Clean up dead auth route guards and mail bootstrap#26
Conversation
Signed-off-by: ruo <ruoliu.dev@gmail.com>
Signed-off-by: ruo <ruoliu.dev@gmail.com>
Signed-off-by: ruo <ruoliu.dev@gmail.com>
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request refactors the application's authentication and mail loading mechanisms to align with the current deployment environment. It removes outdated and non-functional server-side authentication checks and data prefetching, which were ineffective due to cross-origin cookie handling. The changes simplify the codebase by moving to a purely client-side authentication bootstrap for the mail workspace, enhancing robustness and maintainability. Highlights
Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
Signed-off-by: ruo <ruoliu.dev@gmail.com>
There was a problem hiding this comment.
Pull request overview
Removes stale Next.js server-side auth guards and server-prefetch/bootstrap logic for the mail route, aligning the web UI with the current deployment where the session cookie is set on the API origin (not the Vercel web origin).
Changes:
- Remove server-side auth guard utilities and cookie-based redirects.
- Convert
/mailand/authroutes to a single client-driven session bootstrap flow. - Simplify
MailWorkspaceby dropping unusedinitialSession/initialThreadPageprops and associated bootstrap logic.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| packages/features/src/mail/mail-workspace.tsx | Removes SSR bootstrap inputs and relies on client-side session + initial thread loading. |
| packages/app/src/routes/mail-page.tsx | Drops server fetch/prefetch + redirect guard; passes only initialThreadId into the client workspace. |
| packages/app/src/routes/auth-page.tsx | Removes server-side redirect guard; renders auth UI directly. |
| packages/app/src/routes/auth-guard.ts | Deletes dead cookie-based server auth guard implementation. |
| apps/web/app/page.tsx | Removes cookie-based redirect; always redirects root to /auth. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
| if (isMounted) { | ||
| setSessionChecked(true); | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
The mailbox/search change effect clears selectedThreadId unconditionally. On initial mount this will wipe out initialThreadId from the ?thread= URL param, so deep-linking to a specific thread won’t work (the thread fetch started by the initial state gets cancelled once the id is reset to null). Consider preserving the initial selection on first load (e.g., only clear selection when the user changes mailbox/search, or track a “hasInitialized” ref before calling setSelectedThreadId(null)).
| const [threads, setThreads] = useState<ThreadListItem[]>([]); | ||
| const [selectedThreadId, setSelectedThreadId] = useState<string | null>( | ||
| initialThreadId ?? null, | ||
| ); |
There was a problem hiding this comment.
selectedThreadId is initialized from initialThreadId before the session check runs. Now that server-side guards are removed, this can trigger a thread fetch for unauthenticated users (or before session is confirmed), leading to a spurious 401/error flash and an unnecessary request. Consider deferring application of initialThreadId until sessionChecked && session?.authenticated, or gating the thread-loading effect on authenticated session state.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
The code changes remove the authentication logic from the client-side routes and components, specifically removing the use of cookies and server requests to determine session status. The authentication checks and redirects are removed from the landing page (/), the auth-guard file, and the MailPage component. The AuthPage component no longer redirects authenticated users. The MailWorkspace component no longer receives initial session or thread page data as props and initializes its state accordingly.
Signed-off-by: ruo <ruoliu.dev@gmail.com>
Summary
Why
In the current deployment, the auth session cookie lives on the Railway API origin, not the Vercel web origin. That made the server-side guards and bootstrap branches in the route layer misleading at best and wrong at worst. This PR removes those stale paths instead of preserving half-used fallback logic.
Validation