Describe the bug
Collaboration room membership uses session.user.name as the current user's identifier and stores raw github_username invite input. GitHub usernames are case-insensitive, and session.user.name may be a display name rather than the stable GitHub login used elsewhere in the app.
This can cause room access checks and duplicate-member detection to behave inconsistently.
Affected files
src/app/api/rooms/route.tssrc/app/api/rooms/[roomId]/route.tssrc/app/api/rooms/[roomId]/messages/route.tssrc/app/api/rooms/[roomId]/invite/route.tssrc/lib/supabase.tssrc/components/rooms/InviteModal.tsx
Current behavior
- Room listing and creation use
session.user.name.
- Room access checks use
session.user.name.
- Invite input is only trimmed client-side and checked for emptiness server-side.
- Duplicate member checks compare raw strings exactly:
if (members.some((m) => m.github_username === github_username))
return NextResponse.json({ error: 'User is already a member' }, { status: 409 });This means values such as Octocat and octocat can be treated as different members, even though GitHub treats usernames case-insensitively.
Expected behavior
Room membership should use a stable, canonical GitHub identity:
- Use
session.githubLogin for the signed-in user instead of session.user.name.
- Normalize invited usernames before lookup/storage.
- Prevent case-insensitive duplicates.
- Store or compare a canonical username value consistently.
Why this matters
Rooms are permissioned resources. If the app uses display names in one path and GitHub logins in another, legitimate users may fail access checks or duplicate memberships can be created. This can make room membership unreliable and harder to reason about.
Suggested fix
- Replace
session.user.name with session.githubLogin in room API routes.
- Validate invited usernames with the existing GitHub username normalization helper.
- Use the canonical
login returned by the GitHub /users/{username} response when adding members.
- Make duplicate checks case-insensitive or store a canonical lowercase lookup value.
- Consider a database uniqueness constraint on
(room_id, lower(github_username)) if supported by the current schema/migration style.
- Add focused tests for:
- display name differing from GitHub login,
- mixed-case invites,
- duplicate invite attempts with different casing.
Acceptance criteria
Describe the bug
Collaboration room membership uses
session.user.nameas the current user's identifier and stores rawgithub_usernameinvite input. GitHub usernames are case-insensitive, andsession.user.namemay be a display name rather than the stable GitHub login used elsewhere in the app.This can cause room access checks and duplicate-member detection to behave inconsistently.
Affected files
src/app/api/rooms/route.tssrc/app/api/rooms/[roomId]/route.tssrc/app/api/rooms/[roomId]/messages/route.tssrc/app/api/rooms/[roomId]/invite/route.tssrc/lib/supabase.tssrc/components/rooms/InviteModal.tsxCurrent behavior
session.user.name.session.user.name.This means values such as
Octocatandoctocatcan be treated as different members, even though GitHub treats usernames case-insensitively.Expected behavior
Room membership should use a stable, canonical GitHub identity:
session.githubLoginfor the signed-in user instead ofsession.user.name.Why this matters
Rooms are permissioned resources. If the app uses display names in one path and GitHub logins in another, legitimate users may fail access checks or duplicate memberships can be created. This can make room membership unreliable and harder to reason about.
Suggested fix
session.user.namewithsession.githubLoginin room API routes.loginreturned by the GitHub/users/{username}response when adding members.(room_id, lower(github_username))if supported by the current schema/migration style.Acceptance criteria
session.githubLogin.Octocatandoctocatcannot be added as separate room members.