
Feature/auth fixes and react sdk tests #241

Closed
yash-pouranik wants to merge 5 commits into main from feature/auth-fixes-and-react-sdk-tests

Conversation

Collaborator

@yash-pouranik yash-pouranik commented May 31, 2026

📝 Summary

This PR addresses critical vulnerabilities in the authentication flows, patches a concurrency race condition in the OAuth exchange, stabilizes the @urbackend/react SDK by completing its social auth flow, and introduces comprehensive unit testing for the React components. Furthermore, all SDKs and repository documentation have been updated to reflect the latest state.

🐛 Bug Fixes & Security Patches

  • [Security] Prevent Account Enumeration: Fixed a vulnerability in the password reset endpoint where soft-deleted accounts returned a distinct 403 status. The endpoint now returns a generic success response for soft-deleted users, perfectly mimicking non-existent accounts to prevent enumeration attacks.
  • [Concurrency] Atomic OAuth Token Exchange: Resolved a critical race condition in the social auth token exchange endpoint (userAuth.controller.js). Replaced the sequential redis.get() and redis.del() logic with an atomic redis.getdel() operation to prevent replay attacks during concurrent requests.
  • [React SDK] Complete Social Exchange Flow: Fixed an issue in the <UrProvider /> where rtCode was ignored. The provider now correctly extracts rtCode from query parameters and token from the URL fragment, executing auth.socialExchange({ token, rtCode }) to ensure long-lived sessions are reliably established even in strict cross-site cookie environments.

✨ Enhancements & Testing

  • React SDK Unit Tests: Added robust Vitest/JSDOM testing coverage for the @urbackend/react SDK, specifically targeting context.test.tsx (Logic & Auth flows) and UrAuth.test.tsx (UI behavior). All tests are passing.
  • Documentation Alignment:
    • Updated Python SDK docs (README.md & auth.py) to correctly reflect that the social auth token resides in the URL fragment (#token=...), not the query string.
    • Corrected JSDoc payload descriptions in the JS/TS @urbackend/sdk (auth.ts).
    • Modernized AGENTS.md with the new SDK ecosystem, testing commands, and atomic Redis patterns.

📦 Chore / Release

  • Version Bumps: Bumped versions across packages/*, apps/*, and @urbackend/sdk.
  • Reset @urbackend/react version to v0.1.0 following standard urBackend naming conventions for new packages.
  • Bumped Python SDK (urbackend) to v0.1.1.

⚠️ Deployment Notes

  • Redis Requirement: The backend now relies on the GETDEL command. Please ensure the production Redis instance is running Version 6.2.0 or higher before deploying this PR. No database schema migrations are required.

Summary by CodeRabbit

  • New Features

    • Added React SDK with authentication, database, and storage modules
    • Added React demo application showcasing SDK integration
    • Implemented API key copy button in dashboard
    • Added account recovery messaging for soft-deleted users
  • Bug Fixes

    • Improved atomic operations for social auth token exchange
    • Enhanced soft-deleted user handling across authentication flows
  • Style

    • Updated dashboard UI with refined glassmorphism effects and visual polish
  • Documentation

    • Updated social auth callback documentation across SDKs
  • Chores

    • Version bumps across all packages
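The race described under "Atomic OAuth Token Exchange", as an added example that is not code from the urBackend repository: a constructed in-memory stand-in for Redis is used, the `rt:` key prefix and the function names are assumptions, and each call yields to the event loop the way a network round trip would. Two concurrent exchanges of the same rtCode both succeed with GET followed by DEL, while GETDEL lets exactly one through.

```javascript
// Constructed in-memory stand-in for a Redis client (not the real ioredis API).
// Each command awaits a setImmediate to mimic a separate network round trip.
class FakeRedis {
  constructor() { this.store = new Map(); }
  async get(key) {
    await new Promise((r) => setImmediate(r));
    return this.store.get(key) ?? null;
  }
  async del(key) {
    await new Promise((r) => setImmediate(r));
    return this.store.delete(key) ? 1 : 0;
  }
  // GETDEL (Redis >= 6.2.0): the read and the delete happen in one server-side step,
  // so no other command can observe the value in between.
  async getdel(key) {
    const value = this.store.get(key) ?? null;
    this.store.delete(key);
    await new Promise((r) => setImmediate(r));
    return value;
  }
}

// Before the fix: read, then delete. Between the two round trips a second
// request can read the same one-time code, so it is consumed twice.
async function exchangeSequential(redis, rtCode) {
  const refreshToken = await redis.get(`rt:${rtCode}`);
  if (refreshToken === null) return null; // unknown or already consumed
  await redis.del(`rt:${rtCode}`);
  return refreshToken;
}

// After the fix: one atomic GETDEL; only the first caller ever sees the value.
async function exchangeAtomic(redis, rtCode) {
  return redis.getdel(`rt:${rtCode}`); // null when unknown or already consumed
}

// Fire `concurrency` exchanges of the same code at once and count the successes.
// A correct one-time code yields exactly 1 regardless of concurrency.
async function countSuccessfulExchanges(exchangeFn, concurrency = 2) {
  const redis = new FakeRedis();
  redis.store.set('rt:code123', 'refresh-token-value'); // constructed sample entry
  const results = await Promise.all(
    Array.from({ length: concurrency }, () => exchangeFn(redis, 'code123'))
  );
  return results.filter((r) => r !== null).length;
}
```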

Copilot AI review requested due to automatic review settings May 31, 2026 09:24
@yash-pouranik yash-pouranik temporarily deployed to feature/auth-fixes-and-react-sdk-tests - urBackend-frankfrut PR #241 May 31, 2026 09:24 — with Render Destroyed
@coderabbitai
Contributor

coderabbitai Bot commented May 31, 2026


Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8ab9379d-0a60-4f1c-89aa-53d20e0ab1dd

📥 Commits

Reviewing files that changed from the base of the PR and between 87730ce and d290789.

⛔ Files ignored due to path filters (14)
  • examples/react-sdk-demo/package-lock.json is excluded by !**/package-lock.json
  • examples/react-sdk-demo/public/favicon.svg is excluded by !**/*.svg
  • examples/react-sdk-demo/public/icons.svg is excluded by !**/*.svg
  • examples/react-sdk-demo/src/assets/hero.png is excluded by !**/*.png
  • examples/react-sdk-demo/src/assets/react.svg is excluded by !**/*.svg
  • examples/react-sdk-demo/src/assets/vite.svg is excluded by !**/*.svg
  • package-lock.json is excluded by !**/package-lock.json
  • sdks/urbackend-react/dist/index.d.mts is excluded by !**/dist/**
  • sdks/urbackend-react/dist/index.d.ts is excluded by !**/dist/**
  • sdks/urbackend-react/dist/index.js is excluded by !**/dist/**
  • sdks/urbackend-react/dist/index.js.map is excluded by !**/dist/**, !**/*.map
  • sdks/urbackend-react/dist/index.mjs is excluded by !**/dist/**
  • sdks/urbackend-react/dist/index.mjs.map is excluded by !**/dist/**, !**/*.map
  • sdks/urbackend-sdk/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (42)
  • AGENTS.md
  • apps/consumer/package.json
  • apps/dashboard-api/package.json
  • apps/public-api/package.json
  • apps/public-api/src/__tests__/userAuth.social.test.js
  • apps/public-api/src/controllers/userAuth.controller.js
  • apps/web-dashboard/package.json
  • apps/web-dashboard/src/index.css
  • apps/web-dashboard/src/pages/ProjectDetails.jsx
  • examples/react-sdk-demo/.gitignore
  • examples/react-sdk-demo/README.md
  • examples/react-sdk-demo/eslint.config.js
  • examples/react-sdk-demo/index.html
  • examples/react-sdk-demo/package.json
  • examples/react-sdk-demo/src/App.css
  • examples/react-sdk-demo/src/App.tsx
  • examples/react-sdk-demo/src/index.css
  • examples/react-sdk-demo/src/main.tsx
  • examples/react-sdk-demo/tsconfig.app.json
  • examples/react-sdk-demo/tsconfig.json
  • examples/react-sdk-demo/tsconfig.node.json
  • examples/react-sdk-demo/vite.config.ts
  • package.json
  • packages/common/package.json
  • sdks/urbackend-python/README.md
  • sdks/urbackend-python/pyproject.toml
  • sdks/urbackend-python/src/urbackend/auth.py
  • sdks/urbackend-react/package.json
  • sdks/urbackend-react/src/components/Toast.tsx
  • sdks/urbackend-react/src/components/UrAuth.tsx
  • sdks/urbackend-react/src/context.tsx
  • sdks/urbackend-react/src/hooks.ts
  • sdks/urbackend-react/src/index.ts
  • sdks/urbackend-react/tests/UrAuth.test.tsx
  • sdks/urbackend-react/tests/context.test.tsx
  • sdks/urbackend-react/tests/setupTests.ts
  • sdks/urbackend-react/tsconfig.json
  • sdks/urbackend-react/tsup.config.ts
  • sdks/urbackend-react/vitest.config.ts
  • sdks/urbackend-sdk/package.json
  • sdks/urbackend-sdk/src/errors.ts
  • sdks/urbackend-sdk/src/modules/auth.ts

📝 Walkthrough

This PR introduces the React SDK package (@urbackend/react) with a complete provider, hooks, and authentication UI components, alongside soft-delete user enforcement across auth endpoints for account recovery, and atomic Redis refresh-token exchange for safety. A demo app illustrates integration.

Changes

React SDK and Auth Enhancements

| Layer / File(s) | Summary |
|---|---|
| User soft-delete rejection in auth endpoints: apps/public-api/src/controllers/userAuth.controller.js, apps/public-api/src/__tests__/userAuth.social.test.js | checkUserSoftDeleted() helper returns HTTP 403 with account recovery info. Soft-deleted users are blocked from login, signup social-linking, profile access, and password reset. |
| Atomic refresh token exchange with redis.getdel: apps/public-api/src/controllers/userAuth.controller.js, apps/public-api/src/__tests__/userAuth.social.test.js, sdks/urbackend-sdk/src/modules/auth.ts, sdks/urbackend-python/src/urbackend/auth.py | Switches exchangeSocialRefreshToken from separate redis.get/redis.del to atomic redis.getdel. SDK and Python docs updated to clarify rtCode (query) and token (URL fragment) payload shape. |
| SDK error parsing improvements: sdks/urbackend-sdk/src/errors.ts | parseApiError now extracts message from error or message fields, with fallback to JSON.stringify for complex values. |
| React SDK provider, hooks, and context: sdks/urbackend-react/package.json, sdks/urbackend-react/src/context.tsx, sdks/urbackend-react/src/hooks.ts, sdks/urbackend-react/src/index.ts, sdks/urbackend-react/tests/context.test.tsx | UrProvider initializes SDK client, detects social-auth callback parameters (rtCode + token), performs token setup/exchange, and exposes context via useUrContext(). Hooks useAuth, useDb, useStorage manage state and provide memoized action callbacks. |
| React SDK auth UI components: sdks/urbackend-react/src/components/Toast.tsx, sdks/urbackend-react/src/components/UrAuth.tsx, sdks/urbackend-react/tests/UrAuth.test.tsx | UrAuth renders signin/signup/forgot/reset modes with email/password/name/OTP inputs, social login buttons (Google/GitHub), and error toast display. Toast shows auto-dismissing notifications with slide animations. |
| React SDK demo application: examples/react-sdk-demo/ (package.json, tsconfig, vite.config, App.tsx, main.tsx, index.html, styles) | Complete working demo showing conditional render (loading → signin → profile), user profile card with avatar/name/email/ID, sign-out button, and inline UI effects. Wires UrProvider with environment-based config. |
| Documentation, config, and version updates: AGENTS.md, sdks/urbackend-python/README.md, apps/web-dashboard/src/index.css, apps/web-dashboard/src/pages/ProjectDetails.jsx, package.json, packages/common/package.json, sdks/urbackend-sdk/package.json, sdks/urbackend-react/ config files | AGENTS.md documents SDK packages and test expectations. Dashboard CSS updates glassmorphism theme (blur, border, colors) and adds key-copy button with toast. Version bumps across packages and monorepo. React demo configs (ESLint, TypeScript, Vite, vitest) complete. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • geturbackend/urBackend#81: Implements the social auth endpoint and refresh-token exchange architecture that this PR improves with atomic redis.getdel consumption.
  • geturbackend/urBackend#110: Updates JSDoc for socialExchange parameter/token documentation in the same SDK auth module.
  • geturbackend/urBackend#118: Modifies the same dark-theme CSS glassmorphism styling in apps/web-dashboard/src/index.css.

Suggested labels

enhancement, documentation, frontend, level-2, NSOC'26

Poem

🐰 A React SDK hops into view,
With soft-deleted users turned away true.
Atomic tokens dance in the Redis store,
While toasts and auth UI shine evermore!
From provider to hooks, the foundation is laid—
A demo app blooms where the SDK is played. 🌿


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

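The callback detection the walkthrough attributes to UrProvider (rtCode in the query string, token in the URL fragment), as an added example that is not the @urbackend/react provider's own code; the function names and the sample callback URL are assumptions. It also shows the cleanup a provider would do afterwards so the one-time values do not linger in browser history or copied links.

```javascript
// Parse a social-auth callback of the shape the PR documents:
//   https://app.example/callback?rtCode=<one-time code>#token=<access token>
// The fragment is never sent in the HTTP request, so the token stays out of
// server, proxy and CDN logs; only the short-lived rtCode travels to the server.
function parseSocialCallback(href) {
  const url = new URL(href);
  const rtCode = url.searchParams.get('rtCode');
  // url.hash is "#token=...": strip the "#" and parse it like a query string.
  const fragment = new URLSearchParams(url.hash.startsWith('#') ? url.hash.slice(1) : url.hash);
  const token = fragment.get('token');
  // Both values are required for socialExchange({ token, rtCode }); a token that
  // arrived in the query string instead of the fragment is deliberately ignored.
  if (!token || !rtCode) return null;
  return { token, rtCode };
}

// The URL the provider should restore (e.g. via history.replaceState) once the
// exchange has run: rtCode removed from the query, fragment dropped entirely.
function cleanCallbackUrl(href) {
  const url = new URL(href);
  url.searchParams.delete('rtCode');
  url.hash = '';
  return url.toString();
}

// Constructed sample callback URL (not a real deployment).
const SAMPLE_CALLBACK = 'https://app.example/callback?rtCode=abc123&next=%2Fhome#token=eyJhbGciOi.sample.sig';
```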


Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
