Skip to content

fix: raycast org selection based api key creation #447

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 3, 2025
Merged

fix: raycast org selection based api key creation #447

merged 1 commit into from
Oct 3, 2025
+8 −2

Conversation

MaheshtheDev
Copy link
Member

No description provided.

@MaheshtheDev MaheshtheDev marked this pull request as ready for review October 2, 2025 20:52
@cloudflare-workers-and-pages Cloudflare Workers and Pages
Copy link

cloudflare-workers-and-pages bot commented Oct 2, 2025
edited
Loading

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs		 supermemory-app c3f1647 Oct 03 2025, 08:02 AM

@graphite-app graphite-app bot requested a review from Dhravya October 2, 2025 20:52
@MaheshtheDev Graphite App
Copy link
Member Author

How to use the Graphite Merge Queue

Add the label Main to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

@claude Claude
Copy link

claude bot commented Oct 2, 2025

Code Review for PR #447

Summary

This PR fixes a race condition in the Raycast API key creation flow by ensuring the organization is loaded before triggering the mutation.

✅ Positive Aspects

  1. Bug Fix: The core issue is correctly identified and fixed - the mutation was being triggered before org?.id was available, which would cause the API key creation to fail or create invalid keys.

  2. Proper Dependency Array: Adding org to the useEffect dependency array follows React best practices and ensures the effect properly responds to org changes.

  3. Guard Condition: The org?.id check in the condition prevents the mutation from running when the organization isn't loaded yet.

🔍 Code Quality Observations

Good:

  • The fix is minimal and focused (apps/web/components/views/integrations.tsx:290-291, 296)
  • Uses optional chaining (org?.id) for safe property access
  • Maintains existing logic flow

Considerations:

  • The mutation function already references org?.id (lines 264, 268), so if org is undefined when the mutation runs, it would create malformed API keys. This fix prevents that scenario.

⚠️ Potential Issues

  1. Race Condition Still Possible: If org becomes undefined after the useEffect check but before the mutation executes, there could still be an issue. Consider adding a guard in the mutation function itself:
mutationFn: async () => {
  if (!org?.id) {
    throw new Error("Organization not loaded")
  }
  const res = await authClient.apiKey.create({
    // ... rest of the code
  })
}
  1. Multiple Triggers: The useEffect will re-run if org changes (e.g., user switches organizations). While hasTriggeredRaycast prevents duplicate triggers, it's not reset if the org changes. This could be intentional, but worth documenting.

🧪 Test Coverage

Observation: No test files found for this component. Consider adding tests for:

  • Raycast API key creation flow
  • Behavior when org is undefined/loading
  • Prevention of duplicate API key creation

🔒 Security

No security concerns. The fix actually improves security by preventing API keys from being created with potentially undefined organization IDs.

📝 Minor: .gitignore Change

The addition of bun.lock to .gitignore seems unrelated to this fix. Typically lock files should be committed to ensure consistent dependency versions across environments. Consider:

  • Removing this change from this PR, or
  • Explaining why bun.lock should be ignored in your project

Recommendation

Approve with minor suggestions. The core fix is solid and addresses the race condition. Consider:

  1. Adding a guard in the mutation function for extra safety
  2. Separating the .gitignore change into a separate PR or reverting it
  3. Adding tests for this component (future work)

🤖 Review generated with Claude Code

@claude Claude
Copy link

claude bot commented Oct 2, 2025

PR Review: Fix Raycast org selection based API key creation

✅ Positive Changes

Good catch on the null check! The fix properly addresses a potential runtime error when org?.id is undefined during API key creation.

🐛 Bugs & Issues

Critical: Race Condition in useEffect
The fix in the useEffect (line 289-300) adds org?.id as a guard, but there's a missing dependency that will cause React warnings and potential stale closure issues:

}, [searchParams, hasTriggeredRaycast, createRaycastApiKeyMutation, org])
//                                                                    ^^^

The dependency org is correct, but you're referencing org?.id in the condition. While this is technically fine, the exhaustive-deps rule might complain. More importantly, the mutation function itself may have stale closure over org if not properly memoized.

Recommendation:

useEffect(() => {
  const qParam = searchParams.get("q")
  if (
    qParam === "raycast" &&
    !hasTriggeredRaycast &&
    !createRaycastApiKeyMutation.isPending &&
    org?.id
  ) {
    setHasTriggeredRaycast(true)
    createRaycastApiKeyMutation.mutate()
  }
}, [searchParams, hasTriggeredRaycast, createRaycastApiKeyMutation, org?.id])
//                                                                     ^^^^^^^
// More precise dependency

🔒 Security Concerns

API Key Creation Without User Confirmation
The automatic API key creation triggered by the ?q=raycast query parameter (lines 289-300) is a security concern:

  1. No user consent: API keys are created silently when users land on the page with ?q=raycast
  2. CSRF potential: An attacker could trick users into visiting https://app.supermemory.ai/integrations?q=raycast and trigger unwanted API key creation
  3. Key proliferation: Each page visit could create a new key before the fix (now protected by hasTriggeredRaycast, but still creates one per session)

Recommendations:

  • Remove automatic creation or require explicit user action (button click)
  • If automatic creation is necessary for UX, add CSRF protection via a signed token in the URL
  • Show a confirmation toast/modal before creating the key

🎯 Code Quality

Inconsistent Error Handling
The createApiKeyMutation (line 235) doesn't validate org?.id like createRaycastApiKeyMutation now does. For consistency:

const createApiKeyMutation = useMutation({
  mutationFn: async () => {
    if (!org?.id) {
      throw new Error("Organization ID is required")
    }
    const res = await authClient.apiKey.create({
      // ... rest of code
    })
  },
  // ...
})

Minor: .gitignore Change
Adding bun.lock to .gitignore is generally not recommended for applications. Lock files should be committed to ensure consistent dependency versions across environments. This is mentioned in the Bun docs.

According to your CLAUDE.md, this is a monorepo using Bun. Unless there's a specific reason (e.g., CI conflicts), the lock file should be committed.

⚡ Performance Considerations

No significant performance issues. The early return guards are good practice and avoid unnecessary API calls.

🧪 Test Coverage

Missing test scenarios:

  1. Test behavior when org?.id is undefined
  2. Test the ?q=raycast auto-trigger flow
  3. Test that hasTriggeredRaycast prevents duplicate key creation
  4. Test error handling for both mutations

Consider adding integration tests for the Raycast flow since it involves auto-triggering behavior.

📝 Summary

Issues to address:

  1. 🔴 High Priority: Remove bun.lock from .gitignore or document why it's necessary
  2. 🔴 High Priority: Consider removing automatic API key creation for security
  3. 🟡 Medium: Add org?.id validation to createApiKeyMutation for consistency
  4. 🟡 Medium: Update useEffect dependency to org?.id for precision
  5. 🟢 Low: Add tests for the new validation logic

The core fix is solid and addresses the immediate issue. The main concerns are around the security implications of automatic key creation and the lock file change.

@graphite-app Graphite App
Copy link

graphite-app bot commented Oct 3, 2025
edited
Loading

Merge activity

@graphite-app Graphite App
Copy link

graphite-app bot commented Oct 3, 2025

Illustrated gif. Closed hand on a yellow background, the thumb pops up, giving a thumbs up and revealing a message in teal blue bubble font, which bursts into pieces. Text, 'Thumbs up!' (Added via Giphy)

@graphite-app graphite-app bot force-pushed the 10-02-fix_raycast_org_selection_based_api_key_creation branch from a5c054c to c3f1647 Compare October 3, 2025 07:56
@claude Claude
Copy link

claude bot commented Oct 3, 2025

Pull Request Review: Raycast Organization Selection API Key Creation

Summary

This PR fixes a bug where Raycast API key creation could fail when the organization ID is not yet available. The changes add proper validation and defensive checks.

✅ Positive Aspects

  1. Good defensive programming - Adding the org?.id check prevents API key creation when organization data isn't loaded
  2. Proper error handling - Throwing an explicit error with a clear message
  3. Dependency array fix - Adding org to the useEffect dependencies (line 300) is correct and prevents stale closures
  4. Consistent pattern - The validation pattern matches similar code elsewhere in the component

🐛 Potential Issues

1. Race Condition Still Exists

The useEffect on lines 289-300 still has a timing issue. If the URL has ?q=raycast but org?.id is not yet loaded:

  • The effect runs, sees !org?.id, and does nothing
  • When org loads later, the effect runs again BUT hasTriggeredRaycast is still false
  • However, the condition now includes org?.id, so it should work

Actually, this looks correct on second review

2. .gitignore Change is Questionable

+bun.lock

The bun.lock file should typically NOT be ignored in a monorepo. Lock files ensure consistent dependencies across all developers and CI/CD. This change seems unrelated to the PR's purpose.

Recommendation: Remove this change unless there's a specific reason documented in the commit message.

🔒 Security Considerations

No security concerns - The changes properly validate organization ID before creating API keys, which is good security practice.

🚀 Performance Considerations

No performance issues - The additional check is negligible overhead.

🧪 Test Coverage

⚠️ Missing tests - Consider adding tests for:

  1. API key creation when org?.id is undefined
  2. Raycast auto-trigger with query param when org loads asynchronously
  3. Error toast display when org is missing

📝 Code Quality Suggestions

1. Inconsistent pattern with iOS shortcut creation

The iOS shortcut API key creation (line 235-258) doesn't have the same org?.id validation:

const createApiKeyMutation = useMutation({
  mutationFn: async () => {
    // ⚠️ No org?.id check here
    const res = await authClient.apiKey.create({
      metadata: {
        organizationId: org?.id, // Could be undefined

Recommendation: Add the same validation to createApiKeyMutation for consistency:

const createApiKeyMutation = useMutation({
  mutationFn: async () => {
    if (!org?.id) {
      throw new Error("Organization ID is required")
    }
    const res = await authClient.apiKey.create({

2. Better user feedback

When the Raycast trigger fails due to missing org, users see no feedback. Consider:

onError: (error) => {
  if (error.message.includes("Organization ID")) {
    toast.error("Please wait for organization to load", {
      description: "Try again in a moment"
    })
  } else {
    toast.error("Failed to create Raycast API key", {
      description: error instanceof Error ? error.message : "Unknown error",
    })
  }
}

📋 Recommendations

Must fix before merge:

  • Remove bun.lock from .gitignore (or provide justification)

Should consider:

  • Add the same org?.id validation to createApiKeyMutation for consistency
  • Add test coverage for the org loading race condition
  • Consider better user feedback for organization loading state

Verdict

The core fix is solid and addresses the issue correctly. The .gitignore change should be removed unless justified. Overall: Approve with minor changes requested.

Review generated with Claude Code

@graphite-app graphite-app bot merged commit c3f1647 into main Oct 3, 2025
3 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Dhravya Dhravya Dhravya approved these changes

Assignees

@MaheshtheDev MaheshtheDev

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@MaheshtheDev @Dhravya