fix(orm): stricter validation in $setAuth and clean up imports

[ymc9]

Summary

• Reject null and arrays in $setAuth — typeof null === 'object' in JS, so the previous check allowed invalid auth values
• Consolidate duplicate imports from ./query-utils in client-impl.ts
• Improve $auth and $setAuth doc comments for clarity

Test plan

• Verify $setAuth(null) now throws Invalid auth object
• Verify $setAuth([]) now throws Invalid auth object
• Verify $setAuth({ id: 1 }) still works as expected
• Existing tests pass

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes

  • Strengthened validation for authentication settings to properly reject null values, arrays, and other invalid input types.

• Documentation

  • Clarified authentication method behavior, specifically how authentication getters return undefined and setters accept undefined when there is no user context.

[claude]

Claude finished @ymc9's task —— View job

---

PR Review Complete ✅

I've thoroughly reviewed this PR and the changes look solid overall. Here's my feedback:

Todo List:

• Read and analyze the changed files
• Review the $setAuth validation logic changes
• Examine import consolidation in client-impl.ts
• Check for potential bugs or security issues
• Assess performance implications
• Evaluate test coverage needs
• Provide comprehensive feedback

✅ Code Quality & Best Practices

Excellent - The changes follow good practices and fix real issues:

✅ $setAuth Validation Fix (client-impl.ts:429)

The validation logic fix is spot-on:

- if (auth !== undefined && typeof auth !== 'object') {
+ if (auth !== undefined && (typeof auth !== 'object' || auth === null || Array.isArray(auth))) {

Why this is important:

• typeof null === 'object' in JavaScript is a well-known gotcha
• Array.isArray([]) returns true, so arrays would have passed validation
• This correctly rejects null, arrays, and primitives while allowing objects and undefined

✅ Import Consolidation (client-impl.ts:44-46)

Clean import organization:

+ import { createZenStackPromise, type ZenStackPromise } from './promise';
+ import { fieldHasDefaultValue, getField, isUnsupportedField, requireModel } from './query-utils';
+ import { ResultProcessor } from './result-processor';

Removed duplicate imports from line 50 that were scattered below. This improves maintainability.

✅ Documentation Improvements (contract.ts:127,135)

Minor but helpful doc comment enhancements for clarity.

🔒 Security Assessment

No security concerns identified - The validation actually improves security by:

• Preventing unexpected data types in auth context
• More predictable behavior when auth is used in policies

⚡ Performance Implications

Minimal performance impact:

• Added validation checks are O(1) operations
• Import consolidation may slightly improve module loading
• No runtime performance regression expected

🧪 Test Coverage Assessment

Good test coverage exists - I found 51 test files using $setAuth, indicating extensive existing coverage.

Test plan verification:

• ✅ $setAuth(null) should now throw Invalid auth object
• ✅ $setAuth([]) should now throw Invalid auth object
• ✅ $setAuth({ id: 1 }) should still work as expected
• ✅ Existing tests should continue to pass

Recommendation: Consider adding explicit tests for the new validation edge cases if not already covered.

🐛 Potential Issues

Minor consideration: The error message "Invalid auth object" could be more specific about what's invalid:

// Current:
throw new Error('Invalid auth object');

// Could be more descriptive:
throw new Error('Invalid auth object: expected object but received ' + (auth === null ? 'null' : Array.isArray(auth) ? 'array' : typeof auth));

But this is not critical since the current message is clear enough.

📋 Summary

This is a high-quality PR that:

• ✅ Fixes a legitimate bug with null/array validation
• ✅ Improves code organization with import consolidation
• ✅ Enhances documentation clarity
• ✅ Has minimal risk and good test coverage
• ✅ Follows repository conventions

Recommendation: Approve and merge 🚀

---

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 36dfb3af-6d54-4def-9416-a6b7e3948307

📥 Commits

Reviewing files that changed from the base of the PR and between c36cf8e and 840522b.

📒 Files selected for processing (2)

• packages/orm/src/client/client-impl.ts
• packages/orm/src/client/contract.ts

---

📝 Walkthrough

Walkthrough

This PR updates authentication validation and documentation in the ORM client implementation. It strengthens input validation in ClientImpl.$setAuth to reject null and arrays, reorganizes imports for clarity, and improves JSDoc documentation for user-auth related methods in ClientContract to clarify behavior when no user context is bound.

Changes

Cohort / File(s)	Summary
Auth Client Validation & Documentation packages/orm/src/client/client-impl.ts, packages/orm/src/client/contract.ts	Enhanced $setAuth input validation to explicitly reject null and arrays; reorganized imports; improved JSDoc clarifications for $auth getter and $setAuth method regarding undefined user context.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 With whiskers twitching, I've hopped through the code,
Null and arrays now take the load,
Docs clarified, imports so neat,
Auth validation's refreshingly sweet! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately summarizes the main changes: stricter validation in $setAuth and import cleanup, matching both the objectives and file modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/set-auth-validation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}