Conversation

@HarshMN2345
Member

@HarshMN2345 HarshMN2345 commented Dec 30, 2025

What does this PR do?

Test Plan

(Write your test plan here. If you changed any code, please provide us with clear instructions on how you verified your changes work.)

Related PRs and Issues

(If this PR is related to any other PR or resolves any issue or related to any issue link all related PR and issues here.)

Have you read the Contributing Guidelines on issues?

(Write your answer here.)

Summary by CodeRabbit

  • New Features

    • Added consolidated Password Policies and Session Security panels with project-aware forms.
  • Improvements

    • Streamlined ordering of security controls; panels detect unsaved changes and enable updates only when needed.
    • Password Policies now coordinate multiple related updates in a single flow and focus input when relevant.
  • Removals

    • Removed several legacy single-purpose controls replaced by the consolidated panels.

@appwrite

appwrite bot commented Dec 30, 2025

Console (appwrite/console)

Project ID: 688b7bf400350cbd60e9

Sites (1)
Site: console-stage (688b7cf6003b1842c9dc)
Status: Ready

@coderabbitai
Contributor

coderabbitai bot commented Dec 30, 2025

Walkthrough

Several single-purpose auth UI components were removed (updatePasswordHistory, updatePasswordDictionary, updatePersonalDataCheck, updateSessionAlerts, updateSessionInvalidation). Two new components were added: passwordPolicies.svelte (consolidates password history, password dictionary, and personal-data checks) and sessionSecurity.svelte (handles session alerts and session invalidation). The console project security page (+page.svelte) was updated to render UpdateUsersLimit, UpdateSessionLength, UpdateSessionsLimit, PasswordPolicies, SessionSecurity, UpdateMockNumbers, and UpdateMembershipPrivacy. Both new components read project/page data, call SDK update endpoints, invalidate routes, show notifications, and track analytics. An analytics enum member was renamed: Submit.AuthInvalidateSesssion → Submit.AuthInvalidateSession.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Pre-merge checks

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'feat: New Grouped security cards' directly describes the main change—refactoring individual security setting components into grouped/consolidated card components.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte (1)

51-57: Consider tracking errors for both API calls.

The error handler only tracks errors for AuthSessionAlertsUpdate (line 56), but the function makes two distinct API calls. If the session invalidation update fails, it won't be tracked separately in analytics.

🔎 Proposed enhancement

Consider tracking both operations or using a combined error event:

         } catch (error) {
             addNotification({
                 type: 'error',
                 message: error.message
             });
             trackError(error, Submit.AuthSessionAlertsUpdate);
+            trackError(error, Submit.AuthInvalidateSession);
         }
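Review bot: In the catch block, the added trackError(error, Submit.AuthInvalidateSession) reports the same error object under a second event, so one failed request shows up as two failures in analytics and neither record says which call actually threw. Wrap each SDK call in its own try/catch, or tag the error with the failing operation before it reaches this handler, and track only that event.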
src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte (1)

75-81: Consider tracking errors for all three API calls.

The error handler only tracks errors for AuthPasswordHistoryUpdate (line 80), but the function makes three distinct API calls (password history, dictionary, and personal data check). If either of the other two updates fails, it won't be tracked separately in analytics.

🔎 Proposed enhancement

Consider tracking all three operations or using a combined error event:

         } catch (error) {
             addNotification({
                 type: 'error',
                 message: error.message
             });
             trackError(error, Submit.AuthPasswordHistoryUpdate);
+            trackError(error, Submit.AuthPasswordDictionaryUpdate);
+            trackError(error, Submit.AuthPersonalDataCheckUpdate);
         }
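Review bot: The notification in this catch block shows only error.message, so when one of the three updates fails the user is not told which password policy settings were saved; adding two more trackError calls with the same error does not change that and records one failure three times. Collect a result per call, name the settings that failed in the message, and track only the matching events.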
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between baf47f8 and 1fa6722.

📒 Files selected for processing (8)
  • src/routes/(console)/project-[region]-[project]/auth/security/+page.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/updatePasswordDictionary.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/updatePasswordHistory.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/updatePersonalDataCheck.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/updateSessionAlerts.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/updateSessionInvalidation.svelte
💤 Files with no reviewable changes (5)
  • src/routes/(console)/project-[region]-[project]/auth/security/updateSessionInvalidation.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/updatePasswordDictionary.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/updatePersonalDataCheck.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/updateSessionAlerts.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/updatePasswordHistory.svelte
🧰 Additional context used
📓 Path-based instructions (5)
**/*.{ts,tsx,js,jsx,svelte}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx,js,jsx,svelte}: Import reusable modules from the src/lib directory using the $lib alias
Use minimal comments in code; reserve comments for TODOs or complex logic explanations
Use $lib, $routes, and $themes aliases instead of relative paths for module imports

Files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/+page.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte
src/routes/**/*.svelte

📄 CodeRabbit inference engine (AGENTS.md)

Use SvelteKit file conventions: +page.svelte for components, +page.ts for data loaders, +layout.svelte for wrappers, +error.svelte for error handling, and dynamic route params in square brackets like [param]

Files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/+page.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte
**/*.{ts,tsx,js,jsx,svelte,json}

📄 CodeRabbit inference engine (AGENTS.md)

Use 4 spaces for indentation, single quotes, 100 character line width, and no trailing commas per Prettier configuration

Files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/+page.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte
**/*.svelte

📄 CodeRabbit inference engine (AGENTS.md)

Use Svelte 5 + SvelteKit 2 syntax with TypeScript for component development

Files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/+page.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte
src/routes/**

📄 CodeRabbit inference engine (AGENTS.md)

Configure dynamic routes using SvelteKit convention with [param] syntax in route directory names

Files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/+page.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte
🧠 Learnings (4)
📚 Learning: 2025-11-25T03:15:27.539Z
Learnt from: CR
Repo: appwrite/console PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T03:15:27.539Z
Learning: Applies to src/routes/**/*.svelte : Use SvelteKit file conventions: +page.svelte for components, +page.ts for data loaders, +layout.svelte for wrappers, +error.svelte for error handling, and dynamic route params in square brackets like [param]

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/+page.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte
📚 Learning: 2025-11-19T11:22:42.553Z
Learnt from: atharvadeosthale
Repo: appwrite/console PR: 2512
File: src/routes/(console)/project-[region]-[project]/overview/platforms/llmBanner.svelte:51-83
Timestamp: 2025-11-19T11:22:42.553Z
Learning: In src/routes/(console)/project-[region]-[project]/overview/platforms/llmBanner.svelte, the Lovable integration URL format `https://lovable.dev/` with `autosubmit` and `prompt` as query parameters (set via searchParams) is correct and functional.

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
📚 Learning: 2025-11-25T03:15:27.539Z
Learnt from: CR
Repo: appwrite/console PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T03:15:27.539Z
Learning: Applies to **/*.svelte : Use Svelte 5 + SvelteKit 2 syntax with TypeScript for component development

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
📚 Learning: 2025-09-08T13:20:47.308Z
Learnt from: ItzNotABug
Repo: appwrite/console PR: 2316
File: src/routes/(console)/project-[region]-[project]/functions/create-function/deploy/+page.svelte:29-29
Timestamp: 2025-09-08T13:20:47.308Z
Learning: The Form.svelte component in the Appwrite console creates a FormContext with isSubmitting as writable(false) and expects consumers to work with Svelte writable stores, not plain booleans.

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: e2e
  • GitHub Check: build
🔇 Additional comments (1)
src/routes/(console)/project-[region]-[project]/auth/security/+page.svelte (1)

1-20: LGTM! Clean component composition.

The security page has been successfully updated to use the new consolidated PasswordPolicies and SessionSecurity components. The component composition is clean and follows SvelteKit conventions.

…passwordPolicies.svelte

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte (2)

50-65: Consider the implications of non-atomic updates.

The three API calls are executed sequentially without transaction support. If the second or third call fails, the earlier calls will have already succeeded, potentially leaving settings in a partially updated state. The user will see an error notification but some settings will have been saved.

If the backend supports batch operations or if these updates should be atomic, consider refactoring to ensure all-or-nothing semantics. Otherwise, consider adjusting the success/error messages to reflect which settings were updated successfully.


72-74: Analytics events track all three updates regardless of what changed.

Lines 72-74 fire all three analytics events even when only one or two settings were modified. This could make it harder to understand which specific features users are actively changing.

Consider tracking only the events for settings that actually changed by comparing the before/after values, or accept the current approach if aggregate analytics are sufficient for your needs.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1fa6722 and 44c693b.

📒 Files selected for processing (1)
  • src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-11-25T03:15:27.539Z
Learnt from: CR
Repo: appwrite/console PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T03:15:27.539Z
Learning: Applies to src/routes/**/*.svelte : Use SvelteKit file conventions: +page.svelte for components, +page.ts for data loaders, +layout.svelte for wrappers, +error.svelte for error handling, and dynamic route params in square brackets like [param]

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte
📚 Learning: 2025-09-08T13:20:47.308Z
Learnt from: ItzNotABug
Repo: appwrite/console PR: 2316
File: src/routes/(console)/project-[region]-[project]/functions/create-function/deploy/+page.svelte:29-29
Timestamp: 2025-09-08T13:20:47.308Z
Learning: The Form.svelte component in the Appwrite console creates a FormContext with isSubmitting as writable(false) and expects consumers to work with Svelte writable stores, not plain booleans.

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build
  • GitHub Check: e2e
🔇 Additional comments (2)
src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte (2)

30-38: Nice UX enhancement with focus management.

The effect properly waits for the next tick before focusing the input field when password history is enabled. The null check ensures no errors if the component isn't mounted yet.


40-45: Change detection logic is sound.

The derived state correctly identifies changes across all three password policy settings. The condition on line 42 appropriately checks the history value only when the feature is enabled, preventing false positive change detection.

@HarshMN2345 HarshMN2345 changed the title feat: New Group security cards feat: New Grouped security cards Dec 30, 2025
import { project as projectStore } from '../../store';
import { page } from '$app/state';
const project = $derived($projectStore ?? page.data?.project);
Contributor

Let's start using the params property here from the $props

Contributor

We can pass it from +page.svelte

// Initialize and sync state when project updates
$effect(() => {
const currentProject = $project;
Contributor

Same here, let's use route params if possible

Comment on lines 51 to 66
await sdk.forConsole.projects.updateAuthPasswordHistory({
    projectId: project.$id,
    limit: passwordHistoryEnabled ? passwordHistory : 0
});
// Update password dictionary
await sdk.forConsole.projects.updateAuthPasswordDictionary({
    projectId: project.$id,
    enabled: passwordDictionary
});
// Update personal data check
await sdk.forConsole.projects.updatePersonalDataCheck({
    projectId: project.$id,
    enabled: authPersonalDataCheck
});
Member

Promise.all or Promise.allSettled would be faster in parallel no?
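
An added example, not code from this PR or from Appwrite, for the non-atomic update concern raised earlier in this thread and the Promise.all / Promise.allSettled question above. The stub SDK, setting names and delays are assumptions; it shows that a fail-fast save reports one error while the other security settings are still written, and that Promise.allSettled lets the handler name exactly what was saved.

```javascript
// Setting names are hypothetical stand-ins for the three password policy updates.
const SETTINGS = ['passwordHistory', 'passwordDictionary', 'personalDataCheck'];

// Stub standing in for the console SDK (assumption, not Appwrite's API).
// Each update completes after a short delay unless its key is listed in `failing`.
function makeStubProjects(failing = []) {
    const stored = { passwordHistory: 0, passwordDictionary: false, personalDataCheck: false };
    const startUpdates = (wanted) =>
        SETTINGS.map(
            (key, i) =>
                new Promise((resolve, reject) => {
                    setTimeout(() => {
                        if (failing.includes(key)) {
                            reject(new Error(`${key} update rejected`));
                            return;
                        }
                        stored[key] = wanted[key];
                        resolve();
                    }, 5 * (i + 1));
                })
        );
    return { stored, startUpdates };
}

// Fail-fast: the handler sees the first rejection only and cannot tell
// which of the other settings were (or will still be) written.
async function saveFailFast(projects, wanted) {
    try {
        await Promise.all(projects.startUpdates(wanted));
        return { ok: true, message: 'Updated password policies.' };
    } catch (error) {
        return { ok: false, message: error instanceof Error ? error.message : String(error) };
    }
}

// Settled: every request finishes, and the result names each outcome.
async function saveAndReport(projects, wanted) {
    const results = await Promise.allSettled(projects.startUpdates(wanted));
    const saved = [];
    const failed = [];
    results.forEach((result, i) => {
        (result.status === 'fulfilled' ? saved : failed).push(SETTINGS[i]);
    });
    return { ok: failed.length === 0, saved, failed };
}

async function demo() {
    // Constructed input: the administrator enables all three policies.
    const wanted = { passwordHistory: 5, passwordDictionary: true, personalDataCheck: true };

    const first = makeStubProjects(['passwordDictionary']);
    const failFast = await saveFailFast(first, wanted);
    const storedAtError = { ...first.stored };
    // The request that was still in flight when the error surfaced completes anyway.
    await new Promise((resolve) => setTimeout(resolve, 30));
    const storedLater = { ...first.stored };

    const second = makeStubProjects(['passwordDictionary']);
    const reported = await saveAndReport(second, wanted);

    return { failFast, storedAtError, storedLater, reported };
}

demo().then((outcome) => console.log(JSON.stringify(outcome, null, 2)));
```
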

Comment on lines 31 to 40
await sdk.forConsole.projects.updateSessionAlerts({
    projectId: project.$id,
    alerts: authSessionAlerts
});
// Update session invalidation
await sdk.forConsole.projects.updateSessionInvalidation({
    projectId: project.$id,
    enabled: sessionInvalidation
});
Member

same here for parallel.

Comment on lines 17 to 18
<PasswordPolicies project={page.data.project} />
<SessionSecurity project={page.data.project} />
Member

err, we can do const { data }: PageProps = $props(), much better than pulling the whole page.data.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte (1)

28-54: Consider parallelizing independent API calls and fix error type handling.

The two SDK calls (updateSessionAlerts and updateSessionInvalidation) are independent and can run concurrently with Promise.all. Additionally, the error in catch is typed as unknown in TypeScript, so accessing .message directly will cause a type error.

🔎 Proposed refactor
 async function updateSessionSecurity() {
     try {
-        await sdk.forConsole.projects.updateSessionAlerts({
-            projectId: project.$id,
-            alerts: authSessionAlerts
-        });
-        await sdk.forConsole.projects.updateSessionInvalidation({
-            projectId: project.$id,
-            enabled: sessionInvalidation
-        });
+        await Promise.all([
+            sdk.forConsole.projects.updateSessionAlerts({
+                projectId: project.$id,
+                alerts: authSessionAlerts
+            }),
+            sdk.forConsole.projects.updateSessionInvalidation({
+                projectId: project.$id,
+                enabled: sessionInvalidation
+            })
+        ]);

         await invalidate(Dependencies.PROJECT);

         addNotification({
             type: 'success',
             message: 'Updated session security settings.'
         });
         trackEvent(Submit.AuthSessionAlertsUpdate);
         trackEvent(Submit.AuthInvalidateSession);
     } catch (error) {
         addNotification({
             type: 'error',
-            message: error.message
+            message: error instanceof Error ? error.message : 'An error occurred'
         });
         trackError(error, Submit.AuthSessionAlertsUpdate);
     }
 }
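Review bot: With Promise.all in the try block, a rejection from one request does not stop the other, and invalidate(Dependencies.PROJECT) runs only on the success path, so after a partial failure the form can keep showing values that differ from what the server stored for session alerts or session invalidation. Use Promise.allSettled, call invalidate(Dependencies.PROJECT) in both outcomes, and pass the event of the call that failed to trackError instead of always Submit.AuthSessionAlertsUpdate.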
src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte (1)

48-78: Consider parallelizing independent API calls and fix error type handling.

Similar to sessionSecurity.svelte, the three SDK calls are independent and can run concurrently. The error type issue also applies here.

🔎 Proposed refactor
 async function updatePasswordPolicies() {
     try {
-        await sdk.forConsole.projects.updateAuthPasswordHistory({
-            projectId: project.$id,
-            limit: passwordHistoryEnabled ? passwordHistory : 0
-        });
-        await sdk.forConsole.projects.updateAuthPasswordDictionary({
-            projectId: project.$id,
-            enabled: passwordDictionary
-        });
-        await sdk.forConsole.projects.updatePersonalDataCheck({
-            projectId: project.$id,
-            enabled: authPersonalDataCheck
-        });
+        await Promise.all([
+            sdk.forConsole.projects.updateAuthPasswordHistory({
+                projectId: project.$id,
+                limit: passwordHistoryEnabled ? passwordHistory : 0
+            }),
+            sdk.forConsole.projects.updateAuthPasswordDictionary({
+                projectId: project.$id,
+                enabled: passwordDictionary
+            }),
+            sdk.forConsole.projects.updatePersonalDataCheck({
+                projectId: project.$id,
+                enabled: authPersonalDataCheck
+            })
+        ]);

         await invalidate(Dependencies.PROJECT);
         addNotification({
             type: 'success',
             message: 'Updated password policies.'
         });
         trackEvent(Submit.AuthPasswordHistoryUpdate);
         trackEvent(Submit.AuthPasswordDictionaryUpdate);
         trackEvent(Submit.AuthPersonalDataCheckUpdate);
     } catch (error) {
         addNotification({
             type: 'error',
-            message: error.message
+            message: error instanceof Error ? error.message : 'An error occurred'
         });
         trackError(error, Submit.AuthPasswordHistoryUpdate);
     }
 }
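Review bot: The catch block still passes Submit.AuthPasswordHistoryUpdate to trackError whichever of the three requests rejected, and Promise.all surfaces only the first rejection, so dictionary and personal-data failures are misfiled or dropped. Map Promise.allSettled results by index to their Submit events; also consider String(error) rather than the fixed 'An error occurred' so non-Error rejections keep some detail in the notification.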
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dd9eab7 and 2d2b102.

📒 Files selected for processing (2)
  • src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
🧰 Additional context used
🧠 Learnings (7)
📚 Learning: 2025-11-25T03:15:27.539Z
Learnt from: CR
Repo: appwrite/console PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T03:15:27.539Z
Learning: Applies to src/routes/**/*.svelte : Use SvelteKit file conventions: +page.svelte for components, +page.ts for data loaders, +layout.svelte for wrappers, +error.svelte for error handling, and dynamic route params in square brackets like [param]

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
📚 Learning: 2025-11-19T11:22:42.553Z
Learnt from: atharvadeosthale
Repo: appwrite/console PR: 2512
File: src/routes/(console)/project-[region]-[project]/overview/platforms/llmBanner.svelte:51-83
Timestamp: 2025-11-19T11:22:42.553Z
Learning: In src/routes/(console)/project-[region]-[project]/overview/platforms/llmBanner.svelte, the Lovable integration URL format `https://lovable.dev/` with `autosubmit` and `prompt` as query parameters (set via searchParams) is correct and functional.

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
📚 Learning: 2025-11-25T03:15:27.539Z
Learnt from: CR
Repo: appwrite/console PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T03:15:27.539Z
Learning: Applies to **/*.svelte : Use Svelte 5 + SvelteKit 2 syntax with TypeScript for component development

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
📚 Learning: 2025-10-13T05:13:54.542Z
Learnt from: ItzNotABug
Repo: appwrite/console PR: 2413
File: src/routes/(console)/project-[region]-[project]/databases/table.svelte:33-39
Timestamp: 2025-10-13T05:13:54.542Z
Learning: In Svelte 5, `import { page } from '$app/state'` provides a reactive state proxy that can be accessed directly (e.g., `page.params`), unlike the older `import { page } from '$app/stores'` which returns a readable store requiring the `$page` syntax for auto-subscription in components.

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
📚 Learning: 2025-10-05T09:41:40.439Z
Learnt from: ItzNotABug
Repo: appwrite/console PR: 2398
File: src/routes/(console)/verify-email/+page.svelte:48-51
Timestamp: 2025-10-05T09:41:40.439Z
Learning: In SvelteKit 5, `page` imported from `$app/state` is a reactive state object (using runes), not a store. It should be accessed as `page.data` without the `$` prefix, unlike the store-based `$page` from `$app/stores` in earlier versions.

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
📚 Learning: 2025-10-13T05:16:07.656Z
Learnt from: ItzNotABug
Repo: appwrite/console PR: 2413
File: src/routes/(console)/project-[region]-[project]/databases/database-[database]/header.svelte:54-58
Timestamp: 2025-10-13T05:16:07.656Z
Learning: In SvelteKit apps, shared layout components (like headers) that use `$derived(page.data.*)` should use optional chaining when accessing properties that may not be present on all routes. During page transitions, reactive statements can briefly evaluate with different page.data structures, so optional chaining prevents runtime errors when navigating between routes with different data shapes (e.g., between `/databases` and `/databases/database-[database]`).

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
📚 Learning: 2025-09-08T13:20:47.308Z
Learnt from: ItzNotABug
Repo: appwrite/console PR: 2316
File: src/routes/(console)/project-[region]-[project]/functions/create-function/deploy/+page.svelte:29-29
Timestamp: 2025-09-08T13:20:47.308Z
Learning: The Form.svelte component in the Appwrite console creates a FormContext with isSubmitting as writable(false) and expects consumers to work with Svelte writable stores, not plain booleans.

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: e2e
  • GitHub Check: build
🔇 Additional comments (4)
src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte (1)

57-90: LGTM!

The template structure is clean, using appropriate components (CardGrid, InputSwitch, Form) with proper slot usage. The disabled state binding on the submit button correctly reflects hasChanges.

src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte (3)

22-29: LGTM!

The $effect correctly initializes and syncs state when the project prop updates. The fallback handling for authPasswordHistory (defaulting to 5 when less than 1) is a sensible default.


31-39: LGTM!

Good use of tick() to ensure the DOM has updated before attempting to focus the input field. This properly handles the case where the input is conditionally rendered.


81-146: LGTM!

The template is well-structured with clear separation of concerns. The conditional rendering of InputNumber for password history limit (lines 95-105), proper validation constraints (min={1}, max={20}), and external link to the common passwords list are all appropriate.

@HarshMN2345 HarshMN2345 requested a review from ItzNotABug January 2, 2026 09:34
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (1)
src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte (1)

32-39: Parallelize independent API calls for better performance.

The two SDK update calls are independent and can be executed concurrently using Promise.all.

🔎 Proposed refactor
-            await sdk.forConsole.projects.updateSessionAlerts({
+            await Promise.all([
+                sdk.forConsole.projects.updateSessionAlerts({
-                projectId: project.$id,
+                    projectId: project.$id,
-                alerts: authSessionAlerts
+                    alerts: authSessionAlerts
-            });
+                }),
-            await sdk.forConsole.projects.updateSessionInvalidation({
+                sdk.forConsole.projects.updateSessionInvalidation({
-                projectId: project.$id,
+                    projectId: project.$id,
-                enabled: sessionInvalidation
+                    enabled: sessionInvalidation
-            });
+                })
+            ]);
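Review bot: Promise.all in the added lines rejects as soon as either update fails, and the other request is not cancelled, so one of the two settings can be stored while the caller only sees a failure. For two security toggles that is worth handling explicitly: use Promise.allSettled and check each result, so the outcome of updateSessionAlerts and updateSessionInvalidation is known separately.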
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8d75905 and c687c00.

📒 Files selected for processing (2)
  • src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte
  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/routes/(console)/project-[region]-[project]/auth/security/passwordPolicies.svelte
🧰 Additional context used
📓 Path-based instructions (5)
**/*.{ts,tsx,js,jsx,svelte}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx,js,jsx,svelte}: Import reusable modules from the src/lib directory using the $lib alias
Use minimal comments in code; reserve comments for TODOs or complex logic explanations
Use $lib, $routes, and $themes aliases instead of relative paths for module imports

Files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
src/routes/**/*.svelte

📄 CodeRabbit inference engine (AGENTS.md)

Use SvelteKit file conventions: +page.svelte for components, +page.ts for data loaders, +layout.svelte for wrappers, +error.svelte for error handling, and dynamic route params in square brackets like [param]

Files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
**/*.{ts,tsx,js,jsx,svelte,json}

📄 CodeRabbit inference engine (AGENTS.md)

Use 4 spaces for indentation, single quotes, 100 character line width, and no trailing commas per Prettier configuration

Files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
**/*.svelte

📄 CodeRabbit inference engine (AGENTS.md)

Use Svelte 5 + SvelteKit 2 syntax with TypeScript for component development

Files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
src/routes/**

📄 CodeRabbit inference engine (AGENTS.md)

Configure dynamic routes using SvelteKit convention with [param] syntax in route directory names

Files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
🧠 Learnings (7)
📚 Learning: 2025-11-25T03:15:27.539Z
Learnt from: CR
Repo: appwrite/console PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T03:15:27.539Z
Learning: Applies to src/routes/**/*.svelte : Use SvelteKit file conventions: +page.svelte for components, +page.ts for data loaders, +layout.svelte for wrappers, +error.svelte for error handling, and dynamic route params in square brackets like [param]

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
📚 Learning: 2025-11-19T11:22:42.553Z
Learnt from: atharvadeosthale
Repo: appwrite/console PR: 2512
File: src/routes/(console)/project-[region]-[project]/overview/platforms/llmBanner.svelte:51-83
Timestamp: 2025-11-19T11:22:42.553Z
Learning: In src/routes/(console)/project-[region]-[project]/overview/platforms/llmBanner.svelte, the Lovable integration URL format `https://lovable.dev/` with `autosubmit` and `prompt` as query parameters (set via searchParams) is correct and functional.

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
📚 Learning: 2025-11-25T03:15:27.539Z
Learnt from: CR
Repo: appwrite/console PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T03:15:27.539Z
Learning: Applies to **/*.svelte : Use Svelte 5 + SvelteKit 2 syntax with TypeScript for component development

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
📚 Learning: 2025-10-13T05:13:54.542Z
Learnt from: ItzNotABug
Repo: appwrite/console PR: 2413
File: src/routes/(console)/project-[region]-[project]/databases/table.svelte:33-39
Timestamp: 2025-10-13T05:13:54.542Z
Learning: In Svelte 5, `import { page } from '$app/state'` provides a reactive state proxy that can be accessed directly (e.g., `page.params`), unlike the older `import { page } from '$app/stores'` which returns a readable store requiring the `$page` syntax for auto-subscription in components.

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
📚 Learning: 2025-10-05T09:41:40.439Z
Learnt from: ItzNotABug
Repo: appwrite/console PR: 2398
File: src/routes/(console)/verify-email/+page.svelte:48-51
Timestamp: 2025-10-05T09:41:40.439Z
Learning: In SvelteKit 5, `page` imported from `$app/state` is a reactive state object (using runes), not a store. It should be accessed as `page.data` without the `$` prefix, unlike the store-based `$page` from `$app/stores` in earlier versions.

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
📚 Learning: 2025-10-13T05:16:07.656Z
Learnt from: ItzNotABug
Repo: appwrite/console PR: 2413
File: src/routes/(console)/project-[region]-[project]/databases/database-[database]/header.svelte:54-58
Timestamp: 2025-10-13T05:16:07.656Z
Learning: In SvelteKit apps, shared layout components (like headers) that use `$derived(page.data.*)` should use optional chaining when accessing properties that may not be present on all routes. During page transitions, reactive statements can briefly evaluate with different page.data structures, so optional chaining prevents runtime errors when navigating between routes with different data shapes (e.g., between `/databases` and `/databases/database-[database]`).

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
📚 Learning: 2025-09-08T13:20:47.308Z
Learnt from: ItzNotABug
Repo: appwrite/console PR: 2316
File: src/routes/(console)/project-[region]-[project]/functions/create-function/deploy/+page.svelte:29-29
Timestamp: 2025-09-08T13:20:47.308Z
Learning: The Form.svelte component in the Appwrite console creates a FormContext with isSubmitting as writable(false) and expects consumers to work with Svelte writable stores, not plain booleans.

Applied to files:

  • src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build
  • GitHub Check: e2e

Comment on lines +18 to +21
onMount(() => {
authSessionAlerts = project?.authSessionAlerts ?? false;
sessionInvalidation = project?.authInvalidateSessions ?? false;
});
Contributor
⚠️ Potential issue | 🟠 Major

Replace onMount with $effect for reactive state synchronization.

The onMount hook only executes once per component instance. If the project prop changes (e.g., when navigating between projects in the same component instance), the local state won't update to reflect the new project's values, leading to stale UI state.

🔎 Recommended fix using $effect
-    onMount(() => {
+    $effect(() => {
         authSessionAlerts = project?.authSessionAlerts ?? false;
         sessionInvalidation = project?.authInvalidateSessions ?? false;
     });
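Review bot: Inside the $effect body, authSessionAlerts and sessionInvalidation are reassigned from project every time project changes, so a refresh of the project data while the form holds unsaved toggles would reset them without any signal to the user. Consider re-syncing only when project.$id changes, or skipping the assignment while the form has pending changes.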

Remove the onMount import:

-    import { onMount } from 'svelte';
🤖 Prompt for AI Agents
In
src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
around lines 18–21, the onMount usage only runs once and causes stale local
state when the project prop changes; remove the onMount import and replace the
onMount block with a reactive statement so authSessionAlerts and
sessionInvalidation are updated whenever project changes (e.g., use a $effect or
Svelte reactive statement that sets authSessionAlerts =
project?.authSessionAlerts ?? false and sessionInvalidation =
project?.authInvalidateSessions ?? false).

type: 'error',
message: error.message
});
trackError(error, Submit.AuthSessionAlertsUpdate);
Contributor
⚠️ Potential issue | 🟡 Minor

Error tracking doesn't distinguish between API call failures.

Line 54 always tracks Submit.AuthSessionAlertsUpdate, even if the updateSessionInvalidation call failed. Consider tracking both events or the specific operation that failed.

🔎 Suggested approach

If you parallelize the API calls as suggested above, you could track errors individually:

         try {
-            await sdk.forConsole.projects.updateSessionAlerts({
-                projectId: project.$id,
-                alerts: authSessionAlerts
-            });
-            await sdk.forConsole.projects.updateSessionInvalidation({
-                projectId: project.$id,
-                enabled: sessionInvalidation
-            });
+            await Promise.all([
+                sdk.forConsole.projects.updateSessionAlerts({
+                    projectId: project.$id,
+                    alerts: authSessionAlerts
+                }),
+                sdk.forConsole.projects.updateSessionInvalidation({
+                    projectId: project.$id,
+                    enabled: sessionInvalidation
+                })
+            ]);
 
             await invalidate(Dependencies.PROJECT);
 
             addNotification({
                 type: 'success',
                 message: 'Updated session security settings.'
             });
             trackEvent(Submit.AuthSessionAlertsUpdate);
             trackEvent(Submit.AuthInvalidateSession);
         } catch (error) {
             addNotification({
                 type: 'error',
                 message: error.message
             });
-            trackError(error, Submit.AuthSessionAlertsUpdate);
+            // Track both events since we can't distinguish which failed
+            trackError(error, Submit.AuthSessionAlertsUpdate);
+            trackError(error, Submit.AuthInvalidateSession);
         }
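Review bot: In the catch block, calling trackError for both Submit.AuthSessionAlertsUpdate and Submit.AuthInvalidateSession records a failure for a call that may have succeeded, because Promise.all surfaces only the first rejection. Promise.allSettled returns one result per call, so each rejected result can be passed to trackError with its own event. Also note that `await invalidate(Dependencies.PROJECT)` sits in the try body and is skipped on any failure, so it should run in both outcomes.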

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In
src/routes/(console)/project-[region]-[project]/auth/security/sessionSecurity.svelte
around line 54, the error tracking call always logs
Submit.AuthSessionAlertsUpdate even when updateSessionInvalidation fails; update
the error handling to track the specific failed operation (e.g.,
Submit.AuthSessionAlertsUpdate vs Submit.AuthSessionInvalidationUpdate) and
include the error details; if you parallelize the API calls, attach per-call
.catch handlers or inspect which promise rejected and call trackError with the
corresponding event name and error payload so each failure is logged distinctly.
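
The per-call tracking this comment asks for, as an added example that is not part of the PR or the Appwrite console code: `Promise.allSettled` keeps both outcomes, so each failure is tracked under its own event and project data is reloaded either way. `saveSessionSecurity`, the `deps` object (standing in for the SDK, `invalidate` and the analytics helpers) and the event strings are hypothetical, and the failing stub is constructed.

```javascript
// Hypothetical helper; event strings are constructed stand-ins for the Submit enum.
const Submit = {
    AuthSessionAlertsUpdate: 'auth_session_alerts_update',
    AuthInvalidateSession: 'auth_invalidate_session'
};

async function saveSessionSecurity(deps, projectId, settings) {
    const { projects, refresh, trackEvent, trackError } = deps;
    // Pair every API call with the analytics event that describes it.
    const operations = [
        {
            event: Submit.AuthSessionAlertsUpdate,
            run: () => projects.updateSessionAlerts({ projectId, alerts: settings.alerts })
        },
        {
            event: Submit.AuthInvalidateSession,
            run: () => projects.updateSessionInvalidation({ projectId, enabled: settings.invalidation })
        }
    ];
    // allSettled never rejects; the async wrapper also turns a synchronous throw into a rejection.
    const results = await Promise.allSettled(operations.map(async (op) => op.run()));
    const failed = [];
    results.forEach((result, i) => {
        if (result.status === 'fulfilled') {
            trackEvent(operations[i].event);
        } else {
            trackError(result.reason, operations[i].event);
            failed.push(operations[i].event);
        }
    });
    // Reload project data even after a partial failure: one setting may have been saved.
    await refresh();
    return { ok: failed.length === 0, failed };
}

// Constructed stubs: the alerts update succeeds, the invalidation update is rejected.
function demoDeps(log) {
    return {
        projects: {
            updateSessionAlerts: async () => ({}),
            updateSessionInvalidation: async () => { throw new Error('constructed failure'); }
        },
        refresh: async () => log.push('refresh'),
        trackEvent: (event) => log.push(`ok:${event}`),
        trackError: (error, event) => log.push(`error:${event}:${error.message}`)
    };
}
const demoLog = [];
saveSessionSecurity(demoDeps(demoLog), 'demo', { alerts: true, invalidation: true })
    .then((out) => console.log(out, demoLog));
```

The caller can use the returned `failed` list to show which of the two settings was not applied instead of a single generic error.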
