
Codebase analysis: no changes made #16

Closed
Copilot wants to merge 1 commit into main from copilot/analyze-codebase-for-improvements

Conversation


Copilot AI commented Feb 25, 2026

Per request, no code was modified. This PR documents a full codebase audit of Balanced Plate.AI with prioritized findings.

Critical Security Issues

  • Hardcoded SECRET_KEY in backend/config/settings/base.py — default fallback committed to source control
  • OTP verification bypass: verify_otp reads email from query param without requiring authentication; anyone can verify OTP for arbitrary emails
  • JWT tokens in localStorage — XSS-exfiltrable; should use httpOnly cookies
  • Auth token in WebSocket query string — visible in browser history, server logs, network traces

High Severity

  • ALLOWED_HOSTS defaults to ["*"], CORS_ALLOW_ALL_ORIGINS defaults to True
  • No rate limiting on OTP verify, login, or email verify endpoints (6-digit OTP = trivially brute-forceable)
  • No file upload size/type validation in file_storage/views.py
  • Token key mismatch: WebSocketContext.tsx reads localStorage.getItem('tokens') but axios.ts stores separate access/refresh keys

Medium Severity

  • Silent except Exception: pass in Celery task error paths (results/tasks.py)
  • N+1 queries in recommendations/tasks.py — iterates all active users with per-user DB hits
  • Fragile Gemini response parsing via string slicing; no JSON schema validation
  • User data injected unsanitized into Gemini prompts (prompt injection risk)
  • console.log of WebSocket messages in production builds
  • any types in useNutritionAnalytics.ts data transformers
  • Empty useGoogleAuth.tsx hook (dead import)

Missing Infrastructure

  • No CI/CD (no GitHub Actions workflows)
  • No tests (backend or frontend)
  • No .env.example files
  • Empty AI model docs (ai/model/food-vision/README.md, ai/model/food-segmentation/README.md)
  • Telegram bot uploads to Cloudinary but never calls the nutrition analysis API
  • API_VERSION defined in settings but unused in URL routing

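As an added example (not code from the Balanced Plate.AI repository), here is a fail-closed settings loader for the three configuration findings above: the hardcoded SECRET_KEY fallback, ALLOWED_HOSTS defaulting to ["*"], and CORS_ALLOW_ALL_ORIGINS defaulting to True. The environment variable names and the `rejects` helper are assumptions, not part of the project.

```python
from typing import Mapping
from urllib.parse import urlsplit


class InsecureSettings(Exception):
    """Raised instead of starting a non-debug deployment with unsafe settings."""


def _csv(value: str) -> list[str]:
    """Split a comma-separated env value into a clean list."""
    return [item.strip() for item in value.split(",") if item.strip()]


def load_security_settings(env: Mapping[str, str]) -> dict:
    """Build security-relevant Django settings from env vars (names are assumed).

    Fails closed: with DEBUG off it raises rather than falling back to a
    committed SECRET_KEY, ALLOWED_HOSTS=["*"] or CORS_ALLOW_ALL_ORIGINS=True.
    """
    debug = env.get("DJANGO_DEBUG", "false").lower() == "true"

    secret_key = env.get("DJANGO_SECRET_KEY", "")
    if not secret_key:
        if not debug:
            raise InsecureSettings("DJANGO_SECRET_KEY is required when DEBUG is off")
        secret_key = "dev-only-insecure-key"  # tolerated only for local DEBUG runs
    elif len(secret_key) < 50:
        # Django's own check (security.W009) warns below 50 characters.
        raise InsecureSettings("DJANGO_SECRET_KEY is too short (< 50 characters)")

    allowed_hosts = _csv(env.get("DJANGO_ALLOWED_HOSTS", ""))
    if not debug and (not allowed_hosts or "*" in allowed_hosts):
        raise InsecureSettings("DJANGO_ALLOWED_HOSTS must list explicit hostnames")

    cors_origins = _csv(env.get("CORS_ALLOWED_ORIGINS", ""))
    for origin in cors_origins:
        parts = urlsplit(origin)
        # django-cors-headers expects full origins (scheme + host), never "*".
        if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
            raise InsecureSettings(f"CORS origin must be scheme://host[:port]: {origin!r}")

    return {
        "DEBUG": debug,
        "SECRET_KEY": secret_key,
        "ALLOWED_HOSTS": allowed_hosts or ["localhost", "127.0.0.1"],
        "CORS_ALLOW_ALL_ORIGINS": False,  # never True, even in DEBUG
        "CORS_ALLOWED_ORIGINS": cors_origins,
        "SESSION_COOKIE_SECURE": not debug,
        "CSRF_COOKIE_SECURE": not debug,
    }


def rejects(env: Mapping[str, str]) -> bool:
    """True if the loader refuses this environment (helper for checks)."""
    try:
        load_security_settings(env)
    except InsecureSettings:
        return True
    return False
```

In a settings module this would be applied with `globals().update(load_security_settings(os.environ))`, so a missing or wildcard value stops the process at import time instead of shipping the insecure default.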


vercel bot commented Feb 25, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: balanced-plate | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Feb 25, 2026 9:58pm

Copilot AI changed the title from "[WIP] Review code and suggest improvements for project" to "Codebase analysis: no changes made" on Feb 25, 2026
Temake marked this pull request as ready for review on February 26, 2026 05:27
Temake closed this on Feb 26, 2026