Skip to content

Replace Core UI server actions with Better Call API#261

Open
joshuasilva414 wants to merge 1 commit into
evofrom
hk-250-better-call-api
Open

Replace Core UI server actions with Better Call API#261
joshuasilva414 wants to merge 1 commit into
evofrom
hk-250-better-call-api

Conversation

@joshuasilva414

@joshuasilva414 joshuasilva414 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Note

High Risk
All Core UI mutations (roles, bans, RSVP, settings, check-in) now go through a new cookie-authenticated HTTP surface; integration apps must supply resolveSession and mount the route correctly or auth/CSRF behavior will break.

Overview
Core UI mutations move off Next Server Actions onto a centralized Better Call registry at /api/hackkit, with apps mounting a thin route adapter and wiring the browser through createHackkitUIActionsClient() from @hackkit/next/client.

@hackkit/next drops hackKitUIActions, actions.ts, and action-map.ts in favor of createHackkitApi, stable endpoint paths, toNextJsHandler, and a new ./client export. Runtime creation now requires resolveSession(headers) so API calls resolve Better Auth from request headers (separate from ambient getSession() used by RSC/guards). Endpoints still delegate to createHackKitMutations, with Zod validation, same-origin Origin checks on mutating requests, and HTTP 401/403/400 for auth, CSRF, and validation failures while preserving the { ok, message } UI contract for domain errors.

test-web deletes app-local _hackkit/server-actions and ui-action-map, adds app/api/hackkit/[...all]/route.ts, marks providers.tsx as a client component using the typed API client, and documents the new boundary. Tests shift from server-action parity to endpoint registry, API auth/origin behavior, client fetch, and the Next handler adapter.

Reviewed by Cursor Bugbot for commit 02efc3e. Configure here.

Co-authored-by: Cursor <cursoragent@cursor.com>
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a4634f8b-221f-4945-bfcb-8b6bf8e570e9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch hk-250-better-call-api

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@joshuasilva414 joshuasilva414 self-assigned this Jul 9, 2026

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 2 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 02efc3e. Configure here.

Comment thread packages/next/src/api.ts
const identity = options.auth.getIdentity(session);
const user = await options.hackkit.users.ensureUser({ authId, ...identity });
await options.afterCurrentUser?.(user, options.hackkit);
return authId;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mutations overwrite profile from session

High Severity

Each Core UI API call runs ensureUser with Better Auth session identity before invoking mutations. The previous Server Action path only resolved authId from the session. ensureUser updates existing users’ email, firstName, and lastName from that identity, so unrelated mutations can revert profile edits when session names differ from the database.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 02efc3e. Configure here.

Comment thread packages/next/src/api.ts
code: "CSRF_ORIGIN_MISMATCH",
message: "This request origin is not allowed.",
});
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Proxy breaks origin CSRF check

Medium Severity

The new cookie-mutation CSRF guard treats the browser Origin as allowed only when it matches new URL(request.url).origin (unless allowedApiOrigins is set). Behind a reverse proxy or misconfigured host, the request URL origin often differs from the public origin the browser sends, so authenticated Core UI POSTs can consistently return 403 even for same-site users.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 02efc3e. Configure here.

@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying hackkit with  Cloudflare Pages  Cloudflare Pages

Latest commit: 02efc3e
Status:🚫  Build failed.

View logs

@joshuasilva414

Copy link
Copy Markdown
Contributor Author

@MKorolyova @Rufat00 This is a potential change that could clean up some of the jank caused by server actions (by removing server actions). Basically, it removes server actions in favor of using better-call which gives us better-auth style rpc. It really cleans up the nextjs seam and I'm not sure we need to use server actions, so I'd like to know what y'all think

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant