🐛 Fix inverted sendWithoutRequest predicate in HttpClient

[Magmi183]

sendWithoutRequest in Ktor returns true to attach the bearer token preemptively — the canonical example from the docs is request.url.host == "www.googleapis.com", i.e. return true for hosts where you want the token.

The block in HttpClient.kt returned true for unauthorizedEndpoints, which inverts the intent:

• the bearer token was being sent to /api/auth/login and /api/auth/registration
• every authenticated request wasn't sent preemptively — it had to bounce off a 401 first, then retry

Flipped .any → .none so the token is attached to authenticated endpoints and skipped for the auth ones, matching the variable name.

Summary by CodeRabbit

• Bug Fixes
  • Fixed bearer authentication behavior for login and registration endpoints. These critical authentication flows now properly manage token requirements, ensuring users can seamlessly complete initial authentication without encountering unnecessary token validation blocks. This enhances the overall experience for both new and returning users accessing the platform.

[coderabbitai]

Warning

Rate limit exceeded

@Magmi183 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 20 minutes and 49 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: b5c525a7-7ec4-47a2-a221-f7e0f4cb421a

📥 Commits

Reviewing files that changed from the base of the PR and between fd7a652 and ed8ffef.

📒 Files selected for processing (1)

• shared/base/src/commonMain/kotlin/kmp/shared/base/data/remote/HttpClient.kt

Walkthrough

The PR inverts the bearer authentication predicate in HTTP client initialization. The sendWithoutRequest condition for handling unauthorizedEndpoints changes from matching any endpoint to matching none, correcting which requests bypass automatic token-loading for authentication flows.

Changes

Bearer Auth Unauthorized Endpoint Predicate

Layer / File(s)	Summary
Bearer auth unauthorized endpoint predicate shared/base/src/commonMain/kotlin/kmp/shared/base/data/remote/HttpClient.kt	The sendWithoutRequest predicate is inverted to correctly prevent automatic bearer token injection on unauthorized endpoints like login and registration paths.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A single line flips the auth gate,
No tokens sent to login's fate,
Endpoints marked forbidden now stay bare,
Bearer logic breathes cleaner air! ✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description explains the bug, the fix, and the impact, but does not follow the required template structure with the specified sections.	Restructure the description to match the template with sections: Description, What's new?, What's missing?, and References.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly identifies a bug fix involving an inverted predicate in HttpClient, which directly matches the main change in the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/httpclient-auth

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request modifies the HttpClient configuration by flipping the logic for sending authentication tokens; it now avoids sending tokens only for endpoints not present in the unauthorizedEndpoints list. A critical security concern was raised regarding potential token leakage to external domains, as the current implementation lacks host verification. The reviewer suggested a more robust predicate that includes host validation and path normalization to mitigate this risk.