You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
FileValidation.allowedTypes is declared as a single comma-separated string but treated like an array in validation logic, leading to incorrect MIME type checks.
exportinterfaceFileValidation{required?: boolean;allowedTypes: string;// comma separated types e.g. image/jpeg,application/pdfmaxSize: number;// in MB}
Why: The bucket name "garuda-hacks-6-0.firebasestorage.app" is invalid and will break storage operations; switching to the correct AppSpot domain fixes a critical misconfiguration.
High
Correct empty value check
The check for missing fieldValue uses &&, which is always false when one side is truthy. Change it to || to properly catch both undefined and empty string.
} catch (error) {
functions.logger.error("Error when trying to logout", err.message);
// force remove cookies
res.clearCookie("__session", {
httpOnly: true,
sameSite: "strict",
secure: process.env.NODE_ENV === "production",
});
- res.status(500).json({ status, error: "Something went wrong." });+ res.status(500).json({ status: 500, error: "Something went wrong." });
}
Suggestion importance[1-10]: 8
__
Why: The catch block sends { status, error } referencing an undefined status variable, causing runtime errors; replacing it with status: 500 corrects the response payload.
Medium
General
Add CSRF header to CORS
The CSRF middleware checks the x-csrf-token header but CORS only allows X-XSRF-TOKEN. Add x-csrf-token to allowed headers to avoid preflight failures.
Why: The CSRF middleware relies on "x-csrf-token" but CORS only permits "X-XSRF-TOKEN", which may block valid requests; adding it ensures preflight passes.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
PR Type
Enhancement, Documentation
Description
Add session cookie auth and CSRF protection
Implement application endpoints with validation
Support file uploads and Firebase storage
Enhance server CORS, cookies, and logging
Changes walkthrough 📝
3 files
Add Firebase storage bucket configurationEnable CORS and maxInstances for API functionUpdate dependencies and npm scripts15 files
Implement application endpoints and validationAdd session cookies, CSRF, and logout logicValidate session cookies instead of ID tokensIntroduce CSRF token protection middlewareAdd restrictToRole authorization middlewareCreate application-related API routesUpdate auth routes for session loginMount application routes in routerRemove auth middleware from ticket routesUse camelCase conversion for user requestsAdd cookie parsing, CSRF, session auth, loggingAdd application state and question typesAdd TypedRequestBody interfaceExtend fakery to generate application questionsExtract session cookies and UID utility1 files
Define RoleType enum1 files
Document application PATCH endpoint1 files