Skip to content

Improvement design#104

Open
tekrajchhetri wants to merge 45 commits into
mainfrom
improvement_design
Open

Improvement design#104
tekrajchhetri wants to merge 45 commits into
mainfrom
improvement_design

Conversation

@tekrajchhetri

Copy link
Copy Markdown
Collaborator

This PR adds the following features:

  1. Complete re-design of the site.

Previous
image
image

Current
image
image

  1. Provides admin dashboard with features such as configuring roles, permissions and page access.
image 3. User management.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces significant infrastructure and UI updates, including the integration of a new design system, a new authentication flow using backend-issued JWTs, and the addition of the SynthScholar literature review tool. I have provided feedback regarding the security risks of passing tokens in URLs, the potential for session invalidation due to dynamic secret generation, and the maintainability concerns regarding the use of !important in CSS overrides. I also suggested a fix for a race condition in the SSE progress stream cleanup logic.

Comment thread lib/auth.ts Outdated
Comment thread src/hooks/useSynthScholar.ts
onError?: (err: Error) => void,
): Promise<() => void> {
const token = await getMlServiceToken();
const url = `${API_BASE}/reviews/${reviewId}/stream?token=${encodeURIComponent(token)}`;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

Passing sensitive authentication tokens as query parameters in a URL is a security risk. Tokens in URLs can be leaked through browser history, server logs, or Referer headers. While EventSource does not natively support custom headers, it is recommended to use a more secure approach, such as a short-lived one-time use token for establishing the SSE connection, or a library that polyfills header support for EventSource.

Comment thread src/app/globals.css
@tekrajchhetri

Copy link
Copy Markdown
Collaborator Author

Important: Before merging this PR to main merge #105 PR.

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant