Skip to content

feat: add structured submission form with draft saving and success state #95

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Benjtalkshow merged 3 commits into from
Feb 22, 2026
Merged

feat: add structured submission form with draft saving and success state #95

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b9eff96
feat: add structured submission form with draft saving and success state
od-hunter Feb 21, 2026
f966de8
resolve conflits and comments
od-hunter Feb 22, 2026
2fa37b4
feat: submission dialog, server auth, real completion history, claim …
od-hunter Feb 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
112 changes: 73 additions & 39 deletions app/api/bounties/[id]/submit/route.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,55 +1,89 @@
import { NextResponse } from 'next/server';
import { BountyStore } from '@/lib/store';
import { Submission } from '@/types/participation';
import { NextResponse } from "next/server";
import { BountyStore } from "@/lib/store";
import { Submission } from "@/types/participation";
import { submissionFormSchema } from "@/components/bounty/forms/schemas";

const generateId = () => crypto.randomUUID();

export async function POST(
request: Request,
{ params }: { params: Promise<{ id: string }> }
request: Request,
{ params }: { params: Promise<{ id: string }> },
) {
const { id: bountyId } = await params;
const { id: bountyId } = await params;

try {
const body = await request.json();
const { contributorId, content } = body;
try {
const body = await request.json();
const { contributorId, ...formData } = body;

if (!contributorId || !content) {
return NextResponse.json({ error: 'Missing required fields' }, { status: 400 });
}
if (!contributorId) {
return NextResponse.json(
{ error: "Missing contributor ID" },
{ status: 400 },
);
}

const bounty = BountyStore.getBountyById(bountyId);
if (!bounty) {
return NextResponse.json({ error: 'Bounty not found' }, { status: 404 });
}
const parsed = submissionFormSchema.safeParse(formData);
if (!parsed.success) {
const fieldErrors = parsed.error.flatten().fieldErrors;
return NextResponse.json(
{ error: "Validation failed", fieldErrors },
{ status: 400 },
);
}

const allowedModels = ['single-claim', 'competition', 'multi-winner', 'application'];
if (!allowedModels.includes(bounty.claimingModel)) {
return NextResponse.json({ error: 'Submission not allowed for this bounty type' }, { status: 400 });
}
const bounty = BountyStore.getBountyById(bountyId);
if (!bounty) {
return NextResponse.json({ error: "Bounty not found" }, { status: 404 });
}

const existingSubmission = BountyStore.getSubmissionsByBounty(bountyId).find(
s => s.contributorId === contributorId
);
const allowedModels = [
"single-claim",
"competition",
"multi-winner",
"application",
];
if (!allowedModels.includes(bounty.claimingModel)) {
return NextResponse.json(
{ error: "Submission not allowed for this bounty type" },
{ status: 400 },
);
}

if (existingSubmission) {
return NextResponse.json({ error: 'Duplicate submission' }, { status: 409 });
}
const existingSubmission = BountyStore.getSubmissionsByBounty(
bountyId,
).find((s) => s.contributorId === contributorId);

const submission: Submission = {
id: generateId(),
bountyId,
contributorId,
content,
status: 'pending',
submittedAt: new Date().toISOString(),
};
if (existingSubmission) {
return NextResponse.json(
{ error: "Duplicate submission" },
{ status: 409 },
);
}
Comment on lines +59 to +68
Copy link

@coderabbitai coderabbitai bot Feb 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

TOCTOU race between duplicate check and write allows double submissions.

Under concurrent requests from the same contributor, both can pass the existingSubmission check before either calls BountyStore.addSubmission, resulting in two persisted submissions. The check-then-act on Lines 59–68 and Line 87 is not atomic.

The BountyStore.addSubmission should either perform an atomic conditional insert, or the store layer should enforce uniqueness per (bountyId, contributorId).

💡 Suggested mitigation (store-level guard) 
- BountyStore.addSubmission(submission);
+ const added = BountyStore.addSubmissionIfNotDuplicate(submission);
+ if (!added) {
+   return NextResponse.json({ error: "Duplicate submission" }, { status: 409 });
+ }

Move the uniqueness check inside the store's addSubmission as an atomic operation.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@app/api/bounties/`[id]/submit/route.ts around lines 59 - 68, The current
check-then-act in route.ts using BountyStore.getSubmissionsByBounty plus a later
BountyStore.addSubmission creates a TOCTOU race; move the uniqueness enforcement
into the store layer by updating BountyStore.addSubmission to perform an atomic
conditional insert (or enforce a unique constraint on (bountyId, contributorId))
and return a clear error/boolean when a duplicate exists; update the route
handler to call addSubmission directly and map the store's duplicate response to
a 409 JSON error instead of doing a pre-check with getSubmissionsByBounty.


BountyStore.addSubmission(submission);
const { explanation, walletAddress, githubUrl, demoUrl, attachments } =
parsed.data;

return NextResponse.json({ success: true, data: submission });
const submission: Submission = {
id: generateId(),
bountyId,
contributorId,
content: explanation,
explanation,
walletAddress,
githubUrl: githubUrl || undefined,
demoUrl: demoUrl || undefined,
Comment on lines +70 to +81
Copy link

@coderabbitai coderabbitai bot Feb 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, find and read the route file
find . -name "route.ts" -path "*bounties*submit*" 2>/dev/null | head -5

Repository: boundlessfi/bounties

Length of output: 103

🏁 Script executed:

# Search for the file mentioned in the review
fd -e ts "route" | grep -E "bounties.*submit" | head -10

Repository: boundlessfi/bounties

Length of output: 101

🏁 Script executed:

# Try a broader search
git ls-files | grep -E "(bounties|submit)" | head -20

Repository: boundlessfi/bounties

Length of output: 602

🏁 Script executed:

# Search for getCurrentUser implementation
rg "getCurrentUser" --type ts -l

Repository: boundlessfi/bounties

Length of output: 486

🏁 Script executed:

# Read the submit route file
cat -n app/api/bounties/[id]/submit/route.ts

Repository: boundlessfi/bounties

Length of output: 3418

🏁 Script executed:

# Read the server-auth file to understand getCurrentUser and User type
cat -n lib/server-auth.ts

Repository: boundlessfi/bounties

Length of output: 1132

walletAddress must be sourced from the authenticated user, not the client body.

The submission currently accepts walletAddress from the request body (line 70), allowing any caller to redirect the bounty reward to an arbitrary address. Per the PR context, the wallet address should be "prefilled" from the authenticated user's profile.

However, the User interface returned by getCurrentUser() currently only includes id, name, and email—it lacks a walletAddress field. To properly fix this:

  1. Extend the User interface to include walletAddress (fetched from the user's stored profile/database)
  2. Remove walletAddress from the form schema validation in submissionFormSchema
  3. Assign the wallet address from the authenticated user instead of the parsed form data

The current implementation creates a security vulnerability where reward payments can be intercepted by submitting a different wallet address.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@app/api/bounties/`[id]/submit/route.ts around lines 70 - 81, The submission
currently trusts walletAddress from parsed.data; instead extend the User type
returned by getCurrentUser() to include walletAddress, remove walletAddress from
submissionFormSchema so the form no longer validates/accepts it, and when
building the Submission (the object created in the route handler where you call
generateId() and assign bountyId/contributorId/content/explanation) set
walletAddress = currentUser.walletAddress (retrieved from getCurrentUser())
rather than using parsed.data.walletAddress; update any types/usages that assume
User only had id/name/email to include the new walletAddress field.

attachments: attachments?.length ? attachments : undefined,
status: "pending",
submittedAt: new Date().toISOString(),
};

} catch {
return NextResponse.json({ error: 'Internal Server Error' }, { status: 500 });
}
BountyStore.addSubmission(submission);

return NextResponse.json({ success: true, data: submission });
} catch {
return NextResponse.json(
{ error: "Internal Server Error" },
{ status: 500 },
);
}
Comment on lines +90 to +95
Copy link

@coderabbitai coderabbitai bot Feb 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Catch block silently swallows errors — add logging.

Any unexpected exception disappears with no server-side trace. This makes diagnosing production failures nearly impossible.

🛠️ Proposed fix 
- } catch {
+ } catch (error) {
+   console.error("[POST /api/bounties/:id/submit] Unexpected error:", error);
    return NextResponse.json(
      { error: "Internal Server Error" },
      { status: 500 },
    );
  }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
} catch {
return NextResponse.json(
{ error: "Internal Server Error" },
{ status: 500 },
);
}
} catch (error) {
console.error("[POST /api/bounties/:id/submit] Unexpected error:", error);
return NextResponse.json(
{ error: "Internal Server Error" },
{ status: 500 },
);
}
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@app/api/bounties/`[id]/submit/route.ts around lines 90 - 95, The catch block
in the submit route silently drops exceptions; update the catch to capture the
error (e.g., catch (error)) and log it before returning the 500 response so
failures are traceable. Specifically, modify the catch near the
NextResponse.json call in route.ts (the submit handler) to log a clear message
and the error (stack) using console.error or the existing application logger
(e.g., console.error("Error in bounty submit:", error) or
processLogger.error(...)), then return the same NextResponse.json({ error:
"Internal Server Error" }, { status: 500 }).

}
Loading
Loading