Staging

[gkorland]

Summary by CodeRabbit

• New Features

  • After Google/GitHub sign-in, users are now taken directly to the Chat page.

• Style

  • Adjusted landing page structure and formatting for improved layout and readability.

• Refactor

  • Streamlined backend user-info handling.
  • Updated backend connection pooling for improved stability under load.

• Chores

  • Deployment targets updated to support configurable runtime port.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

Refactors user-result indexing and adds an unused import; switches Redis connection pool to BlockingConnectionPool; OAuth callbacks now redirect to /chat; landing template has DOM-closing tags removed and whitespace changes; Makefile run targets made port-configurable via PORT env var.

Changes

Cohort / File(s)	Summary
Auth user info refactor api/auth/user_management.py	Introduced single_result = result.result_set[0] and replaced repeated result.result_set[0][...] accesses with single_result[...]; added unused from math import log import; no behavioral change.
OAuth redirect changes api/routes/auth.py	Post-auth redirects for Google and GitHub changed from / to /chat; cookie setting and handler logic unchanged.
Redis pool change api/extensions.py	Replaced ConnectionPool.from_url(...) with BlockingConnectionPool.from_url(..., decode_responses=True) and updated import to BlockingConnectionPool; pool passed to FalkorDB via connection_pool=pool.
Landing template structure/formatting app/templates/landing.j2	Whitespace/JS formatting tweaks and removal of a closing </aside> and a container </div>, altering DOM boundaries; no new JS logic.
Run targets port configurability Makefile	run-dev and run-prod updated to use dynamic port via $${PORT:-5000} and adjusted bind addresses (127.0.0.1 for dev, 0.0.0.0 for prod).

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User
  participant Browser
  participant App as Web App
  participant OAuth as OAuth Provider
  Note over App: OAuth callback now redirects to /chat

  User->>Browser: Click "Sign in with Google/GitHub"
  Browser->>OAuth: Redirect to provider
  OAuth-->>Browser: Redirect back with callback
  Browser->>App: GET /auth/<provider>/authorized?code=...
  App->>App: Process callback (set cookies/session)
  App-->>Browser: 302 Redirect to /chat
  Browser->>App: GET /chat
  App-->>Browser: Serve chat page

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Staging #139 — Appears to contain identical edits across the same files (user_management, extensions, routes, landing template, Makefile).
• Staging #129 — Also modifies api/auth/user_management.py and overlaps on _get_user_info edits.

Poem

I hop through imports, tidy the rows,
A single_result steadies my nose.
Redirects now chatter in /chat’s warm light,
Redis waits blocking through day and night.
Ports take requests — the rabbit’s delight. 🥕🐇

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between ed7a836 and 2bba953.

📒 Files selected for processing (1)

• api/routes/auth.py (2 hunks)

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch staging

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
queryweaver	Ready	Preview	Comment	Aug 26, 2025 4:55pm

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

api/routes/auth.py (2)

171-179: Harden session cookie and align TTL with DB token expiry.

Set samesite="Lax" to reduce CSRF risk and max_age=86400 (24h) to match the token’s expires_at in the graph. Also use the status enum for readability.

Apply:

-                redirect = RedirectResponse(url="/chat", status_code=302)
+                redirect = RedirectResponse(url="/chat", status_code=status.HTTP_302_FOUND)
                 redirect.set_cookie(
                     key="api_token",
                     value=api_token,
                     httponly=True,
-                    secure=True
+                    secure=True,
+                    samesite="Lax",
+                    max_age=86400,
+                    path="/"
                 )

Consider extracting cookie-setting into a small helper to avoid duplication between providers.

---

254-262: Repeat the cookie hardening for GitHub flow.

Same rationale as Google: add samesite and max_age, and prefer the status enum.

Apply:

-                redirect = RedirectResponse(url="/chat", status_code=302)
+                redirect = RedirectResponse(url="/chat", status_code=status.HTTP_302_FOUND)
                 redirect.set_cookie(
                     key="api_token",
                     value=api_token,
                     httponly=True,
-                    secure=True
+                    secure=True,
+                    samesite="Lax",
+                    max_age=86400,
+                    path="/"
                 )

🧹 Nitpick comments (6)

api/extensions.py (2)

6-6: Make import resilient across redis-py versions; alias the pool class.

Some environments may not have redis.asyncio.BlockingConnectionPool (older redis-py). Prefer a compat import that falls back to ConnectionPool. This also simplifies future refactors by using a single alias everywhere.

Apply:

-from redis.asyncio import BlockingConnectionPool
+try:
+    from redis.asyncio import BlockingConnectionPool as AsyncBlockingConnectionPool
+except ImportError:  # older redis-py
+    from redis.asyncio import ConnectionPool as AsyncBlockingConnectionPool

If you want me to verify exact redis-py versions that ship asyncio.BlockingConnectionPool.from_url, I can run a quick web check.

---

19-23: Set sane pool limits/timeouts and use the compat alias.

The default unlimited pool can exhaust connections under load. Add max_connections and an acquisition timeout. Also switch to the alias from the previous comment.

Apply:

-        pool = BlockingConnectionPool.from_url(
-            url,
-            decode_responses=True
-        )
+        pool = AsyncBlockingConnectionPool.from_url(
+            url,
+            decode_responses=True,
+            max_connections=int(os.getenv("REDIS_MAX_CONNECTIONS", "50")),
+            timeout=float(os.getenv("REDIS_POOL_TIMEOUT", "10.0"))
+        )

Optionally, unify both branches (URL present/absent) by always creating a pool via from_url (e.g., default to "redis://localhost:6379"), so behavior (decoding, pooling) is consistent. I can provide a full patch if you want.

api/auth/user_management.py (2)

5-5: Remove unused import (ruff F401 / pylint unused-import).

from math import log is unused.

Apply:

-from math import log

---

39-41: Minor tidy: local alias is good; also handle expired tokens proactively.

Using single_result improves readability. Consider deleting expired tokens here to keep the graph clean and close the TODO loop.

Apply:

-            single_result = result.result_set[0]
-            token_valid = single_result[3]
+            single_result = result.result_set[0]
+            email, name, picture, token_valid = single_result

And extend the logic below:

-            if token_valid:
-                return {
-                    "email": single_result[0],
-                    "name": single_result[1],
-                    "picture": single_result[2]
-                }
+            if token_valid:
+                return {
+                    "email": email,
+                    "name": name,
+                    "picture": picture,
+                }
+            # else: drop expired/invalid token to avoid clutter and accidental reuse
+            await delete_user_token(api_token)

app/templates/landing.j2 (2)

13-13: Optimize hero image for LCP without lazy-loading.

Add decoding="async" and fetchpriority="high" to help rendering; keep it non-lazy since it’s the hero. If you know intrinsic dimensions, adding width/height further reduces CLS.

Apply:

-    <img src="{{ url_for('static', path='icons/queryweaver.webp') }}" alt="QueryWeaver" />
+    <img src="{{ url_for('static', path='icons/queryweaver.webp') }}"
+         alt="QueryWeaver logo"
+         decoding="async"
+         fetchpriority="high" />

---

86-97: Tiny micro-opt: precompile regexes outside the function (optional).

Current code is fine for this page; if you care about micro perf, precompile patterns once to avoid recompilation on every call.

Example (outside function):

<script>
  const RE_SQL_STRING = /('[^']*')/g;
  const RE_SQL_KEYWORD = /\b(SELECT|FROM|JOIN|ON|WHERE|AND|OR|GROUP|BY|ORDER|LIMIT|AS|IN|IS|NULL|INNER|LEFT|RIGHT|OUTER)\b/gi;
  const RE_SQL_FUNC = /\b(COUNT|SUM|AVG|MIN|MAX)\b/gi;
  const RE_NUMBER = /\b(\d+\.?\d*)\b/g;
  // then use out.replace(RE_SQL_STRING, ...), etc.
</script>

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 5b4789b and fce241e.

📒 Files selected for processing (4)

• api/auth/user_management.py (2 hunks)
• api/extensions.py (2 hunks)
• api/routes/auth.py (3 hunks)
• app/templates/landing.j2 (3 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.py

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Adhere to pylint standards across all Python files (repository uses make lint)

Files:

• api/auth/user_management.py
• api/routes/auth.py
• api/extensions.py

app/**

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Keep the TypeScript frontend sources in app/ and build them before production runs

Files:

• app/templates/landing.j2

🪛 Ruff (0.12.2)

api/auth/user_management.py

5-5: math.log imported but unused

Remove unused import: math.log

(F401)

🪛 GitHub Actions: Pylint

api/auth/user_management.py

[warning] 76-76: pylint: Line too long (137/100) (line-too-long).

---

[warning] 42-42: pylint: TODO delete invalid token from DB (fixme).

---

[warning] 51-51: pylint: Catching too general exception (broad-exception-caught).

---

[warning] 72-72: pylint: Catching too general exception (broad-exception-caught).

---

[warning] 168-168: pylint: Unnecessary 'elif' after 'return' (no-else-return).

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: e2e-tests
• GitHub Check: e2e-tests

🔇 Additional comments (4)

api/auth/user_management.py (1)

45-47: LGTM: clearer field access.

Using single_result[...] makes the code less noisy without changing behavior.

app/templates/landing.j2 (3)

81-83: LGTM: escaping is correct and used before innerHTML.

escapeHtml is straightforward and called inside highlightSQL, mitigating XSS when injecting highlighted content.

---

102-111: LGTM: null checks improve robustness.

The added guards for qEl, sEl, and successEl prevent runtime errors if the DOM changes.

---

129-129: LGTM: safe incremental rendering during typing.

You continue to route content through highlightSQL (which escapes), so using innerHTML here is safe.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

Makefile (4)

65-70: Optional: prefer a Make variable over shell parameter expansion for PORT

Defining a Make-level default improves portability (no reliance on shell-specific parameter expansion) and makes PORT visible to help/overrides (e.g., make PORT=8080 run-dev).

Apply this diff within these lines:

-	pipenv run uvicorn api.index:app --host 127.0.0.1 --port $${PORT:-5000} --reload
+	pipenv run uvicorn api.index:app --host 127.0.0.1 --port $(PORT) --reload

-	pipenv run uvicorn api.index:app --host 0.0.0.0 --port $${PORT:-5000}
+	pipenv run uvicorn api.index:app --host 0.0.0.0 --port $(PORT)

Add this near the top of the file (outside the selected range):

# Default PORT (can be overridden: `make PORT=8080 run-dev`)
PORT ?= 5000

---

1-1: Fix .PHONY inconsistencies and include run/build/docker targets

.run-dev/run-prod/build-dev/build-prod/test-e2e-debug/docker-* are missing from .PHONY, and .PHONY lists a non-existent build target. Either remove build from .PHONY or add a build alias. Recommend adding the alias and expanding .PHONY to avoid accidental file/dir collisions.

Apply this diff:

-.PHONY: help install test test-unit test-e2e test-e2e-headed lint format clean setup-dev build lint-frontend
+.PHONY: help install setup-dev test test-unit test-e2e test-e2e-headed test-e2e-debug \
+        lint lint-frontend format clean \
+        build build-dev build-prod run-dev run-prod \
+        docker-falkordb docker-stop

---

20-25: Add help descriptions and a build alias so make help is complete

build-dev and build-prod are missing ## docs, so they don’t appear in make help. Also add a build alias to match .PHONY and common workflows.

Apply this diff:

-build-dev:
+build-dev: ## Build frontend for development
 	npm --prefix ./app run build:dev

-build-prod:
+build-prod: ## Build frontend for production
 	npm --prefix ./app run build
+
+# Alias for convenience and to match .PHONY
+build: build-prod ## Build frontend for production (alias)

---

54-56: Replace placeholder format target with actual tools

Implementing real formatters reduces churn in reviews and keeps consistency.

Apply this diff:

-format: ## Format code (placeholder - add black/autopep8 if needed)
-	@echo "Add code formatting tool like black here"
+format: ## Format code (backend: black+isort, frontend: prettier)
+	pipenv run black .
+	pipenv run isort .
+	npm --prefix ./app run format

If the frontend doesn’t have a format script yet, add one in app/package.json using prettier.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between fce241e and ed7a836.

📒 Files selected for processing (1)

• Makefile (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

Makefile

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Provide and maintain Make targets (install, setup-dev, test-unit, test-e2e, lint, run-dev, run-prod, build-prod, clean) as the canonical workflow

Files:

• Makefile

🧠 Learnings (2)

📚 Learning: 2025-08-24T17:15:21.337Z

Learnt from: CR
PR: FalkorDB/QueryWeaver#0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-08-24T17:15:21.337Z
Learning: Applies to Makefile : Provide and maintain Make targets (`install`, `setup-dev`, `test-unit`, `test-e2e`, `lint`, `run-dev`, `run-prod`, `build-prod`, `clean`) as the canonical workflow

Applied to files:

• Makefile

📚 Learning: 2025-08-24T17:15:21.337Z

Learnt from: CR
PR: FalkorDB/QueryWeaver#0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-08-24T17:15:21.337Z
Learning: Applies to Dockerfile : Keep Docker configuration consistent with documented run commands (exposing port 5000, running uvicorn with `api.index:app`)

Applied to files:

• Makefile

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: e2e-tests
• GitHub Check: e2e-tests

🔇 Additional comments (1)

Makefile (1)

65-70: LGTM: dynamic PORT with sensible defaults and correct bind addresses

Good change. Using $${PORT:-5000} gives a safe default while allowing overrides, and keeping --reload only in run-dev with 127.0.0.1 vs 0.0.0.0 in run-prod is the right split. Matches our documented uvicorn entrypoint api.index:app.