Expand Up @@ -60,7 +60,7 @@ content (edit `database` and `location` to match the ones you created above). If
}
```

### 2. Create `firestore.rules`
### 3. Create `firestore.rules`

Create a file named `firestore.rules`. A good starting point (locking down the
database) is:
Expand All @@ -76,7 +76,7 @@ service cloud.firestore {
}
```

*See [security_rules.md](security_rules.md) for how to write actual rules.*
_See [security_rules.md](security_rules.md) for how to write actual rules._

### 3. Create `firestore.indexes.json`

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix duplicate section numbering.

Both "Create firestore.rules" (Line 63) and "Create firestore.indexes.json" (Line 81) are numbered as "### 3". The indexes section should be "### 4" to maintain correct sequential numbering.

📝 Proposed fix
-### 3. Create `firestore.indexes.json`
+### 4. Create `firestore.indexes.json`
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.agents/skills/firebase-firestore/references/enterprise/provisioning.md at
line 81, Update the duplicate heading number for the Firestore indexes section:
locate the "Create `firestore.indexes.json`" heading (currently "### 3") and
change it to "### 4" so the section numbering follows the earlier "Create
`firestore.rules`" heading and maintains correct sequential order.


Expand All @@ -90,7 +90,7 @@ start:
}
```

*See [indexes.md](indexes.md) for how to configure indexes.*
_See [indexes.md](indexes.md) for how to configure indexes._

## Deploy rules and indexes

3 changes: 0 additions & 3 deletions .env.example

This file was deleted.

2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -11,6 +11,8 @@ dist-ssr
.vinxi
__unconfig*
todos.json
user.json
data.txt

# firebase data connect
.firebase
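
Review bot: the `user.json` and `data.txt` entries, which appear to be the two additions next to the existing `todos.json`, have no comment saying what writes these files, and an ignore rule only stops new additions. If either file was ever committed it stays tracked and remains in history, so run `git rm --cached` on it in this PR and add a comment above the entries stating what the files hold, so a later reader can tell whether they contain user data.
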
21 changes: 21 additions & 0 deletions dataconnect/connectors/mutations.gql
@@ -0,0 +1,21 @@
mutation CreateSkill(
$authorClerkId: String!,
$title: String!,
$description: String!,
$tags: [String!]!,
$installCommand: String!,
$promptConfig: String!,
$usageExample: String!
) @auth(level: PUBLIC insecureReason: "Clerk auth is handled on the frontend") {
skill_insert(
data: {
authorClerkId: $authorClerkId
title: $title
description: $description
tags: $tags
installCommand: $installCommand
promptConfig: $promptConfig
usageExample: $usageExample
}
)
}
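
Review bot: `$installCommand`, `$promptConfig` and `$usageExample` are accepted as unbounded free-form `String!` values on a mutation marked `@auth(level: PUBLIC ...)`, and `GetSkills` in `queries.gql` returns `installCommand` to every visitor, so whatever an anonymous caller stores here is what other users are shown as a command to run. Add server-side length and format limits on these fields and treat the stored values as untrusted wherever they are rendered. The `insecureReason` text also needs correcting: a check performed in the frontend does not constrain requests sent directly to the connector, so it does not justify the `PUBLIC` level.
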
Comment on lines +1 to +21

⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Block public write + client-controlled author identity.

This mutation allows unauthenticated callers to create skills and impersonate any author by sending any authorClerkId. Enforce authenticated access at the connector level and derive author identity from trusted auth context/server-side claims instead of mutation input.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@dataconnect/connectors/mutations.gql` around lines 1 - 21, The CreateSkill
mutation currently accepts a client-supplied authorClerkId and is marked PUBLIC;
change it to require authenticated access and derive the author ID from the
trusted server-side auth context instead of the input. Remove the $authorClerkId
variable and the authorClerkId field from the skill_insert input, change the
`@auth` directive to require authenticated users, and in the connector/resolver
that handles CreateSkill (the code path that executes skill_insert) read the
author ID from the server-side auth/claims (e.g., currentUser.id /
session.user.id) and populate the authorClerkId field there before inserting to
prevent client impersonation. Ensure validation/logging handles missing or
invalid server auth.

10 changes: 9 additions & 1 deletion dataconnect/connectors/queries.gql
@@ -1,4 +1,4 @@
query GetSkills($searchTerm: String = "", $limit: Int = 10) @auth(level: PUBLIC insecureReason: "Skills should be visible to everyone") {
query GetSkills($searchTerm: String = "", $limit: Int = 10, $offset: Int = 0) @auth(level: PUBLIC insecureReason: "Skills should be visible to everyone") {
skills(
where: {
_or: [
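
Review bot: `$limit` and the new `$offset` in the `GetSkills` signature are caller-supplied `Int` values with defaults (`= 10`, `= 0`) but no visible upper bound, on a query marked `@auth(level: PUBLIC ...)`. An anonymous client can ask for an arbitrarily large page or walk the whole table, so enforce a maximum page size on the server side (or fix it in the operation) and reject negative `offset` values.
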
Expand All @@ -10,8 +10,16 @@ query GetSkills($searchTerm: String = "", $limit: Int = 10) @auth(level: PUBLIC
createdAt: DESC
}],
limit: $limit
offset: $offset,
) {
id title description tags createdAt installCommand
author { username imageUrl clerkId email }
}
Comment on lines 16 to 17

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid exposing author email and clerkId in public queries.

GetSkills/GetSkillById are public, but they return direct identifiers (email, clerkId). This is unnecessary PII exposure for browse/detail endpoints; trim these fields or gate them behind stricter auth.

Also applies to: 22-23

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@dataconnect/connectors/queries.gql` around lines 16 - 17, Remove PII fields
from the public GraphQL skill queries by eliminating author.email and
author.clerkId from the GetSkills and GetSkillById query selections in
connectors/queries.gql; update the author selection set to only include
non-sensitive fields (e.g., username, imageUrl) or conditionally include
email/clerkId behind an authenticated/authorized query variant or fragment if
needed (refer to the GetSkills and GetSkillById query definitions and the author
{ username imageUrl email clerkId } selection to locate changes).

}

query GetSkillById($id: UUID!) @auth(level: PUBLIC insecureReason: "Skills should be visible to everyone") {
skill(id: $id) {
id title description tags installCommand promptConfig usageExample createdAt
author { username imageUrl clerkId email }
}
}
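
Review bot: `offset: $offset,` pages over a result ordered by `createdAt: DESC`; if that is the only sort key, rows with equal timestamps, or rows inserted between two requests, can be skipped or repeated across pages. Add a unique tiebreaker such as `id` to the ordering. The trailing comma after `$offset` is also inconsistent with `limit: $limit` on the line above it.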