Add support for live favorites

[kixelated]

No description provided.

[claude]

Claude finished @kixelated's task —— View job

---

Code Review: Add support for live favorites

Reviewing for bugs and security issues:

• Read repository guidelines (CLAUDE.md)
• Examine authentication changes in API
• Review room management modifications
• Check frontend favorites implementation
• Analyze configuration changes
• Report findings

Security Issues Found

🚨 Critical: Hardcoded secrets in repository

Location: api/.dev.vars:4-8

• Real OAuth client secrets for Google and Discord are hardcoded
• Apple private key is exposed in the repository
• These should be stored as environment variables or secure secrets, not committed to version control

Impact: Compromised OAuth applications and potential unauthorized access to authentication flows.

Recommendation:

1. Remove these secrets from the repository immediately
2. Rotate all exposed secrets (Google, Discord, Apple)
3. Use proper secret management (environment variables, Cloudflare secrets)

Bugs Found

⚠️ Database: No error handling for database failures

Location: api/src/fave.ts:50-53

const result = await ctx.db.$client
    .prepare("SELECT room, created_at FROM favorites WHERE account_id = ? ORDER BY created_at DESC")
    .bind(account_id)
    .all<{ room: string; created_at: number }>();

If the database query fails, it could crash the worker or expose internal errors to users.

⚠️ Input validation: Missing room name validation

Location: api/src/fave.ts:61
The signPreview function receives room names from database without re-validation before generating JWT tokens. While the names were validated on insert, database corruption or direct DB modifications could bypass this.

⚠️ Potential authorization bypass

Location: api/src/fave.ts:61

const token = await ctx.room.signPreview(favorites.map((f) => f.room));

Generates a preview token for ALL favorited rooms at once. If a user has many favorites, this creates a very broad access token. Consider limiting scope or generating per-room tokens.

Minor Issues

• Type safety: api/src/room.ts:31-38 - signPreview accepts array but internally uses it as a single permission, which could be confusing
• Frontend resilience: Connection cleanup in app/src/fave.tsx:37 is handled correctly

Summary

Critical action needed: Remove hardcoded secrets from repository and rotate them immediately. The authentication-related bugs are lower priority but should be addressed for production robustness.

[claude]

Claude finished @kixelated's task —— View job

---

Code Review: Add support for live favorites

Reviewing for bugs and security issues:

• Read repository guidelines (CLAUDE.md)
• Examine authentication changes in API
• Review room management modifications
• Check frontend favorites implementation
• Analyze configuration changes
• Report findings

Security Issues Found

🚨 Critical: Hardcoded secrets in repository

Location: api/.dev.vars:4-8

• Real OAuth client secrets for Google and Discord are hardcoded
• Apple private key is exposed in the repository
• These should be stored as environment variables or secure secrets, not committed to version control

Impact: Compromised OAuth applications and potential unauthorized access to authentication flows.

Recommendation:

1. Remove these secrets from the repository immediately
2. Rotate all exposed secrets (Google, Discord, Apple)
3. Use proper secret management (environment variables, Cloudflare secrets)

Bugs Found

⚠️ Database: No error handling for database failures

Location: api/src/fave.ts:50-53

const result = await ctx.db.$client
    .prepare("SELECT room, created_at FROM favorites WHERE account_id = ? ORDER BY created_at DESC")
    .bind(account_id)
    .all<{ room: string; created_at: number }>();

If the database query fails, it could crash the worker or expose internal errors to users.

⚠️ Input validation: Missing room name validation

Location: api/src/fave.ts:61
The signPreview function receives room names from database without re-validation before generating JWT tokens. While the names were validated on insert, database corruption or direct DB modifications could bypass this.

⚠️ Potential authorization bypass

Location: api/src/fave.ts:61

const token = await ctx.room.signPreview(favorites.map((f) => f.room));

Generates a preview token for ALL favorited rooms at once. If a user has many favorites, this creates a very broad access token. Consider limiting scope or generating per-room tokens.

Minor Issues

• Type safety: api/src/room.ts:31-38 - signPreview accepts array but internally uses it as a single permission, which could be confusing
• Frontend resilience: Connection cleanup in app/src/fave.tsx:37 is handled correctly

Summary

Critical action needed: Remove hardcoded secrets from repository and rotate them immediately. The authentication-related bugs are lower priority but should be addressed for production robustness.