fix: redirect anonymous commenters to login instead of crashing

[GoodVaibhs]

The comment POST handler in post() read session['username'] directly without checking it was set. Any unauthenticated POST to /post/ with a comment field (and no delete button fields) raised an unhandled KeyError / 500 instead of failing gracefully.

Add the same not-logged-in guard already used for the post-delete and comment-delete paths in this codebase, redirecting to the login page with a return path, consistent with the &-delimited redirect convention used elsewhere (see login.py, edit_post.py).

Summary by CodeRabbit

• Bug Fixes
  • Users must now be logged in to post comments. Unauthenticated submission attempts are redirected to login. Functionality for logged-in users remains unchanged.

[coderabbitai]

Warning

Review limit reached

@GoodVaibhs, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 14 minutes and 31 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3a405d1d-1a6f-4463-9fb7-ea0a4c93b9c3

📥 Commits

Reviewing files that changed from the base of the PR and between 86e1fd0 and 75a866a.

📒 Files selected for processing (2)

• app/routes/post.py
• app/utils/sanitize_for_log.py

📝 Walkthrough

Walkthrough

The comment POST handler in app/routes/post.py gains an authentication guard: if session["username"] is not present, the handler logs an error with the client's IP address and redirects to the login page for the given url_id, leaving all existing logged-in comment logic unchanged.

Changes

Unauthenticated Comment Guard

Layer / File(s)	Summary
Session check and redirect in comment POST handler app/routes/post.py	Adds a guard at the start of comment processing: missing session["username"] triggers an error log with request.remote_addr and a redirect to the login redirect endpoint for url_id.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 Hop hop, no sneaking past the gate,
A session check now guards the comment slate.
No username found? We log your IP with care,
Then bounce you off to login — go on, dare!
The warren is safe, only members post here. 🌿

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The description is comprehensive and covers the issue, the fix, and consistency with existing patterns, but it does not follow the required template structure with a 'Fixes #' reference.	Add the issue reference following the template format (e.g., 'Fixes #123') and organize content under 'Proposed Changes' section for full template compliance.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding authentication checks for commenters to redirect to login instead of crashing with a 500 error.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app/routes/post.py`:
- Line 53: The session authentication check in the conditional statement is
using the incorrect key name "username" when it should use "userName" to align
with the established coding guidelines. Update the condition that checks `if
"username" not in session` to use the correct session key `"userName"` instead,
ensuring the authentication guard properly validates the required session state
key as per project standards.
- Around line 54-57: The Log.error call in the post route is logging
request.remote_addr and url_id directly without sanitizing carriage return and
line feed characters, which can allow log forging attacks. Sanitize both
request.remote_addr and url_id by removing or replacing CR/LF characters before
interpolating them into the log message string, then use the sanitized values in
the Log.error call.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: aab0b8cb-9844-487c-b8f5-42db68dad3be

📥 Commits

Reviewing files that changed from the base of the PR and between fe7a05a and 86e1fd0.

📒 Files selected for processing (1)

• app/routes/post.py

[DogukanUrker]

lgtm