fixed background image not showing at desktop application (electron)

[yumesha]

The Breaking Commit:
d68de99
Author: Test User test@example.com
Date: Mon Dec 29 16:16:28 2025 -0500
"adding more security to api endpoints to require api token for all access, no by passing"

What Changed:
Before this commit, the auth middleware had:
// If no API key is configured, allow all requests
if (!API_KEY) {
next();
return;
}

After this commit, authentication became mandatory for all /api routes - no more bypassing. The middleware now auto-generates an API key and requires either:

1. X-API-Key header
2. Session cookie
3. apiKey query parameter (fallback)

Timeline:

• Dec 12-13, 2025: Board background feature added (commits 28328d7, ebd928e, 8b2b766) - worked fine with optional auth
• Dec 29, 2025: Commit d68de99 made auth mandatory - broke image loading because frontend wasn't updated to include auth credentials in image URLs

The board background code built URLs like:
/api/fs/image?path=...&projectPath=...

But browsers can't send custom headers when loading images, and the code didn't include the apiKey query parameter, so requests got 401.

Summary by CodeRabbit

• Refactor

  • Centralized authenticated image URL handling across backgrounds, dropzones, and board views for consistent image loading.
  • Cache-busting now prefers an explicit image version when available; image URLs include authentication and optional versioning.

• Tests

  • End-to-end image tests now use a dedicated authentication helper for reliable test setup.

• Chores

  • Minor lint script formatting cleanup (no behavior change).

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Replaces ad-hoc server URL building with a new getAuthenticatedImageUrl helper and updates UI components and a test to use it for authenticated image URLs and consistent cache-busting behavior.

Changes

Cohort / File(s)	Summary
New utility apps/ui/src/lib/api-fetch.ts	Added getAuthenticatedImageUrl(path, projectPath, version?) to build image URLs including path, projectPath, optional v (version/cache-bust), and apiKey when present.
Board background modal apps/ui/src/components/dialogs/board-background-modal.tsx	Replaced manual server URL + query param construction with getAuthenticatedImageUrl(...); changed cache-bust to imageVersion ?? Date.now().toString(); removed getServerUrlSync usage; retained getHttpApiClient import; added imageVersion to useEffect deps.
Description image dropzone apps/ui/src/components/ui/description-image-dropzone.tsx	Switched saved-image URL creation from environment/getServerUrlSync-based composition to getAuthenticatedImageUrl(imagePath, projectPath); updated imports from @/lib/http-api-client to @/lib/api-fetch.
Board view hook apps/ui/src/components/views/board-view/hooks/use-board-background.ts	Replaced inline server URL assembly with getAuthenticatedImageUrl(...) and used the result for backgroundImage; removed old server URL dependency.
Tests apps/ui/tests/context/add-context-image.spec.ts	Replaced conditional runtime login/API-key flow with a direct authenticateForTests(page) call; added Buffer import.
Scripts (whitespace only) scripts/lint-lockfile.mjs	Only blank-line/whitespace adjustments; no behavioral changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through code with nimble paws,
One helper stitched the winding laws.
Three files now fetch with tidy grace,
Tests wink, no longer chase the race.
🥕 Small fixes, bigger smiles across the place.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main change: fixing background images in the desktop (Electron) application by introducing authenticated image URL construction to handle mandatory authentication.

✨ Finishing touches

• 📝 Generate docstrings

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 818d8af and 46cb6fa.

📒 Files selected for processing (1)

• apps/ui/tests/context/add-context-image.spec.ts

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Always import from shared packages (@automaker/*), never from old relative paths

Files:

• apps/ui/tests/context/add-context-image.spec.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Use resolveModelString() from @automaker/model-resolver to convert model aliases (haiku, sonnet, opus) to full model names

Files:

• apps/ui/tests/context/add-context-image.spec.ts

🧬 Code graph analysis (1)

apps/ui/tests/context/add-context-image.spec.ts (1)

apps/ui/tests/utils/api/client.ts (1)

• authenticateForTests (357-361)

🔇 Additional comments (2)

apps/ui/tests/context/add-context-image.spec.ts (2)

8-8: LGTM! Buffer import fixes the runtime error.

The explicit import from the 'buffer' package ensures Buffer is available in environments where it's not globally defined (such as certain Electron/browser contexts), directly addressing the "Buffer is not defined" error mentioned in the commit message.

---

122-122: Proper authentication integration for the new auth requirements.

The authenticateForTests call is correctly placed after project setup and before navigation, ensuring the test session is authenticated before making any API requests. This aligns with the breaking auth middleware change that now requires authentication for all /api routes.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @yumesha, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves a critical issue in the Electron desktop application where background images failed to load due to a recent change enforcing mandatory API authentication. By introducing a new utility function to construct image URLs with authentication credentials embedded as query parameters, the application can now correctly fetch and display images, bypassing the limitation of browsers not sending custom headers for image requests.

Highlights

• Issue Resolution: This pull request fixes a bug that prevented background images from displaying in the Electron desktop application.
• Root Cause: The issue was caused by a recent security update that enforced mandatory API authentication for /api routes, which traditional image loading mechanisms (without custom headers) could not satisfy.
• New Utility Function: A new utility function, getAuthenticatedImageUrl, has been introduced in api-fetch.ts to construct image URLs that include the apiKey as a query parameter, enabling authenticated image loading.
• Integration: Existing image loading logic across board-background-modal.tsx, description-image-dropzone.tsx, and use-board-background.ts has been updated to utilize this new authenticated image URL generation method.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[yumesha]

@coderabbitai generate docstrings

[coderabbitai]

✅ Actions performed

Initiated docstring generation; will generate only if new commits exist.

[coderabbitai]

Note

Docstrings generation - SUCCESS
Generated docstrings for this pull request at #343

[gemini-code-assist]

Code Review

This pull request effectively resolves a critical bug where background images were not loading in the Electron application due to newly enforced authentication on API endpoints. The fix is well-designed, introducing a centralized helper function getAuthenticatedImageUrl to construct image URLs with the necessary API key as a query parameter. This is the correct approach for authenticating requests made via <img> tags or CSS properties. The new function is cleanly implemented and has been consistently applied across all relevant components, improving code maintainability while fixing the authentication issue.

[webdevcody]

@claude try to fix the e2e tests on this pr

[claude]

Claude finished @webdevcody's task in 5m 12s —— View job

---

E2E Test Fix - Ready for Manual Application

Root Cause Identified

The failing test was tests/context/add-context-image.spec.ts:119 - "should import an image file to context".

Problem: The test used manual UI-based authentication instead of the authenticateForTests() helper, causing timing issues where the context view never appeared.

Solution

Update lines 119-136 in apps/ui/tests/context/add-context-image.spec.ts:

Replace this:

  test('should import an image file to context', async ({ page }) => {
    await setupProjectWithFixture(page, getFixturePath());

    await page.goto('/');
    await waitForNetworkIdle(page);

    // Check if we're on the login screen and authenticate if needed
    const loginInput = page.locator('input[type="password"][placeholder*="API key"]');
    const isLoginScreen = await loginInput.isVisible({ timeout: 2000 }).catch(() => false);
    if (isLoginScreen) {
      const apiKey = process.env.AUTOMAKER_API_KEY || 'test-api-key-for-e2e-tests';
      await loginInput.fill(apiKey);
      await page.locator('button:has-text("Login")').click();
      await page.waitForURL('**/', { timeout: 5000 });
      await waitForNetworkIdle(page);
    }

    await navigateToContext(page);

With this:

  test('should import an image file to context', async ({ page }) => {
    await setupProjectWithFixture(page, getFixturePath());
    await authenticateForTests(page);
    await page.goto('/');
    await waitForNetworkIdle(page);

    await navigateToContext(page);

This aligns with how other working context tests (like delete-context-file.spec.ts) handle authentication.

Why I Couldn't Push

This PR appears to be from a fork (yumesha:main -> AutoMaker-Org:main). The GitHub action checked out the upstream main branch instead of the PR branch, and I don't have the necessary git permissions to fetch from the fork and push there.

@webdevcody or @yumesha - Please apply the above fix manually to the PR branch. It's a simple 13-line reduction that replaces manual auth with the proper helper function.

---

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

apps/ui/tests/context/add-context-image.spec.ts (1)

121-121: Verify authentication succeeded.

The authenticateForTests function returns a boolean indicating success, but this return value is not checked. If authentication fails silently, the test will fail later with less actionable error messages when image upload requests receive 401 responses.

🔎 Suggested improvement

-    await authenticateForTests(page);
+    const authenticated = await authenticateForTests(page);
+    expect(authenticated).toBe(true);

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8d5e7b0 and 818d8af.

📒 Files selected for processing (1)

• apps/ui/tests/context/add-context-image.spec.ts

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Always import from shared packages (@automaker/*), never from old relative paths

Files:

• apps/ui/tests/context/add-context-image.spec.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Use resolveModelString() from @automaker/model-resolver to convert model aliases (haiku, sonnet, opus) to full model names

Files:

• apps/ui/tests/context/add-context-image.spec.ts

🧬 Code graph analysis (1)

apps/ui/tests/context/add-context-image.spec.ts (1)

apps/ui/tests/utils/api/client.ts (1)

• authenticateForTests (357-361)

🔇 Additional comments (1)

apps/ui/tests/context/add-context-image.spec.ts (1)

119-148: Test structure and authentication flow look good.

The authentication is correctly positioned after project setup and before navigation. The test properly handles file creation/cleanup and uses appropriate Playwright patterns for waiting and assertions.