Skip to content

fix: node-renderer diagnostic improvements#3086

Merged
justin808 merged 1 commit into
mainfrom
jg/3075-node-renderer-diag
Apr 9, 2026
Merged

fix: node-renderer diagnostic improvements#3086
justin808 merged 1 commit into
mainfrom
jg/3075-node-renderer-diag

Conversation

@justin808

@justin808 justin808 commented Apr 9, 2026

Copy link
Copy Markdown
Member

Summary

  • Add credentials to the sensitive-key filtering test (every other key in SENSITIVE_REQUEST_BODY_KEYS already had coverage)
  • Exclude renderingRequest from diagnostic bodyKeys output — it's already reported via the Received type: line, so showing it again is redundant
  • Document that renderer_http_keep_alive_timeout should be set shorter than the node renderer's server-side idle timeout to prevent stale-connection errors

Fixes #3075

Test plan

  • Node renderer worker.test.ts passes (verified locally)
  • RuboCop passes on configuration.rb
  • CI green

🤖 Generated with Claude Code


Note

Low Risk
Low risk: changes are limited to error-message diagnostics/test coverage in the Node renderer and comment-only documentation for a Rails config option.

Overview
Node renderer diagnostics are tightened for malformed renderingRequest requests. The invalid-request message now omits the renderingRequest key from the reported bodyKeys list (it’s already described via Received type:), and tests assert this behavior.

Sensitive key filtering coverage is expanded. Tests add Credentials to ensure case-insensitive filtering matches SENSITIVE_REQUEST_BODY_KEYS.

Rails config docs are clarified. renderer_http_keep_alive_timeout is now documented to be set slightly shorter than the node renderer’s server-side idle timeout to avoid stale-connection reuse errors (and to use HTTPX defaults when nil).

Reviewed by Cursor Bugbot for commit f01cd0f. Bugbot is set up for automated code reviews on this repo. Configure here.

Summary by CodeRabbit

  • Bug Fixes

    • Improved error message clarity for invalid render requests by excluding internal keys from diagnostic output.
  • Documentation

    • Enhanced configuration documentation for HTTP keep-alive timeout settings with recommended values and risk mitigation guidance.

- Add `credentials` to sensitive-key filtering test coverage
- Exclude `renderingRequest` from diagnostic bodyKeys output (already
  reported via the "Received type:" line)
- Document client-side vs server-side keep-alive timeout relationship

Fixes #3075

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Apr 9, 2026

Copy link
Copy Markdown
Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ece815c3-83a5-45b2-881c-fb24291299e8

📥 Commits

Reviewing files that changed from the base of the PR and between 16ac897 and f01cd0f.

📒 Files selected for processing (3)
  • packages/react-on-rails-pro-node-renderer/src/worker.ts
  • packages/react-on-rails-pro-node-renderer/tests/worker.test.ts
  • react_on_rails_pro/lib/react_on_rails_pro/configuration.rb

Walkthrough

Three related improvements to the node-renderer package: renderingRequest is now filtered from diagnostic body-keys output to reduce noise in error messages, sensitive-key filtering test coverage is extended to include Credentials, and configuration documentation clarifies the relationship between client-side and server-side keep-alive timeouts.

Changes

Cohort / File(s) Summary
Node Renderer Implementation & Tests
packages/react-on-rails-pro-node-renderer/src/worker.ts, packages/react-on-rails-pro-node-renderer/tests/worker.test.ts
Worker now filters renderingRequest key from diagnostic body-keys output. Test assertions updated to verify renderingRequest and Credentials do not appear in diagnostic payloads when appropriately filtered.
Configuration Documentation
react_on_rails_pro/lib/react_on_rails_pro/configuration.rb
Documentation for renderer_http_keep_alive_timeout= enhanced to clarify client-side timeout must be shorter than server-side idle timeout and describe behavior when set to nil.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 With filters fine-tuned and key messages clean,
The diagnostics now shine, the clearest we've seen!
Keep-alive timeouts aligned, credentials concealed,
Our documentation's tight, the logic's revealed! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: adding diagnostic improvements to the node renderer, specifically related to filtering and documentation.
Linked Issues check ✅ Passed All three coding objectives from issue #3075 are fully addressed: credentials added to test coverage, renderingRequest excluded from bodyKeys output, and renderer_http_keep_alive_timeout documentation clarified.
Out of Scope Changes check ✅ Passed All changes are directly aligned with the three stated objectives from issue #3075; no unrelated or out-of-scope modifications are present.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch jg/3075-node-renderer-diag

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@greptile-apps

greptile-apps Bot commented Apr 9, 2026

Copy link
Copy Markdown

Greptile Summary

This PR makes three focused diagnostic improvements to the node renderer: it excludes the renderingRequest key from the bodyKeys diagnostic line (since its type is already reported separately), adds test coverage for the credentials key in the sensitive-key filter, and documents the recommended relationship between renderer_http_keep_alive_timeout and the server-side idle timeout. All changes are correct and well-scoped.

Confidence Score: 5/5

Safe to merge — all changes are correct, well-tested, and narrowly scoped to diagnostic output and documentation.

No P0 or P1 findings. The logic change is a simple, correct filter addition; the test additions close a real coverage gap; the Ruby change is documentation-only. All three files look good.

No files require special attention.

Vulnerabilities

No security concerns identified. The PR tightens diagnostic output to avoid accidentally surfacing renderingRequest content, and confirms case-insensitive filtering of credentials — both improvements to security posture.

Important Files Changed

Filename Overview
packages/react-on-rails-pro-node-renderer/src/worker.ts Adds key !== 'renderingRequest' to the bodyKeys filter so the renderingRequest field (already surfaced via "Received type:") is not redundantly listed in the diagnostic output.
packages/react-on-rails-pro-node-renderer/tests/worker.test.ts Adds a regex assertion confirming renderingRequest is absent from bodyKeys, and adds Credentials (mixed-case) to the sensitive-key test to close the one gap in coverage of SENSITIVE_REQUEST_BODY_KEYS.
react_on_rails_pro/lib/react_on_rails_pro/configuration.rb Documentation-only addition explaining that renderer_http_keep_alive_timeout should be set shorter than the node renderer's own idle timeout to avoid stale-connection errors.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[POST /bundles/:ts/render/:digest] --> B{renderingRequest valid?}
    B -- yes --> C[Execute SSR & return 200]
    B -- no --> D[invalidRenderingRequestMessage]
    D --> E["Report: Received type: type"]
    D --> F["Filter body keys"]
    F --> G{key === 'renderingRequest'?}
    G -- yes --> H[Exclude — already in type line]
    G -- no --> I{key in SENSITIVE_REQUEST_BODY_KEYS?}
    I -- yes --> J[Exclude — sensitive]
    I -- no --> K[Include in bodyKeys list]
    E --> L[Return 400 with diagnostic message]
    H --> L
    J --> L
    K --> L
Loading

Reviews (1): Last reviewed commit: "fix: node-renderer diagnostic improvemen..." | Re-trigger Greptile

@claude

claude Bot commented Apr 9, 2026

Copy link
Copy Markdown
Contributor

Review: fix: node-renderer diagnostic improvements

Overall, this is a clean, focused, and low-risk PR. The changes are correct and well-tested. A few observations:

worker.ts — renderingRequest exclusion from bodyKeys

The filter key !== 'renderingRequest' uses an exact, case-sensitive comparison. This is correct for this internal protocol (the key is always camelCase), but it is a semantic departure from the sensitive-key filtering above it, which lowercases before comparing. A comment distinguishing why the exact-match is used here (vs. case-insensitive for sensitive keys) would help future readers understand this isn't an oversight:

// Exclude renderingRequest: it is already described by the 'Received type:' line above.
// Exact-case match is safe here because this is an internal protocol key with a fixed name.
(key) => key !== 'renderingRequest' && !SENSITIVE_REQUEST_BODY_KEYS.has(key.toLowerCase()),

worker.test.ts — regex assertion

expect(res.payload).not.toMatch(/Received body keys:.*renderingRequest/);

.* does not cross newlines by default. This works correctly because bodyKeys.join(', ') produces a single line in the output — but if the output format ever changes to emit keys across multiple lines, the assertion would silently pass for the wrong reason. Adding a comment noting the single-line assumption, or using /Received body keys:[^\n]*renderingRequest/, would make the intent explicit. This is a minor style point, not a bug.

worker.test.ts — Credentials test coverage

Good catch. credentials was the only member of SENSITIVE_REQUEST_BODY_KEYS without a mixed-case test exercising the .toLowerCase() path. The new assertion correctly validates the existing behavior.

configuration.rb — documentation

The added comment is clear and actionable. Documenting that nil defers to the HTTPX default, and explaining why the value should be shorter than the server's timeout, is exactly the right level of detail for a configuration option with non-obvious failure modes.


Verdict: Approve with the inline notes as optional suggestions. No blocking issues.

}
const bodyKeys = Object.keys(body).filter((key) => !SENSITIVE_REQUEST_BODY_KEYS.has(key.toLowerCase()));
const bodyKeys = Object.keys(body).filter(
(key) => key !== 'renderingRequest' && !SENSITIVE_REQUEST_BODY_KEYS.has(key.toLowerCase()),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The exact-case match on 'renderingRequest' is correct for this internal protocol, but juxtaposed with the case-insensitive sensitive-key filter it can look like an inconsistency. A short inline comment would clarify the intent:

Suggested change
(key) => key !== 'renderingRequest' && !SENSITIVE_REQUEST_BODY_KEYS.has(key.toLowerCase()),
(key) => key !== 'renderingRequest' && !SENSITIVE_REQUEST_BODY_KEYS.has(key.toLowerCase()),

Consider something like:

// 'renderingRequest' is already described by the 'Received type:' line; exclude it to avoid
// redundancy. Exact-case match is safe: this key is fixed by the internal protocol.
(key) => key !== 'renderingRequest' && !SENSITIVE_REQUEST_BODY_KEYS.has(key.toLowerCase()),

(Up to you whether a comment adds more than it costs; the logic itself is correct.)

expect(res.statusCode).toBe(400);
expect(res.payload).toContain('Invalid "renderingRequest" field in render request.');
expect(res.payload).toContain('Received type: array.');
expect(res.payload).not.toMatch(/Received body keys:.*renderingRequest/);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The assertion is correct — bodyKeys is joined with ', ' so they all land on one line. But .* doesn't cross newlines, so if the format ever changes to spread keys across lines this assertion would silently stop testing what it claims. Using [^\n]* instead of .* makes the single-line assumption explicit:

Suggested change
expect(res.payload).not.toMatch(/Received body keys:.*renderingRequest/);
expect(res.payload).not.toMatch(/Received body keys:[^\n]*renderingRequest/);

@github-actions

github-actions Bot commented Apr 9, 2026

Copy link
Copy Markdown
Contributor

size-limit report 📦

Path Size
react-on-rails/client bundled (gzip) 62.63 KB (0%)
react-on-rails/client bundled (gzip) (time) 62.63 KB (0%)
react-on-rails/client bundled (brotli) 53.7 KB (0%)
react-on-rails/client bundled (brotli) (time) 53.7 KB (0%)
react-on-rails-pro/client bundled (gzip) 63.56 KB (0%)
react-on-rails-pro/client bundled (gzip) (time) 63.56 KB (0%)
react-on-rails-pro/client bundled (brotli) 54.6 KB (0%)
react-on-rails-pro/client bundled (brotli) (time) 54.6 KB (0%)
registerServerComponent/client bundled (gzip) 127.39 KB (0%)
registerServerComponent/client bundled (gzip) (time) 127.39 KB (0%)
registerServerComponent/client bundled (brotli) 61.52 KB (0%)
registerServerComponent/client bundled (brotli) (time) 61.52 KB (0%)
wrapServerComponentRenderer/client bundled (gzip) 122.02 KB (0%)
wrapServerComponentRenderer/client bundled (gzip) (time) 122.02 KB (0%)
wrapServerComponentRenderer/client bundled (brotli) 56.77 KB (0%)
wrapServerComponentRenderer/client bundled (brotli) (time) 56.77 KB (0%)

@justin808 justin808 merged commit 92c2436 into main Apr 9, 2026
40 checks passed
@justin808 justin808 deleted the jg/3075-node-renderer-diag branch April 9, 2026 05:21
justin808 added a commit that referenced this pull request Apr 12, 2026
## Summary
- Add `credentials` to the sensitive-key filtering test (every other key
in `SENSITIVE_REQUEST_BODY_KEYS` already had coverage)
- Exclude `renderingRequest` from diagnostic `bodyKeys` output — it's
already reported via the `Received type:` line, so showing it again is
redundant
- Document that `renderer_http_keep_alive_timeout` should be set shorter
than the node renderer's server-side idle timeout to prevent
stale-connection errors

Fixes #3075

## Test plan
- [x] Node renderer `worker.test.ts` passes (verified locally)
- [x] RuboCop passes on `configuration.rb`
- [ ] CI green

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: changes are limited to error-message diagnostics/test
coverage in the Node renderer and comment-only documentation for a Rails
config option.
> 
> **Overview**
> **Node renderer diagnostics are tightened for malformed
`renderingRequest` requests.** The invalid-request message now omits the
`renderingRequest` key from the reported `bodyKeys` list (it’s already
described via `Received type:`), and tests assert this behavior.
> 
> **Sensitive key filtering coverage is expanded.** Tests add
`Credentials` to ensure case-insensitive filtering matches
`SENSITIVE_REQUEST_BODY_KEYS`.
> 
> **Rails config docs are clarified.**
`renderer_http_keep_alive_timeout` is now documented to be set slightly
shorter than the node renderer’s server-side idle timeout to avoid
stale-connection reuse errors (and to use HTTPX defaults when `nil`).
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
f01cd0f. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved error message clarity for invalid render requests by
excluding internal keys from diagnostic output.

* **Documentation**
* Enhanced configuration documentation for HTTP keep-alive timeout
settings with recommended values and risk mitigation guidance.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
justin808 added a commit that referenced this pull request Apr 12, 2026
## Summary
- Add `credentials` to the sensitive-key filtering test (every other key
in `SENSITIVE_REQUEST_BODY_KEYS` already had coverage)
- Exclude `renderingRequest` from diagnostic `bodyKeys` output — it's
already reported via the `Received type:` line, so showing it again is
redundant
- Document that `renderer_http_keep_alive_timeout` should be set shorter
than the node renderer's server-side idle timeout to prevent
stale-connection errors

Fixes #3075

## Test plan
- [x] Node renderer `worker.test.ts` passes (verified locally)
- [x] RuboCop passes on `configuration.rb`
- [ ] CI green

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: changes are limited to error-message diagnostics/test
coverage in the Node renderer and comment-only documentation for a Rails
config option.
> 
> **Overview**
> **Node renderer diagnostics are tightened for malformed
`renderingRequest` requests.** The invalid-request message now omits the
`renderingRequest` key from the reported `bodyKeys` list (it’s already
described via `Received type:`), and tests assert this behavior.
> 
> **Sensitive key filtering coverage is expanded.** Tests add
`Credentials` to ensure case-insensitive filtering matches
`SENSITIVE_REQUEST_BODY_KEYS`.
> 
> **Rails config docs are clarified.**
`renderer_http_keep_alive_timeout` is now documented to be set slightly
shorter than the node renderer’s server-side idle timeout to avoid
stale-connection reuse errors (and to use HTTPX defaults when `nil`).
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
f01cd0f. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved error message clarity for invalid render requests by
excluding internal keys from diagnostic output.

* **Documentation**
* Enhanced configuration documentation for HTTP keep-alive timeout
settings with recommended values and risk mitigation guidance.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
justin808 added a commit that referenced this pull request Apr 12, 2026
## Summary
- Add `credentials` to the sensitive-key filtering test (every other key
in `SENSITIVE_REQUEST_BODY_KEYS` already had coverage)
- Exclude `renderingRequest` from diagnostic `bodyKeys` output — it's
already reported via the `Received type:` line, so showing it again is
redundant
- Document that `renderer_http_keep_alive_timeout` should be set shorter
than the node renderer's server-side idle timeout to prevent
stale-connection errors

Fixes #3075

## Test plan
- [x] Node renderer `worker.test.ts` passes (verified locally)
- [x] RuboCop passes on `configuration.rb`
- [ ] CI green

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: changes are limited to error-message diagnostics/test
coverage in the Node renderer and comment-only documentation for a Rails
config option.
> 
> **Overview**
> **Node renderer diagnostics are tightened for malformed
`renderingRequest` requests.** The invalid-request message now omits the
`renderingRequest` key from the reported `bodyKeys` list (it’s already
described via `Received type:`), and tests assert this behavior.
> 
> **Sensitive key filtering coverage is expanded.** Tests add
`Credentials` to ensure case-insensitive filtering matches
`SENSITIVE_REQUEST_BODY_KEYS`.
> 
> **Rails config docs are clarified.**
`renderer_http_keep_alive_timeout` is now documented to be set slightly
shorter than the node renderer’s server-side idle timeout to avoid
stale-connection reuse errors (and to use HTTPX defaults when `nil`).
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
f01cd0f. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved error message clarity for invalid render requests by
excluding internal keys from diagnostic output.

* **Documentation**
* Enhanced configuration documentation for HTTP keep-alive timeout
settings with recommended values and risk mitigation guidance.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
justin808 added a commit that referenced this pull request Apr 12, 2026
…ages

* origin/main: (44 commits)
  Consolidate CSP nonce sanitization into shared module (#2828)
  Add comprehensive --rsc-pro generator tests (#3098)
  fix: cross-env validation and docs for renderer password (#3090)
  Improve package metadata and Pro upgrade CTAs (#3112)
  docs: standardize warning syntax to GFM alert format (#3115)
  docs: improve react-intl documentation for React Server Components (#3085)
  Fix generator CI SSR regression on main (#3110)
  Refocus GitHub README on docs navigation (#3113)
  Add manual dev environment testing checklist for coding agents (#3074)
  Bump version to 16.6.0
  Update CHANGELOG.md for 16.6.0 (#3078)
  fix: node-renderer diagnostic improvements (#3086)
  fix: pin third-party npm deps in generator to prevent peer dep conflicts (#3083)
  chore(deps): bump lodash from 4.17.23 to 4.18.1 in the npm-security group across 1 directory (#2920)
  fix: refactor formatExceptionMessage to accept generic request context (#2877)
  Bump version to 16.6.0.rc.1
  Update CHANGELOG.md for 16.6.0.rc.1 (#3079)
  Update CHANGELOG.md unreleased section (#3077)
  Fix Content-Length mismatch and null renderingRequest errors in node renderer (#3069)
  Improve memory debugging docs with simpler heap snapshot approach (#3072)
  ...

# Conflicts:
#	docs/pro/home-pro.md
#	docs/pro/react-on-rails-pro.md
#	docs/sidebars.ts
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Follow-up: node-renderer diagnostic improvements from PR #3069 review

1 participant