Cap mobile app #1845 (Merged)
Conversation
Paragon Review Skipped: Hi @richiemcilroy! Your Polarity credit balance is insufficient to complete this review. Please visit https://app.paragon.run to finish your review.
hey @greptileai please re-review the pr |
hey @greptileai, please re-review the PR |
Implements v1 of the Cap mobile app for iOS
Greptile Summary
This PR adds the first iOS version of the Cap mobile app. The main changes are:
Confidence Score: 5/5
This looks safe to merge.
Comments Outside Diff (3)
apps/web/app/api/mobile/[...route]/route.ts, line 1586-1591
redirectUri leaks API key to arbitrary URLs
The requestSession handler appends the freshly-minted api_key and user_id to whatever redirectUri the caller provides, with no allowlist check. An attacker who tricks an authenticated user into opening https://cap.so/api/mobile/session/request?redirectUri=https://attacker.com will receive that user's permanent API key in the redirect. The redirectUri should be validated against the app's registered deep-link scheme (e.g., only cap:// or the deployment-specific scheme from app.config.js) before any credentials are appended.
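The allowlist check the review comment asks for, written out as an added example rather than code from this PR or from the Cap project. It assumes the app's deep-link scheme is cap: and that a handler would call buildSessionRedirect instead of concatenating credentials onto the raw redirectUri string; the ALLOWED_SCHEMES list is an illustrative default.

```typescript
// Added example (not Cap's code): validate a mobile deep-link redirectUri
// against an allowlist of URL schemes before appending session credentials.

// Assumption: the mobile app registers the cap: scheme. A deployment would
// load this from its configuration rather than hard-coding it.
const ALLOWED_SCHEMES: string[] = ["cap:"];

// Parse with the WHATWG URL parser so scheme comparison works on the
// normalized protocol, not on a raw string prefix. Relative references such
// as "//attacker.com" throw here and are rejected as malformed.
function parseAbsoluteUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

function isAllowedRedirectUri(
  raw: string,
  allowedSchemes: string[] = ALLOWED_SCHEMES
): boolean {
  const url = parseAbsoluteUrl(raw);
  if (url === null) return false;
  // url.protocol is already lower-cased by the parser ("CAP://x" -> "cap:").
  if (!allowedSchemes.includes(url.protocol)) return false;
  // Embedded userinfo can disguise the real destination; refuse it outright.
  if (url.username !== "" || url.password !== "") return false;
  return true;
}

// Only after the destination passes the allowlist are credentials attached.
// Returns null on rejection so the caller can respond with 400 instead of
// silently redirecting somewhere else.
function buildSessionRedirect(
  redirectUri: string,
  apiKey: string,
  userId: string
): string | null {
  if (!isAllowedRedirectUri(redirectUri)) return null;
  const url = new URL(redirectUri);
  url.searchParams.set("api_key", apiKey);
  url.searchParams.set("user_id", userId);
  return url.toString();
}
```

Comparing the parsed protocol rather than checking a string prefix keeps case variants and malformed inputs on one code path, and the deny-by-default return value means a missing or unrecognised scheme never reaches the redirect.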
apps/web/app/api/mobile/[...route]/route.ts, line 1413-1450
getPlayback has no ownership check on the video
getCapById enforces eq(Db.videos.ownerId, user.id), but getPlayback bypasses it and calls videos.getByIdForViewing directly. If getByIdForViewing returns records for public or org-shared videos that do not belong to the authenticated user, any authenticated mobile user can retrieve signed playback URLs for those videos. Confirm whether this broader access is intentional for the mobile app, or whether an ownership/membership check should be added here.
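Whichever answer the maintainers give to the question above, the safe shape is an explicit, deny-by-default authorization decision taken before a signed playback URL is minted. The following is an added example, not code from this PR or from Cap: the Video and User record shapes, the public and org-sharing fields, and the signer callback are all assumptions made for illustration.

```typescript
// Added example (not Cap's code): an explicit viewing-authorization check
// that a playback handler would run before signing a URL. The record shapes
// below are assumptions, not the project's actual database schema.

type Video = {
  id: string;
  ownerId: string;
  isPublic: boolean;          // assumption: a video can be publicly shared
  sharedWithOrgIds: string[]; // assumption: explicit org-level sharing
};

type User = { id: string; orgIds: string[] };

// Every allow branch names the policy that granted access, so the decision
// can be logged and audited; anything that matches no branch is denied.
type ViewDecision =
  | { allowed: true; reason: "owner" | "public" | "org-member" }
  | { allowed: false };

function canViewVideo(video: Video, user: User): ViewDecision {
  if (video.ownerId === user.id) return { allowed: true, reason: "owner" };
  if (video.isPublic) return { allowed: true, reason: "public" };
  if (video.sharedWithOrgIds.some((org) => user.orgIds.includes(org))) {
    return { allowed: true, reason: "org-member" };
  }
  return { allowed: false };
}

// Handler-shaped wrapper: look the record up, run the policy, and only then
// call the signer. `sign` stands in for whatever produces the playback URL.
function getPlaybackForUser(
  videos: Video[],
  videoId: string,
  user: User,
  sign: (videoId: string) => string
): { url: string; reason: string } | null {
  const video = videos.find((v) => v.id === videoId);
  if (video === undefined) return null;
  const decision = canViewVideo(video, user);
  if (!decision.allowed) return null;
  return { url: sign(video.id), reason: decision.reason };
}

// Constructed sample data for exercising the policy offline.
const SAMPLE_VIDEOS: Video[] = [
  { id: "v-own", ownerId: "alice", isPublic: false, sharedWithOrgIds: [] },
  { id: "v-pub", ownerId: "bob", isPublic: true, sharedWithOrgIds: [] },
  { id: "v-org", ownerId: "bob", isPublic: false, sharedWithOrgIds: ["org-1"] },
  { id: "v-priv", ownerId: "bob", isPublic: false, sharedWithOrgIds: [] },
];
```

Returning null for both "not found" and "not authorized" keeps the two cases indistinguishable to the caller, which avoids turning the endpoint into an oracle for which video IDs exist.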
apps/web/app/(org)/login/form.tsx, line 143-162
searchParams identity change
The new useEffect calls handleGoogleSignIn() whenever mobileProvider=google is present in the query string. Because searchParams is a new reference on every navigation update, this effect can fire multiple times during the session redirect lifecycle, potentially triggering extra signIn("google", ...) calls. Guard the effect with a useRef flag (or router-replace the URL after the first trigger) so it fires exactly once per page load.
Reviews (18): Last reviewed commit: "fix: clarify typecheck cleanup"