Development

[we09532]

This pull request introduces a secure, server-side refresh token management system for authentication, including encrypted storage of refresh tokens, supporting database migrations, API endpoints, and scheduled cleanup. It also updates the frontend to integrate with this new flow, improving security and reliability for user sessions.

Backend: Secure Refresh Token Management

• Implements encrypted, server-side storage of refresh tokens using AES-256-GCM, with helper functions for encryption/decryption and cookie/session management in api/auth/index.ts [1] [2].
• Adds API endpoints for storing, refreshing, revoking, and cleaning up refresh tokens, including admin-protected actions and JWT-based admin authentication.

Database: Schema & Policies

• Adds a migration to create the fitbuddyai_refresh_tokens table, indexes, and helper functions for cleanup and revocation.
• Sets up Row Level Security (RLS) policies to restrict access to the refresh tokens table to service roles, with guidance for user-specific policies.

Automation: Cleanup

• Adds a scheduled GitHub Actions workflow to regularly clean up old or revoked refresh tokens.
• Provides a script (scripts/cleanup_refresh_tokens.js) to run the cleanup function or fallback deletion via Supabase.

Frontend: Session Handling & Routing

• Updates the frontend (src/App.tsx) to store and clear refresh tokens via the new backend endpoints, and to refresh the access token using the server-side stored refresh token, removing direct client-side refresh token storage [1] [2] [3].
• Updates blog routing to use a new BlogListPage and support dynamic blog slugs [1] [2].

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
fitbuddyai	Ready	Preview, Comment	Dec 19, 2025 3:27pm

[Copilot]

Pull request overview

This pull request implements a secure, server-side refresh token management system for authentication, moving sensitive refresh tokens from client-side storage to encrypted server-side storage. It includes database migrations, API endpoints with admin controls, scheduled cleanup automation, and updates to frontend authentication flows. Additionally, it refactors the blog system to support multiple posts with dynamic routing.

Key changes:

• Introduces AES-256-GCM encrypted storage for refresh tokens with HttpOnly session cookies
• Adds database table, RLS policies, and helper functions for token lifecycle management
• Implements API endpoints for storing, refreshing, revoking, and cleaning up tokens with JWT-based admin authentication
• Migrates frontend from localStorage to sessionStorage for tokens and integrates server-side refresh flow
• Adds blog listing page and refactors blog display to support multiple posts with dynamic slugs

Reviewed changes

Copilot reviewed 18 out of 19 changed files in this pull request and generated 30 comments.

Show a summary per file

File	Description
api/auth/index.ts	Adds encryption helpers and new endpoints for server-side refresh token management with admin controls
src/server/authServer.js	Implements dev-only wrapper for /api/auth endpoints using in-memory storage and adds undefined variable references
sql/migrations/002_create_refresh_tokens.sql	Creates refresh tokens table with indexes and cleanup/revocation helper functions
sql/migrations/003_refresh_tokens_rls.sql	Enables RLS and creates service-role-only policy for refresh tokens table
scripts/cleanup_refresh_tokens.js	Provides cleanup script for automated token maintenance via RPC or fallback query
.github/workflows/refresh-token-cleanup.yml	Schedules daily automated cleanup of old refresh tokens
src/services/localStorage.ts	Migrates token storage from localStorage to sessionStorage to reduce XSS risk
src/services/authService.ts	Updates sign-in/sign-up/sign-out to use server-side token storage endpoints
src/App.tsx	Implements server-side refresh on startup and removes client-side session management
src/components/WelcomePage.tsx	Adds intro overlay scroll locking and cross-component event coordination
src/components/IntroBubbles.tsx	Refactors to use dynamic CSS rules instead of inline styles
src/components/Header.tsx	Adds intro-active state to hide header during intro overlay
src/components/Footer.tsx	Adds intro-active state to hide footer during intro overlay
src/data/blogPosts.ts	Defines blog post data structure and exports multiple blog posts
src/components/BlogPage.tsx	Refactors to display dynamic blog posts by slug with suggested posts
src/components/BlogListPage.tsx	Creates new blog listing page with featured post and grid layout
src/components/BlogPage.css	Updates styles to support dynamic blog post display
src/components/BlogListPage.css	Adds styles for blog listing page layout
tsconfig.json	Excludes express-rate-limit tsconfig to resolve build conflicts

[Copilot]

Pull request overview

Copilot reviewed 30 out of 33 changed files in this pull request and generated 10 comments.

Comments suppressed due to low confidence (2)

sql/migrations/003_refresh_tokens_rls.sql:14

• The RLS policy refresh_tokens_service_only uses USING (true) and WITH CHECK (true), which allows all operations from any role without checking JWT claims. This means the policy doesn't actually restrict access - any authenticated user could potentially access or modify refresh tokens if they bypass the API and call Supabase directly.

The policy should check for current_setting('request.jwt.claims', true)::json->>'role' IN ('service', 'admin') or use Supabase's service role authentication properly to ensure only server-side code with the service role key can access these rows.

CREATE POLICY refresh_tokens_service_only
  ON fitbuddyai_refresh_tokens
  FOR ALL
  USING (true)
  WITH CHECK (true);

src/server/authServer.js:703

• Empty block statement.

      const { password, ...safe } = data || {};

[Copilot]

Pull request overview

Copilot reviewed 32 out of 35 changed files in this pull request and generated 20 comments.

Comments suppressed due to low confidence (1)

api/auth/index.ts:178

• Unexpected any. Specify a different type.

export async function requireAdmin(req: any): Promise<AdminJwtPayload | null> {

[Copilot]

The webhook proxy endpoint accepts a target URL from server configuration only (process.env.SHEET_WEBHOOK_URL), which is good for preventing SSRF. However, the endpoint does not validate or sanitize the configured URL before using it. If an administrator mistakenly sets SHEET_WEBHOOK_URL to a malicious or internal URL (e.g., http://localhost:6379/ for Redis), the server would blindly forward requests to it.

Consider adding URL validation to ensure the target is an allowed external URL (e.g., starts with https://script.google.com/ or matches an allowlist pattern). This provides defense-in-depth against configuration errors.

[Copilot]

The BackupPayload type includes a field fitbuddyai_tos_accepted_v1?: unknown (line 20), which uses the unknown type. Later in the code (line 226), this is used in a Partial<BackupPayload> context where the value is conditionally set.

Using unknown for this field makes it difficult to work with and doesn't provide type safety. Based on usage in tosService.ts (line 95-99 in the diff, not shown but referenced), this appears to be a structured object. Consider defining a proper type for this field, such as:

fitbuddyai_tos_accepted_v1?: Record<string, { tos?: boolean; privacy?: boolean; timestamp?: number }>;

Or at minimum use Record<string, unknown> instead of unknown to indicate it's an object.

[Copilot]

The requireAdmin function is exported (line 178) but it's designed to be called from within the same module's request handler. However, it's not clear if this function is intended to be used by other modules or only internally. If it's meant to be used elsewhere (e.g., in other API routes), the export makes sense. If it's only used within this file, it should not be exported or should be documented as internal-only.

Additionally, the function accepts req: any which loses type safety. Consider defining a request interface or using a more specific type from your framework (e.g., VercelRequest or Request from the framework you're using).

[Copilot]

The refresh endpoint does not return the refresh_token to the client (line 375), which is correct for security. However, on line 287, when attempting to restore a session in the frontend, the code checks for data.refresh_token and only sets the session on the Supabase client if one is present. Since the server never returns a refresh_token, this condition will never be true, and the Supabase client session will never be restored via this flow.

This means the frontend Supabase client will not have a valid session after a refresh, which could cause issues with any client-side Supabase operations. Either the backend should return a refresh_token (reducing security), or the frontend should be updated to handle sessions that only have an access_token, or document that client-side Supabase operations requiring a refresh_token are not supported after server-side refresh.

Suggested change

	if (data.refresh_token) {
	try {
	await supabase.auth.setSession({
	access_token: data.access_token,
	refresh_token: data.refresh_token,
	});
	} catch (e) {
	// Swallow Supabase client errors here; app can still rely on
	// the stored access token for server-side operations.
	}
	try {
	const sessionPayload: any = {
	access_token: data.access_token,
	};
	if (data.refresh_token) {
	sessionPayload.refresh_token = data.refresh_token;
	}
	await supabase.auth.setSession(sessionPayload);
	} catch (e) {
	// Swallow Supabase client errors here; app can still rely on
	// the stored access token for server-side operations.

[Copilot]

The signOutAndRevoke function attempts to use navigator.sendBeacon first, but the payload sent is an empty JSON object {}. The backend endpoint /api/auth?action=clear_refresh expects to extract the session_id from cookies (line 374-375 in authServer.js), not from the request body. However, sendBeacon sends the blob as the request body, and there's no indication that the server reads cookies when processing beacon requests.

Additionally, on line 324, the code sets revoked = false if sendBeacon throws, but then on line 327, it also sets revoked = false in a catch block. Both of these should be unnecessary since revoked is initialized as false at line 319. The logic should be simplified and the sendBeacon payload doesn't need to be sent since the server uses cookies.

[Copilot]

The welcome page locks scrolling when the intro is active by setting document.body.style.position = 'fixed' (line 59) and document.body.style.top = -${introScrollRef.current}px` (line 60). This is a common pattern to prevent background scrolling, but it has a side effect on mobile Safari: the address bar visibility can change when the position becomes fixed, causing a layout shift.

Additionally, the cleanup in the useEffect return (lines 85-100) restores the scroll position using window.scrollTo(0, y) at line 78 and again at line 96. If the component unmounts while the intro is active, both cleanup blocks will attempt to restore scrolling. Consider: 1) Using a single cleanup approach, 2) Adding a check to see if scrolling was already restored, 3) Testing on mobile Safari to ensure no jarring layout shifts occur.