Auto send to google sheets #1
Summary by CodeRabbit
Walkthrough
Updates API credentials, enables Google Sheets integration via a global flag, modifies data submission to use TSV format instead of key-value pairs, and adjusts button state and UI reset timing during form submission. Configuration event data is also updated.
Sequence Diagram
sequenceDiagram
participant User
participant scoutingPASS as scoutingPASS.js
participant googleSheets as googleSheets.js
participant GAS as Google Apps<br/>Script
User->>scoutingPASS: Submit form (enableGoogleSheets = true)
scoutingPASS->>googleSheets: Trigger submission
googleSheets->>googleSheets: Disable button
googleSheets->>googleSheets: getData("tsv")
googleSheets->>GAS: POST TSV data (no-cors)
GAS-->>googleSheets: Response
googleSheets->>googleSheets: Enable button (disabled = false)
googleSheets->>googleSheets: Update label
googleSheets-->>User: Show success alert
Estimated Code Review Effort: 🎯 3 (Moderate) | ⏱️ ~18 minutes
Actionable comments posted: 4
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
resources/js/googleSheets.js (1)
13-21: ⚠️ Potential issue | 🟡 Minor
no-cors makes server-side errors invisible; alert() silently drops its second argument.
Two related issues:
alert() accepts exactly one argument — response (an opaque Response object) and error.message passed as the second argument are both silently discarded. The error details are never shown to the user. The fix above addresses this with string concatenation for the error case.
With mode: 'no-cors', the response is always opaque — .then() fires for every server response, including HTTP 4xx/5xx. alert('Success!') will show even if the Apps Script fails to write the row. If reliable delivery confirmation is needed, configure the Apps Script to return proper CORS headers and switch to mode: 'cors' so the response status can be inspected.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@resources/js/googleSheets.js` around lines 13 - 21, The fetch call in googleSheets.js currently uses mode: 'no-cors' and alerts with multiple arguments, which hides server errors and makes responses opaque; change mode to 'cors' (after ensuring the Apps Script returns proper CORS headers) and handle the response by checking response.ok or response.status and reading the body (e.g., response.text()/response.json()) before alerting; also update the .then and .catch handlers that reference scriptURL and fd so alerts/logs concatenate a single string with the response details or error.message (e.g., "Success: " + responseText or "Error: " + error.message) instead of passing multiple arguments to alert.
| "code": "e", | ||
| "type": "event", | ||
| "defaultValue": "2026ilch", | ||
| "defaultValue": "2025casf", |
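Review bot: the defaultValue moves from "2026ilch" to "2025casf", a 2025 event code in the 2026 config, so every record submitted without editing the field is tagged to the wrong event. Keep the 2026 code, or set an empty string so the scout must enter one and the submit path can refuse an empty event code.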
Stale 2025 event code as default in a 2026 config.
"2025casf" is a past event. Any scout who doesn't manually update this field will submit data tagged to the wrong event. Update the default to the actual 2026 event code before deployment, or leave it blank to force explicit entry.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@2026/rebuilt_config.js` at line 18, The defaultValue currently set to
"2025casf" in rebuilt_config.js is stale; update the defaultValue for the event
code (the "defaultValue" field) to the correct 2026 event code string or set it
to an empty string to force explicit entry by users before submission so records
aren't tagged to the wrong event.
| @@ -1,20 +1,20 @@ | |||
| function setUpGoogleSheets() { | |||
| const scriptURL = '<SCRIPT URL>' | |||
| const scriptURL = 'https://script.google.com/macros/s/AKfycbxYpArzIdDBCy3ZZmjH2KZTErAfJWl0OsqWO_46VfBQaPsyqC0CuW3rL8fK_Qp80zE/exec' | |||
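Review bot: replacing the '<SCRIPT URL>' placeholder with the live deployment URL publishes the endpoint together with the repository; an Apps Script web app that is deployed for anonymous access will accept a POST from anyone who holds that URL. Keep the placeholder in source and load the real URL from a gitignored config (the same pattern proposed for the TBA key), and because this URL is now in git history, create a new deployment and archive this one so the published URL stops working.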
Hardcoded Google Apps Script URL in source.
If this repository is public, the deployment URL is visible to anyone, which could allow unsolicited POST requests to the connected Sheet. Consider loading the URL from a config file excluded by .gitignore or from a user-configurable field in the app, consistent with how the TBA auth key should be handled.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@resources/js/googleSheets.js` at line 2, The hardcoded deployment URL
(scriptURL) in resources/js/googleSheets.js should be removed and loaded from a
configuration source instead; replace direct use of the scriptURL constant with
a runtime-config value (e.g., an env/config loader or a user-configurable
setting in the app like the existing TBA auth key handling) and ensure the
config file or env file is excluded via .gitignore. Update any code that
references scriptURL to read from the new config API (maintain the same
identifier name scriptURL or use a getter function) and add
validation/sanitization for the URL before making POST requests. Finally,
document where to set the URL in configuration and add a safe default or a clear
error when the config is missing.
| form.addEventListener('submit', e => { | ||
| e.preventDefault() | ||
| btn.disabled = true | ||
| btn.disabled = false |
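Review bot: this hunk inverts the guard from btn.disabled = true to btn.disabled = false, so the button is never disabled and a second click can start a second POST while the first is in flight. The value here should stay true, with the re-enable and the label reset moved into a .finally() on the fetch chain so they run exactly once, on success and on failure, only after the request settles.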
Button is never actually disabled during submission, and the re-enable runs before the fetch resolves.
Line 9 sets btn.disabled = false (a no-op — it's already enabled), so there is zero double-submit protection. It should be true. Lines 23–24 are outside the .then()/.catch() chain, so they run synchronously immediately after fetch() is initiated — the button is re-enabled and the label is reset before the network request completes. The user sees "Sending..." for a fraction of a second and can re-click while the first request is still in flight.
Move the reset inside both callbacks and disable on submission:
🐛 Proposed fix for button state and async ordering
form.addEventListener('submit', e => {
e.preventDefault()
- btn.disabled = false
+ btn.disabled = true
btn.innerHTML = "Sending..."
let fd = getData("tsv");
fetch(scriptURL, {
method: "POST",
mode: 'no-cors',
body: fd
})
.then(response => {
- alert('Success!', response) })
+ alert('Success!')
+ btn.disabled = false
+ btn.innerHTML = "Send to Google Sheets"
+ })
.catch(error => {
- alert('Error!', error.message)})
-
- btn.disabled = false
- btn.innerHTML = "Send to Google Sheets"
+ alert('Error! ' + error.message)
+ btn.disabled = false
+ btn.innerHTML = "Send to Google Sheets"
+ })
})
Also applies to: 23-24
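Review bot: the two reset lines (btn.disabled = false and btn.innerHTML = "Send to Google Sheets") are duplicated in the .then and .catch branches; a single .finally(() => { ... }) covers both paths and cannot be forgotten when one branch changes. Also, because mode: 'no-cors' is kept, the response stays opaque and alert('Success!') still fires for 4xx/5xx, so this fix restores double-submit protection but does not give delivery confirmation.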
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@resources/js/googleSheets.js` at line 9, The submit handler currently leaves
the button enabled (btn.disabled = false) and resets the label and re-enables
the button immediately after calling fetch(), causing double-submits; change the
initial disable to btn.disabled = true when starting the submission and move the
UI reset (re-enabling btn and restoring the button text) into the async
completion paths—either inside the fetch().then(...) and fetch().catch(...)
callbacks or a fetch().finally(...) handler so the button is only re-enabled
after the network request completes; update references to btn and the fetch call
in resources/js/googleSheets.js accordingly.
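The two review points above (the button re-enabled before the request settles, and the opaque no-cors response that makes every server error look like success) combined into one hardened handler, as an added example that is not the project's code. It assumes the Apps Script deployment returns CORS headers so mode: 'cors' can be used and that the URL comes from a config object rather than source; fetch, the button and the alert function are injected so it runs outside a browser, and validateScriptURL, createSubmitHandler and EXAMPLE_CONFIG are names chosen here.

```javascript
// Added example (not the project's code): hardened submit handler for the
// googleSheets.js flow discussed above. Assumptions: the Apps Script deployment
// sends CORS headers so mode: 'cors' works, the URL comes from config rather
// than source, and fetch/button/alert are injected so it runs without a browser.

// Accept only an https URL on script.google.com; the '<SCRIPT URL>' placeholder fails.
function validateScriptURL(url) {
  let parsed;
  try { parsed = new URL(url); } catch { return false; }
  return parsed.protocol === 'https:' && parsed.hostname === 'script.google.com';
}

// Builds the submit handler; btn is the DOM button (or a stand-in object).
function createSubmitHandler({ scriptURL, btn, getData, fetchImpl, notify }) {
  if (!validateScriptURL(scriptURL)) {
    throw new Error('scriptURL is missing or is not an https script.google.com URL');
  }
  return async function onSubmit(event) {
    if (event && event.preventDefault) event.preventDefault();
    if (btn.disabled) return { ok: false, reason: 'in-flight' }; // second click ignored
    btn.disabled = true;               // disable synchronously, before the first await
    btn.innerHTML = 'Sending...';
    try {
      const response = await fetchImpl(scriptURL, {
        method: 'POST', mode: 'cors', body: getData('tsv'),
      });
      // With mode: 'cors' the status is readable, so 4xx/5xx is reported as failure
      // instead of the unconditional 'Success!' an opaque no-cors response gives.
      if (!response.ok) {
        notify('Error! HTTP ' + response.status);
        return { ok: false, reason: 'http ' + response.status };
      }
      notify('Success!');
      return { ok: true };
    } catch (error) {
      notify('Error! ' + error.message);
      return { ok: false, reason: error.message };
    } finally {
      btn.disabled = false;            // runs on success and failure, after settle
      btn.innerHTML = 'Send to Google Sheets';
    }
  };
}

// Constructed placeholder config: EXAMPLE_DEPLOYMENT_ID is not a real deployment.
const EXAMPLE_CONFIG = {
  scriptURL: 'https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec',
};
```

In the page it would be wired as form.addEventListener('submit', createSubmitHandler({ scriptURL: config.scriptURL, btn, getData, fetchImpl: fetch, notify: alert })), with config loaded from the gitignored file.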
| var teams = null; | ||
| var schedule = null; | ||
| var authKey = "uTHeEfPigDp9huQCpLNkWK7FBQIb01Qrzvt4MAjh9z2WQDkrsvNE77ch6bOPvPb6"; | ||
| var authKey = "GAwCxK6FaW87ONKJU9QJBChxpvCRrozwpOThpzEraVe7NwaZ2sReFwCGnGg0yDWc"; |
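Review bot: swapping one hardcoded key for another does not fix the leak; the old key stays in git history and the new one is committed to the same file, so both should be treated as exposed and revoked in the TBA account. Because resources/js/TBAInterface.js runs in the browser, any key baked into the served script is readable by every user of the page, so the durable fix is a key supplied at runtime (a gitignored config file or a field on the scouting page) rather than a value compiled into the bundle.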
Rotate this key — API credentials must not be committed to source.
The TBA auth key is hardcoded and committed to a public repository. Gitleaks confirms this as a high-severity secret leak. Since the key is now in git history, it should be treated as compromised and rotated immediately.
Move the key out of source: inject it at runtime via a config file excluded by .gitignore, a build-time environment variable, or a user-provided input on the scouting page.
🧰 Tools
🪛 Gitleaks (8.30.0)
[high] 4-4: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
(generic-api-key)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@resources/js/TBAInterface.js` at line 4, Remove the hardcoded TBA auth key in
the authKey variable in TBAInterface.js and replace it with a runtime-injected
value (e.g., read from an environment/config variable or a JSON config loaded at
startup that is gitignored); update the code that references authKey to read
process.env.TBA_AUTH_KEY or a config getter instead, ensure the new config file
is added to .gitignore and document how to supply the key in deployment/build
steps, and rotate the compromised key immediately so the code no longer contains
the secret.
No description provided.