🥅 server: handle no panda user on card create by cruzdanilo · Pull Request #791 · exactly/exa

cruzdanilo · 2026-02-16T22:33:47Z

Summary by CodeRabbit

Bug Fixes
- Standardized and simplified card API error responses (consistent codes for missing users, cards, credentials, and approval states).
- Improved handling for card creation/upsert flows, including clearer responses when panda user is missing or unapproved.
Tests
- Expanded tests covering missing/unapproved panda user scenarios, create-card failure paths, and error-capture behavior.
Chores
- Added release notes entries for a patch release addressing legacy response fields.

changeset-bot · 2026-02-16T22:33:51Z

🦋 Changeset detected

Latest commit: 70ad3dc

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@exactly/server	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

gemini-code-assist · 2026-02-16T22:34:03Z

Summary of Changes

Hello @cruzdanilo, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the server's card creation process by introducing robust error handling for unapproved Panda users. It ensures that when a user attempts to create a card but their associated Panda account lacks approval, the API responds with a precise 403 Forbidden status, providing clearer feedback and preventing unexpected system behavior. The changes also include a refactoring of error code constants for improved maintainability and new tests to cover these specific error conditions.

Highlights

Improved Error Handling for Unapproved Panda Users: Implemented specific error handling in the card creation flow to gracefully manage scenarios where a Panda user is not approved, returning a 403 Forbidden status with a clear 'no panda' error code.
Refactored Error Code Constants: Replaced the BadRequestCodes constant with direct string literals for error responses across the card.ts API, simplifying error code management.
Enhanced Panda API Error Parsing: Modified the createCard utility function to parse specific 403 error messages from the external Panda API, rethrowing a standardized 'panda user not approved' error for consistent handling.
Added Comprehensive Test Coverage: Introduced new test cases to validate the server's behavior when a Panda user is unapproved and when the createCard function encounters other types of 403 errors from the external service.

Changelog

.changeset/quiet-otter-map.md
- Added a new changeset file for the patch.
server/api/card.ts
- Removed the BadRequestCodes constant and replaced its usages with string literals.
- Updated card creation logic to catch and handle 'panda user not approved' errors specifically, returning a 403 status.
server/test/api/card.test.ts
- Added two new test cases to validate the server's response when a Panda user is unapproved.
- Added a test case to ensure the server throws a 500 error for other unexpected 403 errors from the createCard function.
server/utils/panda.ts
- Wrapped the request call in createCard with a try-catch block to parse 403 error messages from the Panda API.
- Implemented logic to identify and rethrow a standardized 'panda user not approved' error if a specific message is matched.

Activity

The pull request was initiated.
Devin AI provided a review.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	`/gemini review`	Performs a code review for the current pull request in its current state.
Pull Request Summary	`/gemini summary`	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	`/gemini help`	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

coderabbitai · 2026-02-16T22:34:05Z

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

Walkthrough

Refactors Card API error handling to use inline string codes (e.g., "no panda", "no card"), replaces legacy response builders with direct schemas, adds a noUser helper for mapping user-resolution errors, and simplifies card creation/response shapes. Tests updated to match new error responses and additional edge cases added.

Changes

Cohort / File(s)	Summary
Card API `server/api/card.ts`	Replaced BadRequestCodes with inline string codes in responses; simplified response schemas to `{ code: literal(...) }`; introduced `noUser` helper; streamlined card creation/upsertion to return direct payloads; adjusted mutex/error flows and push notification conditional logic.
Tests `server/test/api/card.test.ts`	Updated expectations for 403/404 to new `{ code: "no panda" }` / `{ code: "no card" }` formats; added tests for panda user approval/missing-user and createCard failure paths; added Sentry capture mocks.
Changesets `.changeset/calm-otter-map.md`, `.changeset/shy-areas-flash.md`	Added two patch-level changeset entries documenting handling of missing Panda user and removal of legacy card response fields.

Sequence Diagram(s)

sequenceDiagram
  participant Client as Client
  participant Server as Server (card endpoint)
  participant Panda as Panda/User Service
  participant DB as Database
  participant Sentry as Sentry

  rect rgba(200,200,255,0.5)
  Client->>Server: GET/POST /card
  Server->>Panda: resolve user/credential
  Panda-->>Server: user found / not found / unapproved
  end

  alt user found & approved
    Server->>DB: read/create card
    DB-->>Server: card payload
    Server->>Client: 200/201 { ...card payload... }
  else user missing or unapproved
    Server->>Sentry: captureException (conditional)
    Server->>Client: 403 { code: "no panda" }
  else other error
    Server->>Client: 500 { code: "internal_error" }
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

🥅 server: handle misc panda errors from sentry #736 — Modifies card.ts handling for missing/invalid Panda users and aligns tests with standardized error responses.
✨ server: add pax for platinum to signature card upgrades #670 — Changes card creation/issuance/upsertion flow in card.ts, including created-card return behavior.
✨ server: integrate sardine #594 — Refactors card issuance/response shapes and integrates post-creation operations in the card pipeline.

Suggested reviewers

nfmelendez

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: handling 'no panda' user scenarios on the card creation endpoint, which is the central focus of the refactoring.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch card

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

sentry · 2026-02-16T22:35:36Z

Sentry Issue: SERVER-J5

sentry · 2026-02-16T22:36:00Z

Codecov Report

❌ Patch coverage is 84.09091% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.31%. Comparing base (072708d) to head (70ad3dc).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
server/api/card.ts	84.09%	9 Missing and 5 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #791      +/-   ##
==========================================
+ Coverage   68.99%   69.31%   +0.31%     
==========================================
  Files         207      207              
  Lines        7032     7175     +143     
  Branches     2222     2299      +77     
==========================================
+ Hits         4852     4973     +121     
- Misses       2001     2016      +15     
- Partials      179      186       +7

Flag	Coverage Δ
e2e	`68.94% <68.18%> (+16.05%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

gemini-code-assist

Code Review

This pull request correctly handles a specific user not approved error from the Panda API during card creation by returning a 403 status, including specific error parsing and new tests. No specific vulnerabilities or critical issues were found. There are a couple of suggestions to improve code maintainability and clarity.

I am having trouble creating individual review comments. Click here to see my feedback.

server/api/card.ts (48-53)

The BadRequestCodes constant object was removed, and its values are now hardcoded as strings. Using constants for such values is generally better for maintainability as it prevents typos, provides a single source of truth, and makes the code easier to refactor. Since these codes are used in multiple places, I'd recommend re-introducing this constant object.

server/utils/panda.ts (71-93)

The error handling logic in this catch block is a bit complex due to manual string parsing and variable declarations. This can be simplified for better readability and robustness, reducing the chance of bugs if the upstream error format changes slightly.

  } catch (error) {
    if (error instanceof Error) {
      const separator = error.message.indexOf(" ");
      if (separator !== -1) {
        const status = Number.parseInt(error.message.slice(0, separator), 10);
        if (status === 403) {
          try {
            const payload = JSON.parse(error.message.slice(separator + 1)) as { error?: string; message?: string };
            if (payload.error === "ForbiddenError" && payload.message === "User exists, but is not not approved") {
              throw new Error("panda user not approved");
            }
          } catch {
            // Not JSON or doesn't match, fall through to rethrow original error
          }
        }
      }
    }
    throw error;
  }

sentry · 2026-02-16T22:36:13Z

Sentry Issue: SERVER-JC

sentry · 2026-02-16T23:29:19Z

Sentry Issue: SERVER-JE

sentry · 2026-02-16T23:29:39Z

Sentry Issue: SERVER-JE

sentry · 2026-02-16T23:29:48Z

Sentry Issue: SERVER-JE

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bb37db14ab

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

devin-ai-integration

Devin Review found 1 new potential issue.

View 8 additional findings in Devin Review.

sentry · 2026-02-17T20:16:28Z

Issues attributed to commits in this pull request

This pull request was merged and Sentry observed the following issues:

‼️ Error: 400 {"message":"Cannot retrieve details for... in production
‼️ Error: 404 {"message":"Not Found","error":"NotFoun... in production
‼️ Error: 400 {"message":"Postal code length is too l... in production
‼️ Error: 400 {"message":"Cannot update a canceled ca... in base-sepolia
‼️ NotFoundError: 404 {"message":"Not Found","error":... in production

cruzdanilo requested a review from nfmelendez as a code owner February 16, 2026 22:33

gemini-code-assist Bot reviewed Feb 16, 2026

View reviewed changes