Fix project setup #1043

Open
Gerviba wants to merge 1 commit into staging from fix-project-setup
@Gerviba Gerviba commented Jun 27, 2026

Member

No description provided.

vercel Bot commented Jun 27, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| cmsch-cst | Ready | Preview, Comment | Jun 27, 2026 9:49pm |
| cmsch-felezobal | Ready | Preview, Comment | Jun 27, 2026 9:49pm |
| cmsch-golyakorte | Ready | Preview, Comment | Jun 27, 2026 9:49pm |
| cmsch-seniortabor | Ready | Preview, Comment | Jun 27, 2026 9:49pm |
| cmsch-skktv | Ready | Preview, Comment | Jun 27, 2026 9:49pm |
| cmsch-snyt | Ready | Preview, Comment | Jun 27, 2026 9:49pm |
| cmsch-vitorlaskupa | Ready | Preview, Comment | Jun 27, 2026 9:49pm |

coderabbitai Bot commented Jun 27, 2026

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend/entrypoint.sh`:
- Around line 15-35: The env-config generation in entrypoint.sh is splicing raw
environment values into quoted JavaScript literals, which can break
env-config.js or allow script injection. Update the env-config.js creation logic
to serialize the settings object as JSON rather than concatenating
shell-expanded strings, and keep the same keys from the current window.__env__
block so all existing VITE_* values are emitted safely.

In `@frontend/src/util/configs/environment.config.ts`:
- Line 5: The APP_CONFIG_CACHE_TTL_SECONDS assignment in environment.config.ts
exceeds the 140-character lint limit. Wrap the long Number(...) expression
across multiple lines by splitting the env.VITE_APP_CONFIG_CACHE_TTL_SECONDS
fallback chain into a readable multi-line form while keeping the same logic and
symbol name.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 83e2fb33-31e9-4385-8cb4-6102471b2f5f

📥 Commits

Reviewing files that changed from the base of the PR and between f4b0b49 and cc3548c.

📒 Files selected for processing (11)
  • backend/src/main/kotlin/hu/bme/sch/cmsch/addon/nova/NovaIntegrationController.kt
  • backend/src/main/kotlin/hu/bme/sch/cmsch/addon/nova/NovaIntegrationService.kt
  • backend/src/main/kotlin/hu/bme/sch/cmsch/component/location/LocationService.kt
  • backend/src/main/kotlin/hu/bme/sch/cmsch/repository/EntityPageDataSource.kt
  • backend/src/main/kotlin/hu/bme/sch/cmsch/repository/ManualRepository.kt
  • frontend/Dockerfile
  • frontend/entrypoint.sh
  • frontend/index.html
  • frontend/public/env-config.js
  • frontend/src/util/configs/environment.config.ts
  • frontend/src/vite-env.d.ts
💤 Files with no reviewable changes (2)
  • backend/src/main/kotlin/hu/bme/sch/cmsch/addon/nova/NovaIntegrationController.kt
  • backend/src/main/kotlin/hu/bme/sch/cmsch/addon/nova/NovaIntegrationService.kt

Comment thread frontend/entrypoint.sh
Comment on lines +15 to +35
cat > "$NGINX_HTML/env-config.js" <<EOF
window.__env__ = {
VITE_API_BASE_URL: "${VITE_API_BASE_URL:-http://localhost:8080}",
VITE_CLIENT_BASE_URL: "${VITE_CLIENT_BASE_URL:-http://localhost:3000}",
VITE_NAME: "${VITE_NAME:-CMSch Web}",
VITE_DESCRIPTION: "${VITE_DESCRIPTION:-CMSch Web}",
VITE_THEME_COLOR: "${VITE_THEME_COLOR:-#ffffff}",
VITE_DISABLE_APP_CONFIG_CACHE: "${VITE_DISABLE_APP_CONFIG_CACHE:-false}",
VITE_APP_CONFIG_CACHE_TTL_SECONDS: "${VITE_APP_CONFIG_CACHE_TTL_SECONDS:-600}",
VITE_PASS_SERVER_URL: "${VITE_PASS_SERVER_URL:-https://pass.kir-dev.hu}",
VITE_PASS_TEMPLATE: "${VITE_PASS_TEMPLATE:-generic}",
VITE_OFFICIAL_LANGUAGE: "${VITE_OFFICIAL_LANGUAGE:-false}",
VITE_NEW_RIDDLE_ENDPOINTS: "${VITE_NEW_RIDDLE_ENDPOINTS:-true}",
VITE_HIDE_KIR_DEV_IN_FOOTER: "${VITE_HIDE_KIR_DEV_IN_FOOTER:-false}",
VITE_PLAUSIBLE_URL: "${VITE_PLAUSIBLE_URL:-}",
VITE_FIREBASE_PROJECT_ID: "${VITE_FIREBASE_PROJECT_ID:-}",
VITE_FIREBASE_API_KEY: "${VITE_FIREBASE_API_KEY:-}",
VITE_FIREBASE_SENDER_ID: "${VITE_FIREBASE_SENDER_ID:-}",
VITE_FIREBASE_APP_ID: "${VITE_FIREBASE_APP_ID:-}",
VITE_FIREBASE_WEB_PUSH_PUBLIC_KEY: "${VITE_FIREBASE_WEB_PUSH_PUBLIC_KEY:-}"
};
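
Review bot: the here-document at lines 17-34 expands every `${VITE_*}` value directly between double quotes, so a value containing `"`, `\` or a line break yields an env-config.js that fails to parse or changes meaning for every client that loads it. Escape each value before it is written, or build the object with a JSON serializer and prefix the result with `window.__env__ = `. Every entry is also emitted as a string, including `VITE_APP_CONFIG_CACHE_TTL_SECONDS` ("600") and the true/false flags, so the code that reads `window.__env__` has to convert them explicitly.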

🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Escape runtime values before emitting env-config.js.

Lines 17-34 splice raw env vars into quoted JS literals. A value containing ", \, or a newline will break the file, and a hostile config value can become script injection for every client. Please serialize this object as JSON instead of hand-building JavaScript strings.

💡 Safer pattern
-RUN apk add --no-cache gettext
+RUN apk add --no-cache gettext jq
jq -n \
  --arg apiBaseUrl "${VITE_API_BASE_URL:-http://localhost:8080}" \
  --arg clientBaseUrl "${VITE_CLIENT_BASE_URL:-http://localhost:3000}" \
  '{
    VITE_API_BASE_URL: $apiBaseUrl,
    VITE_CLIENT_BASE_URL: $clientBaseUrl
    # ...repeat for the remaining keys...
  }' \
  | sed '1s/^/window.__env__ = /; $s/$/;/' > "$NGINX_HTML/env-config.js"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/entrypoint.sh` around lines 15 - 35, The env-config generation in
entrypoint.sh is splicing raw environment values into quoted JavaScript
literals, which can break env-config.js or allow script injection. Update the
env-config.js creation logic to serialize the settings object as JSON rather
than concatenating shell-expanded strings, and keep the same keys from the
current window.__env__ block so all existing VITE_* values are emitted safely.
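
A jq-free way to apply the escaping the review comment above asks for, as an added example that is neither the project's entrypoint.sh nor CodeRabbit's suggestion: `js_string` and `emit_env_config` are hypothetical helper names and the demo value is constructed. It escapes the characters that terminate or corrupt a double-quoted JavaScript literal (backslash, double quote, newline, carriage return) using only POSIX sh, sed and awk.

```sh
#!/bin/sh
# Added example: hypothetical helpers, not part of the project's entrypoint.sh.

# js_string VALUE: print VALUE as a double-quoted JavaScript string literal.
# Backslashes are escaped first so the escapes added afterwards stay intact.
js_string() {
  cr=$(printf '\r')
  printf '"'
  printf '%s\n' "$1" |
    sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e "s/$cr/\\\\r/g" |
    awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 }'
  printf '"'
}

# emit_env_config KEY=DEFAULT...: print env-config.js for the listed keys.
# An unset or empty variable falls back to DEFAULT, like ${KEY:-DEFAULT}.
emit_env_config() {
  printf 'window.__env__ = {'
  sep=''
  for pair in "$@"; do
    key=${pair%%=*}
    default=${pair#*=}
    value=$(printenv "$key") || value=''
    [ -n "$value" ] || value=$default
    printf '%s\n  %s: %s' "$sep" "$key" "$(js_string "$value")"
    sep=','
  done
  printf '\n};\n'
}

# Constructed demo value with a quote and a backslash; in the container the
# output would be redirected to "$NGINX_HTML/env-config.js".
export VITE_DESCRIPTION='CMSch "staging" \ test'
emit_env_config \
  'VITE_API_BASE_URL=http://localhost:8080' \
  'VITE_NAME=CMSch Web' \
  'VITE_DESCRIPTION=CMSch Web' \
  'VITE_THEME_COLOR=#ffffff'
```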

@kir-dev kir-dev deleted a comment from coderabbitai Bot Jun 27, 2026