the formatter (e.g., use the
formatDate helper or map it via a computed/ method) so createdAt is passed to
formatDate (and optionally set isIso) before rendering; ensure any
import/registration needed for formatDate in the component options is added if
you choose to keep it.
- Line 112: The file imports Vue's inject but doesn't use it; remove the unused
import to clean up SubscriberTable.vue by deleting "inject" from the import
statement (or remove the entire import line if nothing else is imported),
ensuring no references to inject remain in the component (check for symbols like
inject or provide/inject usage) before committing.

In `@composer.json`:
- Around line 50-54: The composer.json currently depends on moving branches
"phplist/core": "dev-dev" and "tatevikgr/rest-api-client": "dev-main"; replace
those unstable refs with either a specific tagged version (e.g., "1.2.3") or a
commit-pinned ref (e.g., "dev-main#<commit-hash>") for production releases,
update the dependency entries for phplist/core and tatevikgr/rest-api-client
accordingly, regenerate and commit composer.lock, and document in the repo
(README or RELEASE notes) the chosen commit hashes or tags that are known to
work.

In `@package.json`:
- Line 24: Update the package.json dependency entry for "vue-router" to pin a
more specific version to avoid pulling unintended minor releases; locate the
"vue-router" entry in package.json and change its version string from "4" to a
fixed or more conservative range such as "~4.6.4" (or "^4.6.4" if you prefer
less strictness) so only safe patch updates are allowed.

In `@src/Controller/AuthController.php`:
- Around line 53-57: Consolidate the redundant exception handlers in
AuthController by replacing the two identical catches with a single
catch(Throwable $e) (or a combined union type) so all errors including
GuzzleException are handled uniformly; update the catch block that sets $error =
'Invalid credentials or server error: ' . $e->getMessage(); and remove the
duplicate catch for GuzzleException to keep the error handling concise and
correct.
- Around line 68-71: In AuthController, wrap the call to
$this->authClient->logout() in error handling so failures are not silently
ignored: catch exceptions (or check the logout result) from authClient->logout()
and log the error via your logger (or add a user-facing flash notice) after the
session removals ($request->getSession()->remove('auth_token') /
remove('auth_id')). Ensure you reference AuthController's authClient->logout()
and getSession() so the handler records the failure (and optionally retains
behavior of local logout) without changing session-clearing order.

In `@src/Controller/SubscribersController.php`:
- Around line 95-102: Duplicate SubscribersFilterRequest construction exists in
index() and another method; extract the logic into a private helper (e.g.,
private function buildFilterFromRequest(Request $request):
SubscribersFilterRequest) that returns the new SubscribersFilterRequest with the
same isConfirmed, isBlacklisted, findColumn, and findValue logic, then replace
both original constructions with $filter =
$this->buildFilterFromRequest($request); to keep SubscribersController DRY.
- Line 109: The fopen call for 'php://temp' in SubscribersController (creating
$handle via fopen('php://temp', 'r+')) lacks error handling; verify that $handle
is not false before using it with fputcsv/rewind/stream_get_contents, and if
fopen fails handle the error (e.g., log via the controller logger, throw an
exception, or return an error response) and ensure any resources are cleaned up
only when $handle is a valid resource.
- Around line 53-65: The session-held subscribers_history array ($history) is
unbounded; update the code in SubscribersController (where $history, $afterId,
$prevId and array_search are used) to cap its size and/or clear it on filter
changes: after adding $afterId to $history via
getSession()->set('subscribers_history', $history) trim the array to a fixed
MAX_HISTORY (e.g. keep only the last N entries using array_slice or repeated
array_shift) and store it back, and also detect filter changes (compare a stored
filter signature in session or request parameters) and reset/replace
'subscribers_history' when filters change so old pagination entries are cleared.

In `@tailwind.config.js`:
- Around line 6-8: The content globs in tailwind.config.js are redundant: remove
the single-star ("./assets/vue/*.vue") and the triple-star
("./assets/vue/**/**/*.vue") entries and keep the recursive double-star pattern
("./assets/vue/**/*.vue") only; update the exported content array so it contains
the simplified pattern to avoid duplicate scanning and potential maintenance
confusion.
- Around line 10-17: You replaced Tailwind's default breakpoints by declaring
theme.screens directly; if you want to keep the defaults (including 2xl at
1536px) move your custom screens into theme.extend.screens instead of
theme.screens so Tailwind merges them rather than overwriting—update the screens
definition used in the tailwind.config.js (the theme and screens keys) to
theme.extend.screens to preserve built-in breakpoints.

In `@templates/base.html.twig`:
- Line 8: The template is potentially loading the same stylesheet twice: remove
the direct <link rel="stylesheet" href="{{ asset('build/app.css') }}"> if your
Webpack Encore entry uses encore_entry_link_tags('styles'); inspect the Encore
entry named 'styles' (encore_entry_link_tags('styles')) and, if it outputs
build/app.css, delete the asset() link to avoid duplicate CSS; if the Encore
entry does not include that file, keep the asset() link or adjust the Encore
configuration so the stylesheet is emitted via the 'styles' entry.

In `@tests/Integration/Auth/LoginTest.php`:
- Around line 23-26: Both tests use inconsistent Panther client connection
timeouts; update the createPantherClient calls in LoginTest (used in
testLoginPageFormFieldsAreVisible and testLoginFormSubmission) so they use the
same timeout value (choose the longer 20000ms for reliability) or define a
shared constant (e.g., DEFAULT_CONNECTION_TIMEOUT_MS) and use it in both places
to avoid flaky runs.
- Line 55: The test uses a brittle Tailwind selector in LoginTest.php (the
assertSelectorExists call with '.bg-red-50.border-red-200.text-red-600'); change
the app template to add a stable test hook (e.g., data-testid="login-error" on
the error alert div) and update the test to
assertSelectorExists('[data-testid="login-error"]') instead of the utility-class
selector so styling changes won't break the test.

In `@tests/Unit/Controller/AuthControllerTest.php`:
- Around line 217-240: Add a new test method (e.g., testAboutError) in
AuthControllerTest to cover the error path when authClient->getSessionUser
throws: mock
$this->authClient->expects($this->once())->method('getSessionUser')->willThrowException(new
\Exception('some error')), call $this->controller->about(), and assert the
response is a JsonResponse with HTTP 503 status and the expected error
payload/message used by the controller; reference the existing testAbout,
about(), getSessionUser, $this->authClient and $this->controller to place and
structure the new test similarly.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

How to configure Stylelint to ignore Tailwind CSS v4 at-rules like @themeand@source?

💡 Result:

To configure Stylelint to ignore Tailwind CSS v4 at-rules like @theme and @source, update your Stylelint configuration file (e.g., stylelint.config.js) to override the "at-rule-no-unknown" rule and list the Tailwind v4 at-rules in the ignoreAtRules array. Example configuration: js module.exports = { extends: [ 'stylelint-config-standard', // or your preferred base config ], rules: { 'at-rule-no-unknown': [ true, { ignoreAtRules: [ 'theme', 'source', 'apply', 'utility', 'variant', 'plugin', 'config', 'reference', 'custom-variant' ] } ] } }; If using SCSS, also disable the base rule and configure the SCSS-specific one: js rules: { 'at-rule-no-unknown': null, 'scss/at-rule-no-unknown': [ true, { ignoreAtRules: [ 'theme', 'source', // ... other rules ] } ] } Optionally, install and extend a Tailwind-specific config like stylelint-config-tailwindcss (npm install --save-dev stylelint-config-tailwindcss), though it may need updates for full v4 support: js { extends: [ 'stylelint-config-recommended', 'stylelint-config-tailwindcss' ] } This prevents Stylelint from flagging Tailwind v4's custom at-rules as unknown. Run stylelint on your CSS files to verify.

Citations:

• 1: https://stackoverflow.com/questions/72161637/unexpected-unknown-at-rule-tailwind-scss-at-rule-no-unknown
• 2: https://coldfusion-example.blogspot.com/2025/12/tailwind-css-v4-upgrade-fixing-unknown.html
• 3: https://tailkits.com/blog/how-to-fix-unknown-at-rule-error-in-tailwind-css/
• 4: https://gist.github.com/stctheproducer/332e1171a1f4eb6647933bc8d3f8aaf6
• 5: https://tailwindcss.com/docs/functions-and-directives
• 6: https://www.w3tutorials.net/blog/unexpected-unknown-at-rule-tailwind-scss-at-rule-no-unknown/
• 7: https://stylelint.io/user-guide/rules/at-rule-no-unknown

---

🌐 Web query:

Tailwind CSS v4 @import "tailwindcss" does it include utilities automatically

💡 Result:

Yes, using @import "tailwindcss"; in Tailwind CSS v4 automatically includes all Tailwind utilities (as well as base styles and theme), replacing the old @tailwind base; @tailwind components; @tailwind utilities; directives from v3. You can then use utility classes like text-xl, bg-blue-500, etc. directly in your HTML.

Citations:

• 1: https://tailwindcss.com/blog/tailwindcss-v4
• 2: https://tailwindcss.com/docs/functions-and-directives/
• 3: https://tailwindcss.com/docs/styling-with-utility-classes
• 4: Tailwind v4 has no `important` option support tailwindlabs/tailwindcss#15866
• 5: https://v3.tailwindcss.com/docs/v4-beta
• 6: https://tailwindcss.com/docs/v4-beta
• 7: https://tailwindcss.com/docs/upgrade-guide

---

🌐 Web query:

Tailwind CSS v4 @tailwindutilities duplicate if used with@import tailwindcss

💡 Result:

No, using @tailwind utilities alongside @import "tailwindcss" does not cause duplicates in Tailwind CSS v4. The @tailwind directives (base, components, utilities) from v3 have been completely removed in v4. The correct and only way to include Tailwind CSS v4 is with a single @import "tailwindcss"; line at the top of your CSS file. Using any @tailwind directive will result in errors or no styles being generated, as confirmed by official docs and upgrade guide. The perceived "duplicate" issue likely stems from misconfigurations during migration or runtime setups where Tailwind is imported/processed multiple times (e.g., build-time CSS + runtime @import "tailwindcss" source(none); without deduplication), leading to regenerated utilities. This is a user setup problem, not inherent to @tailwind utilities with @import. To fix: - Replace all @tailwind base; @tailwind components; @tailwind utilities; with @import "tailwindcss"; - Use npx @tailwindcss/upgrade for automated migration. - For runtime generation without duplicates, avoid re-importing full Tailwind; use targeted @source or @import "tailwindcss/utilities.css" layer(utilities); with source(none) carefully, as shown in GitHub discussions.

Citations:

• 1: https://tailwindcss.com/blog/tailwindcss-v4
• 2: https://tailwindcss.com/docs/functions-and-directives
• 3: https://tailwindcss.com/docs/upgrade-guide
• 4: How to Prevent Duplicate CSS When Merging Tailwind 4 Output at Build and Runtime? tailwindlabs/tailwindcss#18526
• 5: @tailwind base and @tailwind components no longer work in Tailwind v4 tailwindlabs/tailwindcss.com#2076

---

Remove @tailwind utilities — it's not valid in Tailwind CSS v4.

In Tailwind CSS v4, @import "tailwindcss" is the only directive you need. The @tailwind directives from v3 (base, components, utilities) have been completely removed. Having @tailwind utilities on line 2 will cause errors or result in no styles being applied.

🧹 Proposed fix

 `@import` "tailwindcss";
-@tailwind utilities;

For the Stylelint false positives, the web search confirms you can suppress them by updating your Stylelint config to recognize Tailwind v4's at-rules. Add an ignoreAtRules array to the at-rule-no-unknown rule (or scss/at-rule-no-unknown for SCSS) with ['theme', 'source', 'apply', 'utility', 'variant', 'plugin', 'config'], or install and extend stylelint-config-tailwindcss if available for your v4 setup.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	@import "tailwindcss";
	@tailwind utilities;
	`@import` "tailwindcss";

🧰 Tools

🪛 Stylelint (17.4.0)

[error] 2-2: Unexpected unknown at-rule "@tailwind" (scss/at-rule-no-unknown)

(scss/at-rule-no-unknown)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/styles/app.css` around lines 1 - 2, Remove the obsolete Tailwind v3
directive from your stylesheet by deleting the line containing "@tailwind
utilities" and keep only the "@import \"tailwindcss\"" directive in the
top-level stylesheet (locate the import block in assets/styles/app.css or the
file that contains `@import` "tailwindcss" and `@tailwind` utilities). Also update
your Stylelint config to avoid false positives: modify the at-rule-no-unknown
(or scss/at-rule-no-unknown) rule to include an ignoreAtRules array with
['theme','source','apply','utility','variant','plugin','config'] or
alternatively install/extend a Tailwind v4-aware config such as
stylelint-config-tailwindcss so Tailwind v4 at-rules are recognized.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Proceeding with empty URL after error log can cause confusing failures.

When apiBaseUrl is missing, the code logs an error but then continues with new Client(''). This means API calls will silently fail or hit unexpected endpoints rather than failing fast with a clear message.

Consider throwing or returning early so the app doesn't limp along in a broken state:

🛠️ Suggested fix

 if (!apiBaseUrl) {
     console.error('API Base URL is not configured.');
+    throw new Error('API Base URL is required for the application to function.');
 }

-const client = new Client(apiBaseUrl || '');
+const client = new Client(apiBaseUrl);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const appElement = document.getElementById('vue-app');
	const apiToken = appElement?.dataset.apiToken;
	const apiBaseUrl = appElement?.dataset.apiBaseUrl;
	if (!apiBaseUrl) {
	console.error('API Base URL is not configured.');
	}
	const client = new Client(apiBaseUrl || '');
	const appElement = document.getElementById('vue-app');
	const apiToken = appElement?.dataset.apiToken;
	const apiBaseUrl = appElement?.dataset.apiBaseUrl;
	if (!apiBaseUrl) {
	console.error('API Base URL is not configured.');
	throw new Error('API Base URL is required for the application to function.');
	}
	const client = new Client(apiBaseUrl);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/api.js` around lines 3 - 11, When apiBaseUrl is missing (derived
from appElement?.dataset.apiBaseUrl), do not proceed to construct the Client
with an empty string; instead fail fast by throwing an Error or returning early
so the app won't continue in a broken state. Update the module initialization
around apiBaseUrl, apiToken, appElement and the creation of new Client(...) to
either throw a descriptive Error (e.g., including that apiBaseUrl is required)
or prevent creating Client when apiBaseUrl is falsy, ensuring any calling code
cannot proceed with an empty base URL.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

wrapperStyle won't react to prop changes.

This is a plain object computed once at setup time. If the parent ever updates the height prop dynamically, the style won't reflect the change. Use a computed to keep it reactive.

🔧 Proposed fix

 <script setup>
+import { computed } from 'vue'
+
 const props = defineProps({
   value: {
     type: Number,
     default: 0,
   },
   height: {
     type: String,
     default: "6px", // allows easy overrides: "4px", "10px", etc.
   },
 })
 
-const wrapperStyle = {
-  height: props.height,
-}
+const wrapperStyle = computed(() => ({
+  height: props.height,
+}))
 </script>

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const wrapperStyle = {
	height: props.height,
	}
	<script setup>
	import { computed } from 'vue'
	const props = defineProps({
	value: {
	type: Number,
	default: 0,
	},
	height: {
	type: String,
	default: "6px", // allows easy overrides: "4px", "10px", etc.
	},
	})
	const wrapperStyle = computed(() => ({
	height: props.height,
	}))
	</script>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/base/BaseProgressBar.vue` around lines 27 - 29,
wrapperStyle is a plain object created once and won't update when props.height
changes; change wrapperStyle to a reactive computed that returns { height:
props.height } so the style updates when the height prop changes (update the
symbol wrapperStyle in BaseProgressBar.vue to be a computed using props.height).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Sidebar links are out of sync with registered routes.

Most configured items point to paths that are not currently defined, so they’ll fall through the catch-all redirect and bounce users to /. Please align sections[].items[].route with assets/router/index.js (or add the missing route definitions) before release.

Quick safe fallback (until routes exist)

   {
     id: 'general',
     label: 'General',
     items: [
       { label: 'Dashboard', icon: 'grid', route: '/', badge: null },
       { label: 'Subscribers', icon: 'users', route: '/subscribers' },
-      { label: 'Lists', icon: 'list', route: '/lists' },
     ],
   },
-  {
-    id: 'marketing',
-    label: 'Marketing',
-    items: [
-      { label: 'Campaigns', icon: 'plane', route: '/campaigns' },
-      { label: 'Templates', icon: 'template', route: '/templates' },
-    ],
-  },
-  {
-    id: 'reports',
-    label: 'Reports',
-    items: [
-      { label: 'Bounces', icon: 'warning', route: '/bounces' },
-      { label: 'Analytics', icon: 'chart', route: '/analytics' },
-    ],
-  },
-  {
-    id: 'system',
-    label: 'System',
-    items: [
-      { label: 'Settings', icon: 'settings', route: '/settings' },
-      { label: 'Public pages', icon: 'public', route: '/public' },
-    ],
-  },

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const sections = [
	{
	id: 'general',
	label: 'General',
	items: [
	{ label: 'Dashboard', icon: 'grid', route: '/', badge: null },
	{ label: 'Subscribers', icon: 'users', route: '/subscribers' },
	{ label: 'Lists', icon: 'list', route: '/lists' },
	],
	},
	{
	id: 'marketing',
	label: 'Marketing',
	items: [
	{ label: 'Campaigns', icon: 'plane', route: '/campaigns' },
	{ label: 'Templates', icon: 'template', route: '/templates' },
	],
	},
	{
	id: 'reports',
	label: 'Reports',
	items: [
	{ label: 'Bounces', icon: 'warning', route: '/bounces' },
	{ label: 'Analytics', icon: 'chart', route: '/analytics' },
	],
	},
	{
	id: 'system',
	label: 'System',
	items: [
	{ label: 'Settings', icon: 'settings', route: '/settings' },
	{ label: 'Public pages', icon: 'public', route: '/public' },
	],
	},
	const sections = [
	{
	id: 'general',
	label: 'General',
	items: [
	{ label: 'Dashboard', icon: 'grid', route: '/', badge: null },
	{ label: 'Subscribers', icon: 'users', route: '/subscribers' },
	],
	},
	]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/sidebar/AppSidebar.vue` around lines 46 - 79, The
sidebar's route strings in the sections constant (sections -> items -> route)
don't match the application's registered routes; update each
sections[].items[].route to the exact path or named route used by the router
module (or add the missing route definitions in the router) so clicks don't fall
through to the catch-all; locate the sections array in AppSidebar.vue and either
(A) change every route value (e.g., '/', '/subscribers', '/lists', '/campaigns',
'/templates', '/bounces', '/analytics', '/settings', '/public') to the canonical
paths or named-route identifiers used by the router, or (B) add corresponding
route definitions in the router configuration with those paths so they resolve
correctly; as a temporary safe fallback, set any unresolved items' route to null
or a safe placeholder (so the component can render them disabled) until the
router is updated.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Undefined Tailwind color class bg-ext-wf3.

The hover state uses bg-ext-wf3, but only ext-wf1 is defined in tailwind.config.js. This hover effect won't work.

Either add ext-wf3 to your Tailwind config or use a different existing color.

Option 1: Add color to tailwind.config.js

colors: {
  'ext-wf1': '#dc2626',
  'ext-wf3': '#b91c1c', // darker shade for hover
},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@assets/vue/components/subscribers/ImportResult.vue` at line 53, The hover
utility uses a non-existent Tailwind color class `bg-ext-wf3` in the
ImportResult.vue button class string, so the hover won't apply; fix by either
adding `ext-wf3` to your Tailwind config colors (e.g., a darker shade matching
`ext-wf1`) or replace `bg-ext-wf3` in ImportResult.vue with an existing
configured color class (for example another `ext-*` shade or a default Tailwind
color) so the hover state resolves correctly; update the Tailwind config colors
block if you add the new token and rebuild CSS so `bg-ext-wf3` becomes
available.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Accept header check may miss valid JSON requests.

The exact match !== 'application/json' won't catch cases where the client sends multiple accepted types (e.g., application/json, text/html). Consider using a more flexible check.

🔧 Suggested fix

-        if (! $request->isXmlHttpRequest() && $request->headers->get('Accept') !== 'application/json') {
+        if (! $request->isXmlHttpRequest() && !str_contains($request->headers->get('Accept', ''), 'application/json')) {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Controller/SubscribersController.php` at line 31, The Accept header check
in SubscribersController (the if that uses $request->headers->get('Accept') !==
'application/json') is too strict and will miss valid JSON requests; update the
condition to detect JSON more flexibly (for example use
$request->getAcceptableContentTypes() and check for 'application/json' in that
array or use strpos on the Accept header) so the branch that currently tests
isXmlHttpRequest() && Accept covers cases like "application/json, text/html";
modify the if in the controller method accordingly (keep referencing $request,
isXmlHttpRequest(), and the Accept header check).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

DateTimeImmutable could throw on invalid input.

If $subscriber->createdAt is null or malformed, this will throw an exception. Same issue exists at line 129 in the export method. Might want to add a defensive check or try-catch.

🛡️ Suggested defensive approach

-                    'createdAt' => (new DateTimeImmutable($subscriber->createdAt))->format('Y-m-d H:i:s'),
+                    'createdAt' => $subscriber->createdAt
+                        ? (new DateTimeImmutable($subscriber->createdAt))->format('Y-m-d H:i:s')
+                        : null,

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	'createdAt' => (new DateTimeImmutable($subscriber->createdAt))->format('Y-m-d H:i:s'),
	'createdAt' => $subscriber->createdAt
	? (new DateTimeImmutable($subscriber->createdAt))->format('Y-m-d H:i:s')
	: null,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Controller/SubscribersController.php` at line 74, The DateTimeImmutable
construction for $subscriber->createdAt in SubscribersController (and the
similar usage in export) can throw on null/malformed input; update the code
around the 'createdAt' formatting to defensively handle invalid values by
checking if $subscriber->createdAt is truthy and a valid date string (or wrap
the new DateTimeImmutable(...) call in a try-catch), and on failure return a
safe fallback (e.g., null or an empty string) instead of letting an exception
bubble; apply the same defensive check/try-catch to the export method's
createdAt formatting to ensure both code paths never throw on bad input.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Export limit defaults to 0 when not provided.

getInt('limit') returns 0 if the param is missing. Depending on the API behavior, this might return no results or behave unexpectedly. Consider setting a sensible default or requiring the parameter.

🔧 Suggested fix

-        $collection = $this->subscribersClient->getSubscribers($filter, 0, $request->query->getInt('limit'));
+        $limit = $request->query->getInt('limit', 1000); // sensible default for exports
+        $collection = $this->subscribersClient->getSubscribers($filter, 0, $limit);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	$collection = $this->subscribersClient->getSubscribers($filter, 0, $request->query->getInt('limit'));
	$limit = $request->query->getInt('limit', 1000); // sensible default for exports
	$collection = $this->subscribersClient->getSubscribers($filter, 0, $limit);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Controller/SubscribersController.php` at line 104, The call in
SubscribersController using $request->query->getInt('limit') passes 0 when the
parameter is absent which can cause getSubscribers to return no results; update
the SubscribersController invocation to supply a sensible default (or
validate/require the param) before calling
$this->subscribersClient->getSubscribers — e.g. read the limit with
getInt('limit', <defaultLimit>) or compute a default (like 100 or a configured
value) and pass that variable into getSubscribers, and if you choose to require
the param, return a 4xx error when missing instead of using 0.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Assumes list array always has 'name' key.

If $data->subscribedLists contains entries without a 'name' key, this will throw an undefined index warning. Worth adding a null-coalesce or filter.

🔧 Safer approach

-                'lists' => implode('|', array_map(fn($list) => $list['name'], $data->subscribedLists)),
+                'lists' => implode('|', array_map(fn($list) => $list['name'] ?? '', $data->subscribedLists)),

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	'lists' => implode('|', array_map(fn($list) => $list['name'], $data->subscribedLists)),
	'lists' => implode('|', array_map(fn($list) => $list['name'] ?? '', $data->subscribedLists)),

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Controller/SubscribersController.php` at line 136, The current mapping in
SubscribersController (the 'lists' => implode('|', array_map(...)) expression)
assumes every element of $data->subscribedLists has a 'name' key and will raise
undefined index warnings; update the transformation to first filter out entries
missing 'name' (or map using a null-coalescing fallback) and only pass valid
names to implode — locate the array_map closure around $data->subscribedLists
and replace it with a safe pipeline that either filters with
isset($list['name']) or uses $list['name'] ?? '' and then removes empty strings
before calling implode so no undefined index warnings occur.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Flash message added after session invalidation — message may be lost.

The session is invalidated on line 38, which clears session data. Then on lines 53-58, the code tries to add a flash message to the same session. Depending on how Symfony handles this, the flash message could be lost because invalidate() regenerates/clears the session.

Flip the order so the flash message is added before invalidation:

🐛 Proposed fix

     if ($exception instanceof AuthenticationException) {
         $request = $event->getRequest();
+        $loginUrl = $this->urlGenerator->generate('login');

+        // Add flash message before invalidating session
+        if ($request->hasSession()) {
+            $session = $request->getSession();
+
+            if (method_exists($session, 'getFlashBag')) {
+                $session->getFlashBag()->add('error', 'Your session has expired. Please log in again.');
+            }
+
+            $session->invalidate();
+        }

-        if ($request->hasSession()) {
-            $session = $request->getSession();
-            $session->invalidate();
-        }
-
-        $loginUrl = $this->urlGenerator->generate('login');
-
         if ($request->isXmlHttpRequest()) {
             $event->setResponse(new JsonResponse([
                 'error' => 'session_expired',
                 'message' => 'Your session has expired. Please log in again.',
                 'redirect' => $loginUrl,
             ], 401));

             return;
         }

-        if ($request->hasSession()) {
-            $session = $request->getSession();
-
-            if (method_exists($session, 'getFlashBag')) {
-                $session->getFlashBag()->add('error', 'Your session has expired. Please log in again.');
-            }
-        }
-
         $event->setResponse(new RedirectResponse($loginUrl));
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/EventSubscriber/UnauthorizedSubscriber.php` around lines 36 - 59, The
flash is being added after calling $session->invalidate() so it may be lost;
change the logic in UnauthorizedSubscriber (around where $request->hasSession(),
$session->invalidate(), $request->isXmlHttpRequest(), and
session->getFlashBag()->add(...) are used) to add the flash message to the
session (via $session->getFlashBag()->add('error', ...)) before calling
$session->invalidate(), and ensure the AJAX branch (where
$event->setResponse(new JsonResponse(...))) still returns immediately without
trying to add a flash; reorder the operations so non-AJAX requests receive the
flash prior to invalidation.