Conversation

@reddy-vishwanath reddy-vishwanath commented Nov 10, 2025

Summary by CodeRabbit

Release Notes

  • Bug Fixes
    • Resolved an issue affecting the author collection functionality.
  • Improvements
    • Enhanced request/response and error logging for better diagnostics.
    • Author-collection requests now enable enhanced logging by default, providing streamlined response payloads when diagnostics are active.
  • Chores
    • Bumped package version for this release.


coderabbitai bot commented Nov 10, 2025

Walkthrough

Adds conditional request/response logging to nativeRequest: when enableLog is true it logs request/response details and returns the response body (otherwise returns the full response). Enhances error logging to include response headers/content when present. getAuthorCollection now calls with enableLog: true. Package version bumped to 2.7.1-author-page-issue.1.

Changes

Cohort / File(s): Summary
  • Logging feature (index.js): nativeRequest: added enableLog handling — logs request params/headers/body and response details when enabled; returns response.body when enableLog is true, otherwise returns full response. Error path now logs status and, if available, error response headers and content. getAuthorCollection now passes enableLog: true.
  • Version update (package.json): Bumped version from 2.7.0 to 2.7.1-author-page-issue.1.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant nativeRequest
    participant HTTP
    Client->>nativeRequest: call(params, { enableLog: true/false })
    alt enableLog == true
        nativeRequest->>HTTP: send request (logged)
        HTTP-->>nativeRequest: full response
        nativeRequest-->>nativeRequest: log response status/headers/body
        nativeRequest-->>Client: return response.body
    else enableLog == false
        nativeRequest->>HTTP: send request
        HTTP-->>nativeRequest: full response
        nativeRequest-->>Client: return full response
    end
    alt HTTP returns error
        nativeRequest-->>nativeRequest: log status (+ headers/content if present)
        nativeRequest-->>Client: throw or propagate error
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Pay attention to callers that may expect the full response but will now receive body when enableLog is used (e.g., getAuthorCollection).
  • Verify that logged data does not leak sensitive headers or bodies.
  • Review error logging paths to ensure they handle absent fields safely.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)
  • Description check (⚠️ Warning): No pull request description was provided by the author; all required sections including summary, issue reference, type of change, testing details, and checklist are missing. Resolution: Add a comprehensive PR description following the template with issue reference, change type, testing details, and completion of the required checklist.
  • Title check (❓ Inconclusive): The title 'Author page issue' is vague and does not clearly summarize the main change; it only references the issue number without describing what was actually fixed or implemented. Resolution: Provide a more specific title that describes the actual change, such as 'Add debug logging to request handling and enable logging in getAuthorCollection' or similar.
✅ Passed checks (1 passed)
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 522e92e and be99fdc.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • index.js (2 hunks)
  • package.json (1 hunks)

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
package.json (1)

3-3: Reconsider the pre-release version format.

The version 2.7.1-author-page-issue.0 suggests this is a temporary diagnostic release. Pre-release versions with issue identifiers should not be published to production. Consider using a standard semantic version (e.g., 2.7.1) once the issue is resolved and the debugging code is removed.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4d0179e and 522e92e.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • index.js (2 hunks)
  • package.json (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
index.js (1)
collection-loader.js (1)
  • opts (33-33)

index.js Outdated
Comment on lines 907 to 919
opts?.enableLog ? { resolveWithFullResponse: true } : {},
opts
);
return rp(params).catch(e => {
console.error(`Error in API ${uri}: Status ${e.statusCode}`);
return rp(params)
.then(response => {
if (opts?.enableLog) {
console.log("log--request params", params);
console.log(`log--response headers for ${uri}:`, response.headers);
console.log(`log--response content for ${uri}:`, response.body);
return response.body;
}
return response;
})

⚠️ Potential issue | 🔴 Critical

Critical: Breaking change and security risks with conditional logging.

This implementation has several critical issues:

  1. Breaking change: The function returns different types based on the enableLog flag—response.body when true vs. the full response object when false. This violates the principle of consistent function behavior and will break any code expecting the full response object.

  2. Security issue - sensitive data exposure: Logging params, response.headers, and response.body can expose:

    • Authentication tokens (e.g., X-QT-AUTH, qt-internal-apps-key in headers)
    • API keys and secrets
    • PII data such as user emails, identifiers, and other personal information in the request/response body

    This violates security best practices and compliance requirements (GDPR/CCPA).

  3. Formatting: Line 917 has inconsistent indentation with extra spaces.

Consider these alternatives:

Option 1 (Recommended): Remove the logging entirely and use proper observability tools (APM, structured logging with PII redaction) for debugging production issues.

Option 2: If temporary debugging is needed, ensure:

  • Return value remains consistent (always return the same type)
  • Sensitive fields are redacted before logging
  • The feature is controlled by an environment variable, not hardcoded
  • Add clear documentation that this is for debugging only

Apply this diff to maintain consistent return behavior:

   const params = Object.assign(
     {
       method: "GET",
       uri: uri,
       json: true,
       gzip: true
     },
-    opts?.enableLog ? { resolveWithFullResponse: true } : {},
     opts
   );
   return rp(params)
-      .then(response => {
-        if (opts?.enableLog) {
-          console.log("log--request params", params);
-          console.log(`log--response headers for ${uri}:`, response.headers);
-          console.log(`log--response content for ${uri}:`, response.body);
-          return response.body;
-         }     
-         return response;
-      })
+      .then(response => response)
       .catch(e => {
         console.error(`Error in API ${uri}: Status ${e.statusCode}`);
-        if (e.response) {
-          console.error(`log--error headers for ${uri}:`, e.response.headers);
-          console.error(`log--error content for ${uri}:`, e.response.body);
-        }
     throw e;
   });
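Review bot: the suggested hunk leaves `.then(response => response)` in place, which is a pass-through that does nothing; chaining `.catch` directly on `rp(params)` is clearer and does not suggest a transform is happening. The hunk also leaves `throw e;` and the closing `});` at a shallower indentation than the `.catch` body above them, so the committed version should re-indent those two lines to match the `console.error(...)` line.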

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In index.js around lines 907 to 919, the conditional logging block both changes the function's return type (returning response.body when opts.enableLog is true vs the full response when false) and logs sensitive request/response data; to fix, make the function always return the same value (the full response) regardless of logging, remove or replace the raw console.logs with a controlled debug path behind an environment flag, redact sensitive headers/body fields before any logging (eg. mask tokens, API keys, emails, PII), and correct the inconsistent indentation on line 917; prefer removing logs entirely or routing through a structured logger that supports PII redaction and is disabled in production.

Comment on lines 1185 to 1190
getAuthorCollection(authorId, params) {
return this.request(`/api/v1/authors/${authorId}/collection`, {
qs: params
qs: params,
enableLog: true
});
}

⚠️ Potential issue | 🔴 Critical

Critical: Hardcoded debug flag enables unsafe logging in production.

The enableLog: true flag is hardcoded, which means:

  1. All author collection requests will trigger verbose logging (including sensitive headers and request/response bodies)
  2. This cannot be disabled in production without a code change
  3. Combined with the logging implementation in nativeRequest, this will expose sensitive data for every author collection API call

Debug flags should never be hardcoded to true in production code.

Recommended approach: Remove this temporary debugging code entirely:

 getAuthorCollection(authorId, params) {
   return this.request(`/api/v1/authors/${authorId}/collection`, {
-    qs: params,
-    enableLog: true
+    qs: params
   });
 }

If debugging is genuinely needed, control it via an environment variable:

 getAuthorCollection(authorId, params) {
   return this.request(`/api/v1/authors/${authorId}/collection`, {
     qs: params,
-    enableLog: true
+    ...(process.env.DEBUG_AUTHOR_COLLECTION === 'true' && { enableLog: true })
   });
 }
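Review bot: gating `enableLog` on `process.env.DEBUG_AUTHOR_COLLECTION === 'true'` removes the hardcoded flag but not the return-type problem: with the variable set, the `nativeRequest` path shown earlier still returns `response.body` instead of the response, so `getAuthorCollection` callers get a different shape depending on the environment. Pair this hunk with the consistent-return change in `nativeRequest`. Spreading `false` into an object literal is valid (it spreads nothing), but `cond ? { enableLog: true } : {}` states the intent more plainly.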

However, given the security issues with the logging implementation, Option 1 (complete removal) is strongly recommended.

🤖 Prompt for AI Agents
In index.js around lines 1185 to 1190, the request call to /api/v1/authors/${authorId}/collection hardcodes enableLog: true which forces verbose/sensitive logging in production; remove the enableLog property entirely from this call (Option 1) so the request uses the default logging behavior, ensure no other code paths reintroduce a hardcoded true, and if debugging is required implement a controlled switch that reads an environment variable (e.g., process.env.ENABLE_REQUEST_LOGGING === 'true') before setting enableLog so logging can be toggled without code changes; update any tests or documentation referencing this flag.
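The two review comments above ask for the same three properties: a constant return type, redaction of sensitive headers and body fields before logging, and an environment-variable switch instead of a hardcoded flag. The following is an added example (not code from this PR or the project) of a request wrapper that satisfies all three; the helper names, the `DEBUG_REQUEST_LOGGING` variable and the e-mail regex are assumptions, while the header names come from the review.

```javascript
// Added example, not the project's code: a request wrapper that always returns
// the full response, redacts secrets before logging, and is switched on by an
// environment variable. Header names come from the review; everything else is assumed.

// Headers named in the review (X-QT-AUTH, qt-internal-apps-key) plus common credential carriers.
const SENSITIVE_KEYS = new Set(["x-qt-auth", "qt-internal-apps-key", "authorization", "cookie"]);
const EMAIL_RE = /[\w.+-]+@[\w-]+(\.[\w-]+)+/g; // assumed PII pattern for bodies

// Return a masked copy of any value; the original object is never mutated.
function redact(value) {
  if (typeof value === "string") return value.replace(EMAIL_RE, "[email-redacted]");
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? "[redacted]" : redact(v);
    }
    return out;
  }
  return value;
}

// Build one structured, already-redacted log record for a request/response pair.
function buildLogRecord(uri, params, response) {
  return {
    uri,
    request: redact({ headers: params.headers, qs: params.qs }),
    response: { statusCode: response.statusCode, headers: redact(response.headers), body: redact(response.body) },
  };
}

// One switch for the whole client, read from the environment rather than per call site.
function loggingEnabled(env = process.env) {
  return env.DEBUG_REQUEST_LOGGING === "true";
}

// rp is the request function (request-promise style); callers always receive the full response.
async function nativeRequestWithOptionalLog(rp, uri, opts = {}, env = process.env, log = console.log) {
  const params = Object.assign({ method: "GET", uri, json: true, gzip: true, resolveWithFullResponse: true }, opts);
  try {
    const response = await rp(params);
    if (loggingEnabled(env)) log("request-log", buildLogRecord(uri, params, response));
    return response; // identical shape whether or not logging is on
  } catch (e) {
    if (loggingEnabled(env) && e.response) log("request-error", buildLogRecord(uri, params, e.response));
    throw e; // error propagation is unchanged by logging
  }
}
```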
