fix: shared Neon DB compat, Postgres BIGINT, mail label aliases#97
fix: shared Neon DB compat, Postgres BIGINT, mail label aliases#97
Conversation
✅ Deploy Preview for agent-native-fw ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| 🔵 In progress View logs |
agent-native-forms | 01f3fe6 | Commit Preview URL Branch Preview URL |
Mar 27 2026, 07:35 PM |
![builder-io-integration[bot]](https://avatars.githubusercontent.com/in/353721?s=60&v=4){kind=small}
There was a problem hiding this comment.
Builder has reviewed your changes and found 1 potential issue.
Review Details
Code Review Summary
This PR makes a single targeted change to templates/mail/server/handlers/google-auth.ts: in dev mode (when session.email === "local@localhost"), getGoogleStatus now calls getAuthStatus(undefined) instead of getAuthStatus("local@localhost"), making all production-connected OAuth accounts visible locally when sharing a Neon Postgres DB.
Risk: Standard — touches auth/session ownership logic.
Security: The local@localhost sentinel is structurally impossible in production (the Google auth plugin resolves real emails from session cookies), so there is no cross-environment leak risk.
Key Finding:
The fix is incomplete — getGoogleStatus now exposes all accounts in dev, but the rest of the mail backend still filters by the local@localhost owner. disconnectGoogle still calls getAuthStatus(session.email) for its ownership check, so any account owned by a production email will show in the UI but return 403 when you try to disconnect it. Similarly, the email-fetching handlers (listEmails, getThreads, sendEmail, etc.) continue to call isConnected("local@localhost") and getAccountTokens("local@localhost"), so those production-owned accounts won't actually serve mail data. The newly visible accounts are visible but not usable.
Confirmed by: 2 out of 2 code-review agents.
Found using 2 parallel code-review agent calls with randomized file ordering.
Code review by Builder.io
- getAccountTokens skips owner filter for local@localhost (same as other auth fixes) - Suppress Postgres NOTICE messages for CREATE TABLE IF NOT EXISTS
There was a problem hiding this comment.
Builder has reviewed your changes and found 1 potential issue.
Review Details
Incremental Review — PR #97 (3rd pass)
This incremental review covers the latest two commits: getAccountTokens() bypass in emails.ts and Postgres onnotice suppression in packages/core/src/db/client.ts.
Previous finding resolved ✅ — The disconnect (403) issue is fixed via the getAuthStatus() lib-level bypass. The getAccountTokens() bypass now correctly resolves tokens for all accounts in dev mode, fixing label loading.
One gap remains: getClients() in google-auth.ts was not updated with the local@localhost bypass. This creates an internal inconsistency: isConnected("local@localhost") now returns true (any account), but getClients("local@localhost") still calls listOAuthAccountsByOwner("google", "local@localhost") — which returns [] for accounts created in production. listGmailMessages gets zero clients and silently returns { messages: [], errors: [] }, so the inbox appears empty with no error. This is the primary user-visible failure in the shared-Neon scenario the PR targets.
onnotice suppression is safe — postgres.js only routes server NOTICE messages through this callback; query errors are still thrown normally.
Risk: Standard — auth/session ownership logic in mail template backend.
Found using 2 parallel code-review agent calls with randomized file ordering.
Code review by Builder.io
| */ | ||
| export async function isConnected(forEmail?: string): Promise<boolean> { | ||
| if (forEmail) { | ||
| // In dev mode, check all accounts regardless of owner |
There was a problem hiding this comment.
🟡 getClients() still filters by owner in dev mode — inbox silently empty
isConnected() now bypasses the owner filter for local@localhost, but getClients() immediately above it does not. When listEmails runs in dev mode: (1) isConnected("local@localhost") returns true via hasOAuthTokens, (2) listGmailMessages(..., "local@localhost") calls getClients("local@localhost") which still calls listOAuthAccountsByOwner("google", "local@localhost") → [], (3) returns {messages:[], errors:[]} silently. Apply the same forEmail && forEmail !== "local@localhost" guard inside getClients() to complete the fix.
How did I do? React with 👍 or 👎 to help me improve.
1 participant
Summary
Test plan
🤖 Generated with Claude Code