Conversation
feat: Add GitHub Actions workflow to prevent merging to main from non…
- Created comprehensive frontend design documentation for the Digital Paper Note application. - Established a color palette and typography guidelines. - Implemented a feature-based architecture for scalability. - Developed authentication components including Login and Register forms. - Integrated form validation using Zod and React Hook Form. - Set up API service for authentication with error handling. - Added reusable UI components (Button, Card, Input, etc.) with Tailwind CSS styling. - Configured shadcn/ui for consistent design across components. - Documented implementation tasks and architecture rules for future developers.
…, and error handling with dedicated pages and components.
- Created error parsing utility to extract field-specific and general errors from backend API responses. - Enhanced LoginForm and RegisterForm components with improved error handling, loading states, and animations. - Updated global styling with deeper yellow color and added smooth animations for better UI/UX. - Improved layout and typography for authentication pages, ensuring a polished note-taking aesthetic. - All changes verified with comprehensive testing scenarios to ensure functionality and responsiveness.
…tion and UI styling
feat/fe/auth-page
Co-authored-by: qodo-code-review[bot] <151058649+qodo-code-review[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
…he UI. Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Feat/fe/auth page
- Add yellow-first color tokens to globals.css - Create 5 section components with professional dark theme design: - HeroSection: Gradient background, amber accents, rounded CTAs - ValuePropsSection: 3 key benefits with slate-900 icon boxes - UseCaseCardsSection: Wallet/PiggyBank/Debt cards with hover effects - WorkflowSection: 4-step process with connected circles - CTAFooterSection: Gradient CTA button with footer links - Implement responsive design (mobile-first) - Add Playwright E2E test infrastructure - Update metadata and accessibility focus states - Vietnamese content throughout Design: Dark slate/navy theme with amber accents Closes: homepage-prelogin-vang-xanh plan
- Restyle HeroSection with rounded top nav + two-column layout - Update all content sections (ValueProps, UseCases, Workflow, CTA) - Apply login-consistent palette: #FFFBEB, #FFFEF5, #F0D25D, #E8CB50 - Convert all homepage copy to English - Update Playwright smoke tests - Add documentation updates to docs/plan and docs/done Closes: homepage-reference-sync-login-yellow plan
- Added TrustLogos and Testimonials components to the homepage for improved social proof. - Redesigned CTA Footer Section with new layout, contact information, and a contact form. - Updated HeroSection with new branding and messaging for clarity and engagement. - Revamped UseCaseCardsSection and ValuePropsSection with concise descriptions and improved messaging. - Overhauled WorkflowSection to present features in a more interactive and visually appealing manner. - Introduced TrustAndTestimonials component to encapsulate trust elements and user testimonials.
…dTestimonials components
- Updated the TransferForm component to include an optional note field for transfers. - Modified the CreateTransferRequest type to accommodate the new note field. - Adjusted the UI to reflect that the note field is optional, changing the placeholder text and label accordingly. - Ensured the note is sent as null if not provided during the transfer process.
…-select default wallet and partner
…log, DebtInfoCard, DeleteTransactionDialog, EditTransactionDialog, NoteCard, TransferDetailsCard, and WalletInfoCard
- Implemented components for wallet details, including WalletHeader, WalletOverviewCard, ChildWalletList, and WalletDialogs. - Created WalletsPage components such as WalletsStats, WalletSearchSort, ParentWalletCard, and EmptyState for better wallet organization and management. - Added functionality for creating, editing, and deleting wallets with appropriate dialogs. - Introduced new input fields for amount and notes in transfer forms. - Enhanced user experience with loading states and conditional rendering based on wallet data.
- Created development setup guide in development.md - Added favicon.svg for branding - Documented frontend architecture in frontend/structure.md - Introduced introduction.md for project overview - Added mint.json for documentation configuration - Created OpenAPI specification in openapi.json - Documented PostgreSQL naming conventions in postgres-rename-inventory.md - Added public assets including favicon and logo SVGs
Feat/fe/quick debt page
Refactor/page ux UI
…o prevent prerender errors
Feat/mobile responsive and deploy
CodeRabbit: Review skipped. Too many files! This PR contains 294 files, which is 144 over the limit of 150.
Run configuration: defaults. Review profile: CHILL. Plan: Pro.
Files ignored due to path filters (6). Files selected for processing (294).
Review Summary by Qodo
V1.0.0 Release - Complete Debt Tracking Application with Backend API and Frontend Integration
Walkthrough
Description
• **Complete backend API implementation** for debt tracking application with full CRUD operations for wallets, debt partners, and transactions
• **Database schema migration to snake_case naming convention** with PostgreSQL compatibility and new audit fields for transaction tracking
• **US-03 Quick Deduct feature** with hybrid debt-tagging supporting two payer modes (ToiTra/PartnerTra) and automatic debt notification
• **US-04 Debt notification system** with balance tracking and direction indicators (PartnerOwesUser/UserOwesPartner/Settled)
• **Transaction management** with update/delete handlers including partner balance rollback and month-based locking policy
• **Internal wallet transfer system** with automatic paired transaction generation and audit trail linking
• **User profile and preferences management** with default wallet/partner selection
• **Monthly statistics dashboard** with expense, income, and debt metrics calculation
• **Comprehensive validation pipeline** with FluentValidation and MediatR pipeline behavior integration
• **Frontend API clients and hooks** for transaction history, wallets, debt partners, and transfers with pagination and filtering
• **Error handling improvements** including NotFoundException and InvalidOperationException support in global exception handler
• **CORS configuration** for React frontend with auto-migration support for Development/Staging environments
• **Multiple file formatting normalization** (CRLF to LF line endings) across backend codebase
Diagram
```mermaid
flowchart LR
A["Database Schema<br/>snake_case migration"] --> B["Transaction Entity<br/>with audit fields"]
B --> C["Quick Deduct Handler<br/>US-03 feature"]
C --> D["Debt Notification<br/>US-04 response"]
D --> E["Transaction API<br/>Controller"]
E --> F["Frontend API Client<br/>with pagination"]
F --> G["History Hook<br/>with filtering"]
H["Wallet Management<br/>CRUD operations"] --> E
I["Debt Partner CRUD<br/>with soft delete"] --> E
J["Transfer System<br/>paired transactions"] --> E
K["User Preferences<br/>default wallet/partner"] --> E
L["Month Lock Policy<br/>Vietnam timezone"] --> E
M["Validation Pipeline<br/>MediatR behavior"] --> C
M --> H
M --> I
N["Global Exception Handler<br/>NotFoundException"] --> E
```
File Changes
1. backend/src/Persistence/Migrations/20260214192826_ConvertToSnakeCaseAndRenameBalance.cs
Code Review by Qodo
1. JWT expiry mismatch
| return new LoginResponse | ||
| { | ||
| Token = token, | ||
| Expiration = DateTime.UtcNow.AddHours(24) | ||
| }; |
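Review bot: `Expiration = DateTime.UtcNow.AddHours(24)` is computed in the handler from a second `UtcNow` read, independent of whatever lifetime `TokenGenerator` wrote into the `exp` claim, so the two values can only agree by accident. Have the generator return the expiry it actually signed alongside the token (or read `exp` back from the issued token) and populate `LoginResponse.Expiration` from that single value; since `exp` is a whole-second NumericDate, round the returned instant down to the second so the two stay identical.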
1. Jwt expiry mismatch 🐞 Bug ✓ Correctness
LoginCommandHandler returns an Expiration timestamp of now+24h, but the JWT exp claim is generated from Jwt:ExpirationMinutes (60 by default). Clients relying on the Expiration field will keep using an already-expired token and hit unexpected 401s.
Agent Prompt
## Issue description
`LoginResponse.Expiration` is set to `UtcNow+24h`, but JWT `exp` is set to `UtcNow+ExpirationMinutes`. This mismatch causes clients to treat expired JWTs as still valid.
## Issue Context
JWT expiry is determined in `TokenGenerator` using `Jwt:ExpirationMinutes`.
## Fix Focus Areas
- backend/src/Application/Features/Auth/Login/LoginCommandHandler.cs[34-40]
- backend/src/Application/Common/Security/TokenGenerator.cs[31-37]
- backend/src/API/appsettings.json[15-20]
## Suggested fix
Derive `LoginResponse.Expiration` from the same configured expiration minutes (or remove the field and let clients parse `exp`).
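One way to close this gap, shown here as an added example rather than code from this PR: compute the expiry once inside the generator and return it with the token, so the `exp` claim and the `Expiration` field cannot drift apart. `JwtOptions`, `IssuedToken` and the `Generate(Guid, string)` signature are assumed names for illustration; the project's own `TokenGenerator` and `LoginCommandHandler` are not reproduced here.

```csharp
// Added example, not the project's code. Assumes the Microsoft.IdentityModel.Tokens and
// System.IdentityModel.Tokens.Jwt packages are referenced, as an ASP.NET Core JWT setup would.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Assumed option shape, mirroring the "Jwt" section of appsettings.json on this page.
public sealed class JwtOptions
{
    public string Secret { get; init; } = "";
    public string Issuer { get; init; } = "";
    public string Audience { get; init; } = "";
    public int ExpirationMinutes { get; init; } = 60;
}

// The token and the instant it stops being valid travel together.
public sealed record IssuedToken(string Token, DateTime ExpiresAtUtc);

public sealed class TokenGenerator
{
    private readonly JwtOptions _options;

    public TokenGenerator(JwtOptions options) => _options = options;

    public IssuedToken Generate(Guid userId, string email)
    {
        // Single source of truth for the lifetime. The exp claim is a whole-second
        // NumericDate, so truncate to seconds here; the value returned to the client
        // is then exactly what the token carries.
        var expiresAt = DateTime.UtcNow.AddMinutes(_options.ExpirationMinutes);
        expiresAt = new DateTime(
            expiresAt.Ticks - expiresAt.Ticks % TimeSpan.TicksPerSecond, DateTimeKind.Utc);

        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_options.Secret));
        var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

        var token = new JwtSecurityToken(
            issuer: _options.Issuer,
            audience: _options.Audience,
            claims: new[]
            {
                new Claim(JwtRegisteredClaimNames.Sub, userId.ToString()),
                new Claim(JwtRegisteredClaimNames.Email, email),
            },
            expires: expiresAt,
            signingCredentials: credentials);

        return new IssuedToken(new JwtSecurityTokenHandler().WriteToken(token), expiresAt);
    }
}

// Assumed call site in the login handler, replacing the separate AddHours(24):
//   var issued = _tokenGenerator.Generate(user.Id, user.Email);
//   return new LoginResponse { Token = issued.Token, Expiration = issued.ExpiresAtUtc };
```

With this shape, changing `Jwt:ExpirationMinutes` in configuration changes both the signed `exp` and the advertised `Expiration` in one place, and a test can assert that the `exp` parsed back from `Token` equals `ExpiresAtUtc` to the second.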
| "Jwt": { | ||
| "Secret": "your-super-secret-key-change-this-in-production-min-32-chars!", | ||
| "Issuer": "MA6Debt", | ||
| "Audience": "MA6DebtUsers", | ||
| "ExpirationMinutes": 60 |
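Review bot: the `Secret` value here is a usable HS256 key that describes its own status (`change-this-in-production`), so every environment that loads this file without an override signs and verifies tokens with a key published in the repository. Leave `Secret` empty in the committed `appsettings.json`, put development values in `appsettings.Development.json` or user secrets, and have startup refuse to run when `Jwt:Secret` is empty or still equals this exact string, since the non-empty check the review describes would accept the placeholder unchanged.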
2. Hardcoded jwt secret 🐞 Bug ⛨ Security
The repository contains a concrete JWT signing secret in backend appsettings.json, and docker-compose does not override it for the Production container. Deployments that use this config allow anyone with repo access to forge tokens and bypass authentication.
Agent Prompt
## Issue description
A JWT signing secret is committed in `appsettings.json` and is used by default in Docker production runs, enabling token forgery.
## Issue Context
`Program.cs` reads `Jwt:Secret` and only validates it's non-empty.
## Fix Focus Areas
- backend/src/API/appsettings.json[15-20]
- backend/src/API/Program.cs[47-56]
- docker-compose.yml[33-49]
## Suggested fix
- Remove the concrete secret from `appsettings.json` (use a placeholder or omit it).
- Require `Jwt__Secret` via environment variables/secret manager in Production (optionally fail fast if it matches a known placeholder).
- Set `Jwt__Secret` in deployment configuration (not committed).
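A startup guard that makes the suggested fail-fast concrete, added here as an illustration and not taken from the project's `Program.cs`. `JwtSecretGuard.Require` is an assumed helper; the placeholder string is the value visible in the reviewed `appsettings.json`, and the 32-byte floor follows the `min-32-chars` hint embedded in that value.

```csharp
// Added example, not the project's code. Refuses to start when the JWT secret is absent,
// is still the committed placeholder, or is too short for HMAC-SHA256.
using System;
using System.Text;
using Microsoft.Extensions.Configuration;

public static class JwtSecretGuard
{
    // The exact value committed in the reviewed appsettings.json; anyone with repo
    // access can mint tokens that verify against it.
    private const string CommittedPlaceholder =
        "your-super-secret-key-change-this-in-production-min-32-chars!";

    // 256 bits, the natural floor for an HS256 key (assumed policy, matching "min-32-chars").
    private const int MinSecretBytes = 32;

    public static string Require(IConfiguration configuration)
    {
        // Expected to arrive as the Jwt__Secret environment variable or from a secret
        // store; the committed appsettings.json should carry no real value for this key.
        var secret = configuration["Jwt:Secret"];

        if (string.IsNullOrWhiteSpace(secret))
            throw new InvalidOperationException(
                "Jwt:Secret is not configured. Set Jwt__Secret in the environment or a secret store.");

        if (string.Equals(secret, CommittedPlaceholder, StringComparison.Ordinal))
            throw new InvalidOperationException(
                "Jwt:Secret is still the committed placeholder; tokens forged with it would be accepted.");

        if (Encoding.UTF8.GetByteCount(secret) < MinSecretBytes)
            throw new InvalidOperationException(
                $"Jwt:Secret must be at least {MinSecretBytes} bytes for HS256.");

        return secret;
    }
}

// Assumed wiring in Program.cs, before the authentication services are registered:
//   var jwtSecret = JwtSecretGuard.Require(builder.Configuration);
//   var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSecret));
```

Throwing from startup is deliberate: a container that exits immediately with this message is far easier to notice in a deployment than one that silently accepts tokens signed with a key anyone can read from the repository. The environment variable name `Jwt__Secret` is the standard ASP.NET Core double-underscore mapping for the `Jwt:Secret` key, so no extra binding code is needed in docker-compose.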
| else if (exception is InvalidOperationException invalidOperationException) | ||
| { | ||
| _logger.LogError(exception, "An unhandled exception has occurred."); | ||
| _logger.LogWarning("Business rule violation: {Message}", invalidOperationException.Message); | ||
|
|
||
| httpContext.Response.StatusCode = StatusCodes.Status500InternalServerError; | ||
| httpContext.Response.StatusCode = StatusCodes.Status400BadRequest; | ||
|
|
||
| var response = new ValidationErrorResponse | ||
| { | ||
| Type = "https://tools.ietf.org/html/rfc7231#section-6.6.1", | ||
| Title = "Internal Server Error", | ||
| Status = StatusCodes.Status500InternalServerError, | ||
| Type = "https://tools.ietf.org/html/rfc7231#section-6.5.1", | ||
| Title = "Bad Request", | ||
| Status = StatusCodes.Status400BadRequest, | ||
| Errors = new Dictionary<string, string[]> | ||
| { | ||
| { "InternalServerError", new string[] { "An error occurred while processing your request." } } | ||
| { "BusinessRule", new string[] { invalidOperationException.Message } } | ||
| } | ||
| }; | ||
|
|
||
| await httpContext.Response.WriteAsJsonAsync(response, cancellationToken); | ||
| return true; |
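Review bot: keying the 400 branch on `exception is InvalidOperationException` catches far more than business rules: the BCL and EF Core raise `InvalidOperationException` for internal failures (a LINQ `Single()` with no match, a disposed `DbContext`, a misconfigured model), and this hunk would answer those with `400 Bad Request` and `invalidOperationException.Message` copied verbatim into the `"BusinessRule"` entry. Define a dedicated exception type for business-rule violations, raised only by the handlers that mean it, match on that type here with a fixed client-safe message per rule, and keep plain `InvalidOperationException` on the generic 500 path whose `"An error occurred while processing your request."` text is visible in the same hunk.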
3. Exception message disclosure 🐞 Bug ⛨ Security
GlobalExceptionHandler returns InvalidOperationException.Message to the client in a 400 response. This exposes internal business logic/diagnostics in API responses and makes it easier to reverse-engineer server behavior.
Agent Prompt
## Issue description
`InvalidOperationException.Message` is returned to clients, disclosing internal implementation details.
## Issue Context
Handlers use `InvalidOperationException` for business rules and internal invariants.
## Fix Focus Areas
- backend/src/API/Middleware/GlobalExceptionHandler.cs[89-107]
## Suggested fix
Return a generic client-safe message (and optionally a stable error code), while logging the detailed exception message server-side.
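A handler shape that keeps the detail server-side, added as an example and not the project's `GlobalExceptionHandler`. `BusinessRuleException`, the `MONTH_LOCKED` and `INSUFFICIENT_BALANCE` codes and their client-facing texts are assumed for illustration; the `type`/`title`/`status`/`errors` fields mirror the response shape visible in the hunk, and `IExceptionHandler` is the ASP.NET Core 8 interface the original `TryHandleAsync`-style code appears to implement.

```csharp
// Added example, not the project's code. Business-rule failures become a 400 with a stable
// code and a fixed message; the exception's own text is logged and never sent to the client.
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

// Assumed domain exception: raised only by handlers that are reporting a rule violation,
// so framework InvalidOperationExceptions never take the 400 path.
public sealed class BusinessRuleException : Exception
{
    public string Code { get; }
    public BusinessRuleException(string code, string detail) : base(detail) => Code = code;
}

public sealed class SafeExceptionHandler : IExceptionHandler
{
    private readonly ILogger<SafeExceptionHandler> _logger;

    public SafeExceptionHandler(ILogger<SafeExceptionHandler> logger) => _logger = logger;

    // Client-facing text is fixed per code (assumed rules for illustration).
    private static readonly Dictionary<string, string> ClientMessages = new()
    {
        ["MONTH_LOCKED"] = "This period is closed and cannot be modified.",
        ["INSUFFICIENT_BALANCE"] = "The wallet balance is not sufficient for this operation.",
    };

    public async ValueTask<bool> TryHandleAsync(
        HttpContext httpContext, Exception exception, CancellationToken cancellationToken)
    {
        if (exception is not BusinessRuleException rule)
        {
            // Everything else, including InvalidOperationException thrown by the runtime
            // or EF Core, stays a generic 500 with no internal detail.
            _logger.LogError(exception, "An unhandled exception has occurred.");
            httpContext.Response.StatusCode = StatusCodes.Status500InternalServerError;
            await httpContext.Response.WriteAsJsonAsync(new
            {
                type = "https://tools.ietf.org/html/rfc7231#section-6.6.1",
                title = "Internal Server Error",
                status = StatusCodes.Status500InternalServerError,
                errors = new Dictionary<string, string[]>
                {
                    ["InternalServerError"] = new[] { "An error occurred while processing your request." }
                }
            }, cancellationToken);
            return true;
        }

        // The detail goes to the log, where operators can read it; the client gets the code.
        _logger.LogWarning("Business rule {Code} violated: {Detail}", rule.Code, rule.Message);

        var message = ClientMessages.TryGetValue(rule.Code, out var text)
            ? text
            : "The request violates a business rule.";

        httpContext.Response.StatusCode = StatusCodes.Status400BadRequest;
        await httpContext.Response.WriteAsJsonAsync(new
        {
            type = "https://tools.ietf.org/html/rfc7231#section-6.5.1",
            title = "Bad Request",
            status = StatusCodes.Status400BadRequest,
            errors = new Dictionary<string, string[]> { [rule.Code] = new[] { message } }
        }, cancellationToken);
        return true;
    }
}
```

Register it with `builder.Services.AddExceptionHandler<SafeExceptionHandler>()` and `app.UseExceptionHandler()`. The stable code is what the frontend's error-parsing utility should key on; the message text can then be changed or localized server-side without the client ever seeing internal invariants such as entity names or state-machine details.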
V1.0.0, let's go