feat(feedback): in-app quick feedback widget (#5662)#7143
Open
MarkusNeusinger wants to merge 2 commits into
Open
feat(feedback): in-app quick feedback widget (#5662)#7143MarkusNeusinger wants to merge 2 commits into
MarkusNeusinger wants to merge 2 commits into
Conversation
Add a global floating widget so non-coder users can send a short note without opening a GitHub issue. Submissions go to a new `feedback` table behind `POST /feedback`, guarded by a honeypot, length cap, reaction allow-list, and per-IP rate limit. Open/submit events fire through the existing Plausible analytics hook. https://claude.ai/code/session_01D5QExULwc4wAGZyHeTiC89
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
CodeQL flagged Math.random() in the newSessionId fallback. The id is an opaque correlation handle (not a credential), but there's no reason to reach for Math.random when crypto.getRandomValues is universally available in any browser that has window.crypto. https://claude.ai/code/session_01D5QExULwc4wAGZyHeTiC89
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
Contributor
There was a problem hiding this comment.
Pull request overview
Adds an in-app quick feedback flow spanning the React app, FastAPI backend, database schema, tests, and Plausible analytics documentation.
Changes:
- Adds a global floating feedback widget mounted in
RootLayout. - Adds
POST /feedback, persistence via a newFeedbackmodel/repository, and Alembic migration. - Adds backend/frontend tests and documents the new Plausible events.
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
app/src/components/FeedbackWidget.tsx |
Implements the floating feedback FAB, popover form, submission, and analytics events. |
app/src/components/FeedbackWidget.test.tsx |
Adds component tests for widget rendering, submission, errors, and honeypot accessibility. |
app/src/components/RootLayout.tsx |
Mounts the feedback widget globally. |
api/routers/feedback.py |
Adds the feedback submission endpoint, validation, rate limiting, and persistence. |
api/routers/__init__.py |
Exports the new feedback router. |
api/main.py |
Registers the feedback router with the FastAPI app. |
api/schemas.py |
Adds feedback request/response schemas. |
core/database/models.py |
Adds the Feedback model and allowed reaction constants. |
core/database/repositories.py |
Adds FeedbackRepository. |
core/database/__init__.py |
Re-exports feedback model/repository symbols. |
alembic/versions/c5d7e9f1a3b2_add_feedback_table.py |
Adds the feedback table migration and indexes. |
tests/unit/api/test_feedback_router.py |
Adds isolated unit coverage for feedback endpoint guard logic. |
tests/integration/api/test_api_endpoints.py |
Adds integration coverage for /feedback. |
tests/integration/test_repositories.py |
Adds integration coverage for FeedbackRepository. |
docs/reference/plausible.md |
Documents feedback analytics events. |
| """Create the feedback table plus indexes for recent-first browsing and rate-limit lookups.""" | ||
| op.create_table( | ||
| "feedback", | ||
| sa.Column("id", sa.String(36), primary_key=True, nullable=False), |
Comment on lines
+74
to
+75
| since = datetime.now(timezone.utc) - RATE_LIMIT_WINDOW | ||
| recent = await repo.count_recent_by_ip(ip_hash, since) |
Comment on lines
+32
to
+36
| """Resolve the client IP, preferring x-forwarded-for (Cloud Run + CF).""" | ||
| forwarded = request.headers.get("x-forwarded-for", "") | ||
| if forwarded: | ||
| # x-forwarded-for can be a comma-separated chain; the first entry is the original client. | ||
| return forwarded.split(",")[0].strip() |
Comment on lines
+73
to
+77
| if ip_hash: | ||
| since = datetime.now(timezone.utc) - RATE_LIMIT_WINDOW | ||
| recent = await repo.count_recent_by_ip(ip_hash, since) | ||
| if recent >= RATE_LIMIT_MAX: | ||
| raise HTTPException(status_code=429, detail="Too many feedback submissions, please slow down") |
Comment on lines
+72
to
+75
|
|
||
| const ensureSessionId = (): string => { | ||
| if (sessionId) return sessionId; | ||
| const fresh = newSessionId(); |
| model = Feedback | ||
| updatable_fields = frozenset() | ||
|
|
||
| async def count_recent_by_ip(self, ip_hash: str, since) -> int: |
Comment on lines
+40
to
+42
| def _hash_ip(ip: str) -> str: | ||
| """SHA-256 of the IP, hex. Used for rate-limit lookups only — never reversed.""" | ||
| return hashlib.sha256(ip.encode("utf-8")).hexdigest() if ip else "" |
Comment on lines
+33
to
+34
| if (RESERVED_TOP_LEVEL.has(segments[0])) return undefined; | ||
| return segments[0]; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
RootLayout. Clicking opens a compact popover with a 500-char message field, optional reaction (👍 👎 🐛 💡 ❤️), optional email, and a "Send" button. After submit users see a "Thanks!" state that auto-closes.POST /feedbackpersists entries to a newfeedbacktable viaFeedbackRepository. Guards: honeypot field, message length cap, reaction allow-list, per-IP rate limit (5/min using a SHA-256 IP hash).feedback_openedandfeedback_submittedvia the existinguseAnalyticshook; documented indocs/reference/plausible.md.Resolves the three open questions in the issue:
Files
core/database/models.py(Feedbackmodel +FEEDBACK_REACTIONS),core/database/repositories.py(FeedbackRepository),core/database/__init__.py(exports),alembic/versions/c5d7e9f1a3b2_add_feedback_table.py(new migration off the current head3a7e1b5c0c4f),api/schemas.py(FeedbackRequest/Response),api/routers/feedback.py,api/routers/__init__.py,api/main.py.app/src/components/FeedbackWidget.tsx,app/src/components/RootLayout.tsx(mounts widget).tests/unit/api/test_feedback_router.py(7), integrationtests/integration/api/test_api_endpoints.py::TestFeedbackEndpoint(8) andtests/integration/test_repositories.py::TestFeedbackRepository(2), frontendapp/src/components/FeedbackWidget.test.tsx(6).docs/reference/plausible.mdadds the two new events.Test plan
uv run ruff check . && uv run ruff format --check .uv run pytest tests/unit tests/integration— 1505 passedyarn tsc --noEmit(clean)yarn test— 465 passed across 53 filesfeedbacktable; trigger 6 submissions in a row from one IP and confirm the 6th returns 429; verify the honeypot path doesn't write.alembic upgrade headthendowngrade -1thenupgrade head).https://claude.ai/code/session_01D5QExULwc4wAGZyHeTiC89
Generated by Claude Code