Merge master into prod #79

Merged
rohanmathur91 merged 9 commits into production from master
Jun 30, 2026
Conversation

@rohanmathur91

Member

Closes issue:

📜 Summary of changes:

🎥 Demo Video:

Video/Demo:

✅ Checklist:

  • Make sure linting and unit tests pass.
  • No install/build warnings introduced.
  • Verified UI in browser.
  • For UI changes, added/updated analytics events (if applicable).
  • For changes in extension's code, manually tested in Chrome and Firefox.
  • Added/updated unit tests for this change.
  • Raised pull request to update corresponding documentation (if already exists).
  • Added demo video showing the changes in action (if applicable).

🧪 Test instructions:

🔗 Other references:

zeachco and others added 9 commits June 4, 2026 11:57
chore: fixed typo newtwork > network

The header and Manage Account avatars rendered a one-time `photoURL`
snapshot rather than resolving live. Google/SSO accounts stored the Google
photo, while email/password accounts stored either a synthetic gravatar URL
or the all-zeros dummy placeholder (avatar/0000…?d=mp&f=y). As a result,
updates a user made on Gravatar never surfaced in the app.

Add `getUserAvatarUrl(email, providerPhotoURL)`:
- returns the provider photo (e.g. Google) unchanged when present
- otherwise resolves Gravatar live from the current login email, so changes
  made on Gravatar are reflected — and the broken all-zeros snapshot is
  re-pointed to the real md5(email) hash

Wire HeaderUser and the Manage Account profile page to it. parseGravatarImage
is left intact (still used by OrgNotificationBanner).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

CodeQL flagged providerPhotoURL.includes("gravatar.com") as incomplete URL substring sanitization — "gravatar.com" could appear in an unrelated host (gravatar.com.evil.com) or a query string. Parse the URL and match on the hostname instead (host === "gravatar.com" || host.endsWith(".gravatar.com")), falling back to live Gravatar on unparseable values.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
fix(profile): resolve avatar provider-first, else live Gravatar
@rohanmathur91 rohanmathur91 merged commit f4fdb56 into production Jun 30, 2026
4 checks passed
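
The substring check that CodeQL flagged, next to the hostname match described in the commit message above, run over constructed URLs. This is an added example, not the project's code: the function names, the sample URLs and the `avatarSource` decision logic (a stored Gravatar URL or an unparseable value resolves to live Gravatar, anything else is treated as the provider photo) are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, sample URLs are constructed.

// The pattern CodeQL flagged: matches "gravatar.com" anywhere in the string,
// including an unrelated host or a query string.
function isGravatarBySubstring(photoURL) {
  return photoURL.includes("gravatar.com");
}

// Hostname match from the commit message. Returns null when the value
// cannot be parsed, so the caller can fall back to live Gravatar.
function isGravatarByHost(photoURL) {
  let host;
  try {
    host = new URL(photoURL).hostname;
  } catch {
    return null;
  }
  return host === "gravatar.com" || host.endsWith(".gravatar.com");
}

// Assumed decision logic: only a parseable, non-Gravatar URL counts as a
// provider photo; empty, unparseable or Gravatar-hosted values go live.
function avatarSource(providerPhotoURL) {
  if (!providerPhotoURL) return "live-gravatar";
  const onGravatar = isGravatarByHost(providerPhotoURL);
  return onGravatar === false ? "provider" : "live-gravatar";
}

// Constructed inputs covering the cases named in the commit message.
const SAMPLES = [
  "https://www.gravatar.com/avatar/EXAMPLEHASH?d=mp", // stored Gravatar URL
  "https://gravatar.com.evil.com/a.png",              // unrelated host
  "https://photos.example/u.png?ref=gravatar.com",    // query string
  "https://notgravatar.com/u.png",                    // suffix without a dot
  "https://photos.example/u.png",                     // ordinary provider photo
  "not a url",                                        // unparseable
];

function compareChecks() {
  return SAMPLES.map((url) => ({
    url,
    substring: isGravatarBySubstring(url),
    host: isGravatarByHost(url),
    source: avatarSource(url),
  }));
}

console.table(compareChecks());
```

Rows two to four are where the two checks disagree: the substring test reports a Gravatar URL while the hostname test does not.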