
🔒 Fix missing authentication on card API endpoint#380

Closed

is0692vs wants to merge 4 commits into main from jules-11135183214603674343-22eec3bb

Conversation

is0692vs (Contributor) commented Jun 12, 2026

🎯 What: Added authentication checks to the src/app/api/card/[username]/route.ts API endpoint.

⚠️ Risk: The API endpoint was previously completely unauthenticated and accessible by anyone. This could be exploited to consume application resources, bypass intended access controls, or expose rate-limiting capacity to unauthorized actors (even though the underlying data fetched is public).

🛡️ Solution: Integrated the existing getAuthenticatedUser() utility to protect the route. If a user is not authenticated, the route now correctly returns a 401 Unauthorized status with a rendered error card image. Modified the route to remove the unsupported Edge runtime declaration (since authentication checks require Node APIs here) and updated the corresponding test suite.


PR created automatically by Jules for task 11135183214603674343 started by @is0692vs

Greptile Summary

This PR adds session authentication using getAuthenticatedUser() to the /api/card/[username] endpoint, removes the Edge runtime declaration, changes the cache header from public to private, and applies no-store to the 401 and 429 responses.

  • Adds getServerSession-based authentication and returns a 401 error card when the request is unauthenticated. Cache settings are unified to private to match the authenticated context.
  • ReadmeCardUrlSection.tsx generates URLs for this endpoint for README embedding; since session authentication cannot work for cookieless requests (GitHub's image proxy and the like), the embedding use case may be broken.
  • Adds authentication mocks and beforeEach setup to the test suite, which covers the changes adequately.

Confidence Score: 4/5

The authentication itself is implemented correctly, but ReadmeCardUrlSection.tsx exists as a component that generates README embed URLs, and session authentication is fundamentally incompatible with that use.

Authentication that depends on a session cookie completely breaks the existing use case of README embedding (via GitHub's image proxy). The ReadmeCardUrlSection component really does generate embed URLs for this endpoint, and as long as that component is in use, every README card a user generates will be displayed as a broken image.

src/app/api/card/[username]/route.ts: confirm that the authentication method is consistent with the endpoint's embedding use case.

Important Files Changed

Filename | Overview
src/app/api/card/[username]/route.ts | Authentication check, cache header changes, Edge runtime removal. However, session authentication may break the README embedding use case.
src/app/api/card/[username]/route.test.ts | Adds authentication mocks to each describe block and updates the cache header assertions to private. The tests themselves are written appropriately.
.gitignore | Adds /test-results so that test output files are not committed.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Browser as Browser (logged in)
    participant External as External client (GitHub image proxy etc.)
    participant Route as /api/card/[username]
    participant Auth as getAuthenticatedUser()
    participant Fetcher as fetchCardData()

    Browser->>Route: GET (with session cookie)
    Route->>Auth: getServerSession()
    Auth-->>Route: "{ username, token }"
    Route->>Fetcher: fetchCardData(username)
    Fetcher-->>Route: CardData
    Route-->>Browser: "200 card image (private, max-age=1800)"

    External->>Route: GET (no cookie)
    Route->>Auth: getServerSession()
    Auth-->>Route: null
    Route-->>External: 401 error card (no-store)
    Note over External,Route: README embedding is broken

Reviews (3): Last reviewed commit: "Merge branch 'main' into jules-111351832..."

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
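Added example (TypeScript, not code from this repository, from Jules, or from any of the reviewers): it models the route's authentication and cache decision described in the PR description and the Greptile summary above, and runs the diagram's two requests through a simplified shared cache. The "session=<id>" cookie format, the SESSIONS table, resolveSession() as a stand-in for getAuthenticatedUser(), and the SharedCache model are assumptions for illustration. It shows two things a practitioner would want to confirm: why a Cache-Control: public header on an authenticated 200 would let a shared cache hand the card to a cookieless client (undoing the new check), and why the cookieless request from GitHub's image proxy gets 401 under the private setting, which is the embedding concern the review raises.

```typescript
// Added example, not the project's code. Models the card route's auth and
// cache decision and a simplified shared cache (CDN) to show:
//  1. why the 200 response must be "private" once the route is authenticated
//     (a "public" entry in a shared cache is served to cookieless clients,
//     bypassing the check), and
//  2. why cookieless clients such as GitHub's image proxy now receive 401,
//     which is the README-embedding concern raised in the review.
// Names, the cookie format and the session table are assumptions.

type HeaderMap = Record<string, string>;

interface CardRequest {
  path: string;       // e.g. "/api/card/alice"
  headers: HeaderMap; // lower-case header names
}

interface CardResponse {
  status: number;
  headers: HeaderMap;
  body: string;
}

// Constructed session table: cookie value -> logged-in username.
const SESSIONS: Record<string, string> = { "sess-4f1e": "alice" };

// Stand-in for getAuthenticatedUser(): resolves a session only from a
// "session=<id>" cookie. Requests without a valid cookie get null.
function resolveSession(req: CardRequest): { username: string } | null {
  const cookie = req.headers["cookie"] ?? "";
  for (const part of cookie.split(";")) {
    const [name, value] = part.trim().split("=");
    if (name === "session" && value && SESSIONS[value]) {
      return { username: SESSIONS[value] };
    }
  }
  return null;
}

function svgCard(text: string): string {
  return `<svg xmlns="http://www.w3.org/2000/svg"><text>${text}</text></svg>`;
}

// The route handler. `cacheMode` lets the simulation compare the old
// "public" header with the "private" header the PR switches to.
function handleCard(req: CardRequest, cacheMode: "public" | "private"): CardResponse {
  const session = resolveSession(req);
  if (!session) {
    return {
      status: 401,
      headers: { "content-type": "image/svg+xml", "cache-control": "no-store" },
      body: svgCard("401 Unauthorized"),
    };
  }
  const username = req.path.split("/").pop() ?? "";
  return {
    status: 200,
    headers: { "content-type": "image/svg+xml", "cache-control": `${cacheMode}, max-age=1800` },
    body: svgCard(`card for ${username}`),
  };
}

// Minimal shared cache: stores 200 responses that are "public" and not
// "no-store", keyed by path only (it does not know who asked).
class SharedCache {
  private store = new Map<string, CardResponse>();

  fetch(req: CardRequest, origin: (r: CardRequest) => CardResponse): { res: CardResponse; fromCache: boolean } {
    const cached = this.store.get(req.path);
    if (cached) return { res: cached, fromCache: true };
    const res = origin(req);
    const cc = res.headers["cache-control"] ?? "";
    if (res.status === 200 && /\bpublic\b/.test(cc) && !/\bno-store\b/.test(cc)) {
      this.store.set(req.path, res);
    }
    return { res, fromCache: false };
  }
}

interface Outcome {
  browserStatus: number;   // logged-in browser sending the session cookie
  proxyStatus: number;     // cookieless client (GitHub image proxy, curl)
  proxyFromCache: boolean; // whether the proxy received the browser's cached 200
}

// Plays the sequence from the PR's diagram through the shared cache.
function simulate(cacheMode: "public" | "private"): Outcome {
  const cache = new SharedCache();
  const origin = (r: CardRequest) => handleCard(r, cacheMode);

  const browser = cache.fetch({ path: "/api/card/alice", headers: { cookie: "session=sess-4f1e" } }, origin);
  const proxy = cache.fetch({ path: "/api/card/alice", headers: {} }, origin);

  return { browserStatus: browser.res.status, proxyStatus: proxy.res.status, proxyFromCache: proxy.fromCache };
}

console.log(simulate("public"));  // proxy is served the cached 200: the auth check is bypassed through the cache
console.log(simulate("private")); // proxy gets 401: the embed breaks, but nothing leaks
```

The practical check against a deployment is the same sequence done by hand: load the card URL in a logged-in browser, then fetch it with a cookieless curl; the second request should return 401 and never a cached 200. The private setting is what the review's "README embedding is broken" note describes, so the trade-off is between leaking nothing through caches and keeping cookieless embeds working; the latter needs a credential that travels in the URL or a different authorization model, not a session cookie.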
google-labs-jules (Contributor) commented

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

vercel (Bot) commented Jun 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project: github-user-summary
Deployment: Ignored
Actions: Ignored
Updated (UTC): Jun 25, 2026 2:47am

qodo-code-review (Bot) commented

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan.

On a Teams plan? Reviews resume once this user has a paid seat and their Git account is linked in Qodo.

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center? These require an Enterprise plan; contact us.

coderabbitai (Bot) commented Jun 12, 2026

Warning

Review limit reached

@is0692vs, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 10 minutes and 17 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f7558b00-76c7-4bfe-b3cd-aeb81e01082f

📥 Commits

Reviewing files that changed from the base of the PR and between dfc4bd2 and 280fe88.

📒 Files selected for processing (5)
  • src/app/api/card/[username]/route.test.ts
  • src/app/api/card/[username]/route.ts
  • src/hooks/__tests__/useThemeColor.test.ts
  • src/hooks/useThemeColor.ts
  • test-results/.last-run.json

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands.

gemini-code-assist (Bot) left a comment

Code Review

This pull request introduces authentication checks to the GET /api/card/[username] API route using getAuthenticatedUser, returning a 401 Unauthorized response if the user is not authenticated. It also adds corresponding unit tests to verify this behavior and updates existing tests to mock a successful authentication. Additionally, the Edge runtime configuration was removed from the route. Feedback indicates that a temporary test execution artifact (test-results/.last-run.json) was accidentally committed and should be removed and added to .gitignore.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on test-results/.last-run.json, lines +1 to +4:

{
"status": "failed",
"failedTests": []
}
(No newline at end of file)


medium

The test-results/.last-run.json file is a temporary test execution artifact and should not be committed to the repository. Please remove this file and add test-results/ to your .gitignore file to prevent it from being tracked in the future.

codecov (Bot) commented Jun 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

is0692vs (Contributor, Author) commented

@greptile review

is0692vs (Contributor, Author) commented

@greptile review

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
is0692vs (Contributor, Author) commented

Closing because the branch keeps re-applying a stale bot commit after fixes and after updating from main. The current diff is no longer the reviewed card API auth/cache fix; it reintroduces test-results/.last-run.json and unrelated files, so it is not safe to merge as-is.

is0692vs closed this Jun 25, 2026
google-labs-jules (Contributor) commented

> Closing because the branch keeps re-applying a stale bot commit after fixes and after updating from main. The current diff is no longer the reviewed card API auth/cache fix; it reintroduces test-results/.last-run.json and unrelated files, so it is not safe to merge as-is.

Understood. Acknowledging that this work is now obsolete and stopping work on this task.
