fix: production CORS 401, guarded bindSupabase, prod WISP_SECRET#62
Conversation
- Add CORS headers to 401 response in /ingest so browser shows real error instead of CORS failure - Guard bindSupabase in try/catch so it doesn't crash when wisp isn't initialized (e.g. VITE_CONVEX_URL not set) - Set WISP_SECRET on production convex deployment precious-crocodile-678 - Deployed backend code to production deployment
|
@Coder-soft is attempting to deploy a commit to the yamura3's projects Team on Vercel. A member of the Team first needs to authorize it. |
|
Warning Review limit reached
Next review available in: 50 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThis PR contains two independent small fixes: the ingest HTTP endpoint's unauthorized response now includes CORS headers, and the AuthProvider component wraps its Wisp/Supabase analytics binding in a try/catch to fail gracefully when Wisp isn't initialized. ChangesIngest Endpoint CORS Fix
AuthProvider Wisp Binding Safety
Estimated code review effort: 1 (Trivial) | ~5 minutes Poem
🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
| } catch { | ||
| // wisp not initialized — skip analytics identity binding |
There was a problem hiding this comment.
Silent catch masks real
bindSupabase errors
The empty catch block swallows any error thrown by bindSupabase, not just the "wisp not initialized" case. If the library is initialized but throws for a different reason (e.g., incompatible Supabase client version, internal assertion), the failure would disappear silently with no way to diagnose it. At minimum, logging the caught error as a warning preserves observability without breaking the fallback behaviour.
| "Access-Control-Allow-Origin": "*", | ||
| "Access-Control-Allow-Methods": "POST, OPTIONS", | ||
| "Access-Control-Allow-Headers": "Content-Type, x-wisp-token", |
There was a problem hiding this comment.
Redundant CORS response headers on the 401 reply
Access-Control-Allow-Methods and Access-Control-Allow-Headers are only inspected by browsers on preflight (OPTIONS) responses; they have no effect on the actual POST 401 reply. Only Access-Control-Allow-Origin is needed here to let the browser read the response body. The extra headers are harmless, but they're dead weight on every unauthorized request.
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
There was a problem hiding this comment.
🧹 Nitpick comments (1)
src/providers/AuthProvider.tsx (1)
13-19: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueLGTM — correctly guards bindSupabase and keeps cleanup safe.
The no-op default combined with try/catch cleanly avoids crashing when Wisp isn't initialized, and
unsubscribeWisp()in cleanup is always safe to call.One optional nit: the catch swallows all errors, not just "Wisp not initialized" ones. A
console.warnwould help distinguish an expected skip from an unexpected failure inbindSupabaseitself.♻️ Optional: log the caught error
try { unsubscribeWisp = bindSupabase(supabase); - } catch { - // wisp not initialized — skip analytics identity binding + } catch (e) { + // wisp not initialized — skip analytics identity binding + console.warn('Wisp bindSupabase skipped:', e); }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/providers/AuthProvider.tsx` around lines 13 - 19, The try/catch around bindSupabase in AuthProvider is swallowing all failures without any visibility, so update the catch block to log the caught error with a warning before falling back to the no-op unsubscribeWisp. Keep the existing safe cleanup behavior, but make the message in AuthProvider clearly distinguish an expected Wisp-not-initialized skip from an unexpected bindSupabase failure.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@src/providers/AuthProvider.tsx`:
- Around line 13-19: The try/catch around bindSupabase in AuthProvider is
swallowing all failures without any visibility, so update the catch block to log
the caught error with a warning before falling back to the no-op
unsubscribeWisp. Keep the existing safe cleanup behavior, but make the message
in AuthProvider clearly distinguish an expected Wisp-not-initialized skip from
an unexpected bindSupabase failure.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 0adbfbfe-0a4d-4804-98be-4d9dacf6d085
📒 Files selected for processing (2)
convex/http.tssrc/providers/AuthProvider.tsx
- Add by_machine_type_time composite index on events (machineId, type, timestamp) - getMachineStats now uses the composite index for both error and pageview queries, removing the .filter() post-scan
Summary by CodeRabbit
/ingestendpoint’s unauthorized response so it now includes CORS headers, helping clients handle failed requests more consistently.