fix: logging in from video page

[ameer2468]

Summary by CodeRabbit

• New Features

  • Two-step email sign-in flow: email entry then 6-digit code verification.
  • Dedicated OTP form with paste support, keyboard navigation, auto-advance, verify/resend with cooldown, and a Back action.

• UI/UX

  • Adjusted OTP input sizing, spacing, and focus flow; logo sizing standardized.
  • Updated helper and consent copy for brevity and clarity.
  • Removed the previous inline Google sign-in path from the multi-step flow.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

Introduces a two-step email → OTP sign-in flow in the video comment AuthOverlay, adds a new OtpForm component with verify/resend logic and rate-limiting, and refines UI text, sizing, and layout in the login and verify-otp forms. Removes the embedded Google sign-in path from the overlay.

Changes

Cohort / File(s)	Summary of Changes
Login UI tweaks apps/web/app/(org)/login/form.tsx	Replaced explicit logo width/height with size-12, rendered Google sign-in button directly (removed fragment), and shortened email help copy.
Verify OTP UI refinements apps/web/app/(org)/verify-otp/form.tsx	Reduced heading/paragraph sizes, changed OTP inputs from fixed widths to flexible flex-1 with fixed height, adjusted input container spacing, updated logo sizing and acknowledgment copy.
Auth overlay 2-step flow apps/web/app/s/[videoId]/_components/AuthOverlay.tsx	Reworked to StepOne → OtpForm flow with step, code, lastResendTime state; added Back control to reset state, accessibility id for email, moved logo/consent text, removed embedded Google sign-in, and wired in OtpForm.
New OTP component apps/web/app/s/[videoId]/_components/OtpForm.tsx	Added default-exported OtpForm handling 6-digit inputs (paste, auto-advance, keyboard nav), verify and resend mutations, 30s client-side resend rate limit, focus management, toasts, router refresh, and modal close.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor U as User
  participant AO as AuthOverlay (StepOne)
  participant NA as next-auth signIn("email")
  participant M as Mailer
  participant OF as OtpForm
  participant API as /api/auth/callback/email
  participant S as Session/Router

  U->>AO: Submit email
  AO->>NA: signIn("email", { email })
  NA-->>AO: Ok (email sent)
  AO->>U: Show "Email sent" (step = 2)
  NA-->>M: Trigger email with code
  M-->>U: Deliver 6-digit code

  U->>OF: Enter/paste 6-digit code
  OF->>API: Verify(email, token)
  API-->>OF: Success
  OF->>S: Refresh session/router
  OF->>AO: Close modal

  rect rgba(200,230,255,0.45)
    note right of OF: Resend (client 30s rate-limit)
    U->>OF: Click Resend
    OF->>NA: signIn("email", { email })
    NA-->>OF: Ok (update lastResendTime)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat: Add signup page and update navbar #1012 — Modifies apps/web/app/(org)/login/form.tsx, overlapping login UI/copy changes.
• feat: Implement OTP code, replacing magic auth #832 — Touches OTP/email sign-in flow and related frontend files; likely overlaps with step-based verification work.
• fix: onboarding redirect #918 — Alters the same auth UI components and OTP behavior, suggesting closely related edits.

Poem

A rabbit types six numbers neat,
Hops the cursor, skips a beat.
Mailbox hums, the code takes flight,
Overlay opens, then—alright!
Two steps, one hop, the session's bright. 🥕✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title succinctly describes the primary change by indicating that the pull request fixes the login flow specifically on the video page. It is concise, clear, and directly related to the main objective of the changeset without extra detail or ambiguity. Scanning the commit history, a teammate would immediately understand this PR addresses an issue with video page authentication.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 02dba81 and 37f7880.

📒 Files selected for processing (2)

• apps/web/app/s/[videoId]/_components/AuthOverlay.tsx (2 hunks)
• apps/web/app/s/[videoId]/_components/OtpForm.tsx (1 hunks)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

apps/web/app/s/[videoId]/_components/OtpForm.tsx (1)

52-52: Consider extracting mutation call to avoid auto-submission edge case.

Auto-triggering verification when pasting 6 digits could be unexpected for users who might want to review the pasted code first.

Consider either removing the auto-submit or adding a small delay to give users time to review:

-			if (index + value.length >= 5) handleVerify.mutate(undefined);
+			// Let users review the pasted code before auto-submitting
+			// if (index + value.length >= 5) handleVerify.mutate(undefined);

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3e74068 and 02dba81.

📒 Files selected for processing (4)

• apps/web/app/(org)/login/form.tsx (3 hunks)
• apps/web/app/(org)/verify-otp/form.tsx (3 hunks)
• apps/web/app/s/[videoId]/_components/AuthOverlay.tsx (2 hunks)
• apps/web/app/s/[videoId]/_components/OtpForm.tsx (1 hunks)

🧰 Additional context used

📓 Path-based instructions (6)

apps/web/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

apps/web/**/*.{ts,tsx}: Use TanStack Query v5 for all client-side server state and data fetching in the web app
Web mutations should call Server Actions directly and perform targeted cache updates with setQueryData/setQueriesData rather than broad invalidations
Client code should use useEffectQuery/useEffectMutation and useRpcClient from apps/web/lib/EffectRuntime.ts; do not create ManagedRuntime inside components

Files:

• apps/web/app/(org)/login/form.tsx
• apps/web/app/(org)/verify-otp/form.tsx
• apps/web/app/s/[videoId]/_components/OtpForm.tsx
• apps/web/app/s/[videoId]/_components/AuthOverlay.tsx

apps/web/app/**/*.{tsx,ts}

📄 CodeRabbit inference engine (CLAUDE.md)

Prefer Server Components for initial data in the Next.js App Router and pass initialData to client components

Files:

• apps/web/app/(org)/login/form.tsx
• apps/web/app/(org)/verify-otp/form.tsx
• apps/web/app/s/[videoId]/_components/OtpForm.tsx
• apps/web/app/s/[videoId]/_components/AuthOverlay.tsx

**/*.{ts,tsx,js,jsx,rs}

📄 CodeRabbit inference engine (CLAUDE.md)

Do not add inline, block, or docstring comments in any language; code must be self-explanatory

Files:

• apps/web/app/(org)/login/form.tsx
• apps/web/app/(org)/verify-otp/form.tsx
• apps/web/app/s/[videoId]/_components/OtpForm.tsx
• apps/web/app/s/[videoId]/_components/AuthOverlay.tsx

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Use strict TypeScript and avoid any; leverage shared types from packages

**/*.{ts,tsx}: Use a 2-space indent for TypeScript code.
Use Biome for formatting and linting TypeScript/JavaScript files by running pnpm format.

Files:

• apps/web/app/(org)/login/form.tsx
• apps/web/app/(org)/verify-otp/form.tsx
• apps/web/app/s/[videoId]/_components/OtpForm.tsx
• apps/web/app/s/[videoId]/_components/AuthOverlay.tsx

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx,js,jsx}: Use kebab-case for filenames for TypeScript/JavaScript modules (e.g., user-menu.tsx).
Use PascalCase for React/Solid components.

Files:

• apps/web/app/(org)/login/form.tsx
• apps/web/app/(org)/verify-otp/form.tsx
• apps/web/app/s/[videoId]/_components/OtpForm.tsx
• apps/web/app/s/[videoId]/_components/AuthOverlay.tsx

apps/web/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

On the client, always use useEffectQuery or useEffectMutation from @/lib/EffectRuntime; never call EffectRuntime.run* directly in components.

Files:

• apps/web/app/(org)/login/form.tsx
• apps/web/app/(org)/verify-otp/form.tsx
• apps/web/app/s/[videoId]/_components/OtpForm.tsx
• apps/web/app/s/[videoId]/_components/AuthOverlay.tsx

🧬 Code graph analysis (2)

apps/web/app/(org)/verify-otp/form.tsx (1)

packages/ui/src/components/icons/LogoBadge.tsx (1)

• LogoBadge (1-28)

apps/web/app/s/[videoId]/_components/AuthOverlay.tsx (1)

packages/ui/src/components/icons/LogoBadge.tsx (1)

• LogoBadge (1-28)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Vercel Agent Review
• GitHub Check: Build Desktop (x86_64-pc-windows-msvc, windows-latest)
• GitHub Check: Build Desktop (aarch64-apple-darwin, macos-latest)
• GitHub Check: Analyze (rust)

🔇 Additional comments (9)

apps/web/app/(org)/login/form.tsx (3)

160-161: LGTM! Size class standardization improves maintainability.

Using the predefined size-12 class instead of explicit width/height values (w-[72px] h-[72px]) is more maintainable and ensures consistency across the UI.

---

462-471: LGTM! Fragment removal improves code clarity.

Removing the unnecessary fragment wrapper simplifies the JSX structure without affecting functionality.

---

482-482: Copy improvement enhances clarity.

The simplified message "Please enter your email." is more concise and clearer than the previous longer version.

apps/web/app/(org)/verify-otp/form.tsx (3)

159-159: LGTM! Consistent size class usage.

Using size-12 here maintains consistency with the login form changes.

---

163-168: LGTM! Typography adjustments improve visual hierarchy.

The reduced heading size (text-xl) and body text (text-sm) create better visual balance for the OTP verification form.

---

171-194: LGTM! Flexible input layout improves responsiveness.

The switch from fixed dimensions to flexible sizing (flex-1 with fixed height) creates a more responsive layout that adapts better to different screen sizes.

apps/web/app/s/[videoId]/_components/AuthOverlay.tsx (2)

33-48: LGTM! Well-structured state reset for back navigation.

The back button properly resets all relevant state when returning to the email input step, ensuring a clean user experience.

---

88-107: LGTM! Terms and privacy notice properly positioned.

Moving the legal text outside the form steps ensures it's always visible regardless of the current authentication step.

apps/web/app/s/[videoId]/_components/OtpForm.tsx (1)

73-99: Verify server-side rate limiting on /api/auth/callback/email
The OTP verification mutation currently calls the NextAuth callback with no throttling, allowing unlimited retry attempts—ensure the endpoint is rate-limited server-side (e.g. via middleware or NextAuth customization) and optionally add a small client-side delay to hinder brute-force retries.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Minor inconsistency in copy text.

The text says "By entering your email" but this is the OTP verification form where users are entering a code, not their email. Consider updating to "By verifying your email" to match the context.

-				By entering your email, you acknowledge that you have both read and
+				By verifying your email, you acknowledge that you have both read and

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	By entering your email, you acknowledge that you have both read and
	By verifying your email, you acknowledge that you have both read and

🤖 Prompt for AI Agents

In apps/web/app/(org)/verify-otp/form.tsx around line 224, the copy reads "By
entering your email" which is inconsistent for the OTP verification form; change
the wording to "By verifying your email" (or similar context-appropriate
phrasing) so the message matches that users are entering a verification code
rather than an email, and update any adjacent punctuation/capitalization to
match existing style.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Redundant mutation call in onClick handler.

The button's onClick handler calls handleVerify.mutate(undefined) which is redundant since clicking the button will already trigger the mutation.

The mutation is already bound to the button click, so this explicit call is unnecessary.

🤖 Prompt for AI Agents

In apps/web/app/s/[videoId]/_components/OtpForm.tsx around lines 176 to 178, the
button's onClick handler calls handleVerify.mutate(undefined) redundantly;
remove that explicit call so the button relies on its existing mutation binding
(or form submit handler) to trigger the verify mutation. If any side-effect is
required on click, replace the mutate call with only that side-effect; otherwise
delete the onClick prop entirely to avoid duplicate mutation invocations.