Skip to content

Add expense tracker app for CodeRabbit review demo#8

Closed
reeder32 wants to merge 1 commit into
mainfrom
demo/coderabbit-review
Closed

Add expense tracker app for CodeRabbit review demo#8
reeder32 wants to merge 1 commit into
mainfrom
demo/coderabbit-review

Conversation

@reeder32

@reeder32 reeder32 commented Mar 4, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Full-stack TypeScript expense tracker (Express + React + SQLite) with intentional bugs for automated review testing
  • Removes Claude and OpenAI GitHub Actions workflows — CodeRabbit is the sole reviewer
  • Bugs span security (SQL injection, auth bypass), logic errors, performance issues, and accessibility violations

What to look for

CodeRabbit should demonstrate:

  • Executive summary with risk assessment
  • Sequence diagrams for complex flows
  • Inline comments on security and performance issues
  • Suggested reviewers and labels
  • Pre-merge quality gate checks

Summary by CodeRabbit

Release Notes

  • New Features

    • Launched Team Expense Tracker application with user authentication.
    • Added expense creation and management with category organization.
    • Introduced dashboard displaying spending summary by category.
    • Added admin approval/rejection workflow for expenses.
    • Implemented reporting features with personal and team spending summaries.
    • Added expense data export capability.
  • Chores

    • Removed automated code review workflows.

Full-stack TypeScript app (Express + React + SQLite) with annotated
bugs across security, logic, performance, and accessibility categories.
Removes Claude and OpenAI GitHub Actions workflows to isolate CodeRabbit
as the sole automated reviewer.
@qodo-code-review

Copy link
Copy Markdown

Review Summary by Qodo

Add expense tracker app with intentional bugs for CodeRabbit review demo

✨ Enhancement 🧪 Tests

Grey Divider

Walkthroughs

Description
• Full-stack TypeScript expense tracker with intentional bugs for code review demonstration
• Removes Claude and OpenAI GitHub Actions workflows, isolating CodeRabbit as sole reviewer
• Backend: Express API with SQL injection, auth bypass, IDOR, race conditions, and CSV injection
  vulnerabilities
• Frontend: React app with XSS, localStorage token storage, missing accessibility landmarks, and
  unsafe HTML rendering
Diagram
flowchart LR
  A["Removed Workflows"] -->|Claude & OpenAI| B["GitHub Actions"]
  C["Backend Express API"] -->|Routes| D["Auth, Expenses, Reports"]
  D -->|Bugs| E["SQL Injection, IDOR, Race Conditions"]
  F["Frontend React App"] -->|Pages| G["Login, Dashboard, ExpenseList"]
  G -->|Bugs| H["XSS, Missing a11y, Unsafe Token Storage"]
  B -->|Replaced by| I["CodeRabbit Reviewer"]
Loading

Grey Divider

File Changes

1. .github/workflows/claude-code-review.yml ⚙️ Configuration changes +0/-40

Removed Claude Code Review workflow

.github/workflows/claude-code-review.yml


2. .github/workflows/openai-code-review.yml ⚙️ Configuration changes +0/-90

Removed OpenAI Code Review workflow

.github/workflows/openai-code-review.yml


3. backend/src/db.ts ✨ Enhancement +30/-0

SQLite database initialization with schema

backend/src/db.ts


View more (15)
4. backend/src/index.ts ✨ Enhancement +30/-0

Express server setup with CORS and error handling

backend/src/index.ts


5. backend/src/middleware/auth.ts 🐞 Bug fix +36/-0

JWT authentication with hardcoded secret and role bypass

backend/src/middleware/auth.ts


6. backend/src/routes/auth.ts 🐞 Bug fix +74/-0

Login and register endpoints with SQL injection vulnerability

backend/src/routes/auth.ts


7. backend/src/routes/expenses.ts 🐞 Bug fix +107/-0

Expense CRUD endpoints with IDOR and race condition bugs

backend/src/routes/expenses.ts


8. backend/src/routes/reports.ts 🐞 Bug fix +58/-0

Report endpoints with CSV injection and memory leak issues

backend/src/routes/reports.ts


9. backend/src/utils/validate.ts 🐞 Bug fix +15/-0

Input validation utilities with permissive regex patterns

backend/src/utils/validate.ts


10. frontend/src/App.tsx 🐞 Bug fix +29/-0

React router setup with token validation bypass

frontend/src/App.tsx


11. frontend/src/api/client.ts 🐞 Bug fix +19/-0

Axios client with localStorage token and missing error handling

frontend/src/api/client.ts


12. frontend/src/components/ExpenseCard.tsx 🐞 Bug fix +49/-0

Expense card component with XSS and accessibility violations

frontend/src/components/ExpenseCard.tsx


13. frontend/src/components/StatusBadge.tsx 🐞 Bug fix +31/-0

Status badge with color-only indication and missing ARIA labels

frontend/src/components/StatusBadge.tsx


14. frontend/src/pages/Dashboard.tsx 🐞 Bug fix +61/-0

Dashboard page with memory leak and accessibility issues

frontend/src/pages/Dashboard.tsx


15. frontend/src/pages/ExpenseForm.tsx 🐞 Bug fix +72/-0

Expense form with loose numeric validation and missing labels

frontend/src/pages/ExpenseForm.tsx


16. frontend/src/pages/ExpenseList.tsx 🐞 Bug fix +69/-0

Expense list with API hammering and missing confirmation dialogs

frontend/src/pages/ExpenseList.tsx


17. frontend/src/pages/Login.tsx 🐞 Bug fix +57/-0

Login page with error leakage and accessibility violations

frontend/src/pages/Login.tsx


18. frontend/src/pages/Reports.tsx 🐞 Bug fix +67/-0

Reports page with silent error handling and null reference bugs

frontend/src/pages/Reports.tsx


Grey Divider

Qodo Logo

@qodo-code-review

Copy link
Copy Markdown

Code Review by Qodo

Grey Divider

Looking for bugs?

Come back again in a few minutes. An AI review agent is analysing this pull request

Grey Divider

Qodo Logo

@coderabbitai

coderabbitai Bot commented Mar 4, 2026

Copy link
Copy Markdown

Caution

Review failed

Pull request was closed or merged during review

Warning

.coderabbit.yaml has a parsing error

The CodeRabbit configuration file in this repository has a parsing error and default settings were used instead. Please fix the error(s) in the configuration file. You can initialize chat with CodeRabbit to get help with the configuration file.

💥 Parsing errors (1)
Validation error: String must contain at most 250 character(s) at "tone_instructions"; Expected array, received object at "reviews.path_filters"
⚙️ Configuration instructions
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
📝 Walkthrough

Walkthrough

Removes two deprecated GitHub Actions code review workflows and introduces a complete full-stack TypeScript expense tracker application, including SQLite database setup, Express backend with authentication/authorization middleware, CRUD API routes for expenses and reporting, frontend routing, API client integration, and React pages for login, dashboard, expense management, and reporting.

Changes

Cohort / File(s) Summary
CI/CD Workflow Removals
.github/workflows/claude-code-review.yml, .github/workflows/openai-code-review.yml
Deleted GitHub Actions workflows for automated code review integration.
Backend Infrastructure
backend/src/db.ts, backend/src/index.ts
Establishes SQLite database with better-sqlite3 (users and expenses tables), and configures Express app with CORS, JSON parsing, and route mounting at /api/auth, /api/expenses, /api/reports.
Backend Authentication
backend/src/middleware/auth.ts, backend/src/routes/auth.ts
Implements JWT authentication middleware (with hardcoded secret noted) and authentication routes for user registration and login with bcrypt password hashing; includes noted security concerns (hardcoded key, SQL injection in login query).
Backend Validation
backend/src/utils/validate.ts
Provides utility validators for email format, positive numbers, and category enumeration.
Backend Expense Management
backend/src/routes/expenses.ts
Implements CRUD endpoints for expenses with authentication, budget limiting, pagination, and category filtering; includes noted bugs (race condition, SQL injection, IDOR, missing admin guards).
Backend Reporting
backend/src/routes/reports.ts
Adds authenticated and admin-protected reporting endpoints for user summaries, team summaries, and CSV export; includes noted concerns (CSV injection, missing streaming/pagination).
Frontend Infrastructure
frontend/src/App.tsx, frontend/src/api/client.ts
Configures React routing with token-based PrivateRoute protection and axios API client with Bearer token injection from localStorage.
Frontend Components
frontend/src/components/ExpenseCard.tsx, frontend/src/components/StatusBadge.tsx
Introduces reusable ExpenseCard (with noted XSS risk via dangerouslySetInnerHTML) and StatusBadge components with color-coded status indicators.
Frontend Pages
frontend/src/pages/Dashboard.tsx, frontend/src/pages/ExpenseForm.tsx, frontend/src/pages/ExpenseList.tsx, frontend/src/pages/Login.tsx, frontend/src/pages/Reports.tsx
Adds login page, dashboard with category-based summary and budget tracking, expense form, paginated expense list with filtering, and dual-view reports page; includes multiple noted accessibility and UX concerns.

Sequence Diagrams

sequenceDiagram
    actor User
    participant Frontend
    participant AuthMiddleware
    participant AuthRoute
    participant Database
    
    User->>Frontend: Submit login form (email, password)
    Frontend->>AuthRoute: POST /auth/login {email, password}
    AuthRoute->>Database: SELECT * FROM users WHERE email = ?
    Database-->>AuthRoute: User record
    AuthRoute->>AuthRoute: bcrypt.compare(password, hashedPassword)
    AuthRoute->>AuthRoute: Generate JWT token
    AuthRoute-->>Frontend: 200 {token, user}
    Frontend->>Frontend: localStorage.setItem('token', token)
    Frontend->>Frontend: Navigate to /dashboard
    Frontend-->>User: Display dashboard
Loading
sequenceDiagram
    actor User
    participant Frontend
    participant AuthMiddleware
    participant ExpenseRoute
    participant Database
    
    User->>Frontend: Submit new expense form
    Frontend->>ExpenseRoute: POST /api/expenses {amount, description, category}
    ExpenseRoute->>AuthMiddleware: Extract token & validate
    AuthMiddleware-->>ExpenseRoute: Attach user payload to request
    ExpenseRoute->>Database: SELECT SUM(amount) FROM expenses WHERE user_id = ?
    Database-->>ExpenseRoute: Current total
    ExpenseRoute->>ExpenseRoute: Check total + amount <= BUDGET_LIMIT
    ExpenseRoute->>Database: INSERT INTO expenses (user_id, amount, ...)
    Database-->>ExpenseRoute: Inserted record
    ExpenseRoute-->>Frontend: 201 {id, amount, description, category, status}
    Frontend->>Frontend: Navigate to /expenses
    Frontend-->>User: Display updated expense list
Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Poem

🐰 A full-stack tracker hops to life,
Expenses tamed, budgets cut with a knife,
Databases whisper, routes dance with grace,
Frontend and backend in an async embrace!
From login to reports, the journey's complete—
One hop, two hops, expenses so neat! 🐇✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding a complete expense tracker app as a CodeRabbit review demo. It is concise, specific, and clearly communicates the primary purpose of the changeset.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
  • 📝 Generate docstrings (stacked PR)
  • 📝 Generate docstrings (commit on current branch)
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch demo/coderabbit-review

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@reeder32 reeder32 closed this Mar 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant