fix: address team review findings

Vayun Godara · claude · Vayun Godara · commit 5c60ceb012bb · 2026-03-16T18:11:37.000+01:00
Security:
- Add user_id filter to focus_sessions query (defense in depth, not just RLS)

Performance:
- Clean up XPBar flash setTimeout on unmount via ref

Architecture:
- Change /login redirect from permanent (301) to temporary (302)
- Remove dead metadata export from not-found.js (Next.js ignores it)
- Move CI e2e env vars to job level so Playwright dev server inherits them

Accessibility:
- Add forced-colors media query so 404 heading is visible in High Contrast Mode
- Add :focus-visible style on 404 CTA link for keyboard users
- Use &lt;main&gt; landmark on 404 page for screen readers

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -29,6 +29,9 @@ jobs:
   e2e:
     runs-on: ubuntu-latest
     needs: build-and-lint
+    env:
+      NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
+      NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
     steps:
       - uses: actions/checkout@v4
 
@@ -42,6 +45,3 @@ jobs:
       - run: npx playwright install --with-deps chromium
 
       - run: npm run test:e2e
-        env:
-          NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
-          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
diff --git a/app/dashboard/focus/FocusPageClient.js b/app/dashboard/focus/FocusPageClient.js
@@ -38,6 +38,7 @@ export default function FocusPageClient({ user }) {
       const { data, error } = await supabase
         .from('focus_sessions')
         .select('*')
+        .eq('user_id', user.id)
         .order('started_at', { ascending: false })
         .limit(10);
 
diff --git a/app/not-found.js b/app/not-found.js
@@ -1,18 +1,16 @@
 import Link from 'next/link';
 import styles from './not-found.module.css';
 
-export const metadata = { title: '404 | LockIn' };
-
 export default function NotFound() {
   return (
     <div className={styles.container}>
-      <div className={styles.content}>
+      <main className={styles.content}>
         <h1 className={styles.heading}>404</h1>
         <p className={styles.message}>This page could not be found.</p>
         <Link href="/" className={styles.link}>
           Go home
         </Link>
-      </div>
+      </main>
     </div>
   );
 }
diff --git a/app/not-found.module.css b/app/not-found.module.css
@@ -42,7 +42,20 @@
   transition: transform var(--transition-base), box-shadow var(--transition-base);
 }
 
-.link:hover {
+.link:hover,
+.link:focus-visible {
   transform: translateY(-2px);
   box-shadow: var(--shadow-lg);
 }
+
+.link:focus-visible {
+  outline: 2px solid var(--text-primary, #fff);
+  outline-offset: 2px;
+}
+
+@media (forced-colors: active) {
+  .heading {
+    -webkit-text-fill-color: currentColor;
+    background: none;
+  }
+}
diff --git a/components/XPBar.js b/components/XPBar.js
@@ -12,6 +12,7 @@ export default function XPBar({ userId, refreshKey }) {
   const [level, setLevel] = useState(1);
   const [xpChanged, setXpChanged] = useState(false);
   const prevXpRef = useRef(null);
+  const flashTimerRef = useRef(null);
   const supabase = useMemo(() => createClient(), []);
 
   useEffect(() => {
@@ -25,8 +26,9 @@ export default function XPBar({ userId, refreshKey }) {
       if (data) {
         const newXP = data.total_xp || 0;
         if (prevXpRef.current !== null && newXP > 0 && newXP !== prevXpRef.current) {
+          if (flashTimerRef.current) clearTimeout(flashTimerRef.current);
           setXpChanged(true);
-          setTimeout(() => setXpChanged(false), 600);
+          flashTimerRef.current = setTimeout(() => setXpChanged(false), 600);
         }
         prevXpRef.current = newXP;
         setXP(newXP);
@@ -36,6 +38,12 @@ export default function XPBar({ userId, refreshKey }) {
     if (userId) fetchXP();
   }, [userId, supabase, refreshKey]);
 
+  useEffect(() => {
+    return () => {
+      if (flashTimerRef.current) clearTimeout(flashTimerRef.current);
+    };
+  }, []);
+
   const progress = getProgressToNextLevel(xp);
 
   return (
diff --git a/next.config.mjs b/next.config.mjs
@@ -17,7 +17,7 @@ const nextConfig = {
       {
         source: '/login',
         destination: '/',
-        permanent: true,
+        permanent: false,
       },
     ];
   },

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ const nextConfig = {`
`17`	`17`	`{`
`18`	`18`	`source: '/login',`
`19`	`19`	`destination: '/',`
`20`		`- permanent: true,`
	`20`	`+ permanent: false,`
`21`	`21`	`},`
`22`	`22`	`];`
`23`	`23`	`},`