✅ Code review completed successfully

#1339

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
access-key-management-widget	Ready	Preview, Comment	Mar 2, 2026 4:22pm
audit-management-widget	Ready	Preview, Comment	Mar 2, 2026 4:22pm
role-management-widget	Ready	Preview, Comment	Mar 2, 2026 4:22pm
user-management-widget	Ready	Preview, Comment	Mar 2, 2026 4:22pm
user-profile-widget	Ready	Preview, Comment	Mar 2, 2026 4:22pm

View your CI Pipeline Execution ↗ for commit 7b7be3a

☁️ Nx Cloud last updated this comment at 2026-03-02 16:29:46 UTC

🐕 Shuni Code Review

Summary

This PR adds activity-based session refresh functionality, allowing developers to skip refresh calls for idle users. The feature is well-intentioned and addresses a real need for reducing unnecessary API calls. However, there are several code quality issues that should be addressed before merging, including dead code, missing test coverage, and a memory leak in event listener cleanup.

Findings by Severity

🔴 Critical Issues (0)

No critical security vulnerabilities or data loss risks identified.

🟠 High Priority Issues (3)

1. Dead code - Unused localStorage functions: ACTIVITY_REFRESH_KEY and isActivityRefreshEnabled() are defined but never used. This suggests incomplete implementation or abandoned approach. (helpers.ts:7)

2. Dead code - Unused event listener methods: attachListeners() and detachListeners() are fully implemented but never called, creating confusion about whether activity tracking is automatic or manual. (helpers.ts:64)

3. Memory leak - visibilitychange listener: Event listener added on line 67 of index.ts is never removed, causing memory leak when SDK is recreated or page unmounted. (index.ts:67)

🟡 Medium Priority Issues (2)

1. Missing test coverage: No tests for the new whenActive feature in test/autoRefresh.test.ts. Critical scenarios like activity tracking, idle behavior, and activity-triggered refresh are untested. (index.ts:138)

2. Commented code in production: Lines 17-20 and 46 in App.tsx contain commented-out example code that should be removed or moved to documentation. (App.tsx:17)

🟢 Low Priority Suggestions (2)

1. Unused import: getLocalStorage is imported in helpers.ts but only used in the unused isActivityRefreshEnabled() function.

2. Comment clarity: The comment on line 97 of helpers.ts mentions "visibility change" but markActive() is general-purpose, not specific to visibility changes.

✅ Strengths

• Clear API design: The autoRefresh={{ whenActive: true }} config option is intuitive and well-documented
• Good documentation: README examples are comprehensive and easy to follow
• Backward compatible: Existing autoRefresh={true} behavior is preserved
• Debouncing strategy: 1-second debounce on activity events prevents excessive processing
• Server-side coordination: Works well with Descope's session inactivity feature

Security Assessment

No security vulnerabilities identified. The implementation:

• ✅ Uses passive event listeners correctly
• ✅ Doesn't store sensitive data
• ✅ Doesn't introduce XSS or injection risks
• ✅ Handles JWT expiration safely
• ✅ Preserves existing security patterns

Code Quality Assessment

Architecture: Generally follows existing patterns but has dead code that suggests incomplete refactoring.

Maintainability: Good documentation but dead code reduces clarity.

Performance: Debouncing strategy is appropriate, though unused listener methods suggest potential confusion.

Overall Recommendation

REQUEST CHANGES ⚠️

The feature implementation is solid, but code quality issues should be resolved before merging:

1. Remove dead code (ACTIVITY_REFRESH_KEY, isActivityRefreshEnabled, unused listener methods)
2. Fix memory leak by cleaning up visibilitychange listener
3. Add test coverage for new feature
4. Remove commented code from example files

These are straightforward fixes that will significantly improve code maintainability.

Next Steps

1. Required: Remove dead code and fix memory leak
2. Required: Add test coverage for whenActive feature
3. Required: Remove commented code from App.tsx
4. Recommended: Consider whether automatic event listeners should be implemented or removed entirely
5. Optional: Add JSDoc comments to new public methods (markActive)

🤖 Automated review by Shuni (Claude Opus 4.6)
Note: Oracle agent was unavailable for this review due to model access issues, but comprehensive manual analysis was performed.

1. remove comments from the react smaple app (or think how to configure this)
2. add tests (build fails because coverage in web-js-sdk)