Skip to content

fix: implement server-side auth API calls in signin/signup pages#38

Open
OkiriGabriel wants to merge 1 commit into
NotHarshhaa:masterfrom
OkiriGabriel:fix/auth-server-side-validation
Open

fix: implement server-side auth API calls in signin/signup pages#38
OkiriGabriel wants to merge 1 commit into
NotHarshhaa:masterfrom
OkiriGabriel:fix/auth-server-side-validation

Conversation

@OkiriGabriel

@OkiriGabriel OkiriGabriel commented Jun 26, 2026

Copy link
Copy Markdown

Summary

  • Replace the client-side-only stub (fake 1s timeout + hardcoded abc@gamil.com check) with real fetch calls to the backend auth endpoints in both DevOps-Project-39 and DevOps-Project-40
  • Map frontend username field to the backend name field (fixes field name mismatch)
  • Show backend error messages via toast on failure; navigate home only on success
  • Use the existing VITE_API_PATH env var β€” consistent with every other page (home-page, add-blog, blog-feed, etc.)

Changes

File Change
DevOps-Project-39/.../signup-page.tsx POST to /api/auth/email-password/signup
DevOps-Project-39/.../signin-page.tsx POST to /api/auth/email-password/signin
DevOps-Project-40/.../signup-page.tsx POST to /api/auth/email-password/signup
DevOps-Project-40/.../signin-page.tsx POST to /api/auth/email-password/signin

Type of change

  • Bug fix (resolves TODO: Server-side validation in both projects)

Checklist

  • Tested locally against the Express backend
  • No hardcoded credentials or sensitive data
  • Follows existing code style and env var conventions
  • PR is focused and single-purpose

Made with Cursor

Summary by CodeRabbit

  • New Features

    • Sign-in and sign-up now connect to the server for real authentication instead of using placeholder behavior.
    • Users receive success and error toast messages during account access.
  • Bug Fixes

    • Improved handling of connection failures with clearer feedback.
    • Forms now only reset and redirect after a successful request.

Replace client-side-only stub (fake timeout + hardcoded email check)
with real fetch calls to the backend auth endpoints in both
DevOps-Project-39 and DevOps-Project-40.

- POST /api/auth/email-password/signup for registration
- POST /api/auth/email-password/signin for login
- Map frontend `username` field to backend `name` field
- Show backend error messages via toast on failure
- Navigate to home only on successful response
- Use existing VITE_API_PATH env var (consistent with other pages)

Resolves TODO: Server-side validation comments in both projects

Co-authored-by: Cursor <cursoragent@cursor.com>
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Review Change Stack

πŸ“ Walkthrough

Walkthrough

Signin and signup forms in two frontend project copies now call backend email/password endpoints with JSON payloads, handle response status with toast messages, reset on success, navigate to /, and show connection errors in catch blocks.

Changes

Wanderlust frontend auth submissions

Layer / File(s) Summary
Signin request flow
DevOps-Project-39/wanderlust-3tier-project/frontend/src/pages/signin-page.tsx
signin-page.tsx now posts email/password JSON to /api/auth/email-password/signin with credentials: 'include', reads the JSON response, shows toast feedback, and resets plus navigates on success.
Signup request flow
DevOps-Project-39/wanderlust-3tier-project/frontend/src/pages/signup-page.tsx
signup-page.tsx now posts username/email/password JSON to /api/auth/email-password/signup with credentials: 'include', reads the JSON response, shows toast feedback, and resets plus navigates on success.

Mega project frontend auth submissions

Layer / File(s) Summary
Signin request flow
DevOps-Project-40/Devops-Mega-Project-Jenkins-ArgoCD-EKS/frontend/src/pages/signin-page.tsx
signin-page.tsx now posts email/password JSON to /api/auth/email-password/signin with credentials: 'include', reads the JSON response, shows toast feedback, and resets plus navigates on success.
Signup request flow
DevOps-Project-40/Devops-Mega-Project-Jenkins-ArgoCD-EKS/frontend/src/pages/signup-page.tsx
signup-page.tsx now posts username/email/password JSON to /api/auth/email-password/signup with credentials: 'include', reads the JSON response, shows toast feedback, and resets plus navigates on success.

Sequence Diagram(s)

Signin flow

sequenceDiagram
  participant User
  participant SigninPage as signin-page.tsx
  participant AuthAPI as POST /api/auth/email-password/signin
  participant Toast as toast
  participant Router as navigate('/')

  User->>SigninPage: Submit email and password
  SigninPage->>AuthAPI: POST JSON body with credentials: include
  AuthAPI-->>SigninPage: JSON response
  alt response.ok false
    SigninPage->>Toast: toast.error(message)
  else response.ok true
    SigninPage->>Toast: toast.success(...)
    SigninPage->>Router: reset() and navigate('/')
  end
  Note over SigninPage,Toast: catch shows connection error toast
Loading

Signup flow

sequenceDiagram
  participant User
  participant SignupPage as signup-page.tsx
  participant AuthAPI as POST /api/auth/email-password/signup
  participant Toast as toast
  participant Router as navigate('/')

  User->>SignupPage: Submit username, email, and password
  SignupPage->>AuthAPI: POST JSON body with credentials: include
  AuthAPI-->>SignupPage: JSON response
  alt response.ok false
    SignupPage->>Toast: toast.error(result.message or generic message)
  else response.ok true
    SignupPage->>Toast: toast.success(...)
    SignupPage->>Router: reset() and navigate('/')
  end
  Note over SignupPage,Toast: catch shows connection error toast
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

A bunny hopped through forms today,
With fetch and toast in bright display.
It nibbled creds, then leapt on home,
No more fake delays to make it roam.
🐰✨

πŸš₯ Pre-merge checks | βœ… 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
βœ… Passed checks (4 passed)
Check name Status Explanation
Description Check βœ… Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check βœ… Passed The title accurately summarizes the main change: replacing client-side stubs with server-side auth API calls in signin and signup pages.
Linked Issues check βœ… Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check βœ… Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
πŸ§ͺ Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❀️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (2)
DevOps-Project-40/Devops-Mega-Project-Jenkins-ArgoCD-EKS/frontend/src/pages/signup-page.tsx (1)

34-44: 🩺 Stability & Availability | πŸ”΅ Trivial | ⚑ Quick win

Non-JSON error responses are misreported as connection failures.

Same issue as the signin page: response.json() is parsed before the response.ok check inside the try, so a non-JSON or empty response body throws and triggers the bare catch's "Unable to connect to the server" toast instead of surfacing the actual signup failure. Guard the parse.

♻️ Suggested guard
-      const result = await response.json();
-      if (!response.ok) {
-        toast.error(result.message ?? 'Sign up failed. Please try again.');
-        return;
-      }
-      toast.success(result.message ?? 'Account created successfully!');
+      const result = await response.json().catch(() => ({}));
+      if (!response.ok) {
+        toast.error(result.message ?? 'Sign up failed. Please try again.');
+        return;
+      }
+      toast.success(result.message ?? 'Account created successfully!');
πŸ€– Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@DevOps-Project-40/Devops-Mega-Project-Jenkins-ArgoCD-EKS/frontend/src/pages/signup-page.tsx`
around lines 34 - 44, The signup flow in signup-page.tsx is treating non-JSON or
empty error responses as connection failures because `response.json()` in the
signup handler runs before the `response.ok` check and can throw into the bare
`catch`. Update the submit logic in the signup page’s handler to guard or defer
parsing so non-OK responses are handled without forcing the generic network
toast, and surface the actual API failure message through the existing
`toast.error` path.
DevOps-Project-40/Devops-Mega-Project-Jenkins-ArgoCD-EKS/frontend/src/pages/signin-page.tsx (1)

33-43: 🩺 Stability & Availability | πŸ”΅ Trivial | ⚑ Quick win

Non-JSON error responses are misreported as connection failures.

response.json() is awaited before the response.ok check and inside the same try. If the endpoint returns a non-JSON body (HTML error page, empty 204/304, proxy/gateway error), the parse throws and falls through to the bare catch, showing "Unable to connect to the server" even though the server responded. Guard JSON parsing so the real HTTP status drives the message.

♻️ Suggested guard
-      const result = await response.json();
-      if (!response.ok) {
-        toast.error(result.message ?? 'Sign in failed. Please check your credentials.');
-        return;
-      }
-      toast.success(result.message ?? 'Signed in successfully!');
+      const result = await response.json().catch(() => ({}));
+      if (!response.ok) {
+        toast.error(result.message ?? 'Sign in failed. Please check your credentials.');
+        return;
+      }
+      toast.success(result.message ?? 'Signed in successfully!');
πŸ€– Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@DevOps-Project-40/Devops-Mega-Project-Jenkins-ArgoCD-EKS/frontend/src/pages/signin-page.tsx`
around lines 33 - 43, The signin flow in signin-page.tsx is treating any JSON
parse failure as a connection issue because response.json() is awaited inside
the same try before checking response.ok. Update the signin handler so the HTTP
status check in the signin-page submit logic determines success or failure
first, and only parse the response body as JSON when it is actually safe/needed;
if parsing fails or there is no JSON body, still surface the proper server-side
error instead of falling back to the generic network toast. Refer to the signin
submit handler, the response.json() call, and the response.ok branch when making
the change.
πŸ€– Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@DevOps-Project-39/wanderlust-3tier-project/frontend/src/pages/signin-page.tsx`:
- Around line 34-36: The signin error handling in signin-page.tsx is exposing
backend-specific messages from result.message, which can reveal whether an email
exists. Update the failure path in the signin submit flow to always show a
single generic message in the toast.error call, and avoid passing through
backend-auth details from the response. If possible, also align the backend
signin response in the corresponding auth endpoint so it returns the same
generic failure text regardless of whether the email or password is wrong.
- Around line 23-24: The auth API URL fallback is unsafe because signin, signup,
and related pages default to localhost even in production. Update the API URL
resolution in signin-page and the same pattern in signup-page, blog-feed,
home-page, details-page, and add-blog so the localhost fallback is used only
when import.meta.env.DEV is true. In non-dev builds, fail closed by surfacing a
clear configuration error instead of attempting requests without a valid
endpoint. Keep the logic centralized around the existing apiUrl setup so the
behavior is consistent across these page components.

In
`@DevOps-Project-39/wanderlust-3tier-project/frontend/src/pages/signup-page.tsx`:
- Around line 23-24: The signup flow in signup-page.tsx currently falls back to
localhost whenever VITE_API_PATH is missing, which should only happen in
development. Update the logic around the apiUrl used by the signup handler so it
uses the localhost default only in dev mode, and in production it should stop
before the fetch and surface a clear user-facing error if the auth API URL is
unset. Use the existing signup-page.tsx handler and the apiUrl / response flow
to locate the change.

---

Nitpick comments:
In
`@DevOps-Project-40/Devops-Mega-Project-Jenkins-ArgoCD-EKS/frontend/src/pages/signin-page.tsx`:
- Around line 33-43: The signin flow in signin-page.tsx is treating any JSON
parse failure as a connection issue because response.json() is awaited inside
the same try before checking response.ok. Update the signin handler so the HTTP
status check in the signin-page submit logic determines success or failure
first, and only parse the response body as JSON when it is actually safe/needed;
if parsing fails or there is no JSON body, still surface the proper server-side
error instead of falling back to the generic network toast. Refer to the signin
submit handler, the response.json() call, and the response.ok branch when making
the change.

In
`@DevOps-Project-40/Devops-Mega-Project-Jenkins-ArgoCD-EKS/frontend/src/pages/signup-page.tsx`:
- Around line 34-44: The signup flow in signup-page.tsx is treating non-JSON or
empty error responses as connection failures because `response.json()` in the
signup handler runs before the `response.ok` check and can throw into the bare
`catch`. Update the submit logic in the signup page’s handler to guard or defer
parsing so non-OK responses are handled without forcing the generic network
toast, and surface the actual API failure message through the existing
`toast.error` path.
πŸͺ„ Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
βš™οΈ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d58af58a-ebf1-48a4-ab41-a9a312fbbecb

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between a38cc0f and 647b85c.

πŸ“’ Files selected for processing (4)
  • DevOps-Project-39/wanderlust-3tier-project/frontend/src/pages/signin-page.tsx
  • DevOps-Project-39/wanderlust-3tier-project/frontend/src/pages/signup-page.tsx
  • DevOps-Project-40/Devops-Mega-Project-Jenkins-ArgoCD-EKS/frontend/src/pages/signin-page.tsx
  • DevOps-Project-40/Devops-Mega-Project-Jenkins-ArgoCD-EKS/frontend/src/pages/signup-page.tsx

Comment on lines +23 to +24
const apiUrl = import.meta.env.VITE_API_PATH ?? 'http://localhost:5000';
const response = await fetch(`${apiUrl}/api/auth/email-password/signin`, {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

πŸ”’ Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
frontend='DevOps-Project-39/wanderlust-3tier-project/frontend'

rg -n 'VITE_API_PATH|localhost:5000|import\.meta\.env\.(DEV|PROD)' "$frontend"

fd -H '^(\.env.*|vite\.config\..*)$' "$frontend" -x sh -c '
  printf "\n--- %s\n" "$1"
  rg -n "VITE_API_PATH|localhost:5000|import\.meta\.env\.(DEV|PROD)" "$1" || true
' sh {}

Repository: NotHarshhaa/DevOps-Projects

Length of output: 1603


Fail closed when the auth API URL is missing.

The fallback to http://localhost:5000 whenever VITE_API_PATH is unset is unsafe for production. In a production build, this causes the app to attempt posting credentials to a local service on the user's machine or fail unexpectedly. The same insecure fallback pattern is found in signup-page.tsx, blog-feed.tsx, home-page.tsx, details-page.tsx, and add-blog.tsx.

Gate the localhost fallback to dev builds only (import.meta.env.DEV) and fail safely in production by surfacing a configuration error when the endpoint is missing.

Suggested fix
-      const apiUrl = import.meta.env.VITE_API_PATH ?? 'http://localhost:5000';
+      const configuredUrl = import.meta.env.VITE_API_PATH?.trim() || (import.meta.env.DEV ? 'http://localhost:5000' : '');
+      if (!configuredUrl) {
+        toast.error('Authentication service endpoint is not configured.');
+        return;
+      }
+      const apiUrl = configuredUrl.replace(/\/+$/, '');
       const response = await fetch(`${apiUrl}/api/auth/email-password/signin`, {
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const apiUrl = import.meta.env.VITE_API_PATH ?? 'http://localhost:5000';
const response = await fetch(`${apiUrl}/api/auth/email-password/signin`, {
const configuredUrl = import.meta.env.VITE_API_PATH?.trim() || (import.meta.env.DEV ? 'http://localhost:5000' : '');
if (!configuredUrl) {
toast.error('Authentication service endpoint is not configured.');
return;
}
const apiUrl = configuredUrl.replace(/\/+$/, '');
const response = await fetch(`${apiUrl}/api/auth/email-password/signin`, {
πŸ€– Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@DevOps-Project-39/wanderlust-3tier-project/frontend/src/pages/signin-page.tsx`
around lines 23 - 24, The auth API URL fallback is unsafe because signin,
signup, and related pages default to localhost even in production. Update the
API URL resolution in signin-page and the same pattern in signup-page,
blog-feed, home-page, details-page, and add-blog so the localhost fallback is
used only when import.meta.env.DEV is true. In non-dev builds, fail closed by
surfacing a clear configuration error instead of attempting requests without a
valid endpoint. Keep the logic centralized around the existing apiUrl setup so
the behavior is consistent across these page components.

Comment on lines +34 to +36
if (!response.ok) {
toast.error(result.message ?? 'Sign in failed. Please check your credentials.');
return;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

πŸ”’ Security & Privacy | 🟠 Major | ⚑ Quick win

Use a generic signin failure message.

The backend contract shown here returns different messages for β€œemail does not exist” and β€œinvalid password”; Line 35 exposes those directly, enabling account enumeration. Keep signin errors generic on the client, and ideally align the backend response too.

Suggested fix
       if (!response.ok) {
-        toast.error(result.message ?? 'Sign in failed. Please check your credentials.');
+        toast.error('Invalid email or password.');
         return;
       }
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if (!response.ok) {
toast.error(result.message ?? 'Sign in failed. Please check your credentials.');
return;
if (!response.ok) {
toast.error('Invalid email or password.');
return;
πŸ€– Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@DevOps-Project-39/wanderlust-3tier-project/frontend/src/pages/signin-page.tsx`
around lines 34 - 36, The signin error handling in signin-page.tsx is exposing
backend-specific messages from result.message, which can reveal whether an email
exists. Update the failure path in the signin submit flow to always show a
single generic message in the toast.error call, and avoid passing through
backend-auth details from the response. If possible, also align the backend
signin response in the corresponding auth endpoint so it returns the same
generic failure text regardless of whether the email or password is wrong.

Comment on lines +23 to +24
const apiUrl = import.meta.env.VITE_API_PATH ?? 'http://localhost:5000';
const response = await fetch(`${apiUrl}/api/auth/email-password/signup`, {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

πŸ”’ Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
frontend='DevOps-Project-39/wanderlust-3tier-project/frontend'

rg -n 'VITE_API_PATH|localhost:5000|import\.meta\.env\.(DEV|PROD)' "$frontend"

fd -H '^(\.env.*|vite\.config\..*)$' "$frontend" -x sh -c '
  printf "\n--- %s\n" "$1"
  rg -n "VITE_API_PATH|localhost:5000|import\.meta\.env\.(DEV|PROD)" "$1" || true
' sh {}

Repository: NotHarshhaa/DevOps-Projects

Length of output: 1603


Fail closed when the auth API URL is missing in production

Line 23 in DevOps-Project-39/wanderlust-3tier-project/frontend/src/pages/signup-page.tsx unconditionally falls back to http://localhost:5000 if VITE_API_PATH is missing. In a production build, remote users cannot reach a localhost endpoint, causing failed requests and a poor user experience. Restrict this fallback to development mode only and halt execution with a user-facing error if the API URL is missing in production.

Suggested fix
-      const apiUrl = import.meta.env.VITE_API_PATH ?? 'http://localhost:5000';
+      const configuredApiUrl = import.meta.env.VITE_API_PATH?.trim();
+      const apiUrl = configuredApiUrl || (import.meta.env.DEV ? 'http://localhost:5000' : '');
+      if (!apiUrl) {
+        toast.error('Authentication service is not configured.');
+        return;
+      }
       const response = await fetch(`${apiUrl}/api/auth/email-password/signup`, {
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const apiUrl = import.meta.env.VITE_API_PATH ?? 'http://localhost:5000';
const response = await fetch(`${apiUrl}/api/auth/email-password/signup`, {
const configuredApiUrl = import.meta.env.VITE_API_PATH?.trim();
const apiUrl = configuredApiUrl || (import.meta.env.DEV ? 'http://localhost:5000' : '');
if (!apiUrl) {
toast.error('Authentication service is not configured.');
return;
}
const response = await fetch(`${apiUrl}/api/auth/email-password/signup`, {
πŸ€– Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@DevOps-Project-39/wanderlust-3tier-project/frontend/src/pages/signup-page.tsx`
around lines 23 - 24, The signup flow in signup-page.tsx currently falls back to
localhost whenever VITE_API_PATH is missing, which should only happen in
development. Update the logic around the apiUrl used by the signup handler so it
uses the localhost default only in dev mode, and in production it should stop
before the fetch and surface a clear user-facing error if the auth API URL is
unset. Use the existing signup-page.tsx handler and the apiUrl / response flow
to locate the change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant