Migrate to the new Catroweb - share community platform. by dmetzner · Pull Request #5199 · Catrobat/Catroid

dmetzner · 2026-04-18T11:01:48Z

Summary

https://catrobat.atlassian.net/browse/IDE-317

Migrate Catroid from the old share.catrob.at API (custom 32-char tokens, offset pagination, /api/login/Login.json-style endpoints) to the new share.catrobat.org API v2 (JWT access/refresh tokens, cursor-based pagination, OpenAPI-compliant endpoints).

Prerequisite for the next Catroid release — old API endpoints removed as part of Catroweb API v2 standardization (ADR 2026-04-11).

Authentication

JWT token management: JwtTokenStore (EncryptedSharedPreferences), AuthService (Retrofit), AuthInterceptor (auto Bearer header + transparent 401 refresh), LoginRepository
Login flow: LoginDialogFragment → coroutine-based LoginRepository; Google OAuth simplified to single API call; registration & password reset open share WebView
WebView auth: JWT injected as BEARER cookie; cookie sync stores only access token; exit route (/{flavor}/exit) returns to app
Token validation: LoginRepository.validateToken() checks server-side; upload flow verifies before starting

API & Data

Project listings: Cursor pagination with {data, next_cursor, has_more} envelope, ImageVariants for responsive images, FeaturedProjectApi split from Room entity
Upload: Retrofit multipart POST /api/projects with Bearer auth; sends stored project_id so renamed projects update existing server entry instead of creating duplicates
Rate limit handling (HTTP 429): Upload and other write operations show a user-friendly "Too many requests — please wait and try again" message when the server returns 429, instead of a generic error
Downloads: New DownloadClient.kt with shared executeDownload/buildClientWithProgress helpers; extracts server UUID from URL and writes share URL into code.xml <header><url> for Catroweb remix detection
WebView download fix: shouldInterceptRequest now uses RFC 5987 filename*=utf-8'' parser for Content-Disposition (v2 API returns unquoted filenames); blob URL downloads guarded in DownloadListener
Media library: URLs updated to share.catrobat.org/{flavor}/media-library; proper Content-Disposition parsing (RFC 5987 filename* support)

Domain & URL changes

share.catrob.at → share.catrobat.org across all source files including intent filter
Constants.API_BASE_URL derived from Constants.MAIN_URL_HTTPS — respects WEB_TEST_FLAG/WEB_TEST_URL for test/staging
Community URLs use flavor name (pocketcode, luna, etc.) instead of hardcoded /app/

Security & quality

ErrorInterceptor fixed: .string() instead of .toString() for response body
JwtTokenStore.setAccessTokenOnly() validates JWT format before storing (rejects non-JWT cookies)
LoginRepository uses safeAuthCall helper to extract structured ApiErrorResponse from HTTP errors
DownloadClient.executeDownload wraps response in .use{} block (prevents connection leak)
DownloadClient restricts cleartext HTTP to BuildConfig.DEBUG only
LoginDialogFragment cancels LoginHelper coroutine in onDestroyView
ProjectUploadActivity.verifyUserIdentity() uses coroutine with job cancellation (replaces Thread { runBlocking })
Null-safe listFiles() calls in ProjectUploadService and ProjectUpload

Code cleanup

Extract shared UUID/URL regex to ProjectIdUtils
Convert getTags() to coroutine
Remove redundant downloadedProjectIds SharedPreferences
Remove TOCTOU exists() checks
Remove debug logging

Known issue (Catroweb)

Upload fails with JsonDataException: Expected BEGIN_OBJECT but was BEGIN_ARRAY at path $.tags — PHP returns [] for empty tags but {} for non-empty. Fix needed server-side (cast to object). Tracked separately.

Removed (17 old files)

ServerAuthenticator, LoginTask, RegistrationTask, 6 OAuth/check AsyncTasks, CatrobatServerCalls, HttpRequests, GetTagsTask, GetSurveyTask, DeleteTestUserTask, RegistrationDialogFragment, OAuthUsernameDialogFragment

Companion PR: Catrobat/Catroweb#6761 (adds project_id param to upload API)

Test plan

Build compiles clean (assembleCatroidDebug)
Unit tests pass: AuthInterceptorTest, LoginRepositoryTest, DownloadClientTest, WebViewActivityLoginCookieTest, CookieTest
Test fixtures updated for API v2 response format
CI green: Unit Tests, Code Analysis, Build APK, Instrumented Tests, Testrunner Tests, RTL Tests, SonarCloud
Test download from share with corrected Content-Disposition parsing
Test login end-to-end against share.catrobat.org
Test upload end-to-end (blocked by Catroweb tags fix)
Test all build flavors (luna, create@school, etc.)
Test 429 rate limit response shows user-friendly message

🤖 Generated with Claude Code

github-advanced-security

detekt found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

 import org.catrobat.catroid.web.WebConnectionException;

 import java.io.IOException;
+import kotlin.Lazy;


 import org.catrobat.catroid.utils.Utils;

 import java.util.Date;
+import kotlin.Lazy;


 import org.catrobat.catroid.utils.ToastUtil;
+import org.catrobat.catroid.web.LoginHelper;
+import org.catrobat.catroid.web.LoginRepository;
+import kotlin.Lazy;


-import org.catrobat.catroid.web.ServerCalls;
+import org.catrobat.catroid.web.LoginHelper;
+import org.catrobat.catroid.web.LoginRepository;
+import kotlin.Lazy;


sonarqubecloud · 2026-04-19T19:57:39Z

Quality Gate passed

Issues
12 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

hannesweilharter · 2026-04-27T14:22:52Z

The testcases testProjectCategoriesWithDefaultValues and testProjectCategoriesResponeHasCorrectStructure in CatroidWebServerTest are failing locally:

MainMenuFragmentTest.testCatrobatCommunitySectionIsDisplayed is also failing:

Replace old share.catrob.at API (custom 32-char tokens, offset pagination) with new share.catrobat.org API v2 (JWT access/refresh tokens, cursor-based pagination, OpenAPI-compliant endpoints). Key changes: - JWT token management with EncryptedSharedPreferences, AuthInterceptor for auto Bearer header + transparent 401 refresh - Cursor-based pagination with {data, next_cursor, has_more} envelope - New upload flow: Retrofit multipart POST /api/projects with Bearer auth - Send project_id on upload for re-upload of renamed projects - Store server project UUID in .server_project_id file (survives backup) - Set remix URL in code.xml on download for Catroweb remix detection - Show user-friendly message on HTTP 429 rate limit during upload - Domain migration: share.catrob.at → share.catrobat.org - RFC 5987 Content-Disposition parsing for download filenames - Extract shared UUID/URL regex to ProjectIdUtils - Convert getTags() to coroutine - Remove redundant downloadedProjectIds SharedPreferences - Removed 17 legacy files (ServerAuthenticator, AsyncTasks, etc.) Companion PR: Catrobat/Catroweb#6761 (adds project_id param to upload API) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Copilot

Pull request overview

This PR migrates Catroid’s community integration from the legacy share.catrob.at API to the new share.catrobat.org API v2, including JWT-based authentication, updated Retrofit endpoints/response models, cursor pagination, and revised download/upload flows.

Changes:

Introduces JWT auth stack (token store, auth service, auth-refresh interceptor, repository/helper) and adds targeted unit tests.
Reworks download plumbing (new DownloadClient, progress handling, remix URL injection) and updates URLs/constants to share.catrobat.org.
Updates UI strings/layouts and bumps Room DB to v3 with a migration that clears cached community data.

Reviewed changes

Copilot reviewed 162 out of 163 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
catroid/src/test/java/org/catrobat/catroid/test/web/LoginRepositoryTest.kt	Adds unit tests for JWT login/logout repository behavior.
catroid/src/test/java/org/catrobat/catroid/test/web/DownloadClientTest.kt	Adds unit tests for new `DownloadClient` success/error paths.
catroid/src/test/java/org/catrobat/catroid/test/web/CookieTest.kt	Updates/extends tests for new cookie flags format.
catroid/src/test/java/org/catrobat/catroid/test/web/AuthInterceptorTest.kt	Adds unit tests for bearer header + 401 retry behavior.
catroid/src/test/java/org/catrobat/catroid/test/utiltests/UtilsTest.java	Updates expected remix URLs to new domain.
catroid/src/test/java/org/catrobat/catroid/test/transfers/WebViewActivityLoginCookieTest.java	Updates WebView cookie tests for BEARER/JWT flow.
catroid/src/test/java/org/catrobat/catroid/test/transfers/ProjectDownloaderTest.java	Updates test download URL domain.
catroid/src/standalone/java/org/catrobat/catroid/common/FlavoredConstants.java	Updates flavored community/media-library URLs to new share domain.
catroid/src/pocketCodeBeta/java/org/catrobat/catroid/common/FlavoredConstants.java	Updates flavored community/media-library URLs to new share domain.
catroid/src/phiro/java/org/catrobat/catroid/common/FlavoredConstants.java	Updates flavored community/media-library URLs to new share domain.
catroid/src/mindstorms/java/org/catrobat/catroid/common/FlavoredConstants.java	Updates flavored community/media-library URLs to new share domain.
catroid/src/lunaAndCat/java/org/catrobat/catroid/common/FlavoredConstants.java	Updates flavored community/media-library URLs to new share domain.
catroid/src/embroideryDesigner/java/org/catrobat/catroid/common/FlavoredConstants.java	Updates flavored community/media-library URLs to new share domain.
catroid/src/createAtSchool/java/org/catrobat/catroid/common/FlavoredConstants.java	Updates flavored community/media-library URLs to new share domain.
catroid/src/catroid/java/org/catrobat/catroid/common/FlavoredConstants.java	Updates flavored community/media-library URLs to new share domain.
catroid/src/main/res/values/strings.xml	Adds/updates strings for new community UX + upload errors/progress.
catroid/src/main/res/values-zh-rTW/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-zh-rCN/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-yo-rNG/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-vi/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-uz/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-ur/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-uk/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-tw/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-tr/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-tl/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-th/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-te/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-ta/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-sw/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-sv/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-sr/strings.xml	Updates `share_website_text` + share URL in legal text.
catroid/src/main/res/values-sr-rSP/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-sr-rCS/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-sq/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-sk/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-si/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-sd/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-ru/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-ro/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-pt/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-pt-rBR/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-ps/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-pl/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-pa-rIN/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-no/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-nl/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-ms/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-ml/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-ml-rIN/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-mk/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-lt/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-ko/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-kn/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-kk/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-kab/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-ka/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-ja/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-iw/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-it/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-in/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-ig/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-hr/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-hi/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-ha/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-gu/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-gl/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-fr/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-fi/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-fa/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-fa-rIR/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-eu-rES/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-es/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-en-rGB/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-en-rCA/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-en-rAU/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-el/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-de/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-da/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-cs/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-chr/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-ca/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-bs/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-bn/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-bg/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-az/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-ar/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/values-af/strings.xml	Updates `share_website_text` domain.
catroid/src/main/res/layout/fragment_project_options.xml	Adds “Upload to community” option in project options.
catroid/src/main/res/layout/fragment_main_menu.xml	Adjusts community/featured section layout and labels.
catroid/src/main/res/layout/dialog_upload_project_progress.xml	Adds determinate upload progress + “processing” UI.
catroid/src/main/java/org/catrobat/catroid/web/requests/HttpRequests.kt	Removes legacy upload request builder (old API).
catroid/src/main/java/org/catrobat/catroid/web/ServerAuthenticator.kt	Removes legacy token-based authenticator (old API).
catroid/src/main/java/org/catrobat/catroid/web/ServerAuthenticationConstants.java	Removes legacy constants; keeps only Google client id.
catroid/src/main/java/org/catrobat/catroid/web/ProjectDownloader.kt	Improves project-name extraction + adds overload param.
catroid/src/main/java/org/catrobat/catroid/web/ProgressResponseBody.java	Decouples download progress callback from removed classes.
catroid/src/main/java/org/catrobat/catroid/web/ProgressRequestBody.kt	Adds upload request-body progress reporting.
catroid/src/main/java/org/catrobat/catroid/web/LoginRepository.kt	Adds coroutine-based auth repository with JWT storage.
catroid/src/main/java/org/catrobat/catroid/web/LoginHelper.kt	Adds coroutine helper for login/logout flows from Java UI.
catroid/src/main/java/org/catrobat/catroid/web/JwtTokenStore.kt	Adds encrypted JWT token storage + basic JWT format validation.
catroid/src/main/java/org/catrobat/catroid/web/DownloadClient.kt	Adds centralized download client with progress + safe `.use {}`.
catroid/src/main/java/org/catrobat/catroid/web/Cookie.kt	Updates cookie generation to include security flags.
catroid/src/main/java/org/catrobat/catroid/utils/Utils.java	Updates logout to clear JWT store + removes legacy token logic.
catroid/src/main/java/org/catrobat/catroid/utils/ProjectIdUtils.kt	Extracts UUID/URL regex helpers for remix/upload logic.
catroid/src/main/java/org/catrobat/catroid/utils/MediaDownloader.java	Updates media download UX/hooks for new download stack.
catroid/src/main/java/org/catrobat/catroid/utils/Extensions.kt	Adapts API models (tags/images/dates) to app domain models.
catroid/src/main/java/org/catrobat/catroid/ui/recyclerview/viewmodel/MainFragmentViewModel.kt	Minor cleanup.
catroid/src/main/java/org/catrobat/catroid/ui/recyclerview/fragment/SpriteListFragment.kt	Supports multi-asset returns from media library downloads.
catroid/src/main/java/org/catrobat/catroid/ui/recyclerview/fragment/MainMenuFragment.kt	Renames and re-wires “Explore share” click handling.
catroid/src/main/java/org/catrobat/catroid/ui/recyclerview/dialog/login/OAuthUsernameDialogFragment.java	Removes legacy OAuth username dialog flow.
catroid/src/main/java/org/catrobat/catroid/ui/recyclerview/dialog/login/LoginDialogFragment.java	Migrates login to coroutine-based `LoginRepository`/`LoginHelper`.
catroid/src/main/java/org/catrobat/catroid/ui/recyclerview/adapter/FeaturedProjectsAdapter.kt	Updates adapter to new featured-project model fields.
catroid/src/main/java/org/catrobat/catroid/ui/fragment/ProjectOptionsFragment.kt	Adds “Upload” action launching `ProjectUploadActivity`.
catroid/src/main/java/org/catrobat/catroid/ui/SpriteActivity.java	Supports multiple downloaded media file paths.
catroid/src/main/java/org/catrobat/catroid/ui/SignInActivity.java	Opens registration via WebView instead of removed dialog.
catroid/src/main/java/org/catrobat/catroid/ui/ProjectActivity.kt	Supports multiple downloaded media file paths.
catroid/src/main/java/org/catrobat/catroid/transfers/project/ProjectDownloadService.kt	Switches to `DownloadClient` + writes remix/share URL metadata.
catroid/src/main/java/org/catrobat/catroid/transfers/RegistrationTask.java	Removes legacy registration async task.
catroid/src/main/java/org/catrobat/catroid/transfers/MediaDownloadService.java	Switches to DI + `DownloadClient` for media downloads.
catroid/src/main/java/org/catrobat/catroid/transfers/LoginTask.java	Removes legacy login async task.
catroid/src/main/java/org/catrobat/catroid/transfers/GoogleLoginHandler.java	Simplifies Google login to single JWT OAuth call.
catroid/src/main/java/org/catrobat/catroid/transfers/GoogleLogInTask.java	Removes legacy Google login async task.
catroid/src/main/java/org/catrobat/catroid/transfers/GoogleExchangeCodeTask.java	Removes legacy exchange-code task (old flow).
catroid/src/main/java/org/catrobat/catroid/transfers/GetTagsTask.java	Removes legacy tags task (replaced by API v2).
catroid/src/main/java/org/catrobat/catroid/transfers/GetSurveyTask.java	Removes legacy survey task (replaced by Retrofit call).
catroid/src/main/java/org/catrobat/catroid/transfers/DeleteTestUserTask.java	Removes legacy server maintenance task.
catroid/src/main/java/org/catrobat/catroid/transfers/CheckUserNameAvailableTask.java	Removes legacy username availability task.
catroid/src/main/java/org/catrobat/catroid/transfers/CheckTokenTask.java	Removes legacy token check task.
catroid/src/main/java/org/catrobat/catroid/transfers/CheckOAuthTokenTask.java	Removes legacy OAuth-token check task.
catroid/src/main/java/org/catrobat/catroid/transfers/CheckEmailAvailableTask.java	Removes legacy email availability task.
catroid/src/main/java/org/catrobat/catroid/sync/ProjectsCategoriesSync.kt	Adapts sync to new response envelope (`data`).
catroid/src/main/java/org/catrobat/catroid/sync/FeaturedProjectsSync.kt	Adapts sync to new response envelope + new model mapping.
catroid/src/main/java/org/catrobat/catroid/retrofit/models/AuthModels.kt	Adds auth request/response/error models for API v2.
catroid/src/main/java/org/catrobat/catroid/retrofit/RetrofitWebServer.kt	Updates Retrofit API: cursor pagination, upload, media, tags, survey.
catroid/src/main/java/org/catrobat/catroid/retrofit/ErrorInterceptor.kt	Fixes error-body extraction (`string()` vs `toString()`).
catroid/src/main/java/org/catrobat/catroid/retrofit/AuthService.kt	Adds Retrofit auth endpoints for JWT login/refresh/logout/check.
catroid/src/main/java/org/catrobat/catroid/retrofit/AuthInterceptor.kt	Adds 401 refresh + retry interceptor for JWT auth.
catroid/src/main/java/org/catrobat/catroid/koin/CatroidKoinHelper.kt	Wires new auth/download components + adds DB migration wiring.
catroid/src/main/java/org/catrobat/catroid/db/DatabaseMigrations.kt	Adds MIGRATION_2_3 to clear cached community tables.
catroid/src/main/java/org/catrobat/catroid/db/AppDatabase.kt	Bumps Room schema version to 3.
catroid/src/main/java/org/catrobat/catroid/content/XmlHeader.java	Updates comments to reflect new share domain.
catroid/src/main/java/org/catrobat/catroid/common/Survey.java	Switches survey retrieval to Retrofit service call.
catroid/src/main/java/org/catrobat/catroid/common/Constants.java	Updates base URLs + adds API base + upload sizing/progress constants.
catroid/src/main/java/org/catrobat/catroid/ProjectManager.java	Minor cleanup in downloaded-projects loading.
catroid/src/debug/java/org/catrobat/catroid/ui/ProjectUploadTestActivity.kt	Updates debug override for new token verification workflow.
catroid/src/androidTest/java/org/catrobat/catroid/uiespresso/ui/fragment/MainMenuFragmentTest.kt	Updates UI test ID for renamed “Explore share” view.
catroid/src/androidTest/java/org/catrobat/catroid/uiespresso/ui/dialog/ReplaceExistingProjectDialogTest.java	Updates test download URL domain.
catroid/src/androidTest/java/org/catrobat/catroid/uiespresso/ui/activity/OpenFromShareLinkTest.java	Updates share link fixtures to new domain.
catroid/src/androidTest/java/org/catrobat/catroid/retrofittesting/CatroidWebServerTest.kt	Updates retrofit integration tests for new envelopes/models/URLs.
catroid/src/androidTest/assets/featured_projects_success_response.json	Updates fixture to API v2 envelope + image variants.
catroid/build.gradle	Updates intent-filter host and adds Moshi Kotlin dependency.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-04-28T12:57:00Z


 class Cookie(private val name: String, private val value: String) {
-    fun generateCookieString(): String = "$name=$value"
+    fun generateCookieString(): String = "$name=$value; HttpOnly; Secure; Path=/; SameSite=Strict"


Cookie.generateCookieString() always adds the Secure attribute. Since the app supports overriding the share base URL via BuildConfig.WEB_TEST_URL, any http:// test/staging URL would silently ignore this cookie and break WebView login. Consider adding Secure only for https URLs (or when you know the target is TLS) so webTestUrl remains usable.

Copilot · 2026-04-28T12:57:00Z

+	public interface DownloadProgressCallback {
+		void onProgress(long progress);
+	}
+
 	private final ResponseBody responseBody;
 	private BufferedSource bufferedSource;
-	private CatrobatServerCalls.DownloadProgressCallback progressCallback;
+	private DownloadProgressCallback progressCallback;

 	ProgressResponseBody(ResponseBody responseBody,
-			CatrobatServerCalls.DownloadProgressCallback progressCallback) {
+			DownloadProgressCallback progressCallback) {
 		this.responseBody = responseBody;


Progress calculation later in this class divides by contentLength(). OkHttp can return 0 or -1 (unknown length), which will cause an ArithmeticException or negative progress. Please guard for contentLength() <= 0 and either skip progress updates or report an indeterminate/bytes-read based progress.

Copilot · 2026-04-28T12:57:01Z

+        builder.networkInterceptors().add { chain ->
+            val originalResponse = chain.proceed(chain.request())
+            val body = ProgressResponseBody(originalResponse.body()) { progress ->
+                progressCallback(progress)
+            }
+            originalResponse.newBuilder().body(body).build()
+        }


The network interceptor wraps the response body with ProgressResponseBody using originalResponse.body(). OkHttp responses can legitimately have a null body (e.g., certain status codes / HEAD requests). If body is null this will crash; please handle the null case by returning the originalResponse unchanged (or by using an empty body) and avoid installing the progress wrapper.

Copilot · 2026-04-28T12:57:01Z

+    private fun setRemixUrlInProject(projectDir: File, serverProjectId: String) {
+        try {
+            val shareUrl = Constants.SHARE_PROJECT_URL + serverProjectId
+            val codeXml = File(projectDir, Constants.CODE_XML_FILE_NAME)
+            if (!codeXml.exists()) return
+
+            val content = codeXml.readText()
+            val updatedContent = content.replace(
+                ProjectIdUtils.URL_TAG_REGEX,
+                "<url>$shareUrl</url>"
+            )
+            codeXml.writeText(updatedContent)


setRemixUrlInProject() only replaces ... but does not handle the self-closing variants ( / ) that are explicitly handled in ProjectUpload.saveProjectId(). If downloaded projects contain an empty/self-closing url tag, the remix URL will never be written. Consider mirroring the same replacement cases here (or updating via an XML parser) to ensure consistent behavior.

PHP's json_encode returns [] for empty associative arrays and {} for non-empty. Add FlexibleMapAdapter (Moshi JsonQualifier) to handle both forms for tags/extensions fields — fixes JsonDataException crash in CatroidWebServerTest and categories sync. Hide featured projects RecyclerView when list is empty. Move assumeTrue before isDisplayed check in MainMenuFragmentTest so the test skips gracefully when no featured projects are available. Remove duplicate MIGRATION_2_3 left over from rebase conflict. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

hannesweilharter · 2026-04-29T14:30:12Z

testDoesNotShowNoInternetMsg and testCatrobatCommunitySectionIsDisplayed are failing here

hannesweilharter

please fix all warnings from github-advanced-security and detekt warnings, and have a look at the new SonarQube issues.

Also make sure to update the copyright year in every file.

dmetzner marked this pull request as draft April 18, 2026 11:03

dmetzner changed the title ~~CATROID-XXX Migrate to Catroweb API v2 with JWT authentication~~ CATROID-XXX Migrate to Catroweb v2 Apr 18, 2026