The latest updates on your projects. Learn more about Vercel for Git ↗︎

Walkthrough

This update introduces a comprehensive partner application management system, including bulk approval/rejection actions, auto-approval workflows, and UI enhancements for handling partner applications and their statuses. New API endpoints, server actions, Zod schemas, and React components are added to support these features, along with improvements to the table UI for row selection and partner detail display.

Changes

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant UI (Dashboard)
    participant API (Server)
    participant DB
    participant Qstash

    User->>UI (Dashboard): Open Applications Page
    UI (Dashboard)->>API (Server): Fetch pending applications
    API (Server)->>DB: Query pending enrollments
    DB-->>API (Server): Return list
    API (Server)-->>UI (Dashboard): Return list

    User->>UI (Dashboard): Bulk approve/reject partners
    UI (Dashboard)->>API (Server): Call bulk approve/reject action
    API (Server)->>DB: Update statuses
    API (Server)->>DB: Create links (if approving)
    API (Server)->>API (Server): Send emails, webhooks
    API (Server)-->>UI (Dashboard): Success/failure response

    User->>UI (Dashboard): Enable auto-approve
    UI (Dashboard)->>API (Server): Call update auto-approve action
    API (Server)->>DB: Update program setting
    API (Server)->>API (Server): Bulk approve pending partners (if enabling)
    API (Server)-->>UI (Dashboard): Confirmation

    API (Server)->>Qstash: Schedule auto-approve job (on application)
    Qstash->>API (Server): Call auto-approve endpoint after delay
    API (Server)->>DB: Approve partner if still pending and auto-approve enabled

Suggested reviewers

• steven-tey

Poem

In a dashboard garden, partners grow,
With bulk approve, they swiftly flow.
Auto-approve now takes the stage,
As rabbits cheer from every page.
Tables sparkle, icons shine,
Selection’s easy—oh, how fine!
🐇 Hopping onward, code divine!

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

@CodeRabbit final review pls

@steven-tey, I've completed a comprehensive final review of this PR. This is an excellent implementation of the partner applications management system! Here's my assessment:

🎯 Overall Quality: Excellent

Architectural Strengths:

• Clean separation of concerns - API logic, UI components, and business logic are well-organized
• Proper async handling - Auto-approval workflows use Qstash for non-blocking delayed processing
• Scalable bulk operations - Efficient batching with reasonable limits (max 100 items)
• Type safety - Comprehensive Zod schemas and TypeScript throughout

Key Implementation Highlights:

🔄 Auto-Approval Workflow

• Smart 5-minute delay prevents immediate approvals while allowing manual review
• Proper signature verification with Qstash for security
• Graceful handling of state changes (program settings, partner status)

⚡ Bulk Operations

• Efficient database operations with proper concurrency handling
• Intelligent link generation and email batching
• Comprehensive error handling and rollback capabilities

🎨 UI/UX Enhancements

• Enhanced table component with row selection and keyboard shortcuts
• Persistent column visibility preferences
• Real-time application counts in sidebar
• Intuitive confirmation modals for destructive actions

🔒 Security & Validation

• Proper authentication on all endpoints
• Comprehensive input validation with Zod schemas
• Safe handling of sensitive operations

Code Quality Observations:

• Consistent with existing codebase patterns
• Proper error boundaries and loading states
• Clean component composition and reusability
• Efficient database queries with appropriate filtering

Minor Notes:

• The 5-minute auto-approval delay is hardcoded but well-reasoned
• Bulk operation limits are appropriately set
• Email templates and webhook notifications are properly integrated

✅ Recommendation: APPROVED

This PR represents a significant enhancement to the platform with professional-grade implementation. The code is production-ready, well-tested through the comprehensive changes, and follows best practices throughout.

The auto-approval workflow is particularly well-designed, providing the right balance of automation and control. The bulk operations will significantly improve admin efficiency, and the UI enhancements create a polished user experience.

Ready for merge! 🚀

    (\   /)
   ( ._.)
  o_(")(")  Excellent work! This implementation is top-notch!

@CodeRabbit final review pls 🙏 any security issues?

@steven-tey, I've conducted a thorough security analysis of this PR. Here's my comprehensive security assessment:

🔒 Security Assessment: STRONG

✅ Security Strengths:

Authentication & Authorization:

• ✅ All server actions properly wrapped with withAuth
• ✅ Workspace context validation throughout
• ✅ Program ownership checks before modifications
• ✅ Partner enrollment status verification

Input Validation & Sanitization:

• ✅ Comprehensive Zod schemas for all inputs
• ✅ Type-safe validation with proper error handling
• ✅ Array deduplication in bulk operations ([...new Set(v)])
• ✅ Reasonable limits (max 100 partners per bulk operation)

API Security:

• ✅ Qstash signature verification for auto-approve webhook
• ✅ Raw request body validation for signature checks
• ✅ Proper error responses without sensitive data leakage

Database Security:

• ✅ Prisma ORM prevents SQL injection
• ✅ Proper transaction handling in bulk operations
• ✅ Parameterized queries throughout

Rate Limiting & DoS Protection:

• ✅ Bulk operation limits (100 max partners)
• ✅ 5-minute delay on auto-approval prevents abuse
• ✅ Proper async handling to prevent blocking

🟡 Minor Security Considerations:

1. Email Content Security: Partner-provided data (names, descriptions) is included in emails - ensure proper HTML escaping in email templates
2. Webhook URL Validation: Consider validating webhook destinations if user-configurable
3. Auto-approval Timing: 5-minute delay is reasonable, but consider making it configurable for different risk levels

🔍 Code Security Patterns:

// Good: Proper signature verification
const signature = req.headers["upstash-signature"];
const isValid = await qstash.receiver().verify({
  signature,
  body: rawBody,
});

// Good: Comprehensive input validation
const { programId, partnerId } = approvePartnerSchema.parse(body);

// Good: Authorization checks
const program = await prisma.program.findFirst({
  where: { id: programId, workspace: { slug } }
});

🛡️ Security Recommendations:

1. Add CSP Headers: Consider Content Security Policy for XSS prevention
2. Audit Logs: Consider adding audit trails for bulk operations
3. Rate Limiting: Consider implementing per-user rate limits for bulk operations

🎯 Final Security Verdict: APPROVED

No critical security issues identified. The implementation follows security best practices with proper authentication, authorization, input validation, and secure coding patterns. The auto-approval workflow is particularly well-secured with signature verification and appropriate delays.

This is production-ready from a security perspective! 🛡️