Improve mobile UX and harden auth flows

[we09532]

Summary:

• Refines the mobile experience across sign-in, home intro, calendar, workouts, loading, and help center screens.
• Adds a new intro experience and routes it through a settings toggle.
• Hardens auth and data sync paths by removing cleartext token persistence, moving refresh handling server-side, and tightening purchase/user-data flows.

Notes:

• This branch also includes follow-up UI polish and supporting route/component updates needed for the new flows.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
fitbuddyai	Ready	Preview, Comment	May 6, 2026 3:56pm

[Copilot]

Pull request overview

This PR targets two areas of the FitBuddyAI codebase: (1) a broad mobile UX refresh across key screens/components, and (2) an auth/data-sync hardening effort that removes client-side refresh token persistence and moves refresh handling server-side.

Changes:

• Adds a new intro/landing experience (plus a settings toggle) and improves mobile layout/styling across multiple pages.
• Introduces server-side refresh token storage/refresh endpoints and updates client auth flows accordingly.
• Updates shop purchase flow and several data-sync behaviors (cloud backup payload, loading progress telemetry, chat rendering, calendar empty-state behavior).

Reviewed changes

Copilot reviewed 47 out of 48 changed files in this pull request and generated 15 comments.

Show a summary per file

File	Description
src/services/localStorage.ts	Adds home-intro preference storage + removes persisted auth token fallback/session token persistence.
src/services/cloudBackupService.ts	Adjusts what local keys get included in backup payload.
src/services/authService.ts	Updates sign-in/up flows, password policy helper, purchase endpoint call, server-side refresh storage calls.
src/services/aiService.ts	Updates Gemini model and increases chat context caps / improves fallback messages.
src/server/authServer.js	Adds rate limits, increases JSON body size, moves /api/user/buy to Supabase-backed logic, improves AI endpoint behavior.
src/server/authServer.cjs	Increases JSON body size limit.
src/server/adminRoutes.js	Increases JSON body size limit for admin routes.
src/index.css	Global mobile layout hardening (width/min-width, overflow wrapping, image max-width, mobile padding).
src/components/WorkoutsPage.tsx	Simplifies saved-workout mutations to direct list updates + persistence.
src/components/WorkoutsPage.css	Mobile responsiveness improvements (filters, hero layout, buttons).
src/components/WorkoutModal.tsx	Renders modal via portal to document.body.
src/components/WorkoutModal.css	Raises modal overlay z-index.
src/components/WorkoutCalendar.tsx	Introduces blank calendar plan when no plan exists; improves day header labels for mobile.
src/components/WorkoutCalendar.css	Mobile layout updates; short day headers; improved dark hero-card backdrop filter.
src/components/WelcomePage.tsx	Wires new intro animation component behind a settings toggle.
src/components/WelcomePage.css	Mobile hero/logo layout tweaks; overflow adjustments.
src/components/SignUpPage.tsx	Adds client-side password policy validation when using Supabase.
src/components/SignInPage.tsx	Adds page-level body class for mobile styling; removes username sessionStorage write.
src/components/SignInPage.css	Mobile-first sign-in layout refinements; hides footer on small screens.
src/components/ShopPage.tsx	Removes client-side streak-saver purchase logic; adds local override guard to polling.
src/components/SettingsPage.tsx	Adds toggle UI for enabling/disabling the home intro animation.
src/components/Questionnaire.tsx	Emits structured loading progress events/state to drive the global loading page.
src/components/NewIntroPage.tsx	Adds a new intro/landing page component.
src/components/NewIntroPage.css	Adds styling for new intro/landing page.
src/components/LoadingPage.tsx	Reads loading progress state from storage/events; displays progress bar + stage text.
src/components/LoadingPage.css	Adds progress bar styling + mobile-friendly layout.
src/components/IntroBubbles.tsx	Moves per-bubble motion variables from inline styles to CSS classes.
src/components/IntroBubbles.css	Adds per-bubble CSS variables for motion.
src/components/HomeIntroStorm.tsx	Adds new “storm” intro animation component.
src/components/HomeIntroStorm.css	Adds styling/animation for the new storm intro sequence (with reduced-motion support).
src/components/HelpCenter.css	Full help center CSS redesign with new responsive/theme-aware layout.
src/components/Header.tsx	Refactors explore drawer + adds a mobile bottom nav dock.
src/components/Header.css	Styles new drawer layout + mobile nav dock; hides desktop header elements on mobile.
src/components/GeminiChatPage.tsx	Adds link parsing/rendering for chat output and normalizes demo-mode messaging.
src/components/GeminiChatPage.css	Styles chat links and improves dark-mode scrollbar presentation.
src/components/Footer.css	Adds bottom padding on mobile to accommodate bottom nav dock.
src/components/BlogPage.css	Adds styles used by new blog list layout.
src/components/BlogListPage.tsx	Adds a blog list/landing page.
src/components/AgreementGuard.tsx	Attempts to fetch server acceptance state and persist local acceptance flags.
src/App.tsx	Adds home-intro preference wiring, server-side refresh call, user polling throttling/guards, blog routing changes, and local purchase handling changes.
api/userdata/index.ts	Expands allowed fields for persistence (avatar_url/energy/inventory/streak) and normalizes avatar mapping.
api/user/[id].js	Adds authenticated action=buy purchase flow on user route.
api/auth/index.ts	Adds encrypted refresh-token storage + refresh/revoke endpoints using HttpOnly cookie session id.
api/ai/generate.ts	Updates Gemini model string.
.vscode/settings.json	Adds workspace terminal auto-approve settings for chat tools.
.vscode/mcp.json	Adds Supabase MCP server configuration.
.gitignore	Ignores a local test credentials JSON file.

[Copilot]

handleShopPurchase locally deducts energy/adds items even though purchases are now server-backed, which can double-apply changes (ShopPage already persists updated). It also sets fitbuddyai_local_user_override to disable server polling, but there is no corresponding clear path, so user sync may be permanently disabled. Consider updating state from the server purchase response instead, and if an override is still needed, clear it after the next successful server sync / on navigation / after a timeout.

[Copilot]

The comment says to “include chat history and user data”, but fitbuddyai_user_data is no longer read or added to the backup payload in this function. Update the comment (or restore the behavior) so the implementation and documentation stay consistent.

[Copilot]

.vscode/mcp.json hardcodes a Supabase MCP server URL with a specific project_ref. This can unintentionally expose internal project identifiers and causes contributors' editors to connect to that project by default. Prefer documenting the setup and keeping per-developer MCP configuration out of the repository (or provide an example file).

[Copilot]

store_refresh accepts an arbitrary userId + refresh_token without authenticating the caller, and revokes all existing sessions for that user. This enables trivial account-wide session revocation (DoS) and potentially session fixation. Require proof of identity (e.g., Bearer access token verified via supabase.auth.getUser() and matching userId) before writing/revoking refresh sessions, and avoid revoking all sessions unless explicitly intended/admin-only.

[Copilot]

Purchase handling is not atomic: you read energy, check it, then write energy - price. Two concurrent requests can both pass the check and overspend. Prefer a single conditional update (e.g., update ... where user_id = ? and energy >= ? and verify 1 row updated) or a transaction/RPC so energy can't go negative under concurrency.

[Copilot]

addToPlan/removeFromPlan compute the next saved list from the current mySavedNames closure and then call setMySavedNames(next). This can drop updates under rapid interactions because state updates are async and mySavedNames may be stale. Prefer functional setMySavedNames(prev => ...) and persist based on that computed next to keep UI and storage consistent.

[Copilot]

Raising the global JSON body limit to 20mb for all routes increases DoS risk and memory pressure. If only a subset of endpoints needs larger payloads (e.g., AI generation or plan uploads), apply a larger bodyParser.json({ limit }) only to those routes instead of globally.

[Copilot]

Same as authServer.js: increasing the global JSON body limit to 20mb affects all endpoints. If possible, keep a smaller default and only raise limits for the specific routes that require it.

[Copilot]

/api/user/buy updates Supabase user rows based only on the id in the request body; there is no authentication/authorization check that the caller owns that user id. This allows anyone to spend another user's energy / mutate inventory. Validate the Bearer token (or cookie session) and ensure it matches id before performing the purchase.

[Copilot]

In saveFromAssessment, next is derived from mySavedNames captured before the setTimeout, so it can overwrite newer saves/removals that happen during the delay. Use a functional state update inside the timeout (setMySavedNames(prev => { ... })) to merge picks with the latest list before persisting.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.