Skip to content

Codebase cleanup - auth hardening, component splits, and infra improvements#55

Merged
heyradcode merged 32 commits into
mainfrom
refactor/cleanup-codebase
Jun 18, 2026
Merged

Codebase cleanup - auth hardening, component splits, and infra improvements#55
heyradcode merged 32 commits into
mainfrom
refactor/cleanup-codebase

Conversation

@engdotme

@engdotme engdotme commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Summary

A broad cleanup pass touching security, code organisation, and developer experience across the full stack.

Security & Auth

  • Migrate auth to httpOnly cookies with server-side route protection
  • Add rate limiting to API and auth routes
  • Apply region/VPN restriction to OAuth sign-in; redirect blocked users to /unavailable
  • Prevent X-Forwarded-For spoofing via trust proxy config
  • Fix: retry 401 requests only once after token refresh
  • Fix: only render user-supplied URLs as links when they are http(s)
  • Fix: clear user-scoped localStorage on sign-out; keep registration IP/location out of localStorage

Frontend refactoring

  • Split large page components into focused sub-components (application detail, cohort detail, notification bell, profile form)
  • Extract avatar upload into its own component
  • Rename colocated client views from _name.tsxname-view.tsx convention
  • Create reusable ListPageLayout for admin list pages
  • Wrap axios instance in a singleton ApiClient class with interceptors
  • Enrich SEO metadata across public and private routes
  • Remove unused ProfileSheet component

Backend / infra

  • Enable full TypeScript strict mode + no-floating-promises
  • Migrate Prisma seed config to prisma.config.ts
  • Use Nest Logger for bootstrap logging
  • Fix e2e Jest config and add first unit specs

Test plan

  • Sign in / sign up flows work (including OAuth)
  • Users outside the allowed region / on VPN are redirected to /unavailable
  • Auth cookies are set correctly and protected routes require a valid session
  • Rate limiting activates under repeated rapid requests
  • Admin list pages render correctly with the new ListPageLayout
  • Notification bell, cohort detail, application detail, and profile form render and behave as before
  • Sign-out clears localStorage correctly
  • Run backend unit specs: pnpm test

engdotme added 30 commits June 8, 2026 16:29
@vercel

vercel Bot commented Jun 18, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
forgeng-frontend Ready Ready Preview, Comment Jun 18, 2026 2:11pm

@github-actions

github-actions Bot commented Jun 18, 2026

Copy link
Copy Markdown

Backend coverage

Backend coverage

Lines Statements Branches Functions
Coverage: 73%
72.65% (1427/1964) 66.69% (847/1270) 75.06% (271/361)

@github-actions

github-actions Bot commented Jun 18, 2026

Copy link
Copy Markdown

Frontend coverage

Frontend coverage

Lines Statements Branches Functions
Coverage: 32%
32.05% (817/2549) 24.88% (390/1567) 25.98% (191/735)

@engdotme engdotme marked this pull request as draft June 18, 2026 13:48

@heyradcode heyradcode left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR!
It failed with Lint errors, can you take a look? @engdotme

@engdotme engdotme marked this pull request as ready for review June 18, 2026 14:14
@engdotme engdotme requested a review from heyradcode June 18, 2026 14:14
heyradcode

This comment was marked as off-topic.

@engdotme engdotme requested a review from heyradcode June 18, 2026 16:09
@heyradcode heyradcode merged commit 013add6 into main Jun 18, 2026
4 checks passed
@heyradcode heyradcode deleted the refactor/cleanup-codebase branch June 18, 2026 16:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants