fix(auth): prefill device code URL, strip hyphen on copy

[rainxchzed]

Sprint 3 Task 8 + diagnostics. Backend /v1/auth/device/start returns 429 rate_limited (10/hr/IP, ~1hr cooldown) when user retries — current code treated 429 as non-infra and gave no fallback path.

• openGitHub: build prefilled ?user_code= URL client-side when backend omits verification_uri_complete.
• copyCode: strip hyphen so paste lands cleanly on GitHub's split-digit boxes.
• startDeviceFlow: fall back to Direct GitHub on backend 429 (start path only — poll path still respects backend rate limits).
• logger.error with full cause chain + status code + origin on every failure path.

Test plan

• Android compile clean
• 13 locale whatsnew
• Device: sign-in while backend rate-limited → Direct path runs → code page opens

Source: Siddharth Patil + 陈sir + Tao Feng + on-device repro (HTTP 429 confirmed via curl).

Summary by CodeRabbit

• Bug Fixes

  • Sign-in now opens the device-code URL with the code prefilled and copies a paste-friendly code to simplify completing login.
  • Externally linked repositories display a clearer one-tap disconnect banner in the details view for easier unlinking.

• Documentation

  • Localized “What’s New” release notes updated to reflect these fixes across multiple languages.

[greptile-apps]

rainxchzed has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 588a7d80-554d-4b9d-a7e7-40f1d0045f11

📥 Commits

Reviewing files that changed from the base of the PR and between fc4e1f0 and 5de1f1e.

📒 Files selected for processing (2)

• feature/auth/data/src/commonMain/kotlin/zed/rainxch/auth/data/repository/AuthenticationRepositoryImpl.kt
• feature/auth/presentation/src/commonMain/kotlin/zed/rainxch/auth/presentation/AuthenticationViewModel.kt

🚧 Files skipped from review as they are similar to previous changes (2)

• feature/auth/presentation/src/commonMain/kotlin/zed/rainxch/auth/presentation/AuthenticationViewModel.kt
• feature/auth/data/src/commonMain/kotlin/zed/rainxch/auth/data/repository/AuthenticationRepositoryImpl.kt

---

Walkthrough

Adds localized whatsnew bullets in 13 languages and updates auth: ViewModel sanitizes/copies device codes, prefers verificationUriComplete or builds a prefilled verification URL, and repository startDeviceFlow refines fallback eligibility and logging.

Changes

Device code authentication improvements

Layer / File(s)	Summary
Release notes updates across languages core/presentation/.../whatsnew/{18,ar,bn,es,fr,hi,it,ja,ko,pl,ru,tr,zh-CN}/18.json	Adds a FIXED bullet in each localized whatsnew JSON (v1.8.3) describing that sign-in opens a prefilled device-code URL and copies a paste-friendly code.
AuthenticationViewModel device code handling feature/auth/presentation/src/commonMain/kotlin/zed/rainxch/auth/presentation/AuthenticationViewModel.kt	Sanitizes userCode to alphanumeric when copying (start and UI copy), prefers verificationUriComplete, and adds buildPrefilledUrl(verificationUri, userCode) to append user_code with correct ?/& separator for fallback URLs. Also enriches startLogin error logging with root-cause details.
AuthenticationRepositoryImpl startDeviceFlow fallback logic feature/auth/data/src/commonMain/kotlin/zed/rainxch/auth/data/repository/AuthenticationRepositoryImpl.kt	Refactors backend-start failure handling: computes exception metadata, introduces isBackendStartFallbackEligible() (includes infra errors and BackendHttpException 429), logs backend/direct exception details on fallback, and logs distinct non-fallback cases before throwing.

Sequence Diagram

sequenceDiagram
  participant User
  participant AuthenticationViewModel
  participant BackendService
  participant GitHub
  User->>AuthenticationViewModel: startLogin / Start device flow
  AuthenticationViewModel->>AuthenticationViewModel: sanitize userCode (alphanumeric)
  AuthenticationViewModel->>AuthenticationViewModel: copy sanitized code to clipboard
  AuthenticationViewModel->>BackendService: request backend-start (optional)
  BackendService->>AuthenticationViewModel: backend device/start response (verificationUri, verificationUriComplete)
  alt verificationUriComplete available
    AuthenticationViewModel->>GitHub: open verificationUriComplete URL
  else fallback
    AuthenticationViewModel->>AuthenticationViewModel: buildPrefilledUrl(verificationUri, userCode)
    AuthenticationViewModel->>GitHub: open prefilled URL with user_code param
  end
  GitHub->>User: show device code page

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• OpenHub-Store/GitHub-Store#441: Modifies AuthenticationViewModel device-flow sign-in path; related clipboard/URL handling changes.

Poem

🐰 I hopped to tidy login's dance,

Prefilled links and cleaner glance,
I copy codes without the fluff,
Paste-ready strings — quick and enough,
Twelve tongues now sing — a carrot prance!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately summarizes the main changes: prefilling the device code URL and stripping the hyphen from the code on copy, matching the core functional improvements in the PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/auth-8digit-code-stuck

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@feature/auth/presentation/src/commonMain/kotlin/zed/rainxch/auth/presentation/AuthenticationViewModel.kt`:
- Around line 626-629: In buildPrefilledUrl(verificationUri: String, userCode:
String) the userCode is concatenated raw into the query string; URL-encode it
using io.ktor.http.encodeURLParameter before appending so the query param is
correctly escaped (follow the same pattern used in FeedbackComposer.kt), and add
the import for encodeURLParameter if missing.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3fccf9fd-5238-4bdf-8b94-e8c327ff27ec

📥 Commits

Reviewing files that changed from the base of the PR and between 387750b and 756a44e.

📒 Files selected for processing (14)

• core/presentation/src/commonMain/composeResources/files/whatsnew/18.json
• core/presentation/src/commonMain/composeResources/files/whatsnew/ar/18.json
• core/presentation/src/commonMain/composeResources/files/whatsnew/bn/18.json
• core/presentation/src/commonMain/composeResources/files/whatsnew/es/18.json
• core/presentation/src/commonMain/composeResources/files/whatsnew/fr/18.json
• core/presentation/src/commonMain/composeResources/files/whatsnew/hi/18.json
• core/presentation/src/commonMain/composeResources/files/whatsnew/it/18.json
• core/presentation/src/commonMain/composeResources/files/whatsnew/ja/18.json
• core/presentation/src/commonMain/composeResources/files/whatsnew/ko/18.json
• core/presentation/src/commonMain/composeResources/files/whatsnew/pl/18.json
• core/presentation/src/commonMain/composeResources/files/whatsnew/ru/18.json
• core/presentation/src/commonMain/composeResources/files/whatsnew/tr/18.json
• core/presentation/src/commonMain/composeResources/files/whatsnew/zh-CN/18.json
• feature/auth/presentation/src/commonMain/kotlin/zed/rainxch/auth/presentation/AuthenticationViewModel.kt

[greptile-apps]

rainxchzed has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@feature/auth/data/src/commonMain/kotlin/zed/rainxch/auth/data/repository/AuthenticationRepositoryImpl.kt`:
- Line 51: The start-flow log in AuthenticationRepositoryImpl.kt currently
prints the live device authorization secret (dto.userCode) which must be
removed; update the logger.info calls (the one that logs "Device flow started
via Backend..." and the other occurrence around the same start-flow logic) to
omit dto.userCode and only include non-secret fields (e.g., dto.intervalSec,
dto.expiresInSec, and whether dto.verificationUriComplete is present) so the
active sign-in code is not written to logs.
- Around line 59-63: The current fallback to Direct when
isBackendStartFallbackEligible() is true incorrectly treats backend 4xx
responses (e.g., BackendHttpException with status 429) as infrastructure
failures; update the logic in AuthenticationRepositoryImpl (where backend start
errors are handled and in the similar block at the other occurrence) to only
escalate to Direct for true infra errors (timeouts and 5xx), and explicitly
treat HTTP 4xx (including 429) and GitHub negative responses as definitive
backend answers—either by refining isBackendStartFallbackEligible() to return
false for 4xx statuses or by checking the exception/status (e.g.,
BackendHttpException.status) before calling the fallback path so AuthPath
remains Backend for client errors.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 858dd274-3a34-4a94-967d-34b56e1e69aa

📥 Commits

Reviewing files that changed from the base of the PR and between 756a44e and fc4e1f0.

📒 Files selected for processing (2)

• feature/auth/data/src/commonMain/kotlin/zed/rainxch/auth/data/repository/AuthenticationRepositoryImpl.kt
• feature/auth/presentation/src/commonMain/kotlin/zed/rainxch/auth/presentation/AuthenticationViewModel.kt

[greptile-apps]

rainxchzed has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.