Refactor overview page, optimize performance, and enhance security #5
Merged
Split the 337-line overview _client.tsx into focused modules:
- use-overview-stats: balance, income, spending calculations
- use-bar-chart-data: monthly spending bar chart aggregation
- use-pie-chart-data: category spending pie chart with config
- SpendingOverviewCard: bar chart card with range selector (React.memo)
- SpendingByCategoryCard: pie chart card (React.memo)
Overview _client.tsx reduced from ~337 to ~110 lines.
React.memo on 8 presentational components: theme-toggle, header, hero-section, pricing-section, notification-menu, user-menu, blog-post-card, feature-card. useCallback on event handlers in 7 client pages: transactions (4), accounts (4), accounts/[id] (4), reports (6), notification-menu (2), user-menu (2), settings (1), profile (1). Suspense boundaries around dynamic imports in analytics, transactions, accounts, accounts/[id], and account-settings. Delete unused budget-radar and transactions-analytics components.
…ability
- Move in-memory aggregations to DB groupBy/aggregate in aiService and send-weekly-digest worker
- Fix N+1 in categoryRouter delete with iterative BFS + batch deleteMany
- Wrap recurring transaction create + rule update in db.$transaction()
- Add 429 rate limit detection in callGeminiWithRetry with exponential backoff (5s/10s/20s) and TOO_MANY_REQUESTS error code
- Fix email template-cache to use __dirname instead of process.cwd()
- Add outputFileTracingIncludes for serverless template bundling
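The 429 handling described in the commit above, as an added example that is not the PR's code: a retry wrapper that treats only HTTP 429 as retryable, waits 5s, then 10s, then 20s, and surfaces a `TOO_MANY_REQUESTS` error once the schedule is exhausted. The `callWithRetry` name, the `HttpLikeError` shape and the `RateLimitedError` class are assumptions standing in for the project's `callGeminiWithRetry` and its SDK's error type; `sleep` is injectable so the schedule can be checked without waiting.

```typescript
// Added example (not the project's code). Retry schedule from the commit
// message: 5s, 10s, 20s; after that the rate limit is surfaced as an error.
export const BACKOFF_SCHEDULE_MS: readonly number[] = [5_000, 10_000, 20_000];

/** Error surfaced to callers once retries are exhausted (name and code assumed). */
export class RateLimitedError extends Error {
  readonly code = "TOO_MANY_REQUESTS";
  constructor(message: string, readonly status: number = 429) {
    super(message);
    this.name = "RateLimitedError";
  }
}

/** Minimal shape of the failure we inspect; the real SDK error differs (assumption). */
export interface HttpLikeError {
  status?: number;
  message?: string;
}

/** True only for HTTP 429; other 4xx/5xx responses are not retried here. */
export function isRateLimited(err: unknown): boolean {
  if (typeof err !== "object" || err === null) return false;
  const e = err as HttpLikeError;
  return e.status === 429 || /\b429\b/.test(e.message ?? "");
}

/** Delay before retry `attempt` (1-based); undefined once the schedule is exhausted. */
export function backoffDelayMs(attempt: number): number | undefined {
  return BACKOFF_SCHEDULE_MS[attempt - 1];
}

export interface RetryOptions {
  /** Injectable so tests can record delays instead of waiting (defaults to setTimeout). */
  sleep?: (ms: number) => Promise<void>;
  onRetry?: (attempt: number, delayMs: number) => void;
}

/** Runs `fn`, retrying on 429 with the fixed schedule; any other error propagates at once. */
export async function callWithRetry<T>(fn: () => Promise<T>, opts: RetryOptions = {}): Promise<T> {
  const sleep = opts.sleep ?? ((ms: number) => new Promise<void>((r) => setTimeout(r, ms)));
  for (let attempt = 1; ; attempt++) {
    try {
      return await fn();
    } catch (err) {
      if (!isRateLimited(err)) throw err;
      const delay = backoffDelayMs(attempt);
      if (delay === undefined) {
        // Three retries (5s, 10s, 20s) have failed: stop hammering the upstream API.
        throw new RateLimitedError(`rate limited after ${attempt - 1} retries`);
      }
      opts.onRetry?.(attempt, delay);
      await sleep(delay);
    }
  }
}
```

Keeping the schedule fixed and short matters for a serverless worker: an open-ended retry loop would hold the function alive, and retrying non-429 failures (a 400 for a malformed prompt, say) would only repeat the same error.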
All 7 GAP.md optimization phases are complete. Clear the roadmap and add structure.md with proposed folder reorganization (7 changes covering lib/ cleanup, constant consolidation, and hook co-location). Fix README badge formatting.
… email templates
- Reorganize components into branding/, layout/, pickers/, theme/ subdirs
- Co-locate overview hooks into app/(features)/overview/_hooks/
- Move constants from lib/ to constants/ (formatting, events, icons, colors, etc.)
- Add tsconfig aliases (@ui/*, @common/*, @shared/*, @skeletons/*) and migrate imports
- Delete dead code (info-menu, fileService, server/utils)
- Add nodemailer SMTP transport as fallback when Resend fails
- Make RESEND_API_KEY and EMAIL_FROM optional in env schema
- Upgrade all 7 email templates to production grade with dark mode, MSO/Outlook support, mobile responsive design, preheader text, and emerald theme CTA buttons
Patches CVE-2025-66478 (RCE), CVE-2025-55183 (source exposure), CVE-2025-55184/67779 (DoS) that blocked Vercel deployment.
- Add Content-Security-Policy header to next.config.js
- Fix report resend: use Handlebars template, enforce ctx.user.email
- Sanitize upload fileName with regex validation
- Strengthen signup password (uppercase, number, special char)
- Reduce transaction list max from 1000 to 100
- Add string length limits and decimal precision to schemas
- Fix budget amount allowing zero (min 0.01)
The useUserStore duplicated React Query state, causing sync bugs and unnecessary complexity. React Query is now the single source of truth for user data across all components.
- Delete src/store/userStore.ts
- Remove Zustand sync useEffect from use-user.ts
- Rewrite use-auth.ts to use React Query cache management
- Remove manual store sync from login-form, user-menu, edit-profile-section, and profile-settings
- Add error.tsx boundaries for (features) and (auth) route groups with contextual recovery actions
- Fix useIsMobile hook: initialize state as undefined to prevent server/client hydration mismatch on mobile viewports
- Add composite index on Transaction(userId, accountId)
- Add index on Transaction(recurringRuleId)
- Add unique constraint on BankAccount(userId, name)
- Set explicit onDelete: SetNull on Transaction.recurringRule
- Fix pnpm version mismatch: 10 → 10.15.0 to match package.json
- Add build step with SKIP_ENV_VALIDATION to catch build errors in CI
- Add transaction-alert.html email template with red accent styling
- Create send-transaction-alert-email Inngest function
- Add TRANSACTION_ALERT_EVENT constant and emitTransactionAlert helper
- Wire budgetService.checkLargeTransaction to emit alert event
- Register transaction-alert template type in email service
- Register Inngest function in API route
…itelist, and HTTP status in errors
- Export compileTemplate() to consolidate Handlebars usage in one module
- Add email regex validation in sendEmail() before attempting delivery
- Whitelist allowed template names in template-cache to prevent path traversal
- Include HTTP status code in Resend API error messages for retry logic
- Add "ai-insight" to SendTemplateEmailOptions template union
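An added example, not the project's own template-cache or upload code, showing the two path controls mentioned in this commit and in the earlier "Sanitize upload fileName with regex validation" commit: an allowlist of template names backed by a resolved-path containment check, and a regex that restricts upload file names to a single safe path segment. The template names, the `templateDir` argument, the regex and the fallback naming policy are assumptions.

```typescript
import * as path from "node:path";

// Added example, not the project's code. Template names and directory are assumptions.
export const ALLOWED_TEMPLATES: ReadonlySet<string> = new Set([
  "welcome",
  "ai-insight",
  "transaction-alert",
  "weekly-digest",
]);

/**
 * Maps a template name to a file path. The allowlist is the primary control;
 * the containment check is defence in depth in case the allowlist is ever
 * widened to values derived from user input.
 */
export function resolveTemplatePath(name: string, templateDir: string): string {
  if (!ALLOWED_TEMPLATES.has(name)) {
    throw new Error(`unknown email template: ${JSON.stringify(name)}`);
  }
  const root = path.resolve(templateDir);
  const full = path.resolve(root, `${name}.html`);
  if (!full.startsWith(root + path.sep)) {
    throw new Error("template path escaped the template directory");
  }
  return full;
}

/**
 * Upload file names: one path segment of letters, digits, dot, dash and
 * underscore, not starting with a dot, at most 128 characters, never
 * containing "..". Separators and control characters are rejected outright
 * rather than stripped, so there is no "clean-up" step to get wrong.
 */
const SAFE_UPLOAD_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;

export function isSafeUploadFileName(name: string): boolean {
  return SAFE_UPLOAD_NAME.test(name) && !name.includes("..");
}

/** Keeps a valid name as-is; otherwise generates a fresh name, preserving only a plain extension (assumed policy). */
export function sanitizeUploadFileName(name: string, fallbackBase = "upload"): string {
  if (isSafeUploadFileName(name)) return name;
  const ext = path.extname(name).toLowerCase();
  const safeExt = /^\.[a-z0-9]{1,8}$/.test(ext) ? ext : "";
  return `${fallbackBase}-${Date.now()}${safeExt}`;
}
```

The two checks fail in different ways on purpose: an unknown template name is a programming error and throws, while a hostile upload name is expected input and is replaced rather than rejected, so the upload still succeeds under a server-chosen name.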
…, and auth rate limiting
- Verify category ownership in scanReceipt and categorizeTransactions AI endpoints
- Add isValidRedirectPath() guard in middleware to prevent open redirect via redirectTo param
- Add IP-based rate limiting (10/min) to auth API endpoints using existing Upstash infrastructure
… migration, and select clauses
- Create event-schemas.ts with Zod schemas for all 4 event types
- Replace unsafe `as { ... }` casts with schema.parse() for runtime validation
- Use NonRetriableError for permanent failures (budget/user not found)
- Migrate all 5 workers from manual .replace() to compileTemplate() (Handlebars)
- Add targeted select clauses to budget, recurring, and budget-alert worker queries
- Remove unused RecurringRule type import and fix generate-monthly-report casts
…, and isFinite guard
- Remove raw AI response content from parseAIResponse and parseReceiptAIResponse error messages
- Add 30-day date filter to detectAnomalies query to limit data scope
- Add Number.isFinite() guard to categoryConfidence parsing in receipt scanner
… category lookups
- accountRouter.getById: add userId to findUnique WHERE, remove post-query auth check
- categoryRouter.byId: add userId to findUnique WHERE, remove post-query auth check
- Remove userId from select clauses where no longer needed
…heckLowBalance
- Bulk-load full budget objects with category relations in evaluateBudgets()
- Pass cached budget to reevaluateBudget() via optional param to avoid re-fetch
- Add userId ownership check to checkLowBalance account lookup
…rs during static generation
- Add export const dynamic = "force-dynamic" to /api/ai/categorize and /api/ai/scan-receipt
- Prevents Next.js from evaluating PrismaClient constructor during build page collection
…zation in settings
- Remove server-side createLogger import from error.tsx (use client component)
- Convert Decimal fields (lowBalanceThreshold, largeTransactionThreshold) to numbers in settingsRouter.getAll to fix RSC-to-Client serialization error
…ompatibility
Replace the T3 env import with process.env.NODE_ENV so the logging module can be safely imported in "use client" components without triggering the server-side environment variable access error.
Use a Proxy to defer PrismaClient construction until first runtime access. During Next.js builds the module graph is evaluated but no DB queries run; eager construction fails in CI where DATABASE_URL is absent and Prisma 7 client engine requires an adapter.
🎉 This PR is included in version 1.2.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
This pull request introduces several improvements and refactors across the codebase, focusing on environment variable organization, dependency updates, security enhancements, and UI code cleanup. The most significant changes include a major overhaul of the `.env.example` file for clarity and completeness, updates to core dependencies, improved redirect validation for authentication, and refactoring of UI imports and handler functions for better maintainability.

Environment & Configuration Updates:
- Overhauled the `.env.example` file, grouping variables by theme (Core, Database, Authentication, Email, AI, Jobs, Image Uploads, Logging, Rate Limiting) and adding missing variables for email and AI services. This improves clarity for developers setting up the project.

Dependency & Workflow Upgrades:
- Updated core dependencies in `package.json` (`next`, `react`, `react-dom`, `nodemailer`, `eslint-config-next`, and added `@types/nodemailer`), ensuring compatibility and security.
- Fixed the `pnpm` version (10.15.0) and added a build step with environment validation skipped, improving reliability of builds.

Security Enhancements:
- Added a check in `middleware.ts` to validate redirect paths, preventing open redirect attacks by only allowing relative paths. Integrated this check into the authentication middleware.

Database Schema Improvements:
- Added a unique constraint on `BankAccount` for `(userId, name)` and new indexes on `Transaction` for improved query performance and data integrity. Also updated the relation on `recurringRule` to set null on delete.

UI Refactor & Code Cleanup:
- Updated imports to the new path aliases (`@ui/button`, `@common/transactions-table`) for consistency and easier maintenance across multiple files (`src/app/(features)/accounts/[id]/_client.tsx`, `src/app/(features)/accounts/[id]/loading.tsx`).
- Added `Suspense` boundaries for async component loading (`src/app/(features)/accounts/[id]/_client.tsx`).

These changes collectively enhance developer experience, security, performance, and maintainability of the project.
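The `isValidRedirectPath()` guard named in the security section above and in the "Add isValidRedirectPath() guard in middleware" commit, as an added example that is not the PR's implementation. It accepts only absolute-path references on the current origin and rejects the variants a browser would treat as a different host: protocol-relative (`//host`), scheme-bearing, backslash, and percent-encoded forms of the same. The `safeRedirectTarget` helper and its `/overview` fallback are assumptions.

```typescript
// Added example, not the PR's implementation. Accepts only same-origin
// absolute-path references such as "/accounts/42?tab=x".
export function isValidRedirectPath(raw: string | null | undefined): boolean {
  if (!raw) return false;
  let p: string;
  try {
    p = decodeURIComponent(raw); // so "%2F%2Fhost" is judged as "//host"
  } catch {
    return false; // malformed percent-encoding
  }
  // Exactly one leading slash: "//host" and "/\host" are protocol-relative to browsers.
  if (!p.startsWith("/") || p.startsWith("//") || p.startsWith("/\\")) return false;
  // No backslashes, control characters or newlines anywhere (header injection, parser quirks).
  if (/[\\\u0000-\u001f\u007f]/.test(p)) return false;
  // Finally parse against a fixed origin and confirm the origin did not change.
  const url = new URL(p, "http://app.invalid");
  return url.origin === "http://app.invalid";
}

/** Chooses the post-login destination; the `/overview` fallback is an assumption. */
export function safeRedirectTarget(raw: string | null | undefined, fallback = "/overview"): string {
  return isValidRedirectPath(raw) ? (raw as string) : fallback;
}
```

Decoding before the checks is the important step: a guard that looks at the raw query string would pass `%2F%2Fhost`, and the framework's redirect would then decode it into a protocol-relative URL. The final `URL` parse is a second opinion from the same parser the browser family uses, which catches forms the hand-written checks did not anticipate.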