
Conversation

@brendan-kellam (Contributor) commented Feb 10, 2026

Fixes #871

Also improves error handling for /api/chat/blocking such that errors are actually propagated.

Summary by CodeRabbit

  • Bug Fixes
    • Resolved a security vulnerability where session links generated for code analysis operations were accessible to unauthenticated users.
    • Enhanced error handling in chat streaming to provide improved error recovery and reporting.


@coderabbitai bot (Contributor) commented Feb 10, 2026

Caution

Review failed

The pull request is closed.

Walkthrough

This PR fixes an issue where unauthenticated chat sessions created via MCP would be marked as PRIVATE with no owner, resulting in 404 errors when accessed. The fix makes chat visibility conditional (PRIVATE when authenticated, PUBLIC otherwise) and refactors error handling in the chat streaming APIs.

Changes

Cohort / File(s): Summary

  • Chat Session Visibility Fix
    packages/web/src/app/api/(server)/chat/blocking/route.ts
    Made chat visibility conditional based on authentication: PRIVATE when a user is present, PUBLIC otherwise. Enhanced error handling in the streaming path to convert non-ServiceError exceptions into ServiceErrorException with INTERNAL_SERVER_ERROR.
  • Error Handling Refactoring
    packages/web/src/app/api/(server)/chat/route.ts
    Externalized error handling via a new onError callback parameter in the CreateMessageStreamResponseProps interface and the createMessageStream function, replacing the internal errorHandler logic with a plumbed callback invocation.
  • Documentation
    CHANGELOG.md
    Added a Fixed entry documenting the resolution of session links being accessible to unauthenticated users in ask_codebase MCP calls.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • msukkari

Branch: bkellam/fix-SOU-439

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.
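The walkthrough above describes the rule the fix introduces (PRIVATE when a user is present, PUBLIC otherwise) and the error normalisation in the streaming path. The following is an added example, not code from the Sourcebot repository or from this PR: it models why a PRIVATE chat with no owner could be opened by nobody (the 404 in the linked issue), what the conditional visibility changes, and how a non-ServiceError exception gets wrapped as INTERNAL_SERVER_ERROR. The types and helpers (User, Chat, ServiceError, ServiceErrorException, canView, lookupStatus, the access rule in canView) are assumptions for this illustration, not the project's real definitions.

```typescript
// Added example (not Sourcebot code). All names below are assumptions.

type Visibility = "PRIVATE" | "PUBLIC";

interface User {
  id: string;
}

interface Chat {
  id: string;
  visibility: Visibility;
  ownerId: string | null;
}

// Before the fix: every blocking chat was created PRIVATE, even with no user.
function visibilityBeforeFix(_user: User | null): Visibility {
  return "PRIVATE";
}

// After the fix: PRIVATE only when a user is present, PUBLIC otherwise.
function visibilityAfterFix(user: User | null): Visibility {
  return user ? "PRIVATE" : "PUBLIC";
}

function createChat(
  id: string,
  user: User | null,
  pickVisibility: (u: User | null) => Visibility,
): Chat {
  return { id, visibility: pickVisibility(user), ownerId: user?.id ?? null };
}

// Access rule assumed here: a PUBLIC chat is readable by anyone holding the
// link; a PRIVATE chat only by its owner. A PRIVATE chat with a null owner
// therefore matches no viewer at all, which is what surfaced as a 404.
function canView(chat: Chat, viewer: User | null): boolean {
  if (chat.visibility === "PUBLIC") return true;
  return viewer !== null && chat.ownerId !== null && chat.ownerId === viewer.id;
}

// Status a session-link lookup would return for the given viewer.
function lookupStatus(chat: Chat, viewer: User | null): 200 | 404 {
  return canView(chat, viewer) ? 200 : 404;
}

// Error normalisation for the streaming path: a ServiceError passes through
// unchanged; anything else becomes INTERNAL_SERVER_ERROR so the failure
// reaches the caller instead of being swallowed.
interface ServiceError {
  statusCode: number;
  errorCode: string;
  message: string;
}

class ServiceErrorException extends Error {
  serviceError: ServiceError;
  constructor(serviceError: ServiceError) {
    super(serviceError.message);
    this.serviceError = serviceError;
  }
}

function isServiceError(value: unknown): value is ServiceError {
  return (
    typeof value === "object" &&
    value !== null &&
    typeof (value as ServiceError).statusCode === "number" &&
    typeof (value as ServiceError).errorCode === "string"
  );
}

function toServiceErrorException(err: unknown): ServiceErrorException {
  if (err instanceof ServiceErrorException) return err;
  if (isServiceError(err)) return new ServiceErrorException(err);
  const message = err instanceof Error ? err.message : String(err);
  return new ServiceErrorException({ statusCode: 500, errorCode: "INTERNAL_SERVER_ERROR", message });
}

// Walk through the scenario from the linked issue with constructed data.
function demo(): Record<string, number> {
  const anonymous: User | null = null;
  const alice: User = { id: "alice" };
  const bob: User = { id: "bob" };

  const brokenChat = createChat("mcp-1", anonymous, visibilityBeforeFix);
  const fixedChat = createChat("mcp-2", anonymous, visibilityAfterFix);
  const privateChat = createChat("web-1", alice, visibilityAfterFix);

  return {
    brokenAnonymous: lookupStatus(brokenChat, anonymous), // 404: PRIVATE, no owner
    brokenAlice: lookupStatus(brokenChat, alice),         // 404: nobody owns it
    fixedAnonymous: lookupStatus(fixedChat, anonymous),   // 200: PUBLIC
    fixedBob: lookupStatus(fixedChat, bob),               // 200: the link is enough
    privateOwner: lookupStatus(privateChat, alice),       // 200
    privateOther: lookupStatus(privateChat, bob),         // 404
    privateAnonymous: lookupStatus(privateChat, anonymous), // 404
  };
}

console.log(demo());
```

Under the access rule assumed in canView, the fix trades an unusable session for a link-readable one: a chat created through an unauthenticated ask_codebase call is now readable by anyone who obtains its URL, so such links should be handled as bearer capabilities rather than as references that are safe to log or share.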

brendan-kellam merged commit 081dc67 into main on Feb 10, 2026
9 of 10 checks passed
@claude bot commented Feb 10, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.


Development

Successfully merging this pull request may close these issues:

  • ask_codebase can return 404 research session links when blocking chats are created unauthenticated
