Improvement design#104
Conversation
There was a problem hiding this comment.
Code Review
This pull request introduces significant infrastructure and UI updates, including the integration of a new design system, a new authentication flow using backend-issued JWTs, and the addition of the SynthScholar literature review tool. I have provided feedback regarding the security risks of passing tokens in URLs, the potential for session invalidation due to dynamic secret generation, and the maintainability concerns regarding the use of !important in CSS overrides. I also suggested a fix for a race condition in the SSE progress stream cleanup logic.
| onError?: (err: Error) => void, | ||
| ): Promise<() => void> { | ||
| const token = await getMlServiceToken(); | ||
| const url = `${API_BASE}/reviews/${reviewId}/stream?token=${encodeURIComponent(token)}`; |
There was a problem hiding this comment.
Passing sensitive authentication tokens as query parameters in a URL is a security risk. Tokens in URLs can be leaked through browser history, server logs, or Referer headers. While EventSource does not natively support custom headers, it is recommended to use a more secure approach, such as a short-lived one-time use token for establishing the SSE connection, or a library that polyfills header support for EventSource.
|
Important: Before merging this PR to main merge #105 PR. |
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
This PR adds the following features:
Previous


Current

