
fix: enhance error handling and user feedback in authentication flow #214

Merged: Saterz merged 1 commit into main from fix/handle-auth-errors, Jun 29, 2026

Conversation

Saterz (Member) commented Jun 29, 2026

Why:

Errors in +server.ts show the default SvelteKit error screen, which is not good UX; users cannot easily return to the homepage.
Also, when auth-related errors were given in the URL parameters, they were not shown to users, but they could contain important information on the issue and how to fix it.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

What's being changed (if available, include any code snippets, screenshots, or gifs):

  • Made errors occurring in /auth/callback and /auth/confirm redirect to the homescreen and show a toast message.

Checklist:

  • I have performed a self-review of my own code
  • This change requires a documentation update
  • I have performed a self-review of my code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • New and existing unit tests pass locally with my changes
  • The changes were made with the help of, or by, an LLM

Summary by CodeRabbit

  • New Features

    • Added toast notifications for authentication success and error messages from the URL.
    • Improved sign-in and confirmation flows to show clearer feedback and redirect users appropriately.
  • Bug Fixes

    • Better handling for missing or invalid authentication codes.
    • More reliable profile verification after login, including clearer error handling when account setup or profile updates fail.
    • Successful confirmations now route users to the right destination more consistently.

netlify Bot commented Jun 29, 2026

Deploy Preview for cubeindex ready!

Latest commit: 3a2b7bf
Latest deploy log: https://app.netlify.com/projects/cubeindex/deploys/6a42b7c07c45550007f3cfef
Deploy Preview: https://deploy-preview-214--cubeindex.netlify.app

coderabbitai Bot commented Jun 29, 2026

Walkthrough

Auth callback and confirm endpoints now handle OAuth error query params, redirect with ?toast_error= on all failure paths (missing code, exchange failure, profile fetch/update errors), and the callback sets verified: true on non-onboarded profiles. The layout reads these toast params on page load, displays them, then cleans the URL.

Changes

Auth Error Redirects and URL-Driven Toast Notifications

URL-driven toast display in layout (src/routes/+layout.svelte):
Imports toast and consolidates navigation imports; reads toast_error/toast_success from page.url.searchParams, fires the corresponding toast, then removes the param via goto with replaceState. Toaster updated to use richColors.

Auth callback error handling and profile update (src/routes/(auth)/auth/callback/+server.ts):
GET handler now processes error/error_description OAuth params, redirects on missing code and exchange failures with toast params, fetches profile with redirect-on-error, and sets profiles.verified = true for non-onboarded users with redirect-on-failure.

Auth confirm error handling (src/routes/(auth)/auth/confirm/+server.ts):
GET handler destructures supabase/log from locals, adds OAuth error param handling, and converts all failure paths (missing code, exchange failure, profile retrieval, missing profile, profile update) from log-only to log-and-redirect with toast error params.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • cubeindex-project/CubeIndex#199: Modifies the same /auth/callback/+server.ts post-session profile/onboarding redirect logic that this PR further updates.

Suggested labels

bug

🐇 When OAuth goes wrong, don't just shrug and log,
Redirect with a toast through the auth fog!
A param in the URL, a message so bright,
Then goto sweeps clean — the URL's just right.
Verified profiles hop, the dashboard in sight! 🥕

Pre-merge checks: 5 passed

Title check: Passed. The title clearly summarizes the main auth-flow bug fix and user-feedback improvements.
Description check: Passed. The description matches the template with Why, type of change, changes made, and checklist mostly filled out.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In src/routes/(auth)/auth/callback/+server.ts:
- Around line 12-25: The redirect branches in the auth callback are being
blocked because `logError(...)` throws before `redirect(303, ...)` can run.
Update the `callback` handler in `src/routes/(auth)/auth/callback/+server.ts` to
use a non-throwing logging path for these error cases, or change the helper
contract before calling it here. Keep the existing `errorMessage` handling, but
ensure the flow can reach each `redirect(...)` after logging instead of
terminating inside `logError(...)`.

In src/routes/(auth)/auth/confirm/+server.ts:
- Around line 12-25: The confirm handler’s failure paths are still calling
logError(...) before redirect(303, ...), but logError is meant to log and then
throw, so the toast redirect never runs. Update the confirm flow in the
+server.ts handler to avoid using logError for branches that should continue
into a redirect, and instead log the error details separately (or otherwise
ensure no throw occurs) before the redirect. Apply the same control-flow fix
across the other failure branches in this handler so the new toast UX
consistently reaches the redirect path.

In src/routes/+layout.svelte:
- Around line 27-46: The toast handling in +layout.svelte is rendering free-form
query-param text from page.url directly through toast.error and toast.success,
which allows crafted links to inject arbitrary copy. Update the URL contract to
use an allowlisted toast code parameter instead of toast_error/toast_success,
then map that code to local message strings inside the layout before calling the
toast helpers. Keep removeToastParam and goto for clearing the query param, but
only after validating the code against the allowed set.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: e292f7b6-5621-4232-9ad7-a6d6f056828b

📥 Commits

Reviewing files that changed from the base of the PR and between a2af51a and 3a2b7bf.

📒 Files selected for processing (3)
  • src/routes/(auth)/auth/callback/+server.ts
  • src/routes/(auth)/auth/confirm/+server.ts
  • src/routes/+layout.svelte
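The two redirect comments above hinge on ordering: SvelteKit's `redirect()` signals a redirect by throwing, so a helper that logs and then throws its own error wins and the redirect never happens. The TypeScript below is an added illustration, not CubeIndex's code: `Redirect`, `HttpError`, `redirect`, `log` and `logError` are constructed stand-ins that mimic only the throwing shape of the real helpers, and `callbackBuggy`/`callbackFixed` are hypothetical versions of the missing-code branch of the callback handler.

```typescript
// Constructed stand-ins for SvelteKit's throw-based control flow (assumption:
// the real redirect() throws a Redirect object; these mimic only that shape).
class Redirect {
  constructor(public status: number, public location: string) {}
}
class HttpError {
  constructor(public status: number, public message: string) {}
}
function redirect(status: 301 | 302 | 303 | 307 | 308, location: string): never {
  throw new Redirect(status, location);
}

// Minimal logger that records what was logged so the outcome can be inspected.
const log = {
  entries: [] as string[],
  error(message: string): void {
    log.entries.push(message);
  },
};

// Helper in the shape the review describes: log, then throw a 500 error response.
// Declared as void so that code written after a call to it is not flagged as unreachable.
function logError(message: string): void {
  log.error(message);
  throw new HttpError(500, message);
}

// Hypothetical failure branch as the review says it is currently written:
// logError() throws before redirect() can run, so the user gets a 500, not a toast.
function callbackBuggy(code: string | null): void {
  if (!code) {
    logError("auth callback: missing code");
    redirect(303, "/?toast=auth_missing_code"); // never reached
  }
}

// Fixed branch: log without throwing, then let redirect() do the throwing.
function callbackFixed(code: string | null): void {
  if (!code) {
    log.error("auth callback: missing code");
    redirect(303, "/?toast=auth_missing_code");
  }
}

type Outcome =
  | { kind: "ok" }
  | { kind: "redirect"; location: string }
  | { kind: "error"; status: number };

// Run a handler the way a framework would and report which control-flow signal escaped.
function outcome(handler: (code: string | null) => void, code: string | null): Outcome {
  try {
    handler(code);
    return { kind: "ok" };
  } catch (e) {
    if (e instanceof Redirect) return { kind: "redirect", location: e.location };
    if (e instanceof HttpError) return { kind: "error", status: e.status };
    throw e;
  }
}

console.log("buggy:", outcome(callbackBuggy, null)); // { kind: "error", status: 500 }
console.log("fixed:", outcome(callbackFixed, null)); // { kind: "redirect", location: "/?toast=auth_missing_code" }
```

Both versions leave the same log entry; only the fixed one reaches the redirect, which is the whole point of the review comment.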

Comment on lines +27 to +46 of src/routes/+layout.svelte
const toastError = page.url.searchParams.get("toast_error");
const toastSuccess = page.url.searchParams.get("toast_success");

const removeToastParam = (newUrl: URL) =>
goto((newUrl.pathname + newUrl.search) as ResolvedPathname, {
replaceState: true,
keepFocus: true,
noScroll: true,
});

if (toastError) {
toast.error(toastError);
const newUrl = new URL(page.url);
newUrl.searchParams.delete("toast_error");
removeToastParam(newUrl);
} else if (toastSuccess) {
toast.success(toastSuccess);
const newUrl = new URL(page.url);
newUrl.searchParams.delete("toast_success");
removeToastParam(newUrl);
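Review bot: the `toast.error(toastError)` and `toast.success(toastSuccess)` calls display whatever string arrives in the query, so any link to the site can place arbitrary text in a first-party toast; read an allowlisted code instead (for example `toast=auth_exchange_failed`), map it to a local message before calling the toast helpers, and show nothing for an unknown code. A second point in the same region: because the branches are `if (toastError) ... else if (toastSuccess)`, when both parameters are present only `toast_error` is deleted before `removeToastParam(newUrl)`, leaving `toast_success` in the replaced URL; delete both keys in one pass.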

🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Don’t render raw toast text from query params.

This now lets any crafted link inject arbitrary success/error copy into a trusted site toast. Please switch the URL contract to an allowlisted toast code (for example toast=auth_exchange_failed) and map that code to local strings instead of displaying free-form query-param text. As per coding guidelines, "Validate all user inputs on both the client and server."

Source: Coding guidelines
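For the allowlist contract the comment recommends, here is an added example that is not CubeIndex's code: `TOAST_MESSAGES`, `isToastCode`, `toastRedirectTarget` and `resolveToast` are constructed names, the message strings are invented, and a single query key `toast` stands in for the PR's `toast_error`/`toast_success`. The server side can only emit a known code, and the client side resolves the code to local copy and strips the parameter whether or not the code was valid.

```typescript
// Constructed example of an allowlisted toast contract (not CubeIndex's code).
// The message text lives here, in the client bundle, and never travels in the URL.
const TOAST_MESSAGES = {
  auth_missing_code: { kind: "error", text: "Sign-in failed: no authorization code was returned." },
  auth_exchange_failed: { kind: "error", text: "Sign-in failed: the code could not be exchanged for a session." },
  auth_profile_failed: { kind: "error", text: "Signed in, but your profile could not be loaded." },
  auth_confirmed: { kind: "success", text: "Your email address has been confirmed." },
} as const;

type ToastCode = keyof typeof TOAST_MESSAGES;
type ToastKind = "error" | "success";
type Toast = { kind: ToastKind; text: string };

// Type guard: only keys of the allowlist are accepted; everything else is ignored.
function isToastCode(value: string | null): value is ToastCode {
  return value !== null && Object.prototype.hasOwnProperty.call(TOAST_MESSAGES, value);
}

// Server side: build the redirect target for redirect(303, ...). The parameter type
// makes it impossible to put anything but a known code into the URL.
function toastRedirectTarget(path: string, code: ToastCode): string {
  const params = new URLSearchParams({ toast: code });
  return `${path}?${params.toString()}`;
}

// Client side: read the code, resolve it locally, and return the cleaned URL that
// the layout should navigate to with replaceState. An unknown or absent code yields
// no toast, and the parameter is stripped either way so it cannot linger.
function resolveToast(url: URL): { toast: Toast | null; cleanedUrl: string } {
  const code = url.searchParams.get("toast");
  const toast: Toast | null = isToastCode(code) ? TOAST_MESSAGES[code] : null;
  const cleaned = new URL(url);
  cleaned.searchParams.delete("toast");
  return { toast, cleanedUrl: cleaned.pathname + cleaned.search };
}

// Constructed sample URLs: one legitimate, one carrying free-form text (ignored).
console.log(toastRedirectTarget("/", "auth_exchange_failed")); // /?toast=auth_exchange_failed
console.log(resolveToast(new URL("https://example.test/dashboard?toast=auth_confirmed&tab=2")));
console.log(resolveToast(new URL("https://example.test/?toast=You%20have%20been%20hacked")));
```

In the layout, `resolveToast(page.url)` would replace the two `searchParams.get` calls: pass the resolved `text` to `toast.error` or `toast.success` according to `kind`, and pass `cleanedUrl` to `goto(..., { replaceState: true })`. On the server, `redirect(303, toastRedirectTarget("/", "auth_exchange_failed"))` is then the only way a code reaches the URL, and any `error_description` received from the OAuth provider is logged rather than forwarded.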

@Saterz Saterz merged commit 48990c9 into main Jun 29, 2026
10 checks passed
@Saterz Saterz deleted the fix/handle-auth-errors branch June 29, 2026 18:50