fix: 2FA recovery codes display, sync rate limit, taste strip gap, btn-danger #302
Merged: SimplicityGuy merged 3 commits into main, Apr 14, 2026
Conversation
…n-danger
- Recovery codes were read from /api/auth/2fa/confirm response which only
returns {message}; now read from cached _setupData.recovery_codes returned
by /api/auth/2fa/setup. Also fixes Copy Codes copying empty string.
- Defined .btn-danger Tailwind component class so the Disable 2FA button
picks up flex centering from btn-base. The class was used by settings.js
but never defined.
- Loosened sync rate limit from 2/10minute to 10/minute and cooldown from
600s to 60s. Frontend now reads 429 message body instead of showing a
generic "Please try again later" alert.
- Hide #tasteStrip when empty so taste-fingerprint timeouts/unavailability
no longer leave a blank gap between the stats cards and the collection
table.
- Removed dead X-Mailin-Track headers from password reset email; Brevo's
v3 transactional API rejects standard email headers per the SDK's own
signature ("Standard email headers are not supported"), so per-message
click tracking control is impossible. Click tracking has to be disabled
in the Brevo dashboard. Added comment explaining why.
- Settings test mocks now match real API contract (setup returns
otpauth_uri + recovery_codes; confirm returns {message}). The wrong
mocks let the recovery codes bug ship.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Clearing the inline `style="display: none;"` to '' should fall back to the Tailwind `flex` class via the cascade, but in some browsers the layout doesn't update until something else triggers a reflow. Setting display explicitly to 'flex' is unambiguous and removes the dependency on cascade ordering for elements with both inline-style hide and class-based show.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add 5 tests for the branches introduced by the sync 429 handling:
- 503 returns the service-unavailable message
- 429 with empty body falls back to the default cooldown message
- generic non-ok with body.detail surfaces the detail text
- generic non-ok with body.message surfaces the message text
- ok:true success path schedules the four pane reloads via setTimeout
Closes the codecov gap on PR #302.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
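The 429/503 branches enumerated in that commit message, and the "read the 429 message body instead of a generic alert" change from the first commit message, as an added example in JavaScript. This is not the project's own sync or settings code: `readJsonBody`, `describeSyncResponse`, `schedulePaneReloads`, `handleSyncResponse`, the pane ids and the message strings are assumptions for illustration, and the demo response at the bottom is constructed.

```javascript
// Added example (not the project's code): turn a sync-trigger HTTP response
// into the message the user sees, preferring the backend's own body text for
// 429 and falling back to fixed text only when the body is empty or unparsable.
// All names below are assumptions for illustration.

const DEFAULT_COOLDOWN_MSG = 'Sync was requested recently. Please wait a minute before trying again.';
const SERVICE_UNAVAILABLE_MSG = 'Sync service is unavailable right now. Please try again later.';
const PANES = ['stats', 'collection', 'tasteStrip', 'activity']; // assumed pane ids

// Parse a JSON body defensively: a 429 from a proxy or rate limiter may carry
// an empty or non-JSON body, and that must not throw in the handler.
async function readJsonBody(response) {
  try {
    const text = await response.text();
    return text ? JSON.parse(text) : {};
  } catch {
    return {};
  }
}

// Map status + parsed body to the outcome. Precedence mirrors the branches in
// the commit message: 503 -> fixed service-unavailable text; 429 -> body text
// or the default cooldown text; any other non-ok -> body.detail, then
// body.message, then a generic line that at least names the status.
function describeSyncResponse(status, body) {
  const text = body && (body.detail || body.message);
  if (status >= 200 && status < 300) {
    return { ok: true, message: text || 'Sync started.' };
  }
  if (status === 503) return { ok: false, message: SERVICE_UNAVAILABLE_MSG };
  if (status === 429) return { ok: false, message: text || DEFAULT_COOLDOWN_MSG };
  return { ok: false, message: text || `Sync failed (HTTP ${status}).` };
}

// Schedule the pane reloads a successful sync kicks off. `schedule` is
// injectable (defaults to setTimeout) so the scheduling itself is unit-testable.
// Returns the number of reloads scheduled.
function schedulePaneReloads(reloadPane, schedule = setTimeout, delayMs = 1500) {
  return PANES.map((pane) => schedule(() => reloadPane(pane), delayMs)).length;
}

// Full handler: read the body, decide the outcome, then either schedule the
// reloads or surface the backend's message via the injected `notify`.
async function handleSyncResponse(response, { reloadPane, schedule = setTimeout, notify = alert } = {}) {
  const body = await readJsonBody(response);
  const outcome = describeSyncResponse(response.status, body);
  if (outcome.ok) schedulePaneReloads(reloadPane, schedule);
  else notify(outcome.message);
  return outcome;
}

// Stand-alone demo with a constructed 429 response carrying the backend's message.
const demoResponse = {
  status: 429,
  text: () => Promise.resolve(JSON.stringify({ detail: 'Sync cooldown active, retry in 42s' })),
};
handleSyncResponse(demoResponse, { reloadPane: () => {}, notify: (m) => console.log('notify:', m) });
```

The point of routing every non-ok status through `describeSyncResponse` is that the rate limiter's own text (which can include the remaining cooldown) reaches the user, while a body-less 429 or a 503 still gets a sensible fixed message instead of `undefined`.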
Summary
Batch fix for several reported issues with 2FA setup, sync, button styling, and the explore UI.
- `settings.js` read `recovery_codes` from the `/api/auth/2fa/confirm` response, but the backend only returns `{message}` there. The plaintext codes are returned by `/api/auth/2fa/setup` and were already cached in `_setupData`. Now reads from the correct field. Also fixes Copy Codes which was copying an empty string.
- `.btn-danger` class used by `settings.js` was never defined in `tailwind.input.css`. Added a definition matching the other `btn-*` variants so it picks up flex centering from `btn-base`.
- Sync rate limit `2/10minute` → `10/minute`, Redis cooldown `600s` → `60s`. Frontend now reads the 429 message body from the backend instead of showing a generic "Please try again later" alert.
- `#tasteStrip` wrapper was leaving a blank gap when the taste fingerprint API timed out / was unavailable. Added `#tasteStrip:empty { display: none; }`.
- Removed dead `X-Mailin-Track*` headers. The Brevo SDK rejects standard email headers (per its own signature: "Standard email headers are not supported"), so per-message click-tracking control is impossible via the v3 transactional API. Click tracking must be turned off in the Brevo dashboard (Senders, Domains & IPs → sending domain → Tracking, or Account Settings → Tracking).
- `settings.test.js` now mirrors the real API contract (`setup` returns `otpauth_uri` + `recovery_codes`; `confirm` returns `{message}`). The previous mocks lied about the contract and let the recovery-codes bug ship.
Not in scope
- `NLQ_ENABLED=true` and `NLQ_API_KEY` to be set on the API service. Set both env vars and the toggle appears.
Test plan
- `vitest run` — 955 / 955 passing
- `uv run pytest tests/api/test_sync.py tests/api/test_notifications.py tests/api/test_auth.py tests/api/test_auth_router.py` — 110 / 110 passing
- `tailwind.css` with the new `.btn-danger` class
🤖 Generated with Claude Code
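The recovery-codes contract described in the first commit message and in the summary above (`/api/auth/2fa/setup` returns `otpauth_uri` + `recovery_codes`, `/api/auth/2fa/confirm` returns only `{message}`), as an added example in JavaScript of a client that keeps the codes from the setup response and shows and copies them after confirm. This is not the project's `settings.js`: `TwoFactorSetup` and its methods, `copyRecoveryCodes`, `runSetupFlow` and `fakeFetch` are assumptions for illustration, and the sample codes and otpauth URI are constructed.

```javascript
// Added example (not the project's settings.js): hold the recovery codes from
// the setup response, and after a successful confirm display/copy them from
// that cache rather than from the confirm response (which has no codes).
// Class, method and helper names are assumptions; sample data is constructed.

class TwoFactorSetup {
  constructor() {
    this._setupData = null; // { otpauthUri, recoveryCodes } from /api/auth/2fa/setup
    this.confirmed = false;
  }

  // /api/auth/2fa/setup is the only response that carries the plaintext codes,
  // so validate the shape and cache them here. Returns the otpauth URI for the QR.
  onSetupResponse(json) {
    if (!json || typeof json.otpauth_uri !== 'string' || !Array.isArray(json.recovery_codes)) {
      throw new Error('setup response missing otpauth_uri or recovery_codes');
    }
    this._setupData = { otpauthUri: json.otpauth_uri, recoveryCodes: [...json.recovery_codes] };
    this.confirmed = false;
    return this._setupData.otpauthUri;
  }

  // /api/auth/2fa/confirm returns only { message }. Reading recovery_codes from
  // it yields undefined (the shipped bug); the codes come from the cache instead.
  onConfirmResponse(json) {
    if (!this._setupData) throw new Error('confirm called before setup');
    this.confirmed = true;
    return (json && json.message) || '';
  }

  // Codes are shown only once the TOTP confirmation has succeeded.
  recoveryCodes() {
    if (!this.confirmed || !this._setupData) return [];
    return [...this._setupData.recoveryCodes];
  }

  // Text for the Copy Codes button. Returns null when there is nothing to copy
  // so the caller can disable the button instead of silently copying ''.
  codesText() {
    const codes = this.recoveryCodes();
    return codes.length ? codes.join('\n') : null;
  }

  // Drop the plaintext codes once the user has acknowledged saving them.
  discardCodes() {
    this._setupData = null;
    this.confirmed = false;
  }
}

// Copy only when there is real content; reports whether anything was copied.
async function copyRecoveryCodes(setup, clipboard = navigator.clipboard) {
  const text = setup.codesText();
  if (text === null) return false;
  await clipboard.writeText(text);
  return true;
}

// Drive setup -> confirm against an injectable fetch (see fakeFetch below).
async function runSetupFlow(fetchImpl, totpCode) {
  const setup = new TwoFactorSetup();
  const s = await fetchImpl('/api/auth/2fa/setup', { method: 'POST' });
  if (!s.ok) throw new Error(`setup failed: HTTP ${s.status}`);
  setup.onSetupResponse(await s.json());
  const c = await fetchImpl('/api/auth/2fa/confirm', {
    method: 'POST',
    body: JSON.stringify({ code: totpCode }),
  });
  if (!c.ok) throw new Error(`confirm failed: HTTP ${c.status}`);
  setup.onConfirmResponse(await c.json());
  return setup;
}

// Constructed fake backend that follows the contract stated in the PR text.
function fakeFetch(url) {
  const respond = (json) => Promise.resolve({ ok: true, status: 200, json: () => Promise.resolve(json) });
  if (url === '/api/auth/2fa/setup') {
    return respond({
      otpauth_uri: 'otpauth://totp/Example:user@example.test?secret=JBSWY3DPEHPK3PXP&issuer=Example',
      recovery_codes: ['aaaa-1111', 'bbbb-2222', 'cccc-3333'], // constructed sample codes
    });
  }
  if (url === '/api/auth/2fa/confirm') return respond({ message: '2FA enabled' });
  return Promise.resolve({ ok: false, status: 404, json: () => Promise.resolve({}) });
}

// Stand-alone demo: after confirm the codes shown come from the cached setup data.
runSetupFlow(fakeFetch, '123456').then((setup) => console.log(setup.codesText()));
```

A test written against `fakeFetch` fails if `onConfirmResponse` is changed to read `json.recovery_codes`, which is exactly the mismatch the old mocks hid.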