Replace Core UI server actions with Better Call API#261
Conversation
Co-authored-by: Cursor <cursoragent@cursor.com>
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 02efc3e. Configure here.
| const identity = options.auth.getIdentity(session); | ||
| const user = await options.hackkit.users.ensureUser({ authId, ...identity }); | ||
| await options.afterCurrentUser?.(user, options.hackkit); | ||
| return authId; |
There was a problem hiding this comment.
Mutations overwrite profile from session
High Severity
Each Core UI API call runs ensureUser with Better Auth session identity before invoking mutations. The previous Server Action path only resolved authId from the session. ensureUser updates existing users’ email, firstName, and lastName from that identity, so unrelated mutations can revert profile edits when session names differ from the database.
Reviewed by Cursor Bugbot for commit 02efc3e. Configure here.
| code: "CSRF_ORIGIN_MISMATCH", | ||
| message: "This request origin is not allowed.", | ||
| }); | ||
| } |
There was a problem hiding this comment.
Proxy breaks origin CSRF check
Medium Severity
The new cookie-mutation CSRF guard treats the browser Origin as allowed only when it matches new URL(request.url).origin (unless allowedApiOrigins is set). Behind a reverse proxy or misconfigured host, the request URL origin often differs from the public origin the browser sends, so authenticated Core UI POSTs can consistently return 403 even for same-site users.
Reviewed by Cursor Bugbot for commit 02efc3e. Configure here.
|
@MKorolyova @Rufat00 This is a potential change that could clean up some of the jank caused by server actions (by removing server actions). Basically, it removes server actions in favor of using better-call which gives us better-auth style rpc. It really cleans up the nextjs seam and I'm not sure we need to use server actions, so I'd like to know what y'all think |


Note
High Risk
All Core UI mutations (roles, bans, RSVP, settings, check-in) now go through a new cookie-authenticated HTTP surface; integration apps must supply
resolveSessionand mount the route correctly or auth/CSRF behavior will break.Overview
Core UI mutations move off Next Server Actions onto a centralized Better Call registry at
/api/hackkit, with apps mounting a thin route adapter and wiring the browser throughcreateHackkitUIActionsClient()from@hackkit/next/client.@hackkit/nextdropshackKitUIActions,actions.ts, andaction-map.tsin favor ofcreateHackkitApi, stable endpoint paths,toNextJsHandler, and a new./clientexport. Runtime creation now requiresresolveSession(headers)so API calls resolve Better Auth from request headers (separate from ambientgetSession()used by RSC/guards). Endpoints still delegate tocreateHackKitMutations, with Zod validation, same-originOriginchecks on mutating requests, and HTTP 401/403/400 for auth, CSRF, and validation failures while preserving the{ ok, message }UI contract for domain errors.test-web deletes app-local
_hackkit/server-actionsandui-action-map, addsapp/api/hackkit/[...all]/route.ts, marksproviders.tsxas a client component using the typed API client, and documents the new boundary. Tests shift from server-action parity to endpoint registry, API auth/origin behavior, client fetch, and the Next handler adapter.Reviewed by Cursor Bugbot for commit 02efc3e. Configure here.