
fix: extract withAuth() guard and standardize auth checks in Server Actions#89

Merged
ryota-murakami merged 2 commits into main from fix/withauth-guard-standardize-63
Feb 11, 2026

Conversation

ryota-murakami (Contributor) commented Feb 11, 2026

Summary

Closes #63

  • Created reusable withAuth() higher-order function in src/lib/actions/auth-guard.ts that wraps Server Actions with Supabase authentication, eliminating repeated 4-line auth boilerplate
  • Applied withAuth to 16 mutating Server Actions across 3 files that previously had no authentication check:
    • board.ts (8 functions): updateStatusList, updateStatusListPosition, swapStatusListPositions, batchUpdateStatusListPositions, updateRepoCardPosition, batchUpdateRepoCardOrders, deleteBoard, updateBoard
    • project-info.ts (4 functions): upsertProjectInfo, updateComment, updateCommentColor, deleteComment
    • maintenance-project-info.ts (4 functions): upsertMaintenanceProjectInfo, updateMaintenanceComment, updateMaintenanceCommentColor, deleteMaintenanceComment
  • Input validation stays outside withAuth (fail-fast before auth overhead)
  • Functions that already had explicit auth checks (e.g., createBoard, toggleBoardFavorite) were left unchanged

Test plan

  • pnpm typecheck passes
  • pnpm lint passes (zero warnings)
  • pnpm build succeeds
  • pnpm test — all 85 test files / 1202 tests pass
  • Verify protected actions reject unauthenticated requests in E2E

Summary by CodeRabbit

  • Refactor
    • Centralized authentication handling for server operations to improve consistency and reliability of access control across the application.

…ctions

Closes #63

- Created `src/lib/actions/auth-guard.ts` with reusable `withAuth` HOF
  that handles Supabase client creation + user authentication in one place
- Wrapped 16 mutating Server Actions that previously had no auth check:
  - board.ts: 8 functions (updateStatusList, updateStatusListPosition,
    swapStatusListPositions, batchUpdateStatusListPositions,
    updateRepoCardPosition, batchUpdateRepoCardOrders, deleteBoard,
    updateBoard)
  - project-info.ts: 4 functions (upsertProjectInfo, updateComment,
    updateCommentColor, deleteComment)
  - maintenance-project-info.ts: 4 functions (upsertMaintenanceProjectInfo,
    updateMaintenanceComment, updateMaintenanceCommentColor,
    deleteMaintenanceComment)
- Input validation stays outside withAuth (fail-fast before auth overhead)
- Functions that already had explicit auth checks were left unchanged
vercel bot (Contributor) commented Feb 11, 2026

Project: gitbox | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Feb 11, 2026 2:39pm

coderabbitai bot commented Feb 11, 2026

Walkthrough

A new withAuth wrapper is introduced to centralize server-side authentication logic, eliminating repeated auth boilerplate. Multiple board-related Server Actions are refactored to use this wrapper instead of inline auth checks, ensuring consistent defense-in-depth verification across mutations.

Changes

Cohort / File(s): Authentication Guard Utility (src/lib/actions/auth-guard.ts)
Summary: New module exporting a withAuth<T> higher-order function that wraps Server Actions to centralize Supabase client creation, user authentication via supabase.auth.getUser(), and error handling with "Authentication required" message.

Cohort / File(s): Board Actions Refactored (src/lib/actions/board.ts)
Summary: Applies withAuth wrapper across multiple Server Actions (updateStatusList, updateStatusListPosition, swapStatusListPositions, batchUpdateStatusListPositions, updateRepoCardPosition, batchUpdateRepoCardOrders, deleteBoard, updateBoard, etc.), removing direct client creation and explicit auth checks from each function body while preserving existing error handling and Sentry reporting.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🛡️ No more auth repeat, four lines gone in every treat,
The guard stands tall, one wrapper to call,
Twenty functions secured with grace, consistent checks throughout the place! ✨

Pre-merge checks (5 passed)
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed Title clearly and concisely summarizes the main change: extracting a withAuth guard and standardizing auth checks across Server Actions, which directly aligns with the changeset.
Linked Issues check ✅ Passed PR fully addresses issue #63 requirements: implements withAuth higher-order function, applies it to 16 mutating Server Actions lacking explicit auth checks, maintains input validation outside withAuth, leaves already-protected actions unchanged, and achieves estimated ~80 line reduction.
Out of Scope Changes check ✅ Passed All changes are directly scoped to issue #63: new withAuth guard module and refactoring of specified Server Actions. No unrelated modifications detected in the changeset.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.



codecov-commenter commented Feb 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.33%. Comparing base (c62046a) to head (1e3c738).

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #89   +/-   ##
=======================================
  Coverage   74.33%   74.33%           
=======================================
  Files         119      119           
  Lines        3873     3873           
  Branches     1062     1030   -32     
=======================================
  Hits         2879     2879           
  Misses        971      971           
  Partials       23       23           


github-actions bot commented Feb 11, 2026

🧪 E2E Coverage Report (Sharded: 12 parallel jobs)

Metric Coverage
Lines 93.59%
Functions 17.66%
Branches 16.85%
Statements 30.42%

📊 Full report available in workflow artifacts

ryota-murakami (Contributor, Author) commented:

@coderabbitai full review

coderabbitai bot commented Feb 11, 2026

✅ Actions performed

Full review triggered.

Resolve conflicts between withAuth() guard (PR #89) and project-info
unification (PR #91):
- board.ts: combine withAuth() wrapper with atomic RPC functions
- project-info.ts, maintenance-project-info.ts: keep thin wrappers
  from shared-project-info.ts core (auth handled in core module)

coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/lib/actions/board.ts (1)

943-1045: ⚠️ Potential issue | 🟠 Major

updateBoardSettingsAction is a mutating action with no auth check.

This action writes to the board table (line 1032–1035) but never verifies the user is authenticated — it calls createClient() directly at line 975 with no getUser() or withAuth. Every other mutating board action now has an explicit auth guard. This one was likely overlooked.

Consider wrapping the DB read+write portion with withAuth, or at minimum adding a getUser() check before the mutations, consistent with the rest of this file.

@ryota-murakami ryota-murakami merged commit 683c55b into main Feb 11, 2026
20 checks passed
@ryota-murakami ryota-murakami deleted the fix/withauth-guard-standardize-63 branch February 11, 2026 14:50


Development

Successfully merging this pull request may close these issues.

Extract withAuth() guard and standardize auth checks in Server Actions

2 participants