Migrate worker.js to pkic.org routes#684
Conversation
There was a problem hiding this comment.
Code Review
This pull request ports the join-membership and sponsor-interest form submissions to the main repository, introducing a new POST endpoint at /api/v1/forms that handles rate limiting, origin validation, and files submissions as GitHub issues. The review feedback identifies two key issues: first, a scalability bottleneck and substring matching bug in checkEmailDomainInIssues which should be resolved by utilizing the GitHub Search API; second, a reliability issue where relying solely on the Referer header for validation and redirection can fail for privacy-conscious browsers, which can be mitigated by falling back to the Origin header and a default redirect URL.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
pkic-org | 36214cd | Commit Preview URL Branch Preview URL |
Jul 10 2026, 03:01 PM |
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request ports the membership and sponsor-interest form submission handling from a standalone Cloudflare Worker to the main repository, introducing a new /api/v1/forms API endpoint and updating the frontend forms to use it. The review feedback identifies several critical issues that need to be addressed: a content-type mismatch between the frontend forms and the backend validation that would cause all submissions to fail, potential runtime crashes due to unhandled Referer header parsing and missing defensive guards on the GitHub API response, fragile email domain extraction, and a search query injection vulnerability when querying the GitHub API.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request ports the membership and sponsor-interest form submission logic from a standalone Cloudflare Worker into the main repository, introducing a new POST /api/v1/forms endpoint and updating the corresponding HTML forms. Feedback focuses on improving robustness: first, by ensuring that missing or failing rate limiters (especially during local development) do not block form submissions, and second, by wrapping the GitHub Search API call in a try-catch block so that transient search failures or rate limits do not prevent users from submitting forms.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request ports the join-membership and sponsor-interest form submissions to a new API endpoint /api/v1/forms, which processes form data, enforces rate limits, and creates GitHub issues in the pkic/members repository. The code review feedback suggests several key improvements: adding the apex https://pkic.pages.dev domain to the allowed origins list, gracefully handling missing Referer headers to avoid blocking users, enforcing server-side validation for the required email field, and refining the email domain duplicate check with a regular expression to prevent false-positive matches.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request ports the membership and sponsor-interest form submissions from a standalone Cloudflare Worker to the main repository, routing submissions through a new POST /api/v1/forms endpoint and filing them as GitHub issues. Feedback on these changes suggests using the Bearer authentication scheme instead of token for GitHub API requests to support modern fine-grained personal access tokens, and lowercasing the Content-Type header value to ensure robust, case-insensitive validation.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request ports the membership and sponsor-interest form submission logic from a standalone Cloudflare Worker to the main repository, routing submissions through a new POST /api/v1/forms endpoint that files them as GitHub issues. Feedback is provided to make the parsing of the GitHub Search API response more robust by utilizing optional chaining when accessing nested properties on the search results.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
New files
functions/_lib/services/membership-form-submission.ts— the ported business logic: validates the payload, builds the GitHub issue body, runs the domain-duplicate check (skipped forSponsor interest, per our earlier decision), and POSTs to the GitHub API. Checksresponse.okand throws on failure (the old worker never checked this — silent GitHub failures used to report?status=successanyway). Deliberately never logs the request/response objects, since that's what leaked the token fromworker.jsearlier.functions/api/v1/forms.ts— the route: validates theRefererheader's origin against an allowlist (mirrors the existing pattern infunctions/api/v1/geo.ts) before ever using it as a redirect target — this closes an open-redirect gap the old worker had (it redirected to anyReferervalue with no validation). AppliesIP_RATE_LIMITER(already bound inwrangler.jsoncfor all envs, unused for this purpose until now) to throttle abuse. No GET handler — the debug endpoint is dropped, as agreed. Always resolves to a redirect (?status=success/?status=error), never a JSON error body, since it's a plain form POST, not a fetch call.Wired in
functions/api/v1/router.ts—app.post("/forms", FormsPost_l), so it lives at/api/v1/forms, already covered by the existingrun_worker_first: ["/api/*", ...]in all threewrangler.jsoncenvs — no routing config changes needed.functions/_lib/types.ts— addedGITHUB_TOKEN?: stringtoEnv.layouts/shortcodes/joinform.htmlandsponsorform.html—actionchanged fromhttps://pkic.org/formsto/api/v1/forms.Verified
types.ts,rate-limit.ts,request.ts,logging.ts) withtscusing this project's exacttsconfig.jsonflags (strict,noUnusedLocals,verbatimModuleSyntax, etc.) — clean, no errors.