💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 16b6182a85
| if (body.action === "approve" || body.action === "reject") { | ||
| if (!body?.requestId) { | ||
| return NextResponse.json({ ok: false, error: "requestId is required" }, { status: 400 }); | ||
| } |
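Review bot: the guard `if (!body?.requestId)` uses optional chaining, but the enclosing condition `if (body.action === "approve" || body.action === "reject")` has already dereferenced `body` without it, so a null or missing JSON body throws before this check is reached; validate `body` once at the top of the handler (returning 400) or drop the `?.` so the two lines agree. The `requestId` check is also the only validation in this branch, and it runs before any caller check, so an authorization test should sit ahead of this `if`.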
Require auth before processing join-request decisions
This handler performs privileged approve/reject actions without verifying the caller, so any unauthenticated client that knows a requestId can change request status and, on approve, trigger addXmtpGroupMember. Because this endpoint is publicly reachable as a Next.js route, it bypasses the owner-only controls used elsewhere (LEXON_OWNER_IDS) and allows unauthorized admission decisions for the coordination group.
| const updated = updateJoinRequestStatus( | ||
| body.requestId, | ||
| body.action === "approve" ? "approved" : "rejected" | ||
| ); |
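Review bot: `updated` is assigned but its not-found case is not visible in this hunk; if `updateJoinRequestStatus` returns nothing for an unknown `requestId`, the handler should return 404 at this point rather than continue to the XMTP add. The call also transitions the record unconditionally, so consider restricting it to requests whose current status is `pending`, otherwise a second approve or reject on an already-settled request silently flips the stored decision.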
Update join status only after XMTP add succeeds
The request is marked approved before addXmtpGroupMember is attempted, so if XMTP membership fails (invalid address, missing group, transient SDK error) the API returns 500 but leaves persisted state as approved. That creates inconsistent state and makes retries harder because the item is no longer pending in the dashboard flow.
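The two review points above (authorize before processing, and persist the approval only after the XMTP add succeeds) combined in one handler, as an added example that is not the PR's code. It is framework-agnostic so it runs without Next.js: the route's `NextResponse.json(body, { status })` is modelled as a plain `{ status, body }` result, the store and the failing XMTP client are constructed in-memory stand-ins, `LEXON_OWNER_IDS` is assumed to be an allow-list of caller ids, and the caller id is assumed to arrive already resolved from the request's session. The names `requestId`, `updateJoinRequestStatus` and `addXmtpGroupMember` are taken from the hunks; everything else is assumed.

```typescript
// Added example, not the project's code. Models the join-request decision route
// with (1) an owner check before any state is touched and (2) the status update
// deferred until the XMTP group add has succeeded.

type Status = "pending" | "approved" | "rejected";
interface JoinRequest { id: string; address: string; status: Status }
interface DecisionBody { action?: string; requestId?: string }
interface Result { status: number; body: { ok: boolean; error?: string; request?: JoinRequest } }

// Constructed in-memory store standing in for the PR's persistence layer.
const requests = new Map<string, JoinRequest>();
function seed(): void {
  requests.clear();
  requests.set("req-1", { id: "req-1", address: "0xabc", status: "pending" });
  requests.set("req-2", { id: "req-2", address: "0xbad", status: "pending" });
}
function updateJoinRequestStatus(id: string, status: Status): JoinRequest | undefined {
  const r = requests.get(id);
  if (!r) return undefined;
  r.status = status;
  return r;
}

// Fake XMTP client (constructed): the real SDK call is async and would be awaited
// at the same point; here it throws for one address to exercise the failure path.
function addXmtpGroupMember(address: string): void {
  if (address === "0xbad") throw new Error("xmtp: invalid address");
}

// Assumed owner allow-list; LEXON_OWNER_IDS is referenced by the review but not shown.
const LEXON_OWNER_IDS = new Set<string>(["owner-1"]);

function handleDecision(callerId: string | undefined, body: DecisionBody | null): Result {
  // 1. Authorize first: unauthenticated or non-owner callers never reach the state machine.
  if (!callerId || !LEXON_OWNER_IDS.has(callerId)) {
    return { status: 403, body: { ok: false, error: "owner only" } };
  }
  // 2. Validate the body itself before dereferencing its fields.
  if (!body || (body.action !== "approve" && body.action !== "reject")) {
    return { status: 400, body: { ok: false, error: "action must be approve or reject" } };
  }
  if (!body.requestId) {
    return { status: 400, body: { ok: false, error: "requestId is required" } };
  }
  const req = requests.get(body.requestId);
  if (!req) {
    return { status: 404, body: { ok: false, error: "unknown requestId" } };
  }
  // Only pending requests may transition; a settled decision cannot be flipped by a replay.
  if (req.status !== "pending") {
    return { status: 409, body: { ok: false, error: `request already ${req.status}` } };
  }
  // 3. For approve, perform the external side effect before persisting anything.
  if (body.action === "approve") {
    try {
      addXmtpGroupMember(req.address);
    } catch (e) {
      // Status stays "pending", so the item remains visible for retry in the dashboard.
      const msg = e instanceof Error ? e.message : String(e);
      return { status: 500, body: { ok: false, error: `xmtp add failed: ${msg}` } };
    }
  }
  // 4. Persist the decision only once it has actually taken effect.
  const updated = updateJoinRequestStatus(req.id, body.action === "approve" ? "approved" : "rejected");
  return { status: 200, body: { ok: true, request: updated } };
}

// Helper for inspection from tests or a REPL.
function getStatus(id: string): Status | undefined {
  return requests.get(id)?.status;
}
```

With this ordering a failed XMTP add leaves the request pending, which is what makes a retry possible; the remaining gap is the reverse case (member added, then the store write fails), so `addXmtpGroupMember` should tolerate being called again for an address that is already in the group.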