Conversation

@ArcaEge (Collaborator) commented Dec 15, 2025

No description provided.

Comment on lines +135 to 143
```ts
await fetch(`https://hackatime.hackclub.com/api/v1/users/${slack_id}/trust_factor`, {
    headers: env.RACK_ATTACK_BYPASS
        ? {
              RACK_ATTACK_BYPASS: env.RACK_ATTACK_BYPASS
          }
        : {}
})
).json()
)['trust_level'];
```

Bug: The fetch call to the Hackatime API does not check for a successful response before calling .json(), which can cause unhandled errors or incorrect logic for API failures.
Severity: MEDIUM | Confidence: High

🔍 Detailed Analysis

The fetch call to the Hackatime API at https://hackatime.hackclub.com/api/v1/users/${slack_id}/trust_factor does not check if the response was successful before attempting to parse it as JSON. Unlike other fetch calls in the same file that validate the response.ok property, this one proceeds directly to response.json(). If the API returns an error status (e.g., 404, 429, 5xx) with a non-JSON body, such as an HTML error page, the .json() call will throw a SyntaxError, leading to an unhandled promise rejection. While the SvelteKit framework may catch this and render a generic error page, it bypasses the intended logic. If the API returns an error with a JSON body that lacks the trust_level key, the code incorrectly treats the API error as a 'user not found' case, redirecting them to create an account.

💡 Suggested Fix

Check the response.ok property after the fetch call to the Hackatime API. If the response is not ok, handle the error explicitly, for example by redirecting to an auth failure page, similar to how other API calls are handled in this file. This ensures that network or server errors are not misinterpreted as a missing user account and prevents potential crashes from parsing non-JSON error responses.

🤖 Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: src/routes/auth/callback/+server.ts#L135-L143

Did we get this right? 👍 / 👎 to inform future reviews.
Reference ID: 7555739
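To make the failure mode in the comment above concrete, here is an added example, written for this page and not taken from the PR or from the Hackatime project. It puts a lookup with the same shape as the reviewed lines (parse first, never look at the status) beside a hardened version that checks `ok` before calling `.json()` and reports transport errors, non-2xx statuses and non-JSON bodies separately from a genuinely missing `trust_level`. The stubbed fetch, the Slack IDs, the canned response bodies, the `TrustLookup` result shape and the decision to treat a 2xx body without `trust_level` as "no account" are all assumptions for illustration; the real endpoint's error bodies are not shown on the page.

```typescript
// Added example (not from the reviewed PR or the Hackatime project). The fake
// fetch, the Slack IDs, the response bodies and the result shape are constructed
// assumptions for illustration; the real endpoint's error bodies are unknown.

// Structural subset of the Fetch API Response, so a stub can stand in offline.
interface MinimalResponse {
  ok: boolean;
  status: number;
  json(): Promise<unknown>;
}
type FetchLike = (
  url: string,
  init?: { headers?: Record<string, string> },
) => Promise<MinimalResponse>;

type TrustLookup =
  | { kind: "ok"; trustLevel: string | number }
  | { kind: "no_account" } // 2xx body without trust_level (assumed meaning)
  | { kind: "upstream_error"; status: number; detail: string };

const trustFactorUrl = (slackId: string): string =>
  `https://hackatime.hackclub.com/api/v1/users/${encodeURIComponent(slackId)}/trust_factor`;

// Same shape as the reviewed lines: parse first, never look at the status.
// A 429 with a JSON error body yields undefined (looks like "no account");
// a 502 HTML page makes json() reject with a SyntaxError.
async function trustLevelUnchecked(slackId: string, fetchImpl: FetchLike): Promise<unknown> {
  const body = (await (await fetchImpl(trustFactorUrl(slackId))).json()) as Record<string, unknown>;
  return body["trust_level"];
}

// Pure classifier for an already parsed 2xx body; kept separate so it can be
// exercised without any I/O.
function classifyBody(status: number, body: unknown): TrustLookup {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return { kind: "upstream_error", status, detail: "unexpected body shape" };
  }
  const level = (body as Record<string, unknown>)["trust_level"];
  if (level === undefined) return { kind: "no_account" };
  if (typeof level !== "string" && typeof level !== "number") {
    return { kind: "upstream_error", status, detail: "unexpected trust_level type" };
  }
  return { kind: "ok", trustLevel: level };
}

// Hardened lookup: transport failures and non-2xx statuses are reported as
// upstream errors and are never mistaken for a missing account. Whether a 404
// should instead mean "no account" is a product decision, deliberately not made here.
async function lookupTrustLevel(
  slackId: string,
  fetchImpl: FetchLike,
  bypassToken?: string,
): Promise<TrustLookup> {
  const headers: Record<string, string> = bypassToken ? { RACK_ATTACK_BYPASS: bypassToken } : {};
  let res: MinimalResponse;
  try {
    res = await fetchImpl(trustFactorUrl(slackId), { headers });
  } catch (err) {
    return { kind: "upstream_error", status: 0, detail: `network: ${(err as Error).message}` };
  }
  if (!res.ok) {
    // Do not parse an error body; a missing trust_level there says nothing about the user.
    return { kind: "upstream_error", status: res.status, detail: "non-2xx status" };
  }
  let body: unknown;
  try {
    body = await res.json();
  } catch {
    return { kind: "upstream_error", status: res.status, detail: "non-JSON body" };
  }
  return classifyBody(res.status, body);
}

// Constructed stand-in for the Hackatime API. json() mirrors Response.json():
// JSON.parse on an HTML body throws a SyntaxError.
function canned(status: number, body: string): MinimalResponse {
  return { ok: status >= 200 && status < 300, status, json: async () => JSON.parse(body) };
}
const fakeHackatime: FetchLike = async (url) => {
  const m = /\/users\/([^/]+)\/trust_factor$/.exec(url);
  switch (decodeURIComponent(m?.[1] ?? "")) {
    case "U_KNOWN":   return canned(200, '{"trust_level":"green"}');
    case "U_NEW":     return canned(200, "{}");
    case "U_LIMITED": return canned(429, '{"error":"Retry later"}');
    case "U_OUTAGE":  return canned(502, "<html><body>502 Bad Gateway</body></html>");
    default:          return canned(404, '{"error":"not found"}');
  }
};

// Stand-alone demo: the unchecked path misreads a 429 as "no account" and
// throws on a 502; the hardened path reports both as upstream errors.
async function demo(): Promise<void> {
  console.log("unchecked 429 ->", await trustLevelUnchecked("U_LIMITED", fakeHackatime));
  try {
    await trustLevelUnchecked("U_OUTAGE", fakeHackatime);
  } catch (err) {
    console.log("unchecked 502 ->", (err as Error).name);
  }
  for (const id of ["U_KNOWN", "U_NEW", "U_LIMITED", "U_OUTAGE"]) {
    console.log("hardened", id, "->", await lookupTrustLevel(id, fakeHackatime));
  }
}
void demo();
```

In a SvelteKit handler the caller would switch on `kind`: `ok` continues the sign-in, `no_account` takes the user to account creation, and `upstream_error` goes to the auth-failure redirect used by the other API calls in the file, so a Hackatime outage or rate limit can no longer masquerade as a user without an account.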

@ArcaEge ArcaEge merged commit 55d6715 into main Dec 16, 2025
2 checks passed
2 participants