fix: keep user state consistent after login and profile save

[omsherikar]

Merge partial API user payloads in updateUser. Hydrate session from /api/auth/me after login so GitHub and other fields match a full page load.

Summary by CodeRabbit

Release Notes

• Bug Fixes
  • Improved authentication reliability by ensuring the login process completes before proceeding with post-login operations.
  • Enhanced OAuth callback handling to properly verify user credentials during the authentication flow.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
refactron	Ready	Preview, Comment	Mar 28, 2026 9:07pm

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 881f7d8.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

This PR converts the login function from synchronous to async, adds token verification via a backend /api/auth/me call, and updates callers to await the async operation. The implementation stores the token in localStorage and attempts verification before falling back to provided user data.

Changes

Cohort / File(s)	Summary
Authentication consumers src/components/LoginForm.tsx, src/components/OAuthCallback.tsx	Both components now await the login() call to handle it as an async operation, ensuring the authentication flow completes before subsequent redirect logic executes.
Authentication hook src/hooks/useAuth.tsx	login() is now async and performs token verification: stores the provided token in localStorage, makes a GET /api/auth/me request with the token, and updates user data from the response if successful; falls back to the provided user data on verification failure.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: implement dashboard redesign, organization dropdown, and profil… #79: Introduced the initial useAuth/login wiring and authentication context structure that this PR modifies.
• fix: update auth state before redirecting in OAuthCallback to prevent… #85: Also modifies OAuthCallback to invoke auth login before redirect, with overlapping changes.
• feat: auth persistence, flash fix, and dashboard UI refinements #86: Modifies the same authentication files (useAuth.tsx and LoginForm.tsx) with related control flow updates.

Suggested labels

type:refactor

Poem

🐰 A token stored, now verified true,
Awaiting flows that see us through,
Backend whispers 'who are you?'
User hydrated, fresh and new! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: keep user state consistent after login and profile save' directly aligns with the main objective of ensuring user state consistency after authentication flows by hydrating session data from /api/auth/me.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/frontend-improvements

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

👋 Thanks for opening this pull request! A maintainer will review it soon. Please make sure all CI checks pass.

[Copilot]

Pull request overview

This PR aims to keep client-side auth/user state consistent after login and profile-related updates by ensuring the app hydrates a complete user object (matching what a full page load would produce).

Changes:

• Make login async and hydrate the user from GET /api/auth/me after storing the access token.
• Update login call sites (password login + OAuth callback) to await login(...) so hydration completes before continuing UI flow.
• Ensure updateUser merges user payloads (per PR intent) to prevent partial responses from overwriting existing user fields.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
src/hooks/useAuth.tsx	Makes login async and hydrates user state from /api/auth/me; updates auth context typing accordingly.
src/components/OAuthCallback.tsx	Awaits login after OAuth callback so auth state is hydrated before redirect flow continues.
src/components/LoginForm.tsx	Awaits login after password login to keep auth state consistent before subsequent navigation logic.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

handleOAuthCallback is typed to return data?: any (see src/utils/oauth.ts), so result.data can exist without accessToken and user. Calling login(result.data.accessToken, result.data.user) in that case can store the string "undefined" in localStorage and set an invalid auth state. Add explicit runtime validation for accessToken and user (and treat missing fields as an error) before calling login.