- Remove unused biome suppression comment in completions.ts
- Remove unnecessary if condition in execute-bootstrap.test.ts
- Add eslint-disable comments for any type assertions in client.test.ts
- Add eslint-disable comments for expect().rejects patterns
- Fix template literal number expression with toString()
- Fix error handling in test-db.ts to avoid object stringify
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add withTransaction helper that gracefully handles nested transactions
(reuses existing transaction in tests, starts new one otherwise)
- Update auth procedures to use withTransaction instead of direct .transaction()
- Add email config to all e2e test contexts (required by merged code)
- Remove duplicate verification token code from signup procedure
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Wrap multiple DB operations in transactions for atomicity:
- login-if-completed: device upsert + session + login_request deletion
- forgot-password: delete old tokens + insert new token
- signup: session + email_verification creation
- Extract reusable DB model operations to packages/db/src/models/:
- sessions.ts: insertSession()
- user-devices.ts: upsertUserDevice(), isDeviceTrusted()
- Update session.ts to use new model functions from @reviq/db
- Fix type narrowing in admin.test.ts
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The extractClientIP() function only checked proxy headers (X-Forwarded-For,
CF-Connecting-IP, etc.) which don't exist when running locally without a proxy.
Changes:
- Add clientIP field to APIContext
- Use Bun's server.requestIP() to get client IP from direct socket connection
- Update getGeoInfo() to accept fallback IP parameter
- Pass context.clientIP to getGeoInfo() in auth procedures
Now sessions will have IP address set even for local development (::1 or 127.0.0.1).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create @reviq/utils package with PBKDF2-SHA256 password hashing
compatible with Cloudflare Workers (uses crypto.subtle)
- Update api-server and CLI to use new utils package for consistent
password hashing format across the codebase
- Add pino logging to api-server for better request debugging
- Make login request tokens cryptographically secure base58 strings
instead of database IDs
- Add migration to make login_requests.token non-nullable with unique
constraint
- Fix RPCLink URL construction for client-side API calls
- Add db:codegen script to root package.json
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use implement(contract).$context<APIContext>() for proper type safety
in all procedure handlers. Create authMiddleware and loginRequestMiddleware
using os.middleware() and apply with .use() on routes requiring auth.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
