Add playbook persistence, nudges, and dashboard#4
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| export default async function PlaybookPage({ | ||
| searchParams | ||
| }: { | ||
| searchParams?: { userId?: string }; | ||
| }) { | ||
| const userId = searchParams?.userId ?? fallbackUserId; | ||
|
|
||
| const preference = await prisma.userPreference.findUnique({ | ||
| where: { userId }, | ||
| include: { |
There was a problem hiding this comment.
The page pulls userId straight from searchParams and uses it to load preferences and saved articles. Because there is no authentication or verification, any visitor can hit /playbook?userId=<someone> and retrieve another user’s saved items and opt‑in state, and the value is forwarded to client components where it is later used for mutations. The user identifier should come from the authenticated session (or the query string should be ignored) to avoid leaking account data.
Useful? React with 👍 / 👎.
| export const updateDeliveryOptIns = async (userId: string, payload: OptInPayload) => { | ||
| await prisma.userPreference.update({ | ||
| where: { userId }, | ||
| data: payload | ||
| }); |
There was a problem hiding this comment.
Both server actions accept a userId argument from the client and use it directly in Prisma updates. A malicious caller can invoke these actions with someone else’s ID (e.g. via ?userId= on the dashboard) and change their delivery opt‑ins or saved articles without any ownership check. Instead, derive the user ID from the authenticated request context before running the mutation, or validate that the supplied ID belongs to the current user.
Useful? React with 👍 / 👎.
| export async function GET(request: Request) { | ||
| const { searchParams } = new URL(request.url); | ||
| const userId = searchParams.get('userId'); | ||
|
|
||
| const nudges = await prisma.nudge.findMany({ | ||
| where: userId | ||
| ? { | ||
| preference: { | ||
| userId | ||
| } | ||
| } | ||
| : undefined, | ||
| orderBy: { createdAt: 'desc' }, | ||
| take: 25 | ||
| }); |
There was a problem hiding this comment.
The GET handler executes prisma.nudge.findMany with where: undefined whenever no userId query parameter is provided, returning the latest 25 nudges across every user. Because the route has no authentication, any caller can enumerate other users’ notifications. The handler should reject requests without a user identifier and ensure the identifier belongs to the authenticated user before returning data.
Useful? React with 👍 / 👎.
1 participant
Summary
Testing
https://chatgpt.com/codex/tasks/task_e_690bf5719b10832dad6051a056afa5a2