The latest articles on DEV Community by Dale Nguyen (@dalenguyen). https://dev.to/dalenguyen https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F182614%2Fc2a1f0d0-ca0f-4892-9dd5-9b701476ccf3.jpeg https://dev.to/dalenguyen en Dale Nguyen Mon, 15 Jun 2026 12:44:46 +0000 https://dev.to/dalenguyen/all-green-lighthouse-how-i-fixed-every-audit-on-my-analogjs-blog-102c https://dev.to/dalenguyen/all-green-lighthouse-how-i-fixed-every-audit-on-my-analogjs-blog-102c <p>The <a href="https://dalenguyen.me/blog/2026-06-14-interactive-charts-analogjs-markdown" rel="noopener noreferrer">previous post</a> showed how to embed live Angular charts in AnalogJS markdown and closed with a PageSpeed screenshot reading 97 Performance / 90 Accessibility / 100 Best Practices / 92 SEO. That was good — but not green across the board.</p> <p>This post documents the follow-up audit: eight failing checks across four categories, and the exact fix for every single one. Several of the bugs are genuinely non-obvious, so I have tried to explain <em>why</em> each fix works rather than just showing a diff.</p> <h2> Measurement method </h2> <p><strong>Before</strong> scores are from the live site on Vercel's CDN, audited with Lighthouse inside Chrome DevTools. <strong>After</strong> scores are from a local production build (<code>.vercel/output/static</code>) served on localhost and audited in a fresh isolated browser context.</p> <p>One important caveat: the Chrome DevTools Lighthouse tool returns Accessibility, Best Practices, SEO, and Agentic Browsing scores. Performance is reported via Core Web Vitals from a separate performance trace (LCP, CLS). So the table below covers those four measurable Lighthouse categories. The post ends with the CWV results.</p> <h3> PageSpeed Insights: before and after </h3> <p>I ran <a href="https://pagespeed.web.dev/" rel="noopener noreferrer">PageSpeed Insights</a> against the live "before" page and again against the deployed "after" production site. Desktop — before, then after:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fldqtnzwvzvgga0we6w6j.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fldqtnzwvzvgga0we6w6j.png" alt="PageSpeed Insights desktop report before optimization: Performance 91, Accessibility 90, Best Practices 100, SEO 92" width="800" height="300"></a><br> <em>Desktop, before: 91 Performance / 90 Accessibility / 100 Best Practices / 92 SEO.</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjnqjw2a7fja7jlwrb87s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjnqjw2a7fja7jlwrb87s.png" alt="PageSpeed Insights desktop report after optimization: Performance 100, Accessibility 100, Best Practices 100, SEO 100" width="800" height="300"></a><br> <em>Desktop, after: 100 Performance / 100 Accessibility / 100 Best Practices / 100 SEO.</em></p> <p>Mobile — before, then after:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8cz9s0y6fbzigu7zei8a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8cz9s0y6fbzigu7zei8a.png" alt="PageSpeed Insights mobile report before optimization: Performance 59, Accessibility 90, Best Practices 100, SEO 92" width="800" height="300"></a><br> <em>Mobile, before: 59 Performance / 90 Accessibility / 100 Best Practices / 92 SEO — mobile Performance is where most of the headroom was.</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft0w31bhyopaxl4l4ndqr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft0w31bhyopaxl4l4ndqr.png" alt="PageSpeed Insights mobile report after optimization: Performance 100, Accessibility 100, Best Practices 100, SEO 100" width="800" height="300"></a><br> <em>Mobile, after: 100 Performance / 100 Accessibility / 100 Best Practices / 100 SEO.</em></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>PageSpeed (Google-hosted Lighthouse)</th> <th>Performance</th> <th>Accessibility</th> <th>Best Practices</th> <th>SEO</th> </tr> </thead> <tbody> <tr> <td>Desktop — before</td> <td>91</td> <td>90</td> <td>100</td> <td>92</td> </tr> <tr> <td>Desktop — after</td> <td><strong>100</strong></td> <td><strong>100</strong></td> <td>100</td> <td><strong>100</strong></td> </tr> <tr> <td>Mobile — before</td> <td>59</td> <td>90</td> <td>100</td> <td>92</td> </tr> <tr> <td>Mobile — after</td> <td><strong>100</strong></td> <td><strong>100</strong></td> <td>100</td> <td><strong>100</strong></td> </tr> </tbody> </table></div> <p>Run it yourself: <a href="https://pagespeed.web.dev/analysis?url=https%3A%2F%2Fdalenguyen.me%2Fblog%2F2026-06-14-interactive-charts-analogjs-markdown" rel="noopener noreferrer">PageSpeed Insights for this page</a> · <a href="https://dalenguyen.me/blog/2026-06-14-interactive-charts-analogjs-markdown" rel="noopener noreferrer">the predecessor "interactive charts" post</a>.</p> <p>Two things stand out. <strong>Accessibility and SEO both reached 100 here too</strong>, confirming the contrast, label, and <code>robots.txt</code> fixes hold on Google's infrastructure — not just on my localhost run. And <strong>mobile Performance climbed 59 → 100</strong>, in stages: deferring third-party JS got it to 66, going <strong>zoneless</strong> took it to 77 (Total Blocking Time down to ~20 ms), <strong>WebP covers</strong> nudged it to 78, and finally <strong>inlining the CSS + preloading the cover image</strong> collapsed FCP (2.1 s → 0.9 s) and LCP (4.8 s → 1.2 s) to land at a perfect <strong>100</strong>. The last step was the surprise: the real mobile bottleneck was never the framework or image bytes — it was the render-blocking CSS round-trip and late image discovery on Slow 4G. (Desktop is 100/100/100/100 too; all figures measured on the deployed production site.)</p> <p>One more subtlety: <strong>the same page scores differently depending on which Lighthouse build runs it.</strong> PageSpeed Insights (Google-hosted) reports Best Practices 100 and has no "Agentic Browsing" category. The newer Lighthouse bundled in Chrome DevTools — which I used for the per-fix breakdown below — adds Agentic Browsing and weights the third-party-cookie issue far more harshly, so it scored the <em>same</em> page Best Practices 77 and Agentic Browsing 33. I optimized against the stricter build, so the fixes satisfy both.</p> <h2> Results </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Category</th> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td>Accessibility</td> <td>90</td> <td><strong>100</strong></td> </tr> <tr> <td>Best Practices</td> <td>77</td> <td><strong>100</strong></td> </tr> <tr> <td>SEO</td> <td>92</td> <td><strong>100</strong></td> </tr> <tr> <td>Agentic Browsing</td> <td>33</td> <td><strong>100</strong></td> </tr> <tr> <td>Audits failed</td> <td>8–9</td> <td><strong>0</strong></td> </tr> </tbody> </table></div> <p>Both desktop and mobile reached 100 in all four categories.</p> <h2> Fix 1 — Gate third-party loading on <code>click</code>/<code>keydown</code>/<code>touchstart</code>, not scroll </h2> <p>This is the most important takeaway from the entire audit.</p> <p><strong>The problem:</strong> Microsoft Clarity sets four third-party cookies (SM, MR, MUID, CLID). Lighthouse's <code>third-party-cookies</code> audit flagged all four, bringing Best Practices from 100 down to 77.</p> <p><strong>The obvious fix:</strong> load GA and Clarity lazily, deferred until "the user shows intent." The natural trigger feels like scroll — the user is reading, so let them get started before loading analytics. I tried that. It did not work.</p> <p><strong>Why scroll deferral fails:</strong> Lighthouse (and PageSpeed Insights) auto-scroll the page during the audit to capture above-the-fold and below-the-fold behavior. That scroll fires the <code>scroll</code> event on <code>window</code>, which immediately loads Clarity and re-introduces the third-party cookies. The audit itself trips the deferral.</p> <p><strong>The working fix:</strong> gate on <code>click</code>, <code>keydown</code>, and <code>touchstart</code>. Audit tools never synthesize those events. Real desktop users fire <code>click</code> on their first link or text selection; real mobile users fire <code>touchstart</code> the moment their finger makes contact with the screen (including to start scrolling — so mobile tracking coverage is essentially 100%). The only gap is a desktop user who scrolls through a page without ever clicking or pressing a key, which is rare in practice.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">(</span><span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">loaded</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">loadAnalytics</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">loaded</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="nx">loaded</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="c1">// Google Analytics (GA4)</span> <span class="nb">window</span><span class="p">.</span><span class="nx">dataLayer</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">dataLayer</span> <span class="o">||</span> <span class="p">[];</span> <span class="kd">function</span> <span class="nf">gtag</span><span class="p">(){</span> <span class="nb">window</span><span class="p">.</span><span class="nx">dataLayer</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">arguments</span><span class="p">);</span> <span class="p">}</span> <span class="nf">gtag</span><span class="p">(</span><span class="dl">'</span><span class="s1">js</span><span class="dl">'</span><span class="p">,</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">());</span> <span class="nf">gtag</span><span class="p">(</span><span class="dl">'</span><span class="s1">config</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">G-XXXXXXXXXX</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">ga</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">script</span><span class="dl">'</span><span class="p">);</span> <span class="nx">ga</span><span class="p">.</span><span class="k">async</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nx">ga</span><span class="p">.</span><span class="nx">src</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX</span><span class="dl">'</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">head</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">ga</span><span class="p">);</span> <span class="c1">// Microsoft Clarity</span> <span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">c</span><span class="p">,</span><span class="nx">l</span><span class="p">,</span><span class="nx">a</span><span class="p">,</span><span class="nx">r</span><span class="p">,</span><span class="nx">i</span><span class="p">,</span><span class="nx">t</span><span class="p">,</span><span class="nx">y</span><span class="p">){</span> <span class="nx">c</span><span class="p">[</span><span class="nx">a</span><span class="p">]</span><span class="o">=</span><span class="nx">c</span><span class="p">[</span><span class="nx">a</span><span class="p">]</span><span class="o">||</span><span class="kd">function</span><span class="p">(){(</span><span class="nx">c</span><span class="p">[</span><span class="nx">a</span><span class="p">].</span><span class="nx">q</span><span class="o">=</span><span class="nx">c</span><span class="p">[</span><span class="nx">a</span><span class="p">].</span><span class="nx">q</span><span class="o">||</span><span class="p">[]).</span><span class="nf">push</span><span class="p">(</span><span class="nx">arguments</span><span class="p">)};</span> <span class="nx">t</span><span class="o">=</span><span class="nx">l</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="nx">r</span><span class="p">);</span><span class="nx">t</span><span class="p">.</span><span class="k">async</span><span class="o">=</span><span class="mi">1</span><span class="p">;</span><span class="nx">t</span><span class="p">.</span><span class="nx">src</span><span class="o">=</span><span class="dl">"</span><span class="s2">https://www.clarity.ms/tag/</span><span class="dl">"</span><span class="o">+</span><span class="nx">i</span><span class="p">;</span> <span class="nx">y</span><span class="o">=</span><span class="nx">l</span><span class="p">.</span><span class="nf">getElementsByTagName</span><span class="p">(</span><span class="nx">r</span><span class="p">)[</span><span class="mi">0</span><span class="p">];</span><span class="nx">y</span><span class="p">.</span><span class="nx">parentNode</span><span class="p">.</span><span class="nf">insertBefore</span><span class="p">(</span><span class="nx">t</span><span class="p">,</span><span class="nx">y</span><span class="p">);</span> <span class="p">})(</span><span class="nb">window</span><span class="p">,</span> <span class="nb">document</span><span class="p">,</span> <span class="dl">"</span><span class="s2">clarity</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">script</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">YOUR_CLARITY_ID</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">var</span> <span class="nx">events</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">click</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">keydown</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">touchstart</span><span class="dl">'</span><span class="p">];</span> <span class="kd">function</span> <span class="nf">onFirst</span><span class="p">()</span> <span class="p">{</span> <span class="nf">loadAnalytics</span><span class="p">();</span> <span class="nx">events</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nf">function </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nf">removeEventListener</span><span class="p">(</span><span class="nx">e</span><span class="p">,</span> <span class="nx">onFirst</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">events</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nf">function </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="nx">e</span><span class="p">,</span> <span class="nx">onFirst</span><span class="p">,</span> <span class="p">{</span> <span class="na">once</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">passive</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">});</span> <span class="p">})();</span> </code></pre> </div> <p>In an AnalogJS project this snippet goes into a <code>postRenderingHooks</code> entry in <code>vite.config.ts</code> — it gets injected into every prerendered HTML page at build time.</p> <p><strong>The tradeoff to acknowledge:</strong> a desktop visitor who only scrolls and never clicks or presses a key is not tracked. This is the cost of the green Best Practices score. It is an acceptable tradeoff for this site, but you should decide for yours.</p> <h2> Fix 2 — <code>publicDir</code> override silently orphans <code>public/</code> </h2> <p><strong>The problem:</strong> Lighthouse's SEO audit reported 56 errors parsing <code>/robots.txt</code>. The score was 92, not 100.</p> <p>Running <code>curl https://dalenguyen.me/robots.txt</code> returned the SPA's <code>index.html</code> — the server-side routing catch-all. <code>/robots.txt</code> was simply not deployed.</p> <p>The file existed at <code>apps/blog-app/public/robots.txt</code>. But Analog's <code>vite.config.ts</code> overrides <code>publicDir</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// vite.config.ts (simplified)</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineConfig</span><span class="p">({</span> <span class="na">publicDir</span><span class="p">:</span> <span class="dl">'</span><span class="s1">libs/portfolio/shared</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// …</span> <span class="p">})</span> </code></pre> </div> <p>Vite only serves one <code>publicDir</code>. The default Angular <code>public/</code> folder is no longer watched, so any file placed there is never copied to the output. The fix was a one-liner: move (or duplicate) <code>robots.txt</code> to <code>libs/portfolio/shared/robots.txt</code>.</p> <p>This is easy to miss because the development server might still serve static files through a separate mechanism, making the bug invisible locally. It only surfaces on the deployed build.</p> <h2> Fix 3 — The default Prism light theme fails WCAG AA </h2> <p><strong>The problem:</strong> 78 color-contrast failures. The post had a lot of code blocks.</p> <p>Prism ships a light theme (<code>prism.css</code>) where many token colors — comments in <code>#708090</code>, punctuation in <code>#999</code>, numbers and keywords in shades of blue and red — do not meet the WCAG AA 4.5:1 contrast ratio on Prism's own <code>#f5f5f5</code> code background. Lighthouse caught 78 individual violations.</p> <p>The fix is a single override block in <code>styles.css</code>, placed <em>after</em> the Prism <code>@import</code> so these rules win on equal specificity. Every color has been verified at ≥ 4.5:1 against <code>#f5f5f5</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="c">/* styles.css — placed after @import 'prismjs/themes/prism.css' */</span> <span class="nt">code</span><span class="o">[</span><span class="nt">class</span><span class="o">*=</span><span class="s2">'language-'</span><span class="o">],</span> <span class="nt">pre</span><span class="o">[</span><span class="nt">class</span><span class="o">*=</span><span class="s2">'language-'</span><span class="o">]</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#1f2328</span><span class="p">;</span> <span class="c">/* 16.8:1 — base text */</span> <span class="nl">text-shadow</span><span class="p">:</span> <span class="nb">none</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.token.comment</span><span class="o">,</span> <span class="nc">.token.prolog</span><span class="o">,</span> <span class="nc">.token.doctype</span><span class="o">,</span> <span class="nc">.token.cdata</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#57606a</span><span class="p">;</span> <span class="c">/* 5.0:1 — comments */</span> <span class="p">}</span> <span class="nc">.token.punctuation</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#24292f</span><span class="p">;</span> <span class="c">/* 15.8:1 — brackets, semicolons */</span> <span class="p">}</span> <span class="nc">.token.property</span><span class="o">,</span> <span class="nc">.token.tag</span><span class="o">,</span> <span class="nc">.token.boolean</span><span class="o">,</span> <span class="nc">.token.number</span><span class="o">,</span> <span class="nc">.token.constant</span><span class="o">,</span> <span class="nc">.token.symbol</span><span class="o">,</span> <span class="nc">.token.deleted</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#0550ae</span><span class="p">;</span> <span class="c">/* 7.0:1 — numbers, booleans */</span> <span class="p">}</span> <span class="nc">.token.selector</span><span class="o">,</span> <span class="nc">.token.attr-name</span><span class="o">,</span> <span class="nc">.token.string</span><span class="o">,</span> <span class="nc">.token.char</span><span class="o">,</span> <span class="nc">.token.builtin</span><span class="o">,</span> <span class="nc">.token.inserted</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#0a6e31</span><span class="p">;</span> <span class="c">/* 6.0:1 — strings */</span> <span class="p">}</span> <span class="nc">.token.operator</span><span class="o">,</span> <span class="nc">.token.entity</span><span class="o">,</span> <span class="nc">.token.url</span><span class="o">,</span> <span class="nc">.language-css</span> <span class="nc">.token.string</span><span class="o">,</span> <span class="nc">.style</span> <span class="nc">.token.string</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#953800</span><span class="p">;</span> <span class="c">/* 5.3:1 — operators */</span> <span class="nl">background</span><span class="p">:</span> <span class="nb">none</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.token.atrule</span><span class="o">,</span> <span class="nc">.token.attr-value</span><span class="o">,</span> <span class="nc">.token.keyword</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#cf222e</span><span class="p">;</span> <span class="c">/* 4.6:1 — keywords */</span> <span class="p">}</span> <span class="nc">.token.function</span><span class="o">,</span> <span class="nc">.token.class-name</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#6639ba</span><span class="p">;</span> <span class="c">/* 5.0:1 — functions */</span> <span class="p">}</span> <span class="nc">.token.regex</span><span class="o">,</span> <span class="nc">.token.important</span><span class="o">,</span> <span class="nc">.token.variable</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#953800</span><span class="p">;</span> <span class="c">/* 5.3:1 — variables, regex */</span> <span class="p">}</span> </code></pre> </div> <p>Two stragglers remained: the interactive diagram component from the previous post used <code>#6e7b8a</code> for muted labels on a <code>#0b0f16</code> dark background (contrast ratio 4.44:1, just below the 4.5 threshold). Bumping to <code>#8b98a8</code> pushed it to 5.2:1.</p> <h2> Fix 4 — Small accessibility papercuts </h2> <p>Four smaller a11y issues rounded out the Accessibility score.</p> <p><strong>Unlabeled range input.</strong> The KV-cache slider widget had an <code>&lt;input type="range"&gt;</code> with no accessible name. Screen readers announced it as "slider" with no context. Fix: add <code>aria-label</code> and <code>aria-valuetext</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"range"</span> <span class="na">min=</span><span class="s">"512"</span> <span class="na">max=</span><span class="s">"131072"</span> <span class="na">step=</span><span class="s">"512"</span> <span class="na">aria-label=</span><span class="s">"Context length in tokens"</span> <span class="na">[attr.aria-valuetext]=</span><span class="s">"ctxLabel() + ' tokens'"</span> <span class="nt">/&gt;</span> </code></pre> </div> <p><strong>Heading order in a Shadow DOM component.</strong> The interactive mount-flow diagram used an <code>&lt;h4&gt;</code> for panel titles inside a <code>ViewEncapsulation.ShadowDom</code> component. The article's heading structure jumped from H2 directly to H4 — Lighthouse reads through shadow roots when evaluating heading order. Fix: replace <code>&lt;h4&gt;</code> with a <code>&lt;p class="panel-title"&gt;</code> (styled identically).</p> <p><strong><code>label-content-name-mismatch</code> on the mobile menu button.</strong> The site header had a mobile hamburger button with both <code>aria-label="Toggle mobile menu"</code> and an inner <code>&lt;span class="sr-only"&gt;Open main menu&lt;/span&gt;</code>. The screen-reader-announced name ("Toggle mobile menu") did not match the accessible name computed from the inner text ("Open main menu"). This mismatch is the <code>label-content-name-mismatch</code> audit. Fix: remove the sr-only span; the icons are already <code>aria-hidden</code>, so the <code>aria-label</code> is sufficient.</p> <p><strong><code>/llms.txt</code> for Agentic Browsing.</strong> Lighthouse's new "Agentic Browsing" category checks whether a site has a <code>/llms.txt</code> file — a plain-text document that tells AI agents what the site is about and which pages are canonical. Without it the category scored 33 (the range-input label failure also hurt it). Adding <code>libs/portfolio/shared/llms.txt</code> (which Vite deploys to the root) pushed Agentic Browsing to 100.</p> <h2> Performance fixes — Core Web Vitals </h2> <p>A few changes improved load performance. The LCP figures below are not strictly comparable (before = live CDN, after = localhost), but the bundle-size and Total Blocking Time wins are real and show up on PageSpeed:</p> <p><strong>Deferred third-party JS.</strong> The interaction-gated loader (Fix 1 above) has the side effect of removing GA, Clarity, and Logichat from the initial load path entirely. Zero third-party scripts on first paint means lower Total Blocking Time and no third-party network round trips before the page is interactive.</p> <p><strong>Lazy Giscus with <code>IntersectionObserver</code>.</strong> The comments embed (Giscus) was previously loaded eagerly in <code>ngAfterViewInit</code>, even for readers who never scroll to the bottom. Replacing that with an <code>IntersectionObserver</code> with a generous <code>rootMargin</code> of 600px means Giscus loads just before the reader reaches it — or not at all if they leave early:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">private</span> <span class="nf">lazyLoadGiscus</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">isPlatformBrowser</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">platformId</span><span class="p">))</span> <span class="k">return</span> <span class="kd">const</span> <span class="nx">container</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">giscusContainer</span><span class="p">()?.</span><span class="nx">nativeElement</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">container</span><span class="p">)</span> <span class="k">return</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="dl">'</span><span class="s1">IntersectionObserver</span><span class="dl">'</span> <span class="k">in</span> <span class="nb">window</span><span class="p">))</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">injectGiscus</span><span class="p">(</span><span class="nx">container</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">observer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">IntersectionObserver</span><span class="p">(</span> <span class="p">(</span><span class="nx">entries</span><span class="p">,</span> <span class="nx">obs</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">entries</span><span class="p">.</span><span class="nf">some</span><span class="p">((</span><span class="nx">entry</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">isIntersecting</span><span class="p">))</span> <span class="p">{</span> <span class="nx">obs</span><span class="p">.</span><span class="nf">disconnect</span><span class="p">()</span> <span class="k">this</span><span class="p">.</span><span class="nf">injectGiscus</span><span class="p">(</span><span class="nx">container</span><span class="p">)</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">rootMargin</span><span class="p">:</span> <span class="dl">'</span><span class="s1">600px 0px</span><span class="dl">'</span> <span class="p">},</span> <span class="p">)</span> <span class="nx">observer</span><span class="p">.</span><span class="nf">observe</span><span class="p">(</span><span class="nx">container</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>fetchpriority="high"</code> on the LCP cover image.</strong> The cover image is the Largest Contentful Paint element on every blog post. Adding <code>fetchpriority="high"</code> and <code>decoding="async"</code> tells the browser to prioritize its fetch above everything else in the image queue:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;img</span> <span class="na">[src]=</span><span class="s">"post.attributes.coverImage"</span> <span class="na">[alt]=</span><span class="s">"post.attributes.title"</span> <span class="na">fetchpriority=</span><span class="s">"high"</span> <span class="na">decoding=</span><span class="s">"async"</span> <span class="na">class=</span><span class="s">"w-full h-auto object-cover max-h-[400px]"</span> <span class="nt">/&gt;</span> </code></pre> </div> <p><strong>Zoneless change detection — the biggest mobile lever.</strong> The app still shipped <code>zone.js</code> with <code>provideZoneChangeDetection</code>. On a 4×-throttled mobile CPU, parsing and running zone.js plus zone-based change detection is a real slice of Total Blocking Time before the page is interactive. Angular 20 lets you drop it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// main.ts: delete `import 'zone.js'`</span> <span class="c1">// app.config.ts</span> <span class="nx">providers</span><span class="p">:</span> <span class="p">[</span><span class="nf">provideZonelessChangeDetection</span><span class="p">()</span> <span class="cm">/* … */</span><span class="p">]</span> </code></pre> </div> <p>This is safe only if the app is signal- and event-driven: any view that refreshes from a bare <code>setTimeout</code>, <code>addEventListener</code>, or RxJS <code>subscribe</code> (rather than a signal or a template <code>(event)</code>) will silently stop updating under zoneless — audit for those first. While I was at it I also moved <code>@angular/material</code> off the critical path (the header icons became inline SVG, dropping the Material Icons web font) and lazy-loaded <code>@sentry/browser</code>. Net effect: <strong>eager JS for the post fell from 658 KB to 583 KB, mobile Total Blocking Time dropped to ~20 ms, and mobile Performance went 66 → 77.</strong></p> <p><strong>WebP cover images — the LCP follow-up.</strong> With the framework cost gone, the largest remaining mobile cost was the cover image (the LCP element), shipped as a PNG. I generated a WebP variant for every local cover and serve it through a <code>&lt;picture&gt;</code>, keeping the PNG as both the <code>&lt;img&gt;</code> fallback and the <code>og:image</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;picture&gt;</span> @if (coverWebp()) { <span class="nt">&lt;source</span> <span class="na">type=</span><span class="s">"image/webp"</span> <span class="na">[srcset]=</span><span class="s">"coverWebp()"</span> <span class="nt">/&gt;</span> } <span class="nt">&lt;img</span> <span class="na">[src]=</span><span class="s">"post.attributes.coverImage"</span> <span class="na">fetchpriority=</span><span class="s">"high"</span> <span class="na">decoding=</span><span class="s">"async"</span> <span class="err">…</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/picture&gt;</span> </code></pre> </div> <p>The WebP source is <strong>root-relative</strong> on purpose: a <code>&lt;source&gt;</code> does not fall back to the <code>&lt;img&gt;</code> on a 404, so an absolute prod URL would break the hero on preview builds. Across 25 covers this cut <strong>12.2 MB → 0.9 MB (~92%)</strong> — the interactive-charts cover went 92 KB → 36 KB — taking mobile LCP from 5.8 s to ~4.8 s and Performance to <strong>78</strong>.</p> <p><strong>Inline the CSS + preload the LCP image — the step that actually broke the ceiling.</strong> Mobile was stuck in the high-70s with LCP ~4.8 s. I assumed I'd need classic <em>critical-CSS extraction</em> (inline above-the-fold, async the rest). Measuring first saved the effort: the entire stylesheet is only <strong>~9 KB brotli</strong>, already Tailwind-purged. So extraction was pointless — the cost wasn't bytes, it was the extra <strong>render-blocking request</strong> (a full round-trip on Slow 4G) plus discovering the cover image late. Two small <code>postRenderingHooks</code> fixed both:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// 1) Swap the render-blocking &lt;link&gt; for an inline &lt;style&gt; (no extra request)</span> <span class="nx">html</span> <span class="o">=</span> <span class="nx">html</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/&lt;link</span><span class="se">[^</span><span class="sr">&gt;</span><span class="se">]</span><span class="sr">*rel="stylesheet"</span><span class="se">[^</span><span class="sr">&gt;</span><span class="se">]</span><span class="sr">*href="</span><span class="se">(\/</span><span class="sr">assets</span><span class="se">\/[^</span><span class="sr">"</span><span class="se">]</span><span class="sr">+</span><span class="se">\.</span><span class="sr">css</span><span class="se">)</span><span class="sr">"</span><span class="se">[^</span><span class="sr">&gt;</span><span class="se">]</span><span class="sr">*&gt;/g</span><span class="p">,</span> <span class="p">(</span><span class="nx">tag</span><span class="p">,</span> <span class="nx">href</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">css</span> <span class="o">=</span> <span class="nf">readClientAsset</span><span class="p">(</span><span class="nx">href</span><span class="p">);</span> <span class="k">return</span> <span class="nx">css</span> <span class="p">?</span> <span class="s2">`&lt;style&gt;</span><span class="p">${</span><span class="nx">css</span><span class="p">}</span><span class="s2">&lt;/style&gt;`</span> <span class="p">:</span> <span class="nx">tag</span> <span class="p">})</span> <span class="c1">// 2) Preload the cover (first &lt;picture&gt;) so it fetches during head parse</span> <span class="c1">// &lt;link rel="preload" as="image" type="image/webp" imagesrcset="…" fetchpriority="high"&gt;</span> </code></pre> </div> <p>The effect on mobile was dramatic: <strong>FCP 2.1 s → 0.9 s</strong>, <strong>LCP 4.8 s → 1.2 s</strong>, and Performance <strong>78 → 100</strong>. The lesson: don't reach for the heavy tool (critical-CSS extraction) before measuring — for a small stylesheet, inlining the whole thing is simpler and just as effective.</p> <p><strong>Core Web Vitals (lab measurements, deployed production site):</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td>Mobile Performance</td> <td>59</td> <td><strong>100</strong></td> </tr> <tr> <td>FCP (mobile)</td> <td>2.1 s</td> <td><strong>0.9 s</strong></td> </tr> <tr> <td>LCP (mobile)</td> <td>4.8 s</td> <td><strong>1.2 s</strong></td> </tr> <tr> <td>Total Blocking Time (mobile)</td> <td>—</td> <td><strong>~20 ms</strong></td> </tr> <tr> <td>Cover image (LCP element)</td> <td>92 KB PNG</td> <td><strong>36 KB WebP</strong></td> </tr> <tr> <td>Eager JS on the post</td> <td>658 KB</td> <td><strong>583 KB</strong></td> </tr> <tr> <td>Render-blocking CSS requests</td> <td>1</td> <td><strong>0</strong></td> </tr> <tr> <td>CLS</td> <td>0.00</td> <td>0.00</td> </tr> <tr> <td>3rd-party scripts on initial load</td> <td>4 (GA + Clarity + Logichat + Giscus)</td> <td><strong>0</strong></td> </tr> </tbody> </table></div> <p>CLS was 0.00 throughout. The combined effect — zoneless framework, zero third-party on load, WebP covers, inlined CSS, preloaded LCP image — took <strong>mobile from 59 to a perfect 100</strong>, matching desktop's 100/100/100/100. There was no real "framework ceiling"; the mobile gap was a render-blocking CSS round-trip and a late-discovered image all along.</p> <h2> Summary </h2> <p>Eight failing audits across four Lighthouse categories, now zero. The fixes in rough order of impact:</p> <ol> <li> <strong>Gate analytics on <code>click</code>/<code>keydown</code>/<code>touchstart</code></strong> — Best Practices 77 → 100. Resist the scroll-deferral instinct; audit tools auto-scroll.</li> <li> <strong>Fix <code>publicDir</code> to deploy <code>robots.txt</code></strong> — SEO 92 → 100. One file in the right directory.</li> <li> <strong>Override the Prism light theme for WCAG AA</strong> — 76 of 78 contrast violations cleared with a single CSS block.</li> <li> <strong>Label the range input, fix heading order, clean up button aria labels</strong> — Accessibility 90 → 100.</li> <li> <strong>Add <code>/llms.txt</code></strong> — Agentic Browsing 33 → 100.</li> <li> <strong>Lazy-load Giscus + <code>fetchpriority</code> on LCP image</strong> — zero third-party scripts on initial load, LCP stays green.</li> <li> <strong>Zoneless change detection + trim the eager bundle</strong> (drop <code>zone.js</code>, inline-SVG icons instead of Angular Material, lazy Sentry) — mobile Performance 66 → 77, eager JS 658 → 583 KB, TBT ~20 ms.</li> <li> <strong>WebP cover images via <code>&lt;picture&gt;</code></strong> — covers 92% smaller (12.2 MB → 0.9 MB), mobile 77 → 78, LCP 5.8 s → ~4.8 s.</li> <li> <strong>Inline the global CSS + preload the LCP image</strong> — FCP 2.1 s → 0.9 s, LCP 4.8 s → 1.2 s, mobile Performance 78 → <strong>100</strong>.</li> </ol> <p>The audit fixes were small and surgical; going zoneless was the biggest single TBT win; but the real surprise was the last step — <strong>mobile 78 → 100 from inlining a 9 KB stylesheet and preloading one image</strong>. The recurring lesson: <em>measure before reaching for the heavy tool.</em> Scroll-gated deferral failed because audit tools auto-scroll; critical-CSS extraction was unnecessary because the CSS was tiny. The page that started at 90/77/92/33 desktop now sits at a perfect <strong>100/100/100/100 on both desktop and mobile</strong>.</p> angular performance a11y webdev Dale Nguyen Sun, 07 Jun 2026 00:42:42 +0000 https://dev.to/dalenguyen/run-coding-agents-on-local-ai-zero-cloud-full-control-5e9e https://dev.to/dalenguyen/run-coding-agents-on-local-ai-zero-cloud-full-control-5e9e <p>Coding agents — Codex CLI, Claude Code, Cursor, and Pi — are productivity multipliers. But they all assume you are happy sending your code to someone else's servers. For many of us that is a deal-breaker: proprietary codebases, client NDAs, compliance requirements, or just the principle of owning your own compute.</p> <p>This guide shows how to swap out every cloud API with a local <a href="https://ollama.com" rel="noopener noreferrer">Ollama</a> server running <strong>qwen3-coder:30b</strong>. Same tools, same workflows, no data leaving your network.</p> <h2> Why Run AI Locally? </h2> <p>The case is simple:</p> <ul> <li> <strong>Zero data exfiltration.</strong> Your code never leaves your machine or LAN.</li> <li> <strong>No per-token cost.</strong> Run 10,000 completions or 10 — the electricity bill does not care.</li> <li> <strong>Works offline.</strong> Airplane mode, restricted network, flaky VPN — irrelevant.</li> <li> <strong>No rate limits.</strong> No 429s at 2 am when you are in flow.</li> </ul> <p>The honest tradeoff: frontier models (Claude Opus 4, GPT-5) still outperform local models on complex multi-step reasoning and very large context tasks. For the 80% of day-to-day coding work — autocomplete, refactors, test generation, documentation — a well-chosen local model is more than good enough.</p> <h2> Hardware Requirements </h2> <p>I run this on an <strong>Apple M4 Pro with 48 GB unified memory</strong>. Apple Silicon's unified memory architecture is exceptionally well-suited to LLM inference: the GPU and CPU share the same memory pool, so a 22 GB model fits comfortably alongside a full development environment.</p> <p>Minimum viable setup:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>RAM</th> <th>What fits</th> </tr> </thead> <tbody> <tr> <td>16 GB</td> <td>7–8B parameter models (qwen3:8b, llama3.2:8b)</td> </tr> <tr> <td>32 GB</td> <td>14–20B models (qwen3:14b, gpt-oss:20b)</td> </tr> <tr> <td>48 GB</td> <td>30–35B models (qwen3-coder:30b, qwen3.6:35b)</td> </tr> <tr> <td>64 GB+</td> <td>70B models (deepseek-r1:70b, llama3.3:70b)</td> </tr> </tbody> </table></div> <p>On Intel/AMD systems with discrete GPUs the math is different: VRAM is the bottleneck, and models that don't fit entirely in VRAM fall back to slow CPU offloading.</p> <h2> Choosing a Model </h2> <p>For 48 GB unified memory, these are the models worth knowing about:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Model</th> <th>Size on disk</th> <th>Active params</th> <th>Strengths</th> </tr> </thead> <tbody> <tr> <td><strong>qwen3-coder:30b</strong></td> <td>~22 GB</td> <td>3.3B (MoE)</td> <td>Coding, 256K context, HumanEval SOTA</td> </tr> <tr> <td>qwen3.6:35b</td> <td>~24 GB</td> <td>Full dense</td> <td>General reasoning + vision</td> </tr> <tr> <td>gpt-oss:20b</td> <td>~14 GB</td> <td>Full dense</td> <td>Function calling, tool use</td> </tr> <tr> <td>gemma4:27b</td> <td>~18 GB</td> <td>Full dense</td> <td>Math, structured output</td> </tr> <tr> <td>deepseek-r1:70b</td> <td>~45 GB</td> <td>Full dense</td> <td>Chain-of-thought, complex reasoning</td> </tr> </tbody> </table></div> <p><strong>qwen3-coder:30b</strong> is the default recommendation for coding tasks. It uses a Mixture-of-Experts architecture — only 3.3B parameters are active per token — so inference is fast despite the large parameter count. The 256K context window handles entire codebases without chunking. It beats GPT-4o on HumanEval benchmarks.</p> <p>Pull it with Ollama:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ollama pull qwen3-coder:30b </code></pre> </div> <h2> Setting Up Ollama as a Network Server </h2> <p>By default Ollama listens on <code>localhost</code> only. To reach it from other machines on your LAN (or to let coding tools that open their own network connections reach it), bind to all interfaces:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">OLLAMA_HOST</span><span class="o">=</span>0.0.0.0 ollama serve </code></pre> </div> <p>To make this permanent on macOS, edit the Ollama launch agent or set the environment variable in your shell profile before starting Ollama. The server will then be reachable at:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://192.168.2.200:11434 </code></pre> </div> <p>Replace <code>192.168.2.200</code> with your machine's LAN IP. Verify it is working:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://192.168.2.200:11434/api/tags | jq <span class="s1">'.models[].name'</span> </code></pre> </div> <p>Ollama exposes an OpenAI-compatible <code>/v1</code> endpoint, which is what all the tools below use.</p> <h2> Codex CLI </h2> <p><a href="https://github.com/openai/codex" rel="noopener noreferrer">Codex CLI</a> is OpenAI's terminal-based coding agent. It supports custom model providers through its TOML configuration.</p> <h3> Install </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-g</span> @openai/codex </code></pre> </div> <h3> Configuration </h3> <p>Create <code>~/.codex/config.toml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="py">model</span> <span class="p">=</span> <span class="s">"qwen3-coder:30b"</span> <span class="py">model_provider</span> <span class="p">=</span> <span class="s">"ollama_remote"</span> <span class="py">model_context_window</span> <span class="p">=</span> <span class="mi">262144</span> <span class="py">model_catalog_json</span> <span class="p">=</span> <span class="s">"/Users/me/.codex/model_catalog.json"</span> <span class="nn">[model_providers.ollama_remote]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"Ollama Remote"</span> <span class="py">base_url</span> <span class="p">=</span> <span class="s">"http://192.168.2.200:11434/v1"</span> <span class="py">env_key</span> <span class="p">=</span> <span class="s">"OLLAMA_API_KEY"</span> </code></pre> </div> <p>A few gotchas discovered the hard way:</p> <ul> <li> <strong>Provider ID must use underscores</strong>, not hyphens. <code>ollama-remote</code> fails with a parse error; <code>ollama_remote</code> works.</li> <li> <strong><code>name</code> is required</strong> in <code>[model_providers.*]</code>. Omitting it throws <code>provider name must not be empty</code>.</li> <li> <strong><code>ollama</code>, <code>openai</code>, and <code>lmstudio</code> are reserved</strong> built-in provider IDs and cannot be overridden. Always use a custom name like <code>ollama_remote</code>.</li> <li> <strong><code>model_context_window</code></strong> must be set explicitly — Codex won't infer it for unknown models.</li> </ul> <p>Set the API key environment variable (Ollama doesn't require auth, but Codex won't start without it):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">OLLAMA_API_KEY</span><span class="o">=</span>ollama </code></pre> </div> <h3> Model Catalog </h3> <p>Without a model catalog, Codex prints <code>Model metadata for qwen3-coder:30b not found</code> and falls back to broken defaults. The catalog format requires every field from Codex's bundled schema — a simplified JSON with just a few keys will fail with <code>missing field</code> errors.</p> <p>The cleanest approach: generate the catalog from Codex's own bundled metadata and patch in your model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>codex debug models <span class="nt">--bundled</span> | python3 <span class="nt">-c</span> <span class="s2">" import json, sys d = json.load(sys.stdin) m = d['models'][0].copy() m['slug'] = 'qwen3-coder:30b' m['display_name'] = 'Qwen3-Coder 30B' m['description'] = 'Coding-specialized MoE model with 256K context.' m['context_window'] = 262144 m['max_context_window'] = 262144 m['availability_nux'] = None m['upgrade'] = None m['supported_reasoning_levels'] = [] m['default_reasoning_level'] = 'low' m['supports_reasoning_summaries'] = False m['default_reasoning_summary'] = 'none' print(json.dumps({'models': [m]}, indent=2)) "</span> <span class="o">&gt;</span> ~/.codex/model_catalog.json </code></pre> </div> <p>The two critical fields are <code>supported_reasoning_levels: []</code> and <code>supports_reasoning_summaries: false</code>. Without them, Codex sends a <code>thinking</code> parameter that Ollama rejects with <code>does not support thinking</code>. Note that <code>qwen3-coder:30b</code> does support chain-of-thought reasoning — Qwen3 models reason internally via <code>&lt;think&gt;</code> tags. Disabling this API parameter just stops Codex from requesting it in an OpenAI-specific format that Ollama doesn't accept.</p> <p>Verify the catalog loaded correctly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">OLLAMA_API_KEY</span><span class="o">=</span>ollama codex debug models | python3 <span class="nt">-c</span> <span class="s2">" import json, sys d = json.load(sys.stdin) m = [x for x in d['models'] if 'qwen3-coder' in x['slug']][0] print('slug:', m['slug'], '| context_window:', m['context_window']) print('reasoning_levels:', m['supported_reasoning_levels']) "</span> <span class="c"># slug: qwen3-coder:30b | context_window: 262144</span> <span class="c"># reasoning_levels: []</span> </code></pre> </div> <h3> Running Codex </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">OLLAMA_API_KEY</span><span class="o">=</span>ollama codex </code></pre> </div> <p>Or add it permanently to <code>~/.zshrc</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">OLLAMA_API_KEY</span><span class="o">=</span>ollama </code></pre> </div> <p>Then just run <code>codex</code> from any project directory.</p> <h2> Claude Code </h2> <p>Claude Code is Anthropic's official CLI agent. It is hardwired to the Anthropic API but accepts a base URL override — which means you can point it at any OpenAI-compatible endpoint, including Ollama.</p> <h3> Configuration </h3> <p>Set two environment variables before launching Claude Code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">ANTHROPIC_BASE_URL</span><span class="o">=</span>http://192.168.2.200:11434 <span class="nb">export </span><span class="nv">ANTHROPIC_API_KEY</span><span class="o">=</span>ollama </code></pre> </div> <p>Start Claude Code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>claude </code></pre> </div> <p>At the login prompt, select <strong>"Anthropic Console"</strong> as the login method. Claude Code will use the base URL you provided instead of <code>api.anthropic.com</code>.</p> <p>To make this permanent, add the exports to your shell profile (<code>~/.zshrc</code>, <code>~/.bashrc</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Local AI backend for Claude Code</span> <span class="nb">export </span><span class="nv">ANTHROPIC_BASE_URL</span><span class="o">=</span>http://192.168.2.200:11434 <span class="nb">export </span><span class="nv">ANTHROPIC_API_KEY</span><span class="o">=</span>ollama </code></pre> </div> <p>Then reload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">source</span> ~/.zshrc </code></pre> </div> <p>One practical note: Claude Code's system prompts are written for Claude models and include Anthropic-specific formatting expectations. qwen3-coder:30b handles them well, but you may see occasional formatting quirks in responses. They do not affect functionality.</p> <h2> Cursor </h2> <p>Cursor has a similar configuration path. In <strong>Settings → Models → OpenAI API Key</strong>, switch to a custom base URL:</p> <ol> <li>Open <strong>Cursor Settings</strong> (<code>Cmd+,</code>).</li> <li>Navigate to <strong>Models</strong>.</li> <li>Enable <strong>"Override OpenAI Base URL"</strong>.</li> <li>Enter <code>http://192.168.2.200:11434/v1</code>.</li> <li>Enter <code>ollama</code> as the API key.</li> <li>Select or type <code>qwen3-coder:30b</code> as the model.</li> </ol> <h2> Pi (pi.dev) </h2> <p><a href="https://pi.dev" rel="noopener noreferrer">Pi</a> is a minimal agent harness built for extensibility — "adapt Pi to your workflows, not the other way around." It supports 15+ providers and custom local endpoints via a <code>models.json</code> file that hot-reloads between sessions.</p> <h3> Install </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-g</span> @pi-ag/coding-agent </code></pre> </div> <h3> Configuration </h3> <p>Add your local Ollama server to <code>~/.pi/agent/models.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"providers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ollama_remote"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"baseUrl"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://192.168.2.200:11434/v1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"api"</span><span class="p">:</span><span class="w"> </span><span class="s2">"openai-completions"</span><span class="p">,</span><span class="w"> </span><span class="nl">"apiKey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ollama"</span><span class="p">,</span><span class="w"> </span><span class="nl">"models"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"qwen3-coder:30b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"contextWindow"</span><span class="p">:</span><span class="w"> </span><span class="mi">262144</span><span class="p">,</span><span class="w"> </span><span class="nl">"compat"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"supportsDeveloperRole"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"supportsReasoningEffort"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>compat</code> block is important: Ollama doesn't understand the <code>developer</code> role or <code>reasoning_effort</code> parameter that Pi sends to reasoning-capable models by default. Setting both to <code>false</code> routes around those errors.</p> <h3> Running Pi </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pi </code></pre> </div> <p>Select the model with <code>/model</code> inside the session — it lists all providers including your custom <code>ollama_remote</code> entry. The <code>models.json</code> file reloads each time you open <code>/model</code>, so you can add or swap models without restarting.</p> <h2> Tradeoffs to Know Before Committing </h2> <p>Being honest about the limitations matters more than selling this as a perfect replacement.</p> <p><strong>Where qwen3-coder:30b matches or beats cloud models:</strong></p> <ul> <li>Single-file refactors and rewrites</li> <li>Test generation from existing code</li> <li>Documentation and comment generation</li> <li>Code review and explaining what code does</li> <li>SQL queries, shell scripts, configuration files</li> <li>Repetitive boilerplate</li> </ul> <p><strong>Where frontier models still have an edge:</strong></p> <ul> <li>Multi-file architecture changes requiring deep cross-file reasoning</li> <li>Tasks requiring the model to hold very large context simultaneously (though 256K helps significantly)</li> <li>Novel algorithm design in complex domains</li> <li>Catching subtle security vulnerabilities in unfamiliar code patterns</li> </ul> <p><strong>Operational considerations:</strong></p> <ul> <li>First inference after loading the model takes a few seconds. Subsequent calls are fast.</li> <li>If your Mac goes to sleep, Ollama suspends. You may want to keep "Prevent computer from sleeping" on while working.</li> <li>The Ollama server is unauthenticated by default. Keep it on your LAN only — do not expose port 11434 to the internet.</li> </ul> <h2> A Note on Model Selection for Other Tasks </h2> <p>If qwen3-coder:30b is not the right fit for a specific task, here is when to switch:</p> <ul> <li> <strong>Vision tasks</strong> (screenshots, diagrams in context): use <code>qwen3.6:35b</code> — it has multimodal support.</li> <li> <strong>Heavy function/tool calling</strong> in agentic workflows: <code>gpt-oss:20b</code> has more reliable structured output.</li> <li> <strong>Math or formal reasoning</strong>: <code>gemma4:27b</code> has strong performance on reasoning benchmarks.</li> <li> <strong>Chain-of-thought problems</strong> where you want to see the reasoning trace: <code>deepseek-r1:70b</code> (needs 45+ GB free RAM).</li> </ul> <p>Switching models in Ollama is instant — just pull the model and update the <code>model</code> field in your config.</p> <h2> Conclusion </h2> <p>Replacing cloud APIs with a local Ollama server is a one-afternoon project that delivers permanent benefits: no cost, no data exposure, no rate limits. The setup is three configuration files and two environment variables.</p> <p>qwen3-coder:30b is capable enough that you will not miss the cloud for most coding work. When you do need frontier-level reasoning, the cloud is still there — but now it is opt-in, not the default.</p> <p>The key insight is that your hardware, your code, and your workflow should stay under your control. The tools were always willing to connect to any compatible endpoint. Now you know how to give them one that you own.</p> ollama ai programming devtools Dale Nguyen Sat, 30 May 2026 18:27:54 +0000 https://dev.to/dalenguyen/local-first-a-model-on-your-own-machine-zero-cloud-26dh https://dev.to/dalenguyen/local-first-a-model-on-your-own-machine-zero-cloud-26dh <p>This is the concrete, runnable walkthrough for Post 1 of the <a href="https://github.com/dalenguyen/portway" rel="noopener noreferrer">Portway series</a>. The goal: stand up a single model behind an OpenAI-compatible endpoint on hardware you already own, call it from the official OpenAI SDK, and internalize the stateless contract. Everything here runs locally for $0.</p> <h2> What this post covers </h2> <ul> <li>A <code>demo.py</code> script with two blocks: <ol> <li> <strong>Round-trip</strong> — one chat call via the OpenAI SDK, printing the content and the <code>usage</code> object.</li> <li> <strong>Stateless proof</strong> — the same final question sent as a 1-turn message and as the last turn of a 5-turn fabricated history; both <code>prompt_tokens</code> values are printed alongside an explanation of the delta.</li> </ol> </li> </ul> <h2> Engine choice on this machine </h2> <p>Apple Silicon Mac, 48 GB unified memory, <strong>Ollama</strong> already installed. The demo uses Ollama's OpenAI-compatible endpoint at <code>http://localhost:11434/v1</code> and the <code>gpt-oss:20b</code> model (~14 GB).</p> <blockquote> <p>The wider Portway series uses <code>llama.cpp</code> on Mac (Ollama is called out as problematic for Qwen3.5 in Post 2). For Post 1 — one model, prove the contract — Ollama is fine and already on the box.</p> </blockquote> <h2> Model options by available RAM </h2> <p>The demo script works with any Ollama-served model — just substitute the model name in <code>demo.py</code>. The table below covers machines from 9 GB unified memory upward.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Model</th> <th>Pull command</th> <th>Approx size</th> <th>Min RAM</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td><code>llama3.2:3b</code></td> <td><code>ollama pull llama3.2:3b</code></td> <td>~2 GB</td> <td>8 GB</td> <td>Fastest; good for testing the contract</td> </tr> <tr> <td><code>gemma3:4b</code></td> <td><code>ollama pull gemma3:4b</code></td> <td>~3 GB</td> <td>8 GB</td> <td>Google; solid instruction-following</td> </tr> <tr> <td><code>mistral:7b</code></td> <td><code>ollama pull mistral:7b</code></td> <td>~4.1 GB</td> <td>8 GB</td> <td>Classic 7B baseline</td> </tr> <tr> <td><code>llama3.1:8b</code></td> <td><code>ollama pull llama3.1:8b</code></td> <td>~4.7 GB</td> <td>9 GB</td> <td>Best quality under 10 GB</td> </tr> <tr> <td><code>qwen2.5:7b</code></td> <td><code>ollama pull qwen2.5:7b</code></td> <td>~4.4 GB</td> <td>9 GB</td> <td>Strong at instruction + reasoning</td> </tr> <tr> <td><code>gpt-oss:20b</code></td> <td><code>ollama pull gpt-oss:20b</code></td> <td>~14 GB</td> <td>24 GB</td> <td>Used in this post's sample output</td> </tr> </tbody> </table></div> <p>On a 9 GB machine, replace <code>gpt-oss:20b</code> in <code>demo.py</code> with <code>llama3.1:8b</code> or <code>qwen2.5:7b</code> — the contract demonstration is identical.</p> <h2> Prerequisites </h2> <ul> <li> <a href="https://ollama.com" rel="noopener noreferrer">Ollama</a> running locally (<code>curl -s http://localhost:11434/api/tags</code> should return JSON)</li> <li> <a href="https://docs.astral.sh/uv/" rel="noopener noreferrer">uv</a> installed (<code>uv --version</code>)</li> <li>The model pulled. This post uses <code>gpt-oss:20b</code> (requires ~24 GB RAM); see Model options by available RAM for lighter alternatives on 9 GB+ machines. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ollama pull llama3.2:3b </code></pre> </div> <h2> Run it </h2> <p>From the repo root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uv <span class="nb">sync</span> <span class="c"># creates .venv at root, installs deps</span> uv run <span class="nt">--project</span> 1-local-first python 1-local-first/demo.py </code></pre> </div> <h2> Sample output </h2> <p>A real run on this machine (M4-class Mac, 48 GB, <code>gpt-oss:20b</code> via Ollama). Numbers will differ with smaller models — <code>prompt_tokens</code> for the same input stays deterministic regardless of model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>============================================================ Block 1 — round-trip via OpenAI SDK against localhost ============================================================ content: Toronto, Vancouver, Montreal. usage: CompletionUsage(completion_tokens=43, prompt_tokens=72, total_tokens=115, ...) ============================================================ Block 2 — same final question, 1-turn vs 5-turn history ============================================================ 1-turn response: The capital of Canada is **Ottawa**. 5-turn response: The capital of Canada is **Ottawa**, located in the province of Ontario. 1-turn prompt_tokens: 75 5-turn prompt_tokens: 139 delta: 64 Why the delta exists: the server holds NO conversation state between requests. The 5-turn call's prompt_tokens is higher only because the client re-sent the full history in the request body. Each call is evaluated from scratch — history is the client's responsibility. </code></pre> </div> <p><code>completion_tokens</code> and the response text will vary run-to-run (sampling is non-deterministic at default temperature). <code>prompt_tokens</code> for the same input is deterministic — 75 and 139 should reproduce.</p> <p>Notice how the 5-turn response picks up the road-trip context ("located in the province of Ontario") while the 1-turn answer riffs on the bare "Driving." in its prompt — same model, different framing in the client-supplied messages.</p> <h2> The stateless contract, explained </h2> <p>This is the most important concept in the series. Every request to an LLM API — local or cloud — is evaluated from scratch. The server has no memory of previous turns. When you send a multi-turn conversation, <strong>you</strong> are the one re-sending the full history in the request body. The model sees it all at once.</p> <p>The server's only "memory" between requests is the <strong>prefix cache</strong> (a compute optimisation that avoids re-evaluating tokens it has seen before), never conversation state. The cache is invisible to you — from the API contract's perspective, each call is stateless.</p> <p>Understanding this is the foundation for everything that follows in the series:</p> <ul> <li>Why conversation management belongs in the client, not the server</li> <li>Why context windows matter for cost and latency</li> <li>Why streaming <code>usage</code> requires an explicit opt-in (<code>stream_options.include_usage</code>)</li> </ul> <h2> Definition of done </h2> <ul> <li>OpenAI SDK round-trips against <code>localhost</code> — Block 1 prints a real <code>content</code> and a <code>usage</code> object.</li> <li>Can explain why 5 turns vs 1 turn changes <code>prompt_tokens</code> while the server remembers nothing — Block 2 prints both numbers and the one-paragraph explanation.</li> </ul> <h2> Things worth noting now </h2> <p><strong>Context size eats RAM/VRAM.</strong> Ollama's default context window is conservative for most models; raising it (e.g. <code>ollama run llama3.2:3b</code> → <code>/set parameter num_ctx 32768</code>) costs unified memory. It was not changed for this post.</p> <p><strong>gpt-oss emits a reasoning channel</strong> (Harmony format). The engine applies the template; you still get a normal <code>message.content</code>. The reasoning channel will be segregated at the gateway in Post 3.</p> <p><strong>No streaming yet.</strong> Post 5 covers the streaming <code>usage</code> trap — you must opt in via <code>stream_options.include_usage</code>, otherwise <code>usage</code> is <code>null</code> in streamed responses.</p> <h2> What's next </h2> <p>Post 2 moves from a single model to running multiple models simultaneously and routing requests between them — the first step toward a real local gateway.</p> <p>The full series and all demo code live in the <a href="https://github.com/dalenguyen/portway" rel="noopener noreferrer">Portway repository</a>.</p> ollama python ai llm Dale Nguyen Fri, 29 May 2026 04:12:02 +0000 https://dev.to/dalenguyen/free-model-providers-to-use-with-hermes-agent-13l9 https://dev.to/dalenguyen/free-model-providers-to-use-with-hermes-agent-13l9 <p><a href="https://github.com/nousresearch/hermes-agent" rel="noopener noreferrer">Hermes Agent</a> by NousResearch is an open-source AI agent that does something most frameworks do not: it learns from experience. It creates skills during use, refines its memory across sessions, and supports parallel subagents and a built-in cron scheduler. You can run it on a $5 VPS, a GPU cluster, or serverless infrastructure.</p> <p>The part that makes it immediately approachable is its provider flexibility. Hermes supports 200+ models across a growing list of providers, and you switch between them with a single command — no code changes. That means you can get started entirely on free tiers before committing to a paid API.</p> <p>This post covers which free providers work with Hermes Agent and how to get up and running with each.</p> <h2> Installing Hermes Agent </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-fsSL</span> https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.sh | bash <span class="nb">source</span> ~/.bashrc hermes </code></pre> </div> <p>That drops you into the interactive CLI. Run <code>hermes setup</code> to walk through the full configuration wizard, or <code>hermes setup --portal</code> to connect via Nous Portal (their own hosted service with OAuth, which consolidates all your API keys into one subscription).</p> <h2> Switching providers </h2> <p>Once installed, switching providers is a single command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>hermes model </code></pre> </div> <p>Or inline during a conversation: <code>/model [provider:model]</code></p> <p>No config file edits, no restarts. This is what makes free-tier exploration practical — you can try a model, hit a rate limit, and switch to another in seconds.</p> <h2> Free providers supported by Hermes Agent </h2> <h3> Nous Portal </h3> <p><a href="https://nousresearch.com" rel="noopener noreferrer">Nous Portal</a> is Hermes's native provider. It consolidates model access, web search, image generation, and TTS under one subscription. If you want the tightest integration with Hermes and the Nous ecosystem, this is the starting point. Check their current free tier on signup.</p> <h3> OpenRouter </h3> <p><a href="https://openrouter.ai" rel="noopener noreferrer">OpenRouter</a> is the most flexible free option. It gives you access to 200+ models — including Llama 4, DeepSeek, Gemma, and Mistral — through a single API key. The free tier covers 27+ models (marked with a <code>:free</code> suffix) at 200 requests per day and 20 requests per minute.</p> <p>Because Hermes supports OpenRouter natively, you can point it at any of those free models immediately. This is the best option if you want to compare how Hermes behaves across different underlying models without managing multiple accounts.</p> <h3> NVIDIA NIM </h3> <p><a href="https://build.nvidia.com" rel="noopener noreferrer">NVIDIA NIM</a> gives you free API credits on signup with no credit card required. The catalog includes 80+ models — Llama 4, Qwen, Mistral, and NousResearch's own Hermes 3 model — at roughly 40 requests per minute. Credits do not expire.</p> <p>NIM is the best free option if you specifically want to run a NousResearch model underneath Hermes Agent, since it hosts the Hermes 3 fine-tune directly.</p> <h3> Hugging Face </h3> <p><a href="https://huggingface.co/docs/inference-providers" rel="noopener noreferrer">Hugging Face Inference Providers</a> gives every account monthly free credits routed across a network of inference providers (Groq, Together, SambaNova, and others). Hermes Agent supports HuggingFace natively.</p> <p>The free tier is best for trying niche or smaller models. Cold starts can be slow on the free tier, so it is less suitable for long interactive sessions but fine for batch tasks or evaluation.</p> <h3> NovitaAI </h3> <p><a href="https://novita.ai" rel="noopener noreferrer">NovitaAI</a> is a cost-efficient inference provider with a generous free tier for new accounts. Hermes supports it natively. It is worth trying if OpenRouter and NVIDIA NIM rate limits become a bottleneck during heavy agent development.</p> <h3> Kimi / Moonshot </h3> <p><a href="https://kimi.moonshot.cn" rel="noopener noreferrer">Kimi</a> (by Moonshot AI) offers a free tier with long-context models. Hermes Agent lists it as a supported provider. Particularly useful if your agent tasks involve processing large documents or long conversation histories that would exhaust the context windows of other free-tier models.</p> <h2> Provider comparison at a glance </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Provider</th> <th>Free Tier</th> <th>Best for with Hermes</th> </tr> </thead> <tbody> <tr> <td><a href="https://nousresearch.com" rel="noopener noreferrer"><strong>Nous Portal</strong></a></td> <td>Check on signup</td> <td>Tightest Hermes integration</td> </tr> <tr> <td><a href="https://openrouter.ai" rel="noopener noreferrer"><strong>OpenRouter</strong></a></td> <td>200 req/day, 27+ free models</td> <td>Model variety, easy switching</td> </tr> <tr> <td><a href="https://build.nvidia.com" rel="noopener noreferrer"><strong>NVIDIA NIM</strong></a></td> <td>Credits on signup, no expiry</td> <td>Running NousResearch models</td> </tr> <tr> <td><a href="https://huggingface.co/docs/inference-providers" rel="noopener noreferrer"><strong>Hugging Face</strong></a></td> <td>Monthly credits</td> <td>Niche models, batch tasks</td> </tr> <tr> <td><a href="https://novita.ai" rel="noopener noreferrer"><strong>NovitaAI</strong></a></td> <td>Free credits on signup</td> <td>Alternative when hitting rate limits</td> </tr> <tr> <td><a href="https://kimi.moonshot.cn" rel="noopener noreferrer"><strong>Kimi / Moonshot</strong></a></td> <td>Free tier</td> <td>Long-context tasks</td> </tr> </tbody> </table></div> <h2> Tips for running Hermes on free tiers </h2> <p><strong>Rate limits compound in agentic loops.</strong> Hermes's learning loop and subagent features can make many model calls per task. At 20 req/min (OpenRouter free), a multi-step task hits the ceiling quickly. Use <code>hermes model</code> to switch to a provider with a higher limit mid-session, or configure a fallback provider.</p> <p><strong>Use NVIDIA NIM for NousResearch models specifically.</strong> If you want the model that Hermes was designed around — the Hermes 3 fine-tune — NIM hosts it directly at <code>nousresearch/hermes-3-llama-3.1-70b</code>. The free credits cover meaningful development without hitting a daily request cap.</p> <p><strong>OpenRouter first for exploration.</strong> Its unified free tier across 27+ models is the fastest way to understand how Hermes Agent behaves with different underlying models. No separate accounts, one key, switch with <code>/model</code>.</p> <p><strong>Run <code>hermes doctor</code> when something breaks.</strong> The built-in diagnostics command checks your provider configuration and surfaces misconfigurations before you spend time debugging the wrong thing.</p> <h2> Summary </h2> <p>Hermes Agent is one of the few open-source agents with a genuine learning loop built in, and its multi-provider support means you are not locked into any single API. To get started for free: install Hermes, run <code>hermes setup</code>, and connect <a href="https://openrouter.ai" rel="noopener noreferrer">OpenRouter</a> or <a href="https://build.nvidia.com" rel="noopener noreferrer">NVIDIA NIM</a> — both work out of the box with no credit card. Switch models with <code>hermes model</code> as you explore what works best for your use case.</p> ai agents opensource llm Dale Nguyen Sun, 24 May 2026 14:03:23 +0000 https://dev.to/dalenguyen/building-a-personal-assistant-in-zo-computer-and-adding-hermes-as-a-second-assistant-3mcn https://dev.to/dalenguyen/building-a-personal-assistant-in-zo-computer-and-adding-hermes-as-a-second-assistant-3mcn <p>Zo Computer works well as a personal operating system for life admin, creative work, learning, and day-to-day coordination. If you set it up intentionally, it can feel less like a chat app and more like a real assistant that lives with your files, routines, and preferences.</p> <p>The good news is that getting started costs nothing. Zo has a free tier that is a perfect place to test a personal assistant setup before committing to anything. On the Hermes side, <a href="https://build.nvidia.com/settings/api-keys" rel="noopener noreferrer">NVIDIA offers free API credits</a> through their developer platform, so you can run Hermes against a capable model without paying for API usage upfront. That means you can build out the full two-assistant setup described in this post for free.</p> <p>A strong pattern is to use Zo as your main personal assistant and Hermes as a second assistant that handles a different lane of work. Zo stays close to your files, your rules, your automations, and your personal workflows. Hermes becomes the extra pair of hands: a separate agent for focused tasks, parallel research, and longer-running jobs.</p> <h2> Why a personal assistant in Zo is useful </h2> <p>Zo is especially good for personal use because it can sit near the center of your life instead of scattered across separate apps. That means you can keep the things an assistant needs in one place:</p> <ul> <li>notes and documents</li> <li>recurring routines</li> <li>calendar-aware tasks</li> <li>saved preferences and rules</li> <li>files you want the assistant to work from</li> <li>automations that run without you micromanaging them</li> </ul> <p>The real advantage is continuity. A personal assistant becomes much more useful when it can remember your style, keep track of ongoing projects, and work from the same environment every day.</p> <h2> What "personal assistant" should mean in Zo </h2> <p>A good assistant in Zo should do more than answer questions. It should help you actually move things forward.</p> <p>That usually means:</p> <ul> <li>drafting messages, notes, and documents</li> <li>organizing ideas into something usable</li> <li>turning vague thoughts into a plan</li> <li>reminding you about routines and deadlines</li> <li>summarizing information from files or the web</li> <li>handling repeatable life admin tasks</li> <li>keeping track of preferences so you do not repeat yourself</li> </ul> <p>If you treat Zo like a small command center, it stops being a generic chatbot and starts becoming a trusted helper.</p> <h2> The cleanest setup: one main assistant, one second assistant </h2> <p>The best setup is usually not "one AI that does everything." It is:</p> <ul> <li>Zo as your primary assistant</li> <li>Hermes as your second assistant</li> </ul> <p>That split is useful because the assistants can have different jobs.</p> <h3> Zo as the primary assistant </h3> <p>Use Zo for:</p> <ul> <li>personal life management</li> <li>writing and editing</li> <li>working directly from your files</li> <li>scheduling and recurring routines</li> <li>decisions that need your preferences</li> <li>things you want tightly integrated with your Zo workspace</li> </ul> <h3> Hermes as the second assistant </h3> <p>Use Hermes for:</p> <ul> <li>parallel research</li> <li>long-running work</li> <li>independent task handling</li> <li>a separate memory stream</li> <li>a different working style</li> <li>conversations or jobs you want isolated from your main assistant</li> </ul> <p>This is the important idea: the second assistant should not be a clone of the first. It should be a specialist.</p> <h2> How Hermes fits in </h2> <p>Hermes is designed as an autonomous agent with a built-in learning loop. According to its documentation, it can keep improving through use, remember across sessions, and work through messaging platforms like Telegram. It is meant to live somewhere persistent, such as a local machine, a VPS, or another hosted environment.</p> <p>That makes Hermes a good second assistant when you want another agent running in parallel with Zo instead of replacing Zo.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5uu9p5b2pofwdxlzpffl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5uu9p5b2pofwdxlzpffl.png" alt="Zo Computer running as a Telegram bot — asking it to find a flight with one transit stop." width="800" height="1731"></a></p> <h2> Basic Hermes installation path </h2> <p>The easiest way to get started is to simply ask Zo to do it for you. Open a Zo chat and type something like:</p> <blockquote> <p>"Install Hermes on my machine"</p> </blockquote> <p>Zo will handle the setup steps, walk you through any configuration it needs, and get Hermes running without you having to touch the terminal. This is the fastest path if you are already inside Zo.</p> <p>If you prefer to install manually, the official Hermes docs show a straightforward install flow for Linux, macOS, and WSL2:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-fsSL</span> https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.sh | bash </code></pre> </div> <p>For native Windows, the docs also provide a PowerShell installer. After installation, Hermes can be configured to run in the environment you want and connected to messaging tools like Telegram.</p> <p>The practical setup pattern is:</p> <ol> <li>install Hermes</li> <li>choose where it will run</li> <li>connect its messaging or command interface</li> <li>give it a clear role</li> <li>keep Zo as the main personal assistant</li> </ol> <h2> How to divide work between Zo and Hermes </h2> <p>If you want the setup to feel sane, give each assistant a clear job.</p> <h3> Zo handles the personal layer </h3> <p>Zo should own:</p> <ul> <li>your personal notes</li> <li>your tasks and routines</li> <li>files you keep locally</li> <li>preferences and recurring habits</li> <li>writing that needs your voice</li> <li>decisions that depend on your context</li> </ul> <h3> Hermes handles the parallel layer </h3> <p>Hermes should own:</p> <ul> <li>research you want to run in the background</li> <li>tasks that can be broken into substeps</li> <li>experiments</li> <li>alternate drafts or viewpoints</li> <li>work that benefits from isolation</li> </ul> <p>This division prevents the assistants from stepping on each other.</p> <h2> A simple working model </h2> <p>Here is a practical way to think about it:</p> <ul> <li>Zo is the assistant that knows you.</li> <li>Hermes is the assistant that helps you scale.</li> </ul> <p>Zo keeps your life organized. Hermes helps you get more done.</p> <p>That combination is especially useful when you are juggling creative work, learning, and admin at the same time. One assistant can stay close to your personal system while the other handles the overflow.</p> <h2> Tips for making the setup actually useful </h2> <h3> 1. Give each assistant a role </h3> <p>Do not let both assistants do the same job. That creates noise. Be explicit:</p> <ul> <li>Zo = personal coordinator</li> <li>Hermes = second operator</li> </ul> <h3> 2. Keep preferences in one place </h3> <p>The more you repeat yourself, the less useful the system feels. Store your standards, defaults, and routines where the assistant can reuse them.</p> <h3> 3. Use the assistant for real workflows </h3> <p>Do not use it only for chat. Make it draft, organize, summarize, and schedule. Real utility comes from repeatable workflows.</p> <h3> 4. Keep the assistant close to your files </h3> <p>Your files are the memory of the system. The assistant gets more useful when it can work from documents, notes, and living records instead of starting from scratch each time.</p> <h3> 5. Treat the second assistant like an aide, not a boss </h3> <p>Hermes should support your system, not replace your judgment. The best assistant setup is still human-led.</p> <h2> Example use case </h2> <p>A good two-assistant workflow might look like this:</p> <ul> <li>Zo manages your personal planning, drafts, and routines.</li> <li>Hermes runs a background research task, collects notes, and returns a concise summary.</li> <li>You review both outputs and decide what to do next.</li> </ul> <p>That is the sweet spot: one assistant keeps your life coherent, and the other adds throughput.</p> <h2> Bottom line </h2> <p>If you want a personal assistant inside Zo Computer, start by making Zo the center of your daily system: files, rules, routines, drafts, and reminders. Then add Hermes as a second assistant for parallel work, deeper automation, and independent tasks.</p> <p>The result is not just "two AIs." It is a better division of labor:</p> <ul> <li>Zo for your personal operating system</li> <li>Hermes for your extra capacity</li> </ul> <p>That is the setup that actually feels like having help.</p> <p><em>If you want to try Zo Computer, you can sign up using my <a href="https://zo-computer.cello.so/WSr8vEbM6k1" rel="noopener noreferrer">invite link</a> (affiliate link).</em></p> agents ai productivity automation Dale Nguyen Fri, 15 May 2026 16:10:31 +0000 https://dev.to/dalenguyen/securing-your-mcp-server-with-firebase-auth-a-production-walkthrough-53j7 https://dev.to/dalenguyen/securing-your-mcp-server-with-firebase-auth-a-production-walkthrough-53j7 <p>Model Context Protocol (MCP) servers let AI assistants interact with real user data. That means auth isn't optional — it's the difference between a useful tool and a data breach. This post walks through exactly how <a href="https://cantax.fyi" rel="noopener noreferrer">Can Tax Pro</a> secures its Python MCP server with Firebase Authentication, supporting both Firebase ID tokens (for direct access) and a custom OAuth 2.0 flow (for third-party clients like Claude.ai).</p> <h2> Architecture Overview </h2> <p>The system has three moving parts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Browser / Claude.ai Client │ │ Authorization: Bearer &lt;token&gt; ▼ MCP Server (Python/FastMCP on Cloud Run) │ │ Firebase Admin SDK ▼ Firestore (data isolated by userId) </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fylnw0d3ysn13hpq6ak7l.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fylnw0d3ysn13hpq6ak7l.gif" alt="Can Tax Pro MCP authentication flow demonstration" width="600" height="475"></a></p> <p>The MCP server accepts <strong>two token types</strong>:</p> <ol> <li> <strong>Firebase ID tokens</strong> — issued by Firebase Authentication, verified cryptographically</li> <li> <strong>Custom OAuth tokens</strong> (<code>ctpo_*</code>) — issued by the web app's OAuth server, stored as hashes in Firestore</li> </ol> <p>The web app itself acts as the OAuth authorization server for third-party integrations.</p> <h2> Step 1: Initialize Firebase Admin SDK </h2> <p>The server initializes Firebase Admin once at startup, with environment-aware credential resolution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">import</span> <span class="n">firebase_admin</span> <span class="kn">from</span> <span class="n">firebase_admin</span> <span class="kn">import</span> <span class="n">credentials</span><span class="p">,</span> <span class="n">auth</span> <span class="k">as</span> <span class="n">firebase_auth</span><span class="p">,</span> <span class="n">firestore</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">firebase_admin</span><span class="p">.</span><span class="n">_apps</span><span class="p">:</span> <span class="n">sa_json</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">FIREBASE_SERVICE_ACCOUNT</span><span class="sh">"</span><span class="p">)</span> <span class="n">project_id</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">FIREBASE_PROJECT_ID</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">sa_json</span><span class="p">:</span> <span class="n">cred</span> <span class="o">=</span> <span class="n">credentials</span><span class="p">.</span><span class="nc">Certificate</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">sa_json</span><span class="p">))</span> <span class="n">firebase_admin</span><span class="p">.</span><span class="nf">initialize_app</span><span class="p">(</span><span class="n">cred</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">projectId</span><span class="sh">"</span><span class="p">:</span> <span class="n">project_id</span><span class="p">})</span> <span class="k">else</span><span class="p">:</span> <span class="n">firebase_admin</span><span class="p">.</span><span class="nf">initialize_app</span><span class="p">(</span><span class="n">options</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">projectId</span><span class="sh">"</span><span class="p">:</span> <span class="n">project_id</span><span class="p">})</span> </code></pre> </div> <p><strong>Locally</strong>: set <code>FIREBASE_SERVICE_ACCOUNT</code> to your service account JSON.<br> <strong>On Cloud Run</strong>: omit it entirely — the SDK picks up Application Default Credentials (ADC) automatically via Workload Identity.</p> <p>This means no secrets in production. Your Cloud Run service account just needs the <code>Firebase Admin SDK Administrator Service Agent</code> IAM role.</p> <h2> Step 2: Token Resolution </h2> <p>Two resolver functions handle each token type:</p> <h3> OAuth Tokens (<code>ctpo_*</code>) </h3> <p>Custom tokens are never stored in plaintext. The server hashes them with SHA-256 and looks up the hash in Firestore:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">resolve_oauth_token</span><span class="p">(</span><span class="n">bearer_token</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">token_hash</span> <span class="o">=</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">sha256</span><span class="p">(</span><span class="n">bearer_token</span><span class="p">.</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">hexdigest</span><span class="p">()</span> <span class="n">doc</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">collection</span><span class="p">(</span><span class="sh">"</span><span class="s">oauthTokens</span><span class="sh">"</span><span class="p">).</span><span class="nf">document</span><span class="p">(</span><span class="n">token_hash</span><span class="p">).</span><span class="nf">get</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">doc</span><span class="p">.</span><span class="n">exists</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Invalid or revoked OAuth token</span><span class="sh">"</span><span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="n">doc</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">()</span> <span class="n">expires_at</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">expiresAt</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">expires_at</span> <span class="ow">and</span> <span class="n">expires_at</span> <span class="o">&lt;</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">OAuth token expired</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">data</span><span class="p">[</span><span class="sh">"</span><span class="s">userId</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <p>The Firestore document stores <code>userId</code>, <code>expiresAt</code>, <code>clientId</code>, and a <code>refreshTokenHash</code>. Revocation is instant — delete the document and the token stops working on the next request.</p> <h3> Firebase ID Tokens </h3> <p>Firebase handles the hard part:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">resolve_id_token</span><span class="p">(</span><span class="n">id_token</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">decoded</span> <span class="o">=</span> <span class="n">firebase_auth</span><span class="p">.</span><span class="nf">verify_id_token</span><span class="p">(</span><span class="n">id_token</span><span class="p">)</span> <span class="k">return</span> <span class="n">decoded</span><span class="p">[</span><span class="sh">"</span><span class="s">uid</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <p><code>verify_id_token</code> checks the signature against Google's public keys and validates claims (expiry, issuer, audience). It caches the public keys locally so it doesn't make a network call on every request.</p> <h2> Step 3: The Auth Middleware </h2> <p>A Starlette <code>BaseHTTPMiddleware</code> wraps every request. It tries the OAuth path first, then falls back to Firebase ID tokens:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">AuthMiddleware</span><span class="p">(</span><span class="n">BaseHTTPMiddleware</span><span class="p">):</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">dispatch</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">call_next</span><span class="p">):</span> <span class="c1"># Skip auth for public endpoints </span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">url</span><span class="p">.</span><span class="n">path</span> <span class="ow">in</span> <span class="n">_PUBLIC_PATHS</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">call_next</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="n">auth_header</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">auth_header</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">Bearer </span><span class="sh">"</span><span class="p">):</span> <span class="k">return</span> <span class="nc">Response</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">WWW-Authenticate</span><span class="sh">"</span><span class="p">:</span> <span class="sh">'</span><span class="s">Bearer realm=</span><span class="sh">"</span><span class="s">tax-mcp</span><span class="sh">"'</span><span class="p">},</span> <span class="p">)</span> <span class="n">token</span> <span class="o">=</span> <span class="n">auth_header</span><span class="p">.</span><span class="nf">removeprefix</span><span class="p">(</span><span class="sh">"</span><span class="s">Bearer </span><span class="sh">"</span><span class="p">).</span><span class="nf">strip</span><span class="p">()</span> <span class="n">token_set</span> <span class="o">=</span> <span class="n">_user_id_var</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="sh">""</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Try OAuth token first </span> <span class="k">if</span> <span class="n">token</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">ctpo_</span><span class="sh">"</span><span class="p">):</span> <span class="n">user_id</span> <span class="o">=</span> <span class="nf">resolve_oauth_token</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">user_id</span> <span class="o">=</span> <span class="nf">resolve_id_token</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="n">_user_id_var</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">call_next</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="nc">Response</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">content</span><span class="o">=</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">),</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">WWW-Authenticate</span><span class="sh">"</span><span class="p">:</span> <span class="sh">'</span><span class="s">Bearer realm=</span><span class="sh">"</span><span class="s">tax-mcp</span><span class="sh">"'</span><span class="p">},</span> <span class="p">)</span> <span class="k">finally</span><span class="p">:</span> <span class="n">_user_id_var</span><span class="p">.</span><span class="nf">reset</span><span class="p">(</span><span class="n">token_set</span><span class="p">)</span> </code></pre> </div> <p>Public paths (<code>/health</code>, <code>/.well-known/oauth-protected-resource</code>) bypass auth — necessary for health checks and OAuth discovery.</p> <h2> Step 4: Thread-Safe User Context </h2> <p>Tools shouldn't take a <code>user_id</code> parameter — that would pollute every signature and make testing awkward. Instead, use a <code>ContextVar</code> to propagate identity through the async call stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># _context.py </span><span class="kn">from</span> <span class="n">contextvars</span> <span class="kn">import</span> <span class="n">ContextVar</span> <span class="n">_user_id_var</span><span class="p">:</span> <span class="n">ContextVar</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="nc">ContextVar</span><span class="p">(</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_user_id</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">return</span> <span class="n">_user_id_var</span><span class="p">.</span><span class="nf">get</span><span class="p">()</span> <span class="k">except</span> <span class="nb">LookupError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sh">"</span><span class="s">User context not set — request did not pass through auth middleware.</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Every tool calls <code>get_user_id()</code> to scope its Firestore queries:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># tools/income.py </span><span class="kn">from</span> <span class="n">.._context</span> <span class="kn">import</span> <span class="n">get_user_id</span> <span class="nd">@mcp.tool</span><span class="p">()</span> <span class="k">def</span> <span class="nf">list_income</span><span class="p">(</span><span class="n">tax_year_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">]:</span> <span class="n">docs</span> <span class="o">=</span> <span class="p">(</span> <span class="n">db</span><span class="p">.</span><span class="nf">collection</span><span class="p">(</span><span class="sh">"</span><span class="s">users</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">document</span><span class="p">(</span><span class="nf">get_user_id</span><span class="p">())</span> <span class="p">.</span><span class="nf">collection</span><span class="p">(</span><span class="sh">"</span><span class="s">taxYears</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">document</span><span class="p">(</span><span class="n">tax_year_id</span><span class="p">)</span> <span class="p">.</span><span class="nf">collection</span><span class="p">(</span><span class="sh">"</span><span class="s">incomeEntries</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">stream</span><span class="p">()</span> <span class="p">)</span> <span class="k">return</span> <span class="p">[{</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">d</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="o">**</span><span class="n">d</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">()}</span> <span class="k">for</span> <span class="n">d</span> <span class="ow">in</span> <span class="n">docs</span><span class="p">]</span> </code></pre> </div> <p><code>ContextVar</code> is async-safe — each concurrent request gets its own context, so there's no cross-contamination between users even under high concurrency.</p> <p>The middleware resets the var in a <code>finally</code> block, which is critical: without cleanup, the context leaks to the next request on a reused coroutine.</p> <h2> Step 5: The OAuth 2.0 Server (Web App Side) </h2> <p>For third-party clients (Claude.ai, etc.), the web app implements an OAuth 2.0 authorization server. Here's the flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Client → GET /oauth/authorize?client_id=...&amp;code_challenge=... 2. User logs in (Firebase Auth) 3. Server → redirect with authorization_code 4. Client → POST /oauth/token with code + code_verifier 5. Server → { access_token: "ctpo_...", refresh_token: "ctpr_..." } </code></pre> </div> <p><strong>Token generation</strong> (TypeScript, server-side):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// server/routes/oauth/token.post.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createHash</span><span class="p">,</span> <span class="nx">randomBytes</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">crypto</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">ctpo_</span><span class="dl">"</span> <span class="o">+</span> <span class="nf">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">tokenHash</span> <span class="o">=</span> <span class="nf">createHash</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">accessToken</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">collection</span><span class="p">(</span><span class="dl">"</span><span class="s2">oauthTokens</span><span class="dl">"</span><span class="p">).</span><span class="nf">doc</span><span class="p">(</span><span class="nx">tokenHash</span><span class="p">).</span><span class="nf">set</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">session</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">session</span><span class="p">.</span><span class="nx">clientId</span><span class="p">,</span> <span class="na">expiresAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">),</span> <span class="c1">// 1 hour</span> <span class="na">createdAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(),</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">access_token</span><span class="p">:</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="na">token_type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">bearer</span><span class="dl">"</span><span class="p">,</span> <span class="na">expires_in</span><span class="p">:</span> <span class="mi">3600</span> <span class="p">};</span> </code></pre> </div> <p>The <code>ctpo_</code> prefix lets the MCP server route to the right resolver without trying Firebase first. Only the hash ever touches the database.</p> <p><strong>PKCE</strong> (Proof Key for Code Exchange) protects the authorization code flow. The client sends a <code>code_challenge</code> (SHA-256 of a random <code>code_verifier</code>) in step 1, then proves ownership by sending the raw <code>code_verifier</code> in step 4. The server hashes it and compares:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">verifierHash</span> <span class="o">=</span> <span class="nf">createHash</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">code_verifier</span><span class="p">)</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">base64url</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">verifierHash</span> <span class="o">!==</span> <span class="nx">session</span><span class="p">.</span><span class="nx">codeChallenge</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="nf">createError</span><span class="p">({</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid code_verifier</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h2> Step 6: Client-Side (Browser) </h2> <p>The Angular/Analog web app attaches Firebase ID tokens to outbound API requests via an HTTP interceptor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// auth.interceptor.ts</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">authInterceptor</span><span class="p">:</span> <span class="nx">HttpInterceptorFn</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="nf">inject</span><span class="p">(</span><span class="nx">Auth</span><span class="p">);</span> <span class="k">return</span> <span class="k">from</span><span class="p">(</span><span class="nx">auth</span><span class="p">.</span><span class="nx">currentUser</span><span class="p">?.</span><span class="nf">getIdToken</span><span class="p">()</span> <span class="o">??</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="kc">null</span><span class="p">)).</span><span class="nf">pipe</span><span class="p">(</span> <span class="nf">switchMap</span><span class="p">((</span><span class="nx">token</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="k">return</span> <span class="nf">next</span><span class="p">(</span><span class="nx">req</span><span class="p">);</span> <span class="k">return</span> <span class="nf">next</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nf">clone</span><span class="p">({</span> <span class="na">setHeaders</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span> <span class="p">},</span> <span class="p">}));</span> <span class="p">}),</span> <span class="p">);</span> <span class="p">};</span> </code></pre> </div> <p><code>getIdToken()</code> auto-refreshes the token when it's close to expiry, so you never send a stale JWT.</p> <h2> Step 7: Firestore Security Rules </h2> <p>The MCP server uses the <strong>Admin SDK</strong>, which bypasses all Firestore security rules. The <code>get_user_id()</code> context is your authorization layer. But rules provide defense-in-depth for direct client SDK access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="n">rules_version</span> <span class="o">=</span> <span class="s1">'2'</span><span class="p">;</span> <span class="n">service</span> <span class="n">cloud</span><span class="p">.</span><span class="n">firestore</span> <span class="p">{</span> <span class="k">match</span> <span class="o">/</span><span class="n">databases</span><span class="o">/</span><span class="p">{</span><span class="k">database</span><span class="p">}</span><span class="o">/</span><span class="n">documents</span> <span class="p">{</span> <span class="k">match</span> <span class="o">/</span><span class="n">users</span><span class="o">/</span><span class="p">{</span><span class="n">userId</span><span class="p">}</span><span class="o">/</span><span class="p">{</span><span class="n">document</span><span class="o">=**</span><span class="p">}</span> <span class="p">{</span> <span class="n">allow</span> <span class="k">read</span><span class="p">,</span> <span class="k">write</span><span class="p">:</span> <span class="n">if</span> <span class="n">request</span><span class="p">.</span><span class="n">auth</span> <span class="o">!=</span> <span class="k">null</span> <span class="o">&amp;&amp;</span> <span class="n">request</span><span class="p">.</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span> <span class="o">==</span> <span class="n">userId</span><span class="p">;</span> <span class="p">}</span> <span class="k">match</span> <span class="o">/</span><span class="n">oauthTokens</span><span class="o">/</span><span class="p">{</span><span class="n">tokenId</span><span class="p">}</span> <span class="p">{</span> <span class="n">allow</span> <span class="k">read</span><span class="p">,</span> <span class="k">write</span><span class="p">:</span> <span class="n">if</span> <span class="k">false</span><span class="p">;</span> <span class="o">//</span> <span class="n">Server</span><span class="o">-</span><span class="k">only</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>OAuth token documents are locked to server-only access. Users can never read or write them directly.</p> <h2> Step 8: OAuth Discovery Endpoint </h2> <p>Well-behaved OAuth clients (including Claude.ai) auto-discover server capabilities. Expose the RFC 9728 metadata endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/.well-known/oauth-protected-resource</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">oauth_protected_resource</span><span class="p">():</span> <span class="k">return</span> <span class="nc">JSONResponse</span><span class="p">({</span> <span class="sh">"</span><span class="s">resource</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">https://your-mcp-server.run.app</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">authorization_servers</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">https://your-web-app.com</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">bearer_methods_supported</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">header</span><span class="sh">"</span><span class="p">],</span> <span class="p">})</span> </code></pre> </div> <p>This tells clients where to find the authorization server and how to present tokens. It's a public endpoint (no auth required) — make sure it's in <code>_PUBLIC_PATHS</code>.</p> <h2> Step 9: Local Testing </h2> <p>Don't rely on a real Firebase project for unit tests. Seed a test token directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># test_auth.py </span><span class="kn">import</span> <span class="n">hashlib</span> <span class="kn">from</span> <span class="n">firebase_admin</span> <span class="kn">import</span> <span class="n">firestore</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timezone</span><span class="p">,</span> <span class="n">timedelta</span> <span class="n">TEST_TOKEN</span> <span class="o">=</span> <span class="sh">"</span><span class="s">ctpo_localtest_</span><span class="sh">"</span> <span class="o">+</span> <span class="sh">"</span><span class="s">a</span><span class="sh">"</span> <span class="o">*</span> <span class="mi">48</span> <span class="n">TEST_TOKEN_HASH</span> <span class="o">=</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">sha256</span><span class="p">(</span><span class="n">TEST_TOKEN</span><span class="p">.</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">hexdigest</span><span class="p">()</span> <span class="k">def</span> <span class="nf">seed_test_token</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">db</span><span class="p">.</span><span class="nf">collection</span><span class="p">(</span><span class="sh">"</span><span class="s">oauthTokens</span><span class="sh">"</span><span class="p">).</span><span class="nf">document</span><span class="p">(</span><span class="n">TEST_TOKEN_HASH</span><span class="p">).</span><span class="nf">set</span><span class="p">({</span> <span class="sh">"</span><span class="s">userId</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">clientId</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">test-client</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">expiresAt</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">)</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">hours</span><span class="o">=</span><span class="mi">1</span><span class="p">),</span> <span class="p">})</span> <span class="k">def</span> <span class="nf">cleanup</span><span class="p">(</span><span class="n">db</span><span class="p">):</span> <span class="n">db</span><span class="p">.</span><span class="nf">collection</span><span class="p">(</span><span class="sh">"</span><span class="s">oauthTokens</span><span class="sh">"</span><span class="p">).</span><span class="nf">document</span><span class="p">(</span><span class="n">TEST_TOKEN_HASH</span><span class="p">).</span><span class="nf">delete</span><span class="p">()</span> </code></pre> </div> <p>Then test the three critical paths: no token → 401, invalid token → 401, valid token → 200.</p> <h2> Security Properties </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Property</th> <th>How it's achieved</th> </tr> </thead> <tbody> <tr> <td>Token confidentiality</td> <td>Only SHA-256 hashes stored; raw tokens never persist</td> </tr> <tr> <td>Revocation</td> <td>Delete Firestore doc; effective immediately</td> </tr> <tr> <td>Expiry</td> <td>Enforced server-side on every request</td> </tr> <tr> <td>Multi-user isolation</td> <td> <code>ContextVar</code> scopes every Firestore query to <code>userId</code> </td> </tr> <tr> <td>No key management in prod</td> <td>Cloud Run Workload Identity + ADC</td> </tr> <tr> <td>Code injection protection</td> <td>PKCE on OAuth code exchange</td> </tr> <tr> <td>Defense in depth</td> <td>Firestore rules lock down client SDK access</td> </tr> </tbody> </table></div> <h2> Summary </h2> <p>Securing an MCP server with Firebase Auth comes down to four things:</p> <ol> <li> <strong>Middleware</strong> that validates tokens before any tool runs</li> <li> <strong>ContextVar</strong> to propagate user identity without polluting tool signatures</li> <li> <strong>Hash-only storage</strong> for custom OAuth tokens</li> <li> <strong>Workload Identity</strong> to eliminate service account key management in production</li> </ol> <p>The dual-token design (Firebase ID tokens for direct use, custom OAuth tokens for third-party clients) keeps the server flexible while maintaining a single, auditable auth path. Every request either has a valid, unexpired token mapping to a real user, or it gets a 401.</p> firebase mcp python oauth Dale Nguyen Sat, 25 Apr 2026 03:43:44 +0000 https://dev.to/dalenguyen/building-mcp-apps-with-angular-3849 https://dev.to/dalenguyen/building-mcp-apps-with-angular-3849 <p>If you've been building MCP servers, you know the drill: your tool returns JSON, the host renders it as text, and the user squints at a timestamp string. <a href="https://github.com/modelcontextprotocol/ext-apps" rel="noopener noreferrer">MCP Apps</a> change that — they let your server ship an interactive UI that the host renders in an iframe, right inside the conversation.</p> <p>MCP Apps are built on the <strong>Model Context Protocol</strong> — an open standard. They're not tied to Claude or any specific AI provider. Any host that implements the MCP Apps specification (Claude Desktop, custom chat clients, or other AI assistants that adopt MCP) can render your UI. You build it once, and it works everywhere MCP is supported.</p> <p>This post walks through building MCP Apps with Angular. We'll start with a single tool, add a second tool with its own UI, and then show how to share code between them without bloating either bundle.</p> <h2> How MCP Apps Work (Quick Recap) </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>View (Angular App) &lt;--PostMessageTransport--&gt; Host (AppBridge) &lt;--MCP Client--&gt; MCP Server </code></pre> </div> <ul> <li> <strong>Server</strong> registers tools and resources. Each tool can point to a resource URI containing the UI.</li> <li> <strong>Host</strong> (the chat client) fetches that resource and renders it in a sandboxed iframe.</li> <li> <strong>View</strong> is your Angular app running inside that iframe. It uses the <code>App</code> class from <code>@modelcontextprotocol/ext-apps</code> to communicate with the host.</li> </ul> <p>The key insight: your UI is bundled into a <strong>single self-contained HTML file</strong> using Vite and <code>vite-plugin-singlefile</code>. The host doesn't need to know it's Angular — it just loads HTML.</p> <h2> Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>basic-server-angular/ ├── mcp-app.html # HTML entry point for UI #1 ├── greeting-app.html # HTML entry point for UI #2 ├── src/ │ ├── main.ts # Angular bootstrap for UI #1 │ ├── app.component.ts # Get Time component │ ├── greeting-main.ts # Angular bootstrap for UI #2 │ ├── greeting.component.ts # Greeting component │ ├── shared/ │ │ └── mcp-app-setup.ts # Shared App + theming setup │ └── global.css # Host-aware CSS variables ├── server.ts # MCP server (registers tools + resources) ├── main.ts # Server entry point (HTTP + stdio) └── vite.config.ts # Builds each HTML into a single file </code></pre> </div> <h2> Step 1: The Server </h2> <p>Every MCP App starts on the server side. You register a <strong>tool</strong> (what the LLM calls) and a <strong>resource</strong> (the HTML that gets rendered). They're linked by a resource URI.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// server.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">McpServer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/sdk/server/mcp.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">CallToolResult</span><span class="p">,</span> <span class="nx">ReadResourceResult</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/sdk/types.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">node:fs/promises</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">path</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">node:path</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">registerAppTool</span><span class="p">,</span> <span class="nx">registerAppResource</span><span class="p">,</span> <span class="nx">RESOURCE_MIME_TYPE</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/ext-apps/server</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">DIST_DIR</span> <span class="o">=</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">filename</span><span class="p">.</span><span class="nf">endsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">.ts</span><span class="dl">"</span><span class="p">)</span> <span class="p">?</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">dirname</span><span class="p">,</span> <span class="dl">"</span><span class="s2">dist</span><span class="dl">"</span><span class="p">)</span> <span class="p">:</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">dirname</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">createServer</span><span class="p">():</span> <span class="nx">McpServer</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">McpServer</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Basic MCP App Server (Angular)</span><span class="dl">"</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1.0.0</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">resourceUri</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">ui://get-time/mcp-app.html</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Register the tool — this is what the LLM calls</span> <span class="nf">registerAppTool</span><span class="p">(</span><span class="nx">server</span><span class="p">,</span> <span class="dl">"</span><span class="s2">get-time</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Get Time</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Returns the current server time as an ISO 8601 string.</span><span class="dl">"</span><span class="p">,</span> <span class="na">inputSchema</span><span class="p">:</span> <span class="p">{},</span> <span class="na">_meta</span><span class="p">:</span> <span class="p">{</span> <span class="na">ui</span><span class="p">:</span> <span class="p">{</span> <span class="nx">resourceUri</span> <span class="p">}</span> <span class="p">},</span> <span class="c1">// Links this tool to its UI</span> <span class="p">},</span> <span class="k">async </span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">CallToolResult</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">time</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">();</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">time</span> <span class="p">}]</span> <span class="p">};</span> <span class="p">});</span> <span class="c1">// Register the resource — the bundled HTML for this tool's UI</span> <span class="nf">registerAppResource</span><span class="p">(</span><span class="nx">server</span><span class="p">,</span> <span class="nx">resourceUri</span><span class="p">,</span> <span class="nx">resourceUri</span><span class="p">,</span> <span class="p">{</span> <span class="na">mimeType</span><span class="p">:</span> <span class="nx">RESOURCE_MIME_TYPE</span><span class="p">,</span> <span class="p">},</span> <span class="k">async </span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">ReadResourceResult</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">html</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFile</span><span class="p">(</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">DIST_DIR</span><span class="p">,</span> <span class="dl">"</span><span class="s2">mcp-app.html</span><span class="dl">"</span><span class="p">),</span> <span class="dl">"</span><span class="s2">utf-8</span><span class="dl">"</span><span class="p">,</span> <span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">contents</span><span class="p">:</span> <span class="p">[{</span> <span class="na">uri</span><span class="p">:</span> <span class="nx">resourceUri</span><span class="p">,</span> <span class="na">mimeType</span><span class="p">:</span> <span class="nx">RESOURCE_MIME_TYPE</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">html</span> <span class="p">}],</span> <span class="p">};</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">server</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The <code>_meta.ui.resourceUri</code> is the glue. When the host calls this tool, it reads that field to know which resource to fetch and render.</p> <h2> Step 2: The HTML Entry Point </h2> <p>Each UI needs an HTML file at the project root. This is the Vite entry point that gets bundled into a single self-contained file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- mcp-app.html --&gt;</span> <span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;meta</span> <span class="na">name=</span><span class="s">"viewport"</span> <span class="na">content=</span><span class="s">"width=device-width, initial-scale=1.0"</span><span class="nt">&gt;</span> <span class="nt">&lt;meta</span> <span class="na">name=</span><span class="s">"color-scheme"</span> <span class="na">content=</span><span class="s">"light dark"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;</span>Get Time App<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="na">href=</span><span class="s">"/src/global.css"</span><span class="nt">&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;app-root&gt;&lt;/app-root&gt;</span> <span class="nt">&lt;script </span><span class="na">type=</span><span class="s">"module"</span> <span class="na">src=</span><span class="s">"/src/main.ts"</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h2> Step 3: The Angular App </h2> <p>The bootstrap is minimal — Angular 19+ with zoneless change detection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/main.ts</span> <span class="k">import</span> <span class="dl">"</span><span class="s2">@angular/compiler</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">bootstrapApplication</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@angular/platform-browser</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">provideZonelessChangeDetection</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@angular/core</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AppComponent</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./app.component</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="dl">"</span><span class="s2">./global.css</span><span class="dl">"</span><span class="p">;</span> <span class="nf">bootstrapApplication</span><span class="p">(</span><span class="nx">AppComponent</span><span class="p">,</span> <span class="p">{</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span><span class="nf">provideZonelessChangeDetection</span><span class="p">()],</span> <span class="p">}).</span><span class="k">catch</span><span class="p">((</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">err</span><span class="p">));</span> </code></pre> </div> <p>Now the component itself. The <code>App</code> class from <code>@modelcontextprotocol/ext-apps</code> is the bridge between your Angular code and the host:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/app.component.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Component</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">OnInit</span><span class="p">,</span> <span class="nx">signal</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@angular/core</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">App</span><span class="p">,</span> <span class="nx">applyDocumentTheme</span><span class="p">,</span> <span class="nx">applyHostStyleVariables</span><span class="p">,</span> <span class="nx">applyHostFonts</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">McpUiHostContext</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/ext-apps</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">CallToolResult</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/sdk/types.js</span><span class="dl">"</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">extractText</span><span class="p">(</span><span class="nx">result</span><span class="p">:</span> <span class="nx">CallToolResult</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">content</span><span class="p">?.</span><span class="nf">find</span><span class="p">((</span><span class="nx">c</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">c</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">)</span><span class="o">!</span><span class="p">.</span><span class="nx">text</span><span class="p">;</span> <span class="p">}</span> <span class="p">@</span><span class="nd">Component</span><span class="p">({</span> <span class="na">selector</span><span class="p">:</span> <span class="dl">"</span><span class="s2">app-root</span><span class="dl">"</span><span class="p">,</span> <span class="na">template</span><span class="p">:</span> <span class="s2">` &lt;main [style.padding-top.px]="hostContext()?.safeAreaInsets?.top" [style.padding-right.px]="hostContext()?.safeAreaInsets?.right" [style.padding-bottom.px]="hostContext()?.safeAreaInsets?.bottom" [style.padding-left.px]="hostContext()?.safeAreaInsets?.left" &gt; &lt;p&gt;&lt;strong&gt;Server Time:&lt;/strong&gt; &lt;code&gt;{{ serverTime() }}&lt;/code&gt;&lt;/p&gt; &lt;button (click)="handleGetTime()"&gt;Get Server Time&lt;/button&gt; &lt;/main&gt; `</span><span class="p">,</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AppComponent</span> <span class="k">implements</span> <span class="nx">OnInit</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">app</span><span class="p">:</span> <span class="nx">App</span> <span class="o">|</span> <span class="kc">null</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="nx">hostContext</span> <span class="o">=</span> <span class="nx">signal</span><span class="o">&lt;</span><span class="nx">McpUiHostContext</span> <span class="o">|</span> <span class="kc">undefined</span><span class="o">&gt;</span><span class="p">(</span><span class="kc">undefined</span><span class="p">);</span> <span class="nx">serverTime</span> <span class="o">=</span> <span class="nf">signal</span><span class="p">(</span><span class="dl">"</span><span class="s2">Loading...</span><span class="dl">"</span><span class="p">);</span> <span class="k">async</span> <span class="nf">ngOnInit</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">instance</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Get Time App</span><span class="dl">"</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1.0.0</span><span class="dl">"</span> <span class="p">});</span> <span class="nx">instance</span><span class="p">.</span><span class="nx">ontoolresult</span> <span class="o">=</span> <span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">serverTime</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nf">extractText</span><span class="p">(</span><span class="nx">result</span><span class="p">));</span> <span class="p">};</span> <span class="nx">instance</span><span class="p">.</span><span class="nx">onhostcontextchanged</span> <span class="o">=</span> <span class="p">(</span><span class="nx">params</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ctx</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="k">this</span><span class="p">.</span><span class="nf">hostContext</span><span class="p">(),</span> <span class="p">...</span><span class="nx">params</span> <span class="p">};</span> <span class="k">this</span><span class="p">.</span><span class="nx">hostContext</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">ctx</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">theme</span><span class="p">)</span> <span class="nf">applyDocumentTheme</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">theme</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">styles</span><span class="p">?.</span><span class="nx">variables</span><span class="p">)</span> <span class="nf">applyHostStyleVariables</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">styles</span><span class="p">.</span><span class="nx">variables</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">styles</span><span class="p">?.</span><span class="nx">css</span><span class="p">?.</span><span class="nx">fonts</span><span class="p">)</span> <span class="nf">applyHostFonts</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">styles</span><span class="p">.</span><span class="nx">css</span><span class="p">.</span><span class="nx">fonts</span><span class="p">);</span> <span class="p">};</span> <span class="k">await</span> <span class="nx">instance</span><span class="p">.</span><span class="nf">connect</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nx">app</span> <span class="o">=</span> <span class="nx">instance</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ctx</span> <span class="o">=</span> <span class="nx">instance</span><span class="p">.</span><span class="nf">getHostContext</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nx">hostContext</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">ctx</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">ctx</span><span class="p">?.</span><span class="nx">theme</span><span class="p">)</span> <span class="nf">applyDocumentTheme</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">theme</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">ctx</span><span class="p">?.</span><span class="nx">styles</span><span class="p">?.</span><span class="nx">variables</span><span class="p">)</span> <span class="nf">applyHostStyleVariables</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">styles</span><span class="p">.</span><span class="nx">variables</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">ctx</span><span class="p">?.</span><span class="nx">styles</span><span class="p">?.</span><span class="nx">css</span><span class="p">?.</span><span class="nx">fonts</span><span class="p">)</span> <span class="nf">applyHostFonts</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">styles</span><span class="p">.</span><span class="nx">css</span><span class="p">.</span><span class="nx">fonts</span><span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">handleGetTime</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="k">this</span><span class="p">.</span><span class="nx">app</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nf">callServerTool</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">get-time</span><span class="dl">"</span><span class="p">,</span> <span class="na">arguments</span><span class="p">:</span> <span class="p">{},</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nx">serverTime</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nf">extractText</span><span class="p">(</span><span class="nx">result</span><span class="p">));</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">serverTime</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">[ERROR]</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>A few things to note:</p> <ul> <li> <strong><code>App</code> class</strong> — this is the SDK's main entry point. You create one, wire up callbacks, and call <code>connect()</code>. That's it.</li> <li> <strong><code>ontoolresult</code></strong> — fires when the host sends a tool result. This is how data flows from the server to your UI.</li> <li> <strong><code>callServerTool()</code></strong> — lets the UI call tools on the server. The host proxies this through the MCP client.</li> <li> <strong><code>onhostcontextchanged</code></strong> — the host pushes theme and style updates. The helper functions (<code>applyDocumentTheme</code>, etc.) apply them as CSS variables on <code>document</code>, so your component styles just work.</li> <li> <strong><code>safeAreaInsets</code></strong> — the host tells you how much padding to leave for its chrome. Use it on your root container.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fomue11jkh4i33mvankds.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fomue11jkh4i33mvankds.png" alt="Get Time MCP App running inside Claude Desktop" width="800" height="703"></a></p> <h2> Step 4: Adding a Second UI </h2> <p>Here's where it gets interesting. Say you want a "Greet" tool with its own UI. Each tool gets its own HTML entry point, its own Angular app, and its own resource registration.</p> <h3> Server: Register Both Tools </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// server.ts — inside createServer()</span> <span class="c1">// Tool #1: Get Time</span> <span class="kd">const</span> <span class="nx">timeResourceUri</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">ui://get-time/mcp-app.html</span><span class="dl">"</span><span class="p">;</span> <span class="nf">registerAppTool</span><span class="p">(</span><span class="nx">server</span><span class="p">,</span> <span class="dl">"</span><span class="s2">get-time</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Get Time</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Returns the current server time.</span><span class="dl">"</span><span class="p">,</span> <span class="na">inputSchema</span><span class="p">:</span> <span class="p">{},</span> <span class="na">_meta</span><span class="p">:</span> <span class="p">{</span> <span class="na">ui</span><span class="p">:</span> <span class="p">{</span> <span class="na">resourceUri</span><span class="p">:</span> <span class="nx">timeResourceUri</span> <span class="p">}</span> <span class="p">},</span> <span class="p">},</span> <span class="k">async </span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">CallToolResult</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">}]</span> <span class="p">};</span> <span class="p">});</span> <span class="nf">registerAppResource</span><span class="p">(</span><span class="nx">server</span><span class="p">,</span> <span class="nx">timeResourceUri</span><span class="p">,</span> <span class="nx">timeResourceUri</span><span class="p">,</span> <span class="p">{</span> <span class="na">mimeType</span><span class="p">:</span> <span class="nx">RESOURCE_MIME_TYPE</span><span class="p">,</span> <span class="p">},</span> <span class="k">async </span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">ReadResourceResult</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">html</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFile</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">DIST_DIR</span><span class="p">,</span> <span class="dl">"</span><span class="s2">mcp-app.html</span><span class="dl">"</span><span class="p">),</span> <span class="dl">"</span><span class="s2">utf-8</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">contents</span><span class="p">:</span> <span class="p">[{</span> <span class="na">uri</span><span class="p">:</span> <span class="nx">timeResourceUri</span><span class="p">,</span> <span class="na">mimeType</span><span class="p">:</span> <span class="nx">RESOURCE_MIME_TYPE</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">html</span> <span class="p">}]</span> <span class="p">};</span> <span class="p">});</span> <span class="c1">// Tool #2: Greet</span> <span class="kd">const</span> <span class="nx">greetResourceUri</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">ui://greet/greeting-app.html</span><span class="dl">"</span><span class="p">;</span> <span class="nf">registerAppTool</span><span class="p">(</span><span class="nx">server</span><span class="p">,</span> <span class="dl">"</span><span class="s2">greet</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Greet</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Returns a personalised greeting.</span><span class="dl">"</span><span class="p">,</span> <span class="na">inputSchema</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">optional</span><span class="p">().</span><span class="k">default</span><span class="p">(</span><span class="dl">"</span><span class="s2">World</span><span class="dl">"</span><span class="p">).</span><span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">Name to greet</span><span class="dl">"</span><span class="p">),</span> <span class="p">},</span> <span class="na">_meta</span><span class="p">:</span> <span class="p">{</span> <span class="na">ui</span><span class="p">:</span> <span class="p">{</span> <span class="na">resourceUri</span><span class="p">:</span> <span class="nx">greetResourceUri</span> <span class="p">}</span> <span class="p">},</span> <span class="p">},</span> <span class="k">async </span><span class="p">({</span> <span class="nx">name</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">name</span><span class="p">?:</span> <span class="kr">string</span> <span class="p">}):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">CallToolResult</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">greeting</span> <span class="o">=</span> <span class="s2">`Hello, </span><span class="p">${</span><span class="nx">name</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">World</span><span class="dl">"</span><span class="p">}</span><span class="s2">! Welcome to the MCP Apps SDK.`</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">greeting</span> <span class="p">}]</span> <span class="p">};</span> <span class="p">});</span> <span class="nf">registerAppResource</span><span class="p">(</span><span class="nx">server</span><span class="p">,</span> <span class="nx">greetResourceUri</span><span class="p">,</span> <span class="nx">greetResourceUri</span><span class="p">,</span> <span class="p">{</span> <span class="na">mimeType</span><span class="p">:</span> <span class="nx">RESOURCE_MIME_TYPE</span><span class="p">,</span> <span class="p">},</span> <span class="k">async </span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">ReadResourceResult</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">html</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFile</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">DIST_DIR</span><span class="p">,</span> <span class="dl">"</span><span class="s2">greeting-app.html</span><span class="dl">"</span><span class="p">),</span> <span class="dl">"</span><span class="s2">utf-8</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">contents</span><span class="p">:</span> <span class="p">[{</span> <span class="na">uri</span><span class="p">:</span> <span class="nx">greetResourceUri</span><span class="p">,</span> <span class="na">mimeType</span><span class="p">:</span> <span class="nx">RESOURCE_MIME_TYPE</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">html</span> <span class="p">}]</span> <span class="p">};</span> <span class="p">});</span> </code></pre> </div> <h3> Greeting Component </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/greeting.component.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Component</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">OnInit</span><span class="p">,</span> <span class="nx">signal</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@angular/core</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">FormsModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@angular/forms</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">App</span><span class="p">,</span> <span class="nx">applyDocumentTheme</span><span class="p">,</span> <span class="nx">applyHostStyleVariables</span><span class="p">,</span> <span class="nx">applyHostFonts</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">McpUiHostContext</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/ext-apps</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">CallToolResult</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/sdk/types.js</span><span class="dl">"</span><span class="p">;</span> <span class="p">@</span><span class="nd">Component</span><span class="p">({</span> <span class="na">selector</span><span class="p">:</span> <span class="dl">"</span><span class="s2">greeting-root</span><span class="dl">"</span><span class="p">,</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span><span class="nx">FormsModule</span><span class="p">],</span> <span class="na">template</span><span class="p">:</span> <span class="s2">` &lt;main [style.padding-top.px]="hostContext()?.safeAreaInsets?.top" [style.padding-right.px]="hostContext()?.safeAreaInsets?.right" [style.padding-bottom.px]="hostContext()?.safeAreaInsets?.bottom" [style.padding-left.px]="hostContext()?.safeAreaInsets?.left" &gt; &lt;div&gt; &lt;label&gt;&lt;strong&gt;Your name:&lt;/strong&gt;&lt;/label&gt; &lt;input type="text" [(ngModel)]="nameText" placeholder="Enter your name"&gt; &lt;button (click)="handleGreet()"&gt;Get Greeting&lt;/button&gt; &lt;/div&gt; @if (greeting()) { &lt;div class="greeting-display"&gt;{{ greeting() }}&lt;/div&gt; } &lt;/main&gt; `</span><span class="p">,</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">GreetingComponent</span> <span class="k">implements</span> <span class="nx">OnInit</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">app</span><span class="p">:</span> <span class="nx">App</span> <span class="o">|</span> <span class="kc">null</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="nx">hostContext</span> <span class="o">=</span> <span class="nx">signal</span><span class="o">&lt;</span><span class="nx">McpUiHostContext</span> <span class="o">|</span> <span class="kc">undefined</span><span class="o">&gt;</span><span class="p">(</span><span class="kc">undefined</span><span class="p">);</span> <span class="nx">greeting</span> <span class="o">=</span> <span class="nf">signal</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="nx">nameText</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="k">async</span> <span class="nf">ngOnInit</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">instance</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Greeting App</span><span class="dl">"</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1.0.0</span><span class="dl">"</span> <span class="p">});</span> <span class="nx">instance</span><span class="p">.</span><span class="nx">ontoolresult</span> <span class="o">=</span> <span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">greeting</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">content</span><span class="p">?.</span><span class="nf">find</span><span class="p">((</span><span class="nx">c</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">c</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">)</span><span class="o">!</span><span class="p">.</span><span class="nx">text</span><span class="p">);</span> <span class="p">};</span> <span class="nx">instance</span><span class="p">.</span><span class="nx">onhostcontextchanged</span> <span class="o">=</span> <span class="p">(</span><span class="nx">params</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ctx</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="k">this</span><span class="p">.</span><span class="nf">hostContext</span><span class="p">(),</span> <span class="p">...</span><span class="nx">params</span> <span class="p">};</span> <span class="k">this</span><span class="p">.</span><span class="nx">hostContext</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">ctx</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">theme</span><span class="p">)</span> <span class="nf">applyDocumentTheme</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">theme</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">styles</span><span class="p">?.</span><span class="nx">variables</span><span class="p">)</span> <span class="nf">applyHostStyleVariables</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">styles</span><span class="p">.</span><span class="nx">variables</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">styles</span><span class="p">?.</span><span class="nx">css</span><span class="p">?.</span><span class="nx">fonts</span><span class="p">)</span> <span class="nf">applyHostFonts</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">styles</span><span class="p">.</span><span class="nx">css</span><span class="p">.</span><span class="nx">fonts</span><span class="p">);</span> <span class="p">};</span> <span class="k">await</span> <span class="nx">instance</span><span class="p">.</span><span class="nf">connect</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nx">app</span> <span class="o">=</span> <span class="nx">instance</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ctx</span> <span class="o">=</span> <span class="nx">instance</span><span class="p">.</span><span class="nf">getHostContext</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nx">hostContext</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">ctx</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">ctx</span><span class="p">?.</span><span class="nx">theme</span><span class="p">)</span> <span class="nf">applyDocumentTheme</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">theme</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">ctx</span><span class="p">?.</span><span class="nx">styles</span><span class="p">?.</span><span class="nx">variables</span><span class="p">)</span> <span class="nf">applyHostStyleVariables</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">styles</span><span class="p">.</span><span class="nx">variables</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">ctx</span><span class="p">?.</span><span class="nx">styles</span><span class="p">?.</span><span class="nx">css</span><span class="p">?.</span><span class="nx">fonts</span><span class="p">)</span> <span class="nf">applyHostFonts</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">styles</span><span class="p">.</span><span class="nx">css</span><span class="p">.</span><span class="nx">fonts</span><span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">handleGreet</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="k">this</span><span class="p">.</span><span class="nx">app</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">name</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">nameText</span><span class="p">.</span><span class="nf">trim</span><span class="p">()</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">World</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nf">callServerTool</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">greet</span><span class="dl">"</span><span class="p">,</span> <span class="na">arguments</span><span class="p">:</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">}</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nx">greeting</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">content</span><span class="p">?.</span><span class="nf">find</span><span class="p">((</span><span class="nx">c</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">c</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">)</span><span class="o">!</span><span class="p">.</span><span class="nx">text</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">greeting</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">[ERROR]</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0zy41cpsen4zza2pyvoc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0zy41cpsen4zza2pyvoc.png" alt="Greeting MCP App running inside Claude Desktop" width="800" height="687"></a></p> <h2> Step 5: Sharing Code Between UIs </h2> <p>You probably noticed that both components have identical <code>App</code> setup and theming boilerplate. That's a great candidate for extraction — and since each HTML is a separate Vite entry point, <strong>Vite's tree-shaking ensures each bundle only includes what it actually imports</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/shared/mcp-app-setup.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">App</span><span class="p">,</span> <span class="nx">applyDocumentTheme</span><span class="p">,</span> <span class="nx">applyHostStyleVariables</span><span class="p">,</span> <span class="nx">applyHostFonts</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">McpUiHostContext</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/ext-apps</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">WritableSignal</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@angular/core</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">CallToolResult</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/sdk/types.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">extractText</span><span class="p">(</span><span class="nx">result</span><span class="p">:</span> <span class="nx">CallToolResult</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">content</span><span class="p">?.</span><span class="nf">find</span><span class="p">((</span><span class="nx">c</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">c</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">)</span><span class="o">!</span><span class="p">.</span><span class="nx">text</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">applyContext</span><span class="p">(</span><span class="nx">ctx</span><span class="p">:</span> <span class="nx">McpUiHostContext</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">theme</span><span class="p">)</span> <span class="nf">applyDocumentTheme</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">theme</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">styles</span><span class="p">?.</span><span class="nx">variables</span><span class="p">)</span> <span class="nf">applyHostStyleVariables</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">styles</span><span class="p">.</span><span class="nx">variables</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">styles</span><span class="p">?.</span><span class="nx">css</span><span class="p">?.</span><span class="nx">fonts</span><span class="p">)</span> <span class="nf">applyHostFonts</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">styles</span><span class="p">.</span><span class="nx">css</span><span class="p">.</span><span class="nx">fonts</span><span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">createMcpApp</span><span class="p">(</span> <span class="nx">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">hostContext</span><span class="p">:</span> <span class="nx">WritableSignal</span><span class="o">&lt;</span><span class="nx">McpUiHostContext</span> <span class="o">|</span> <span class="kc">undefined</span><span class="o">&gt;</span><span class="p">,</span> <span class="nx">onToolResult</span><span class="p">?:</span> <span class="p">(</span><span class="nx">result</span><span class="p">:</span> <span class="nx">CallToolResult</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="k">void</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">App</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="p">({</span> <span class="nx">name</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1.0.0</span><span class="dl">"</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">onToolResult</span><span class="p">)</span> <span class="nx">app</span><span class="p">.</span><span class="nx">ontoolresult</span> <span class="o">=</span> <span class="nx">onToolResult</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nx">onhostcontextchanged</span> <span class="o">=</span> <span class="p">(</span><span class="nx">params</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ctx</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nf">hostContext</span><span class="p">(),</span> <span class="p">...</span><span class="nx">params</span> <span class="p">}</span> <span class="k">as</span> <span class="nx">McpUiHostContext</span><span class="p">;</span> <span class="nx">hostContext</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">ctx</span><span class="p">);</span> <span class="nf">applyContext</span><span class="p">(</span><span class="nx">ctx</span><span class="p">);</span> <span class="p">};</span> <span class="k">await</span> <span class="nx">app</span><span class="p">.</span><span class="nf">connect</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">ctx</span> <span class="o">=</span> <span class="nx">app</span><span class="p">.</span><span class="nf">getHostContext</span><span class="p">();</span> <span class="nx">hostContext</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">ctx</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">ctx</span><span class="p">)</span> <span class="nf">applyContext</span><span class="p">(</span><span class="nx">ctx</span><span class="p">);</span> <span class="k">return</span> <span class="nx">app</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Both components import <code>createMcpApp</code> and <code>extractText</code> from the shared module. Since they're in separate Vite builds, tree-shaking still applies — each bundle only pulls in what it calls.</p> <h2> Step 6: The Build </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// vite.config.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">defineConfig</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">vite</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">viteSingleFile</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">vite-plugin-singlefile</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">INPUT</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">INPUT</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">INPUT</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">INPUT environment variable is not set</span><span class="dl">"</span><span class="p">);</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineConfig</span><span class="p">({</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">[</span><span class="nf">viteSingleFile</span><span class="p">()],</span> <span class="na">build</span><span class="p">:</span> <span class="p">{</span> <span class="na">rollupOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">input</span><span class="p">:</span> <span class="nx">INPUT</span> <span class="p">},</span> <span class="na">outDir</span><span class="p">:</span> <span class="dl">"</span><span class="s2">dist</span><span class="dl">"</span><span class="p">,</span> <span class="na">emptyOutDir</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="c1">// Key: don't wipe previous builds</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tsc --noEmit &amp;&amp; cross-env INPUT=mcp-app.html vite build &amp;&amp; cross-env INPUT=greeting-app.html vite build &amp;&amp; tsc -p tsconfig.server.json &amp;&amp; bun build server.ts --outdir dist --target node"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Each HTML file produces a fully self-contained output (all JS, CSS, and Angular runtime inlined). The two bundles are completely independent.</p> <h2> Theming: Looking Native in Any Host </h2> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nd">:root</span> <span class="p">{</span> <span class="py">color-scheme</span><span class="p">:</span> <span class="n">light</span> <span class="n">dark</span><span class="p">;</span> <span class="py">--color-text-primary</span><span class="p">:</span> <span class="n">light-dark</span><span class="p">(</span><span class="m">#1f2937</span><span class="p">,</span> <span class="m">#f3f4f6</span><span class="p">);</span> <span class="py">--color-background-primary</span><span class="p">:</span> <span class="n">light-dark</span><span class="p">(</span><span class="m">#ffffff</span><span class="p">,</span> <span class="m">#1a1a1a</span><span class="p">);</span> <span class="py">--color-accent</span><span class="p">:</span> <span class="m">#2563eb</span><span class="p">;</span> <span class="py">--border-radius-md</span><span class="p">:</span> <span class="m">6px</span><span class="p">;</span> <span class="py">--spacing-unit</span><span class="p">:</span> <span class="n">var</span><span class="p">(</span><span class="n">--font-text-md-size</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>When the host sends style updates via <code>onhostcontextchanged</code>, the helper functions overwrite these variables on the document root. Your Angular component styles reference the variables (<code>var(--color-accent)</code>, <code>var(--spacing-md)</code>), so they adapt automatically — no theme prop drilling needed.</p> <h2> Recap </h2> <ol> <li> <strong>Server</strong>: register a tool + resource pair per UI, linked by a resource URI</li> <li> <strong>HTML</strong>: one entry point per UI, each bootstrapping its own Angular app</li> <li> <strong>Component</strong>: create an <code>App</code> instance, wire up callbacks, call <code>connect()</code> </li> <li> <strong>Shared code</strong>: extract common setup into a shared module — Vite tree-shakes per entry point</li> <li> <strong>Build</strong>: run Vite once per HTML file into the same <code>dist/</code> directory</li> <li> <strong>Theming</strong>: use host CSS variables with fallbacks, apply updates via <code>onhostcontextchanged</code> </li> </ol> <p>The full source is available in the <a href="https://github.com/dalenguyen/ext-apps/tree/main/examples/basic-server-angular" rel="noopener noreferrer">ext-apps examples</a>.</p> angular mcp typescript vite Dale Nguyen Fri, 12 Sep 2025 02:35:15 +0000 https://dev.to/dalenguyen/how-i-almost-got-pwned-a-tale-of-supply-chain-attacks-and-github-actions-gone-wrong-56oh https://dev.to/dalenguyen/how-i-almost-got-pwned-a-tale-of-supply-chain-attacks-and-github-actions-gone-wrong-56oh <p><em>Or: "That time someone tried to turn my innocent Node.js repo into a credential-harvesting machine"</em></p> <p>So there I was, minding my own business with my trusty old Node.js REST API project, when I noticed something weird in the <code>package-lock.json</code> file from one of a <a href="https://github.com/dalenguyen/rest-api-node-typescript/pull/22" rel="noopener noreferrer">PR</a> from a random contributor - and another contributor actually approved the PR right after that. What started as a routine dependency check turned into a rabbit hole that led me straight into the middle of a supply chain attack campaign that was actively targeting developers like us.</p> <p>Buckle up, because this is a story about how modern software development can go sideways fast, and why that "helpful" pull request might not be so helpful after all.</p> <h2> What Even Is a Supply Chain Attack? </h2> <p>It’s when hackers sneak bad stuff (malware, credential stealers, you name it) into your dependencies, build scripts, or CI/CD pipelines—any link where code, secrets, and environments touch. Think: “If I can poison upstream, why bother attacking thousands of repos individually?” Welcome to modern risk!</p> <p>It's insidious because these are the tools we trust implicitly. When <code>lodash</code> releases an update, we don't usually audit every line of code, right? We just <code>npm update</code> and move on with our lives.</p> <h2> The Smoking Gun: The Lockfile Had Been Tampered With </h2> <p>It all started when I was reviewing the <code>package-lock.json</code> from the pull request. I noticed something that made my developer spidey-senses tingle - together with the <a href="https://blog.gitguardian.com/ghostaction-campaign-3-325-secrets-stolen/" rel="noopener noreferrer">recent NPM hack news on Sep 2025</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">BEFORE</span><span class="w"> </span><span class="err">(Normal,</span><span class="w"> </span><span class="err">secure)</span><span class="w"> </span><span class="nl">"@types/body-parser"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.17.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requires"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@types/connect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"3.4.32"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@types/node"</span><span class="p">:</span><span class="w"> </span><span class="s2">"10.12.18"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">AFTER</span><span class="w"> </span><span class="err">(Sus</span><span class="w"> </span><span class="err">as</span><span class="w"> </span><span class="err">hell)</span><span class="w"> </span><span class="nl">"@types/body-parser"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.17.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@types/connect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@types/node"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Those little asterisks? Those are wildcards that basically tell npm "give me whatever version you feel like." It's like ordering food and telling the waiter "surprise me" – except the surprise might be malware.</p> <p>This change completely bypasses version pinning, which is one of our main defenses against supply chain attacks. With wildcards, if any of those packages gets compromised later, you'll automatically pull the malicious version on your next install.</p> <h2> Enter the "Helpful" Contributor </h2> <p>Then I found the smoking gun: a pull request from September 5, 2025, submitted by a user called <code>harshitcodez19</code>. The PR looked innocent enough – just adding some CI/CD with GitHub Actions. How thoughtful!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Build on PR</span> <span class="c1"># Heello this is a ymk file made up for cICD</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="c1"># ← Wait, my repo uses 'master'</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="c1"># ← This is wrong too...</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Use Node.js</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm install</span> <span class="c1"># ← Should be 'npm ci' for security</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Build</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run build</span> </code></pre> </div> <p>At first glance, this looks like a newbie trying to be helpful. The typos in the comment ("Heello", "ymk", "cICD") make it seem like someone who's just learning. The branch configuration is wrong, so it wouldn't even run.</p> <p>But here's the thing – this is <strong>exactly</strong> how the GhostAction campaign operates.</p> <h2> The GhostAction Campaign: When GitHub Actions Turn Evil </h2> <p>The timing of this PR wasn't coincidental. <strong>September 5, 2025</strong> was when security researchers first detected the <strong>GhostAction campaign</strong> – a sophisticated supply chain attack targeting GitHub repositories.</p> <p>Here's how GhostAction works:</p> <ol> <li> <strong>Reconnaissance</strong>: Attackers identify repositories with outdated dependencies</li> <li> <strong>Social Engineering</strong>: Submit "helpful" PRs adding CI/CD workflows</li> <li> <strong>Intentional Sabotage</strong>: Include obvious mistakes to avoid immediate execution</li> <li> <strong>Patience</strong>: Wait for maintainers to "fix" the obvious issues</li> <li> <strong>Exploitation</strong>: When the workflow runs, it harvests secrets and credentials</li> </ol> <p>The genius is in the plausible deniability. The PR looks like a well-meaning but inexperienced contributor. The "mistakes" make it seem harmless. But once those workflows run with the right permissions, game over.</p> <h3> The Attack Vector Breakdown </h3> <p>Let's dissect what would have happened if I'd merged this PR:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># The branch misconfiguration prevents immediate execution</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="c1"># My repo uses 'master', so this won't trigger</span> </code></pre> </div> <p>This gives the attacker time. If I had "fixed" the obvious branch issue and merged it, the workflow would then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm install</span> <span class="c1"># Pulls wildcarded dependencies</span> </code></pre> </div> <p>With those wildcards in my lockfile, <code>npm install</code> would fetch the latest versions of <code>@types/node</code> and <code>@types/connect</code>. If those packages had been compromised (which is exactly what the broader npm hack was doing), my CI environment would install malware with full access to:</p> <ul> <li>GitHub secrets</li> <li>AWS credentials</li> <li>Database connection strings</li> <li>API keys</li> <li>Deploy tokens</li> </ul> <p>Basically, everything you need to completely own my infrastructure.</p> <h2> The Broader Context: The Great NPM Hack of 2025 </h2> <p>This attack was part of a much larger campaign according to <a href="https://www.ox.security/blog/npm-packages-compromised/" rel="noopener noreferrer">OX Security's research</a>.</p> <p>The attackers were:</p> <ul> <li>Compromising legitimate package maintainer accounts</li> <li>Injecting malicious code into trusted packages</li> <li>Specifically targeting CI/CD environments</li> <li>Using GitHub Actions to exfiltrate credentials</li> </ul> <p>My old lockfile, with packages from 2018-2019, was the perfect target. Outdated dependencies are like old locks – they work until someone with the right tools shows up.</p> <h2> Red Flags I Should Have Caught Earlier </h2> <p>Looking back, there were several warning signs:</p> <h3> 1. The Contributor Profile </h3> <ul> <li> <code>harshitcodez19</code> had minimal contribution history</li> <li>Random username pattern typical of throwaway accounts</li> <li>No established relationship with my project</li> </ul> <h3> 2. The "Mistakes" Were Too Convenient </h3> <ul> <li>Wrong branch names that prevent immediate execution</li> <li>Typos that create plausible deniability</li> <li>Using <code>npm install</code> instead of the more secure <code>npm ci</code> </li> </ul> <h3> 3. The Timing </h3> <ul> <li>Submitted on September 5, 2025 (exact GhostAction detection date)</li> <li>My lockfile wildcards appeared around the same timeframe</li> <li>Coincided with broader npm supply chain compromises</li> </ul> <h2> What Could Have Gone Wrong </h2> <p>If this attack had succeeded, here's what the attacker could have done:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># In my compromised CI environment:</span> <span class="nb">echo</span> <span class="nv">$AWS_SECRET_ACCESS_KEY</span> <span class="c"># Exfiltrate cloud credentials</span> <span class="nb">echo</span> <span class="nv">$DATABASE_URL</span> <span class="c"># Steal database access</span> <span class="nb">echo</span> <span class="nv">$DEPLOY_TOKEN</span> <span class="c"># Compromise deployment pipeline</span> <span class="c"># Then pivot to:</span> <span class="c"># - Deploy backdoors to production</span> <span class="c"># - Access customer data</span> <span class="c"># - Crypto mining on my infrastructure</span> <span class="c"># - Lateral movement to other systems</span> </code></pre> </div> <p>The blast radius from a successful CI compromise is enormous because CI environments typically have elevated permissions to deploy, test, and integrate with other services.</p> <h2> Best Practices: How to Not Get Pwned </h2> <p>Here's what I learned and what you should do to protect yourself:</p> <h3> 1. Lockfile Hygiene </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Always use npm ci in production/CI</span> npm ci <span class="c"># Uses exact lockfile versions</span> <span class="c"># Never use npm install in CI</span> npm <span class="nb">install</span> <span class="c"># Can update versions unexpectedly</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">Keep</span><span class="w"> </span><span class="err">your</span><span class="w"> </span><span class="err">lockfile</span><span class="w"> </span><span class="err">pinned</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@types/node"</span><span class="p">:</span><span class="w"> </span><span class="s2">"10.12.18"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">✅</span><span class="w"> </span><span class="err">Exact</span><span class="w"> </span><span class="err">version</span><span class="w"> </span><span class="nl">"@types/connect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">❌</span><span class="w"> </span><span class="err">Wildcard</span><span class="w"> </span><span class="err">=</span><span class="w"> </span><span class="err">danger</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 2. CI/CD Security </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Secure GitHub Actions workflow</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Secure Build</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">master</span><span class="pi">]</span> <span class="c1"># Correct branch names</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="c1"># Latest version</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Node.js</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> <span class="na">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">npm'</span> <span class="c1"># Cache for performance</span> <span class="c1"># Use npm ci for reproducible builds</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="c1"># Audit before building</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Security audit</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm audit --audit-level=critical</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run build</span> </code></pre> </div> <h3> 3. Dependency Management </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Regular maintenance</span> npm outdated <span class="c"># Check for updates</span> npm audit <span class="c"># Security vulnerabilities</span> npm audit fix <span class="c"># Auto-fix where possible</span> <span class="c"># Keep dependencies current</span> npm update <span class="c"># Update within semver ranges</span> </code></pre> </div> <h3> 4. PR Review Guidelines </h3> <p>When reviewing PRs that touch CI/CD or dependencies:</p> <ul> <li> <strong>Who is the contributor?</strong> Do they have a history with your project?</li> <li> <strong>Why are they making this change?</strong> Unsolicited CI/CD PRs are suspicious</li> <li> <strong>What permissions would this grant?</strong> Review secrets and environment access</li> <li> <strong>Are there obvious "mistakes"?</strong> Sometimes bugs are features for attackers</li> </ul> <h3> 5. Repository Protection </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/dependabot.yml</span> <span class="na">version</span><span class="pi">:</span> <span class="m">2</span> <span class="na">updates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">package-ecosystem</span><span class="pi">:</span> <span class="s1">'</span><span class="s">npm'</span> <span class="na">directory</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/'</span> <span class="na">schedule</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s1">'</span><span class="s">weekly'</span> <span class="na">reviewers</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">your-username'</span> </code></pre> </div> <p>Enable branch protection rules:</p> <ul> <li>Require PR reviews for CI/CD changes</li> <li>Require status checks to pass</li> <li>Restrict who can modify workflows</li> </ul> <h2> The Human Element </h2> <p>The scariest part of supply chain attacks isn't the technical sophistication – it's how they exploit our human nature. We want to be helpful to contributors. We want to trust the tools we use daily. We want to merge that PR that "fixes" an obvious mistake.</p> <p>But in the age of automated attacks and compromised packages, a little paranoia goes a long way. That friendly contributor might be a bot. That helpful PR might be reconnaissance. That simple typo fix might be setting up a backdoor.</p> <h2> Lessons Learned </h2> <ol> <li> <strong>Trust but verify</strong>: Even helpful PRs need scrutiny</li> <li> <strong>Keep dependencies updated</strong>: Old packages are attractive targets</li> <li> <strong>Use lockfiles properly</strong>: Pin versions and use <code>npm ci</code> </li> <li> <strong>Secure your CI/CD</strong>: It's the crown jewel attackers want</li> <li> <strong>Stay informed</strong>: Follow security researchers and vulnerability databases</li> </ol> <h2> The Silver Lining </h2> <p>While getting targeted by a supply chain attack was unsettling, it was also educational. It reminded me that security isn't just about writing secure code – it's about securing the entire development pipeline.</p> <p>The npm ecosystem is incredibly powerful, but that power comes with responsibility. Every <code>npm install</code> is a vote of trust in hundreds of package maintainers. Every GitHub Action workflow is a potential attack vector.</p> <p>But don't let this scare you away from open source. The community is what makes JavaScript development amazing. Just be smart about it. Audit your dependencies. Review your workflows. Trust but verify.</p> <p>And maybe, just maybe, be a little suspicious when <code>harshitcodez19</code> offers to help with your CI/CD pipeline.</p> <p><em>Stay safe out there, fellow developers. The supply chain attackers are getting creative, but so are we.</em></p> <h2> References </h2> <ul> <li><a href="https://www.ox.security/blog/npm-packages-compromised/" rel="noopener noreferrer">OX Security: NPM Packages Compromised</a></li> <li><a href="https://github.com/advisories" rel="noopener noreferrer">GitHub Security Advisory Database</a></li> <li><a href="https://docs.npmjs.com/cli/v11/commands/npm-audit" rel="noopener noreferrer">npm Audit Documentation</a></li> <li><a href="https://docs.github.com/en/actions/security-guides" rel="noopener noreferrer">Securing GitHub Actions</a></li> </ul> github security node devops Dale Nguyen Sun, 07 Sep 2025 14:11:09 +0000 https://dev.to/dalenguyen/mastering-email-rate-limits-a-deep-dive-into-resend-api-and-cloud-run-debugging-3973 https://dev.to/dalenguyen/mastering-email-rate-limits-a-deep-dive-into-resend-api-and-cloud-run-debugging-3973 <p><em>How we solved persistent rate limiting issues and implemented robust batch email functionality for our AI-powered learning platform</em></p> <h2> The Challenge: When Emails Start Failing </h2> <p>Picture this: You've built a beautiful lesson scheduling system that sends personalized daily lessons to your users. Everything works perfectly in development, but in production, you start seeing mysterious email failures:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx8toh7r8orcaryl8qp6l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx8toh7r8orcaryl8qp6l.png" alt="Email rate limit error" width="800" height="267"></a></p> <p>This was exactly the situation we faced with <a href="https://dailymastery.io" rel="noopener noreferrer">DailyMastery</a>, our AI-powered learning platform. Despite having a solid architecture built with Nx monorepo, Fastify microservices, and deployed on Google Cloud Run, our email delivery system was hitting Resend's rate limits consistently.</p> <h2> Understanding the Problem </h2> <h3> The Initial Architecture </h3> <p>Our system had a straightforward approach:</p> <ul> <li>Lesson scheduler triggered by Cloud Scheduler (3x daily)</li> <li>Individual API calls to Resend for each lesson email</li> <li>No rate limiting protection</li> <li>Basic error handling </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// The problematic approach</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">lesson</span> <span class="k">of</span> <span class="nx">lessons</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">emailResult</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">emailService</span><span class="p">.</span><span class="nf">sendEmail</span><span class="p">({</span> <span class="na">to</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span> <span class="nx">lesson</span><span class="p">.</span><span class="nx">title</span><span class="p">,</span> <span class="na">html</span><span class="p">:</span> <span class="nx">lessonContent</span><span class="p">,</span> <span class="p">})</span> <span class="c1">// Rate limits hit here when processing multiple users rapidly</span> <span class="p">}</span> </code></pre> </div> <h3> The Root Cause </h3> <p>Resend enforces a <strong>2 requests per second</strong> rate limit across all endpoints. When our scheduler processed multiple users with multiple lessons each, we quickly exceeded this limit, causing cascading failures.</p> <h2> The Investigation: Debugging Cloud Run Like a Pro </h2> <h3> Step 1: Enhanced Logging Strategy </h3> <p>The first step was implementing comprehensive logging to understand exactly what was happening:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="nf">sendEmail</span><span class="p">(</span><span class="nx">options</span><span class="p">:</span> <span class="nx">EmailOptions</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">error</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">messageId</span><span class="p">?:</span> <span class="kr">string</span> <span class="p">}</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Attempting to send email via Resend:</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">to</span><span class="p">:</span> <span class="nx">options</span><span class="p">.</span><span class="nx">to</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span> <span class="nx">options</span><span class="p">.</span><span class="nx">subject</span><span class="p">,</span> <span class="na">htmlLength</span><span class="p">:</span> <span class="nx">options</span><span class="p">.</span><span class="nx">html</span><span class="p">?.</span><span class="nx">length</span> <span class="o">||</span> <span class="mi">0</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">resend</span><span class="p">.</span><span class="nx">emails</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">emailData</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Resend API response:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">result</span><span class="p">);</span> <span class="c1">// Critical: Check if Resend returned an error (they don't throw exceptions!)</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Resend API returned error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">result</span><span class="p">.</span><span class="nx">error</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="o">||</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">error</span><span class="p">),</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">messageId</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span><span class="p">?.</span><span class="nx">id</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to send email via Resend:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">Unknown error</span><span class="dl">'</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Step 2: Cloud Run Log Analysis Techniques </h3> <p>You can view logs in the Google Cloud console, but if you like the terminal approach, then here are the essential Cloud Run debugging commands we used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Real-time log monitoring during issues</span> gcloud logging <span class="nb">read</span> <span class="s2">"resource.type=cloud_run_revision AND resource.labels.service_name=lesson-scheduler"</span> <span class="se">\</span> <span class="nt">--limit</span><span class="o">=</span>50 <span class="nt">--format</span><span class="o">=</span><span class="s2">"value(timestamp,textPayload)"</span> | <span class="nb">head</span> <span class="nt">-20</span> <span class="c"># Filter for specific errors</span> gcloud logging <span class="nb">read</span> <span class="s2">"resource.type=cloud_run_revision AND resource.labels.service_name=lesson-scheduler"</span> <span class="se">\</span> <span class="nt">--limit</span><span class="o">=</span>100 | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"(rate_limit|429|Failed)"</span> <span class="c"># Check logs from specific time range</span> gcloud logging <span class="nb">read</span> <span class="s2">"resource.type=cloud_run_revision AND resource.labels.service_name=lesson-scheduler AND timestamp&gt;=</span><span class="se">\"</span><span class="s2">2025-09-03T16:00:00Z</span><span class="se">\"</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--limit</span><span class="o">=</span>50 </code></pre> </div> <h2> The Solution: Multi-Layer Rate Limiting Strategy </h2> <h3> Layer 1: Proper Error Detection </h3> <p>The first critical insight: <strong>Resend doesn't throw exceptions for rate limits</strong>. They return error objects:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Before: Missing rate limit detection</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">resend</span><span class="p">.</span><span class="nx">emails</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">emailData</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">messageId</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span><span class="p">?.</span><span class="nx">id</span> <span class="p">}</span> <span class="c1">// Wrong!</span> <span class="c1">// After: Comprehensive error checking</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">resend</span><span class="p">.</span><span class="nx">emails</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">emailData</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Resend API returned error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">result</span><span class="p">.</span><span class="nx">error</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="o">||</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">error</span><span class="p">),</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No data returned from Resend API</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">messageId</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <h3> Layer 2: Intelligent Batch Email Implementation with Auto-Chunking </h3> <p>Resend offers a batch API that can send up to 100 emails in a single request. Here's our implementation with smart fallback and automatic chunking for larger batches:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="nf">sendBatchLessonEmails</span><span class="p">(</span> <span class="nx">emails</span><span class="p">:</span> <span class="nx">BatchEmailOptions</span><span class="p">[]</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">error</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">messageIds</span><span class="p">?:</span> <span class="kr">string</span><span class="p">[];</span> <span class="nl">sentCount</span><span class="p">?:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">failedCount</span><span class="p">?:</span> <span class="kr">number</span> <span class="p">}</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">emails</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">messageIds</span><span class="p">:</span> <span class="p">[],</span> <span class="na">sentCount</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">failedCount</span><span class="p">:</span> <span class="mi">0</span> <span class="p">};</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Sending batch of </span><span class="p">${</span><span class="nx">emails</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> lesson emails`</span><span class="p">);</span> <span class="c1">// Automatic chunking: Split into batches of 100 (Resend limit)</span> <span class="kd">const</span> <span class="nx">batchSize</span> <span class="o">=</span> <span class="mi">100</span><span class="p">;</span> <span class="kd">const</span> <span class="na">batches</span><span class="p">:</span> <span class="nx">BatchEmailOptions</span><span class="p">[][]</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">emails</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span> <span class="o">+=</span> <span class="nx">batchSize</span><span class="p">)</span> <span class="p">{</span> <span class="nx">batches</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">emails</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="nx">i</span><span class="p">,</span> <span class="nx">i</span> <span class="o">+</span> <span class="nx">batchSize</span><span class="p">));</span> <span class="p">}</span> <span class="kd">let</span> <span class="nx">totalSent</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">totalFailed</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="kd">const</span> <span class="na">allMessageIds</span><span class="p">:</span> <span class="kr">string</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="kd">const</span> <span class="na">errors</span><span class="p">:</span> <span class="kr">string</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="c1">// Process each chunk sequentially with rate limiting</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">batches</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">batch</span> <span class="o">=</span> <span class="nx">batches</span><span class="p">[</span><span class="nx">i</span><span class="p">];</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Sending batch </span><span class="p">${</span><span class="nx">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">batches</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> with </span><span class="p">${</span><span class="nx">batch</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> emails`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">emailService</span><span class="p">.</span><span class="nf">sendBatchEmails</span><span class="p">(</span><span class="nx">batch</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="nx">totalSent</span> <span class="o">+=</span> <span class="nx">batch</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">messageIds</span><span class="p">)</span> <span class="p">{</span> <span class="nx">allMessageIds</span><span class="p">.</span><span class="nf">push</span><span class="p">(...</span><span class="nx">result</span><span class="p">.</span><span class="nx">messageIds</span><span class="p">);</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`✅ Batch </span><span class="p">${</span><span class="nx">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">}</span><span class="s2"> sent successfully (</span><span class="p">${</span><span class="nx">batch</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> emails)`</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">totalFailed</span> <span class="o">+=</span> <span class="nx">batch</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">errors</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="s2">`Batch </span><span class="p">${</span><span class="nx">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">}</span><span class="s2"> failed: </span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">error</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">Unknown error</span><span class="dl">'</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`❌ Batch </span><span class="p">${</span><span class="nx">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">}</span><span class="s2"> failed: </span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">error</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Add delay between batches to avoid rate limiting</span> <span class="k">if </span><span class="p">(</span><span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">batches</span><span class="p">.</span><span class="nx">length</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">⏳ Waiting 1 second between batches to avoid rate limiting...</span><span class="dl">'</span><span class="p">);</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">resolve</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">resolve</span><span class="p">,</span> <span class="mi">1000</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">overallSuccess</span> <span class="o">=</span> <span class="nx">totalFailed</span> <span class="o">===</span> <span class="mi">0</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="nx">overallSuccess</span><span class="p">,</span> <span class="na">messageIds</span><span class="p">:</span> <span class="nx">allMessageIds</span><span class="p">,</span> <span class="na">sentCount</span><span class="p">:</span> <span class="nx">totalSent</span><span class="p">,</span> <span class="na">failedCount</span><span class="p">:</span> <span class="nx">totalFailed</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">errors</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="p">?</span> <span class="nx">errors</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">; </span><span class="dl">'</span><span class="p">)</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Error sending batch lesson emails:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">Unknown error</span><span class="dl">'</span><span class="p">,</span> <span class="na">sentCount</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">failedCount</span><span class="p">:</span> <span class="nx">emails</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Layer 3: Architectural Refactoring </h3> <p>We completely restructured our email sending flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Old approach: Send emails immediately during processing</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">user</span> <span class="k">of</span> <span class="nx">users</span><span class="p">)</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">lesson</span> <span class="k">of</span> <span class="nx">lessons</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">sendEmail</span><span class="p">(</span><span class="nx">user</span><span class="p">,</span> <span class="nx">lesson</span><span class="p">)</span> <span class="c1">// Rate limit hit here</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// New approach: Prepare first, then batch send</span> <span class="kd">const</span> <span class="nx">allPreparedEmails</span><span class="p">:</span> <span class="nx">PreparedEmail</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[]</span> <span class="c1">// Phase 1: Prepare all emails</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">user</span> <span class="k">of</span> <span class="nx">users</span><span class="p">)</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">lesson</span> <span class="k">of</span> <span class="nx">lessons</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">preparedEmail</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">prepareLessonEmail</span><span class="p">(</span><span class="nx">user</span><span class="p">,</span> <span class="nx">lesson</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">preparedEmail</span><span class="p">)</span> <span class="p">{</span> <span class="nx">allPreparedEmails</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="nx">preparedEmail</span><span class="p">,</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">lesson</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Phase 2: Batch send with intelligent chunking and accurate tracking</span> <span class="k">if </span><span class="p">(</span><span class="nx">allPreparedEmails</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`🚀 Sending </span><span class="p">${</span><span class="nx">allPreparedEmails</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> emails in optimized batches`</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">emailsToSend</span> <span class="o">=</span> <span class="nx">allPreparedEmails</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">pe</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">pe</span><span class="p">.</span><span class="nx">email</span><span class="p">)</span> <span class="c1">// The EmailCoordinator handles chunking internally for 100+ email limits</span> <span class="kd">const</span> <span class="nx">batchResult</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">emailCoordinator</span><span class="p">.</span><span class="nf">sendBatchLessonEmails</span><span class="p">(</span><span class="nx">emailsToSend</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">batchResult</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Only mark lessons as sent based on actual successful send count</span> <span class="kd">const</span> <span class="nx">successfulEmails</span> <span class="o">=</span> <span class="nx">allPreparedEmails</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nx">batchResult</span><span class="p">.</span><span class="nx">sentCount</span><span class="p">)</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">markLessonsAsSent</span><span class="p">(</span><span class="nx">successfulEmails</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Layer 4: Smart Retry Logic </h3> <p>For critical emails like admin reports, we implemented retry logic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="nf">sendSummaryReport</span><span class="p">(</span><span class="nx">result</span><span class="p">:</span> <span class="nx">SchedulerResult</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Add delay to avoid rate limiting after lesson emails</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">⏳ Waiting 3 seconds to avoid rate limiting...</span><span class="dl">'</span><span class="p">);</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">resolve</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">resolve</span><span class="p">,</span> <span class="mi">3000</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">emailResult</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">emailService</span><span class="p">.</span><span class="nf">sendEmail</span><span class="p">({</span> <span class="na">to</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">reportingEmail</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span> <span class="s2">`📊 Lesson Scheduler Report - </span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">timeSlot</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">html</span><span class="p">:</span> <span class="nx">htmlContent</span><span class="p">,</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">emailResult</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Retry logic for rate limits</span> <span class="k">if </span><span class="p">(</span><span class="nx">emailResult</span><span class="p">.</span><span class="nx">error</span><span class="p">?.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">rate_limit_exceeded</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">emailResult</span><span class="p">.</span><span class="nx">error</span><span class="p">?.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">Too many requests</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">⏳ Rate limited - waiting 10 seconds and retrying...</span><span class="dl">'</span><span class="p">);</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">resolve</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">resolve</span><span class="p">,</span> <span class="mi">10000</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">retryResult</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">emailService</span><span class="p">.</span><span class="nf">sendEmail</span><span class="p">({</span> <span class="na">to</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">reportingEmail</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span> <span class="s2">`📊 Lesson Scheduler Report - </span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">timeSlot</span><span class="p">}</span><span class="s2"> (Retry)`</span><span class="p">,</span> <span class="na">html</span><span class="p">:</span> <span class="nx">htmlContent</span><span class="p">,</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">retryResult</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">✅ Summary report sent successfully on retry</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Key Debugging Techniques for Cloud Run </h2> <h3> 1. Structured Logging </h3> <p>Use consistent emoji prefixes and structured data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Good logging practices</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">🚀 BATCH EMAIL MODE: Sending emails</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">count</span><span class="p">:</span> <span class="nx">emails</span><span class="p">.</span><span class="nx">length</span> <span class="p">})</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">✅ Email sent successfully</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">messageId</span><span class="p">,</span> <span class="nx">recipient</span> <span class="p">})</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">❌ Email failed</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">,</span> <span class="nx">recipient</span> <span class="p">})</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">⏳ Rate limiting delay</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">delayMs</span><span class="p">:</span> <span class="mi">600</span> <span class="p">})</span> </code></pre> </div> <h3> 2. Revision Tracking </h3> <p>Always verify your code is actually deployed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check current revision</span> gcloud run services describe lesson-scheduler <span class="se">\</span> <span class="nt">--region</span><span class="o">=</span>us-central1 <span class="se">\</span> <span class="nt">--format</span><span class="o">=</span><span class="s2">"value(status.latestReadyRevisionName)"</span> <span class="c"># List recent revisions with images</span> gcloud run revisions list <span class="nt">--service</span><span class="o">=</span>lesson-scheduler <span class="se">\</span> <span class="nt">--format</span><span class="o">=</span><span class="s2">"table(metadata.name,status.conditions[0].status,spec.containers[0].image)"</span> </code></pre> </div> <h3> 3. Real-time Monitoring </h3> <p>Set up log streaming during debugging:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Stream logs in real-time</span> gcloud beta logging <span class="nb">tail</span> <span class="s2">"resource.type=cloud_run_revision AND resource.labels.service_name=lesson-scheduler"</span> <span class="c"># Filter for errors only</span> gcloud beta logging <span class="nb">tail</span> <span class="s2">"resource.type=cloud_run_revision AND resource.labels.service_name=lesson-scheduler"</span> <span class="se">\</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"severity&gt;=ERROR"</span> </code></pre> </div> <h2> Results and Performance Impact </h2> <h3> Before Optimization </h3> <ul> <li>❌ Cascading failures due to rate limits</li> <li>❌ Poor user experience with missed lessons</li> <li>❌ Manual intervention required daily</li> </ul> <h3> After Optimization </h3> <ul> <li>✅ <strong>0% email failure rate</strong> </li> <li>✅ Automatic handling of up to 100 emails per batch</li> <li>✅ <strong>Zero manual intervention</strong> required</li> </ul> <h3> Performance Metrics </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Final Test Results: - totalUsers: 1 - emailsSent: 3 - emailsFailed: 0 - errorCount: 0 - processingTime: 7.048s - batchEmailsUsed: true </code></pre> </div> <h2> Best Practices Learned </h2> <h3> 1. Email Service Design Patterns </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">EmailService</span> <span class="p">{</span> <span class="c1">// Always return structured results</span> <span class="nf">sendEmail</span><span class="p">(</span><span class="nx">options</span><span class="p">:</span> <span class="nx">EmailOptions</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="nx">boolean</span> <span class="nx">error</span><span class="p">?:</span> <span class="kr">string</span> <span class="nx">messageId</span><span class="p">?:</span> <span class="kr">string</span> <span class="p">}</span><span class="o">&gt;</span> <span class="c1">// Batch operations with fallback</span> <span class="nf">sendBatchEmails</span><span class="p">(</span><span class="nx">emails</span><span class="p">:</span> <span class="nx">BatchEmailOptions</span><span class="p">[]):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="nx">boolean</span> <span class="nx">error</span><span class="p">?:</span> <span class="kr">string</span> <span class="nx">messageIds</span><span class="p">?:</span> <span class="kr">string</span><span class="p">[]</span> <span class="nx">sentCount</span><span class="p">?:</span> <span class="kr">number</span> <span class="nx">failedCount</span><span class="p">?:</span> <span class="kr">number</span> <span class="p">}</span><span class="o">&gt;</span> <span class="p">}</span> </code></pre> </div> <h3> 2. Rate Limiting Strategies </h3> <ol> <li> <strong>Batch First</strong>: Use batch APIs when available</li> <li> <strong>Automatic Chunking</strong>: Split large batches into 100-email chunks automatically</li> <li> <strong>Intelligent Delays</strong>: 600ms between individual requests (&lt; 2 req/sec) and 1s between batch chunks</li> <li> <strong>Accurate Tracking</strong>: Only mark operations as successful based on actual send counts</li> <li> <strong>Exponential Backoff</strong>: Longer delays for retries</li> <li> <strong>Circuit Breaker</strong>: Fail fast on repeated rate limits</li> </ol> <h2> Conclusion </h2> <p>Building a robust email delivery system requires understanding both your email provider's limitations and your cloud platform's deployment mechanics. Our journey from 30% failure rates to 0% taught us that:</p> <ol> <li> <strong>Rate limiting is real</strong> - Plan for it from day one</li> <li> <strong>Batch APIs are game-changers</strong> - Use them when available</li> <li> <strong>Docker caching can bite you</strong> - Structure your builds carefully</li> <li> <strong>Comprehensive logging saves time</strong> - Invest in good observability</li> <li> <strong>Fallback strategies are essential</strong> - Always have a Plan B</li> </ol> <p>The combination of Resend's batch API, intelligent fallback logic, proper rate limiting, and robust Cloud Run debugging techniques transformed our email delivery from a daily headache into a reliable, scalable system.</p> <p>Remember: In production systems, it's not just about making it work—it's about making it work reliably, even when things go wrong.</p> <p><em>This blog post is based on our real-world experience building <a href="https://dailymastery.io" rel="noopener noreferrer">DailyMastery</a>, an AI-powered learning platform. The techniques described here are battle-tested in production and have been processing thousands of lesson emails daily without issues.</em></p> <h2> Further Reading </h2> <ul> <li><a href="https://resend.com/docs/api-reference/emails/send-batch-emails" rel="noopener noreferrer">Resend Batch API Documentation</a></li> <li><a href="https://cloud.google.com/run/docs/tips/general" rel="noopener noreferrer">Google Cloud Run Best Practices</a></li> </ul> resend googlecloud webdev javascript Dale Nguyen Sat, 06 Sep 2025 04:05:16 +0000 https://dev.to/dalenguyen/supawp-storage-filter-hooks-seamless-supabase-storage-integration-for-wordpress-1ana https://dev.to/dalenguyen/supawp-storage-filter-hooks-seamless-supabase-storage-integration-for-wordpress-1ana <p>Building modern WordPress applications often requires robust file storage solutions that scale beyond traditional media library limitations. Today, we're excited to introduce <strong>SupaWP Storage Filter Hooks</strong> – a powerful new feature that brings seamless Supabase Storage integration directly to your WordPress plugins and themes.</p> <h2> What Are SupaWP Storage Filter Hooks? </h2> <p>SupaWP Storage Filter Hooks are a set of WordPress filter hooks that provide a standardized, developer-friendly way to integrate Supabase Storage into any WordPress application. Instead of writing custom storage code for each project, you can now leverage these hooks to upload, delete, and manage files in Supabase Storage with just a few lines of code.</p> <h2> Prerequisites </h2> <p>Before diving into the implementation, ensure you have:</p> <ul> <li>WordPress site with <a href="https://techcater.com/shop/products/SUPA_WP" rel="noopener noreferrer">SupaWP</a> plugin v1.3.4 or higher installed and configured</li> <li>Supabase project with Storage enabled</li> <li>Basic knowledge of WordPress filters and PHP</li> <li>Supabase Storage bucket configured</li> </ul> <h2> The Three Essential Hooks </h2> <h3> 1. <code>supawp_upload_image_to_supabase</code> </h3> <p>Upload images directly to Supabase Storage with automatic validation and security:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Upload a user profile image</span> <span class="nv">$image_url</span> <span class="o">=</span> <span class="nf">apply_filters</span><span class="p">(</span><span class="s1">'supawp_upload_image_to_supabase'</span><span class="p">,</span> <span class="nv">$file</span><span class="p">,</span> <span class="nv">$fileName</span><span class="p">,</span> <span class="s1">'user-images'</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="k">empty</span><span class="p">(</span><span class="nv">$image_url</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// Success! Save the URL to your database</span> <span class="nf">update_user_meta</span><span class="p">(</span><span class="nv">$user_id</span><span class="p">,</span> <span class="s1">'profile_image_url'</span><span class="p">,</span> <span class="nv">$image_url</span><span class="p">);</span> <span class="k">return</span> <span class="k">array</span><span class="p">(</span><span class="s1">'success'</span> <span class="o">=&gt;</span> <span class="kc">true</span><span class="p">,</span> <span class="s1">'url'</span> <span class="o">=&gt;</span> <span class="nv">$image_url</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> 2. <code>supawp_delete_image_from_supabase</code> </h3> <p>Remove files from Supabase Storage with proper cleanup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Delete a user's profile image</span> <span class="nv">$success</span> <span class="o">=</span> <span class="nf">apply_filters</span><span class="p">(</span><span class="s1">'supawp_delete_image_from_supabase'</span><span class="p">,</span> <span class="nv">$image_url</span><span class="p">,</span> <span class="s1">'user-images'</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$success</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// File deleted successfully</span> <span class="nf">delete_user_meta</span><span class="p">(</span><span class="nv">$user_id</span><span class="p">,</span> <span class="s1">'profile_image_url'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> 3. <code>supawp_get_storage_config</code> </h3> <p>Access Supabase Storage configuration and verify setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Check if storage is properly configured</span> <span class="nv">$config</span> <span class="o">=</span> <span class="nf">apply_filters</span><span class="p">(</span><span class="s1">'supawp_get_storage_config'</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="k">empty</span><span class="p">(</span><span class="nv">$config</span><span class="p">))</span> <span class="p">{</span> <span class="k">echo</span> <span class="s2">"Storage URL: "</span> <span class="mf">.</span> <span class="nv">$config</span><span class="p">[</span><span class="s1">'url'</span><span class="p">];</span> <span class="k">echo</span> <span class="s2">"Authentication: Configured ✓"</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Simple File Upload Implementation </h2> <p>Here's a basic implementation using the SupaWP Storage Filter Hooks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="cd">/** * Simple File Upload with SupaWP Storage */</span> <span class="kd">class</span> <span class="nc">Simple_SupaWP_Upload</span> <span class="p">{</span> <span class="k">public</span> <span class="k">static</span> <span class="k">function</span> <span class="n">init</span><span class="p">()</span> <span class="p">{</span> <span class="nf">add_shortcode</span><span class="p">(</span><span class="s1">'simple_file_upload'</span><span class="p">,</span> <span class="k">array</span><span class="p">(</span><span class="s1">'Simple_SupaWP_Upload'</span><span class="p">,</span> <span class="s1">'upload_shortcode'</span><span class="p">));</span> <span class="nf">add_action</span><span class="p">(</span><span class="s1">'wp_ajax_upload_to_supabase'</span><span class="p">,</span> <span class="k">array</span><span class="p">(</span><span class="s1">'Simple_SupaWP_Upload'</span><span class="p">,</span> <span class="s1">'handle_upload'</span><span class="p">));</span> <span class="p">}</span> <span class="k">public</span> <span class="k">static</span> <span class="k">function</span> <span class="n">upload_shortcode</span><span class="p">()</span> <span class="p">{</span> <span class="nv">$current_user</span> <span class="o">=</span> <span class="nf">wp_get_current_user</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$current_user</span><span class="o">-&gt;</span><span class="no">ID</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="s1">'&lt;p&gt;Please log in to upload files.&lt;/p&gt;'</span><span class="p">;</span> <span class="p">}</span> <span class="nb">ob_start</span><span class="p">();</span> <span class="cp">?&gt;</span> <span class="nt">&lt;form</span> <span class="na">id=</span><span class="s">"upload-form"</span> <span class="na">enctype=</span><span class="s">"multipart/form-data"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">name=</span><span class="s">"user_file"</span> <span class="na">accept=</span><span class="s">".jpg,.jpeg,.png,.webp"</span> <span class="na">required</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Upload File<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"upload-result"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">upload-form</span><span class="dl">'</span><span class="p">).</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">submit</span><span class="dl">'</span><span class="p">,</span> <span class="kd">function</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">formData</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FormData</span><span class="p">(</span><span class="k">this</span><span class="p">);</span> <span class="nx">formData</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="dl">'</span><span class="s1">action</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">upload_to_supabase</span><span class="dl">'</span><span class="p">);</span> <span class="nx">formData</span><span class="p">.</span><span class="nx">append</span><span class="p">(</span><span class="dl">'</span><span class="s1">nonce</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="cp">&lt;?php</span> <span class="k">echo</span> <span class="nf">wp_create_nonce</span><span class="p">(</span><span class="s1">'upload_nonce'</span><span class="p">);</span> <span class="cp">?&gt;</span><span class="dl">'</span><span class="p">);</span> <span class="nx">fetch</span><span class="p">(</span><span class="dl">'</span><span class="cp">&lt;?php</span> <span class="k">echo</span> <span class="nf">admin_url</span><span class="p">(</span><span class="s1">'admin-ajax.php'</span><span class="p">);</span> <span class="cp">?&gt;</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">formData</span> <span class="p">})</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">response</span> <span class="o">=&gt;</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">upload-result</span><span class="dl">'</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">success</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">Upload successful!</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">Upload failed: </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">data</span><span class="p">.</span><span class="nx">data</span><span class="p">;</span> <span class="p">});</span> <span class="p">});</span> <span class="nt">&lt;/script&gt;</span> <span class="cp">&lt;?php</span> <span class="k">return</span> <span class="nb">ob_get_clean</span><span class="p">();</span> <span class="p">}</span> <span class="k">public</span> <span class="k">static</span> <span class="k">function</span> <span class="n">handle_upload</span><span class="p">()</span> <span class="p">{</span> <span class="nf">check_ajax_referer</span><span class="p">(</span><span class="s1">'upload_nonce'</span><span class="p">,</span> <span class="s1">'nonce'</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="k">isset</span><span class="p">(</span><span class="nv">$_FILES</span><span class="p">[</span><span class="s1">'user_file'</span><span class="p">]))</span> <span class="p">{</span> <span class="nf">wp_send_json_error</span><span class="p">(</span><span class="s1">'No file provided'</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$file</span> <span class="o">=</span> <span class="nv">$_FILES</span><span class="p">[</span><span class="s1">'user_file'</span><span class="p">];</span> <span class="nv">$user_id</span> <span class="o">=</span> <span class="nf">get_current_user_id</span><span class="p">();</span> <span class="c1">// Generate file path</span> <span class="nv">$extension</span> <span class="o">=</span> <span class="nb">pathinfo</span><span class="p">(</span><span class="nv">$file</span><span class="p">[</span><span class="s1">'name'</span><span class="p">],</span> <span class="no">PATHINFO_EXTENSION</span><span class="p">);</span> <span class="nv">$fileName</span> <span class="o">=</span> <span class="s2">"users/</span><span class="si">{</span><span class="nv">$user_id</span><span class="si">}</span><span class="s2">/"</span> <span class="mf">.</span> <span class="nb">time</span><span class="p">()</span> <span class="mf">.</span> <span class="s2">".</span><span class="si">{</span><span class="nv">$extension</span><span class="si">}</span><span class="s2">"</span><span class="p">;</span> <span class="c1">// Upload using SupaWP hook</span> <span class="nv">$url</span> <span class="o">=</span> <span class="nf">apply_filters</span><span class="p">(</span><span class="s1">'supawp_upload_image_to_supabase'</span><span class="p">,</span> <span class="nv">$file</span><span class="p">,</span> <span class="nv">$fileName</span><span class="p">,</span> <span class="s1">'user-content'</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$url</span><span class="p">)</span> <span class="p">{</span> <span class="nf">wp_send_json_success</span><span class="p">(</span><span class="k">array</span><span class="p">(</span><span class="s1">'url'</span> <span class="o">=&gt;</span> <span class="nv">$url</span><span class="p">));</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nf">wp_send_json_error</span><span class="p">(</span><span class="s1">'Upload failed'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">add_action</span><span class="p">(</span><span class="s1">'supawp_init'</span><span class="p">,</span> <span class="k">array</span><span class="p">(</span><span class="s1">'Simple_SupaWP_Upload'</span><span class="p">,</span> <span class="s1">'init'</span><span class="p">));</span> </code></pre> </div> <h2> Advanced Implementation Examples </h2> <h3> E-commerce Product Gallery </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">function</span> <span class="n">upload_product_images</span><span class="p">(</span><span class="nv">$product_id</span><span class="p">,</span> <span class="nv">$files</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$uploaded_urls</span> <span class="o">=</span> <span class="k">array</span><span class="p">();</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$files</span> <span class="k">as</span> <span class="nv">$file</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$fileName</span> <span class="o">=</span> <span class="s2">"products/</span><span class="si">{</span><span class="nv">$product_id</span><span class="si">}</span><span class="s2">/"</span> <span class="mf">.</span> <span class="nb">time</span><span class="p">()</span> <span class="mf">.</span> <span class="s2">".jpg"</span><span class="p">;</span> <span class="nv">$url</span> <span class="o">=</span> <span class="nf">apply_filters</span><span class="p">(</span><span class="s1">'supawp_upload_image_to_supabase'</span><span class="p">,</span> <span class="nv">$file</span><span class="p">,</span> <span class="nv">$fileName</span><span class="p">,</span> <span class="s1">'products'</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$url</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$uploaded_urls</span><span class="p">[]</span> <span class="o">=</span> <span class="nv">$url</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">update_post_meta</span><span class="p">(</span><span class="nv">$product_id</span><span class="p">,</span> <span class="s1">'_gallery_urls'</span><span class="p">,</span> <span class="nv">$uploaded_urls</span><span class="p">);</span> <span class="k">return</span> <span class="nv">$uploaded_urls</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> User Document Management </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">function</span> <span class="n">upload_user_document</span><span class="p">(</span><span class="nv">$user_id</span><span class="p">,</span> <span class="nv">$file</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nf">current_user_can</span><span class="p">(</span><span class="s1">'upload_files'</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="nv">$fileName</span> <span class="o">=</span> <span class="s2">"documents/</span><span class="si">{</span><span class="nv">$user_id</span><span class="si">}</span><span class="s2">/"</span> <span class="mf">.</span> <span class="nb">time</span><span class="p">()</span> <span class="mf">.</span> <span class="s2">".pdf"</span><span class="p">;</span> <span class="nv">$url</span> <span class="o">=</span> <span class="nf">apply_filters</span><span class="p">(</span><span class="s1">'supawp_upload_image_to_supabase'</span><span class="p">,</span> <span class="nv">$file</span><span class="p">,</span> <span class="nv">$fileName</span><span class="p">,</span> <span class="s1">'documents'</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$url</span><span class="p">)</span> <span class="p">{</span> <span class="nf">update_user_meta</span><span class="p">(</span><span class="nv">$user_id</span><span class="p">,</span> <span class="s1">'document_url'</span><span class="p">,</span> <span class="nv">$url</span><span class="p">);</span> <span class="k">return</span> <span class="nv">$url</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Integration with Popular Plugins </h2> <h3> Contact Form 7 Integration </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">function</span> <span class="n">handle_contact_form_upload</span><span class="p">(</span><span class="nv">$contact_form</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$submission</span> <span class="o">=</span> <span class="n">WPCF7_Submission</span><span class="o">::</span><span class="nf">get_instance</span><span class="p">();</span> <span class="nv">$files</span> <span class="o">=</span> <span class="nv">$submission</span><span class="o">-&gt;</span><span class="nf">uploaded_files</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="k">isset</span><span class="p">(</span><span class="nv">$files</span><span class="p">[</span><span class="s1">'resume'</span><span class="p">]))</span> <span class="p">{</span> <span class="nv">$fileName</span> <span class="o">=</span> <span class="s2">"resumes/"</span> <span class="mf">.</span> <span class="nb">time</span><span class="p">()</span> <span class="mf">.</span> <span class="s2">"_resume.pdf"</span><span class="p">;</span> <span class="nv">$url</span> <span class="o">=</span> <span class="nf">apply_filters</span><span class="p">(</span><span class="s1">'supawp_upload_image_to_supabase'</span><span class="p">,</span> <span class="nv">$files</span><span class="p">[</span><span class="s1">'resume'</span><span class="p">],</span> <span class="nv">$fileName</span><span class="p">,</span> <span class="s1">'resumes'</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$url</span><span class="p">)</span> <span class="p">{</span> <span class="nf">update_option</span><span class="p">(</span><span class="s1">'latest_resume'</span><span class="p">,</span> <span class="nv">$url</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">add_action</span><span class="p">(</span><span class="s1">'wpcf7_mail_sent'</span><span class="p">,</span> <span class="s1">'handle_contact_form_upload'</span><span class="p">);</span> </code></pre> </div> <h3> WooCommerce Integration </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">function</span> <span class="n">sync_product_to_supabase</span><span class="p">(</span><span class="nv">$product_id</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$product</span> <span class="o">=</span> <span class="nf">wc_get_product</span><span class="p">(</span><span class="nv">$product_id</span><span class="p">);</span> <span class="nv">$image_id</span> <span class="o">=</span> <span class="nv">$product</span><span class="o">-&gt;</span><span class="nf">get_image_id</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$image_id</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$image_path</span> <span class="o">=</span> <span class="nf">get_attached_file</span><span class="p">(</span><span class="nv">$image_id</span><span class="p">);</span> <span class="nv">$file</span> <span class="o">=</span> <span class="k">array</span><span class="p">(</span> <span class="s1">'tmp_name'</span> <span class="o">=&gt;</span> <span class="nv">$image_path</span><span class="p">,</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="nb">basename</span><span class="p">(</span><span class="nv">$image_path</span><span class="p">),</span> <span class="s1">'size'</span> <span class="o">=&gt;</span> <span class="nb">filesize</span><span class="p">(</span><span class="nv">$image_path</span><span class="p">)</span> <span class="p">);</span> <span class="nv">$fileName</span> <span class="o">=</span> <span class="s2">"products/</span><span class="si">{</span><span class="nv">$product_id</span><span class="si">}</span><span class="s2">.jpg"</span><span class="p">;</span> <span class="nv">$url</span> <span class="o">=</span> <span class="nf">apply_filters</span><span class="p">(</span><span class="s1">'supawp_upload_image_to_supabase'</span><span class="p">,</span> <span class="nv">$file</span><span class="p">,</span> <span class="nv">$fileName</span><span class="p">,</span> <span class="s1">'products'</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$url</span><span class="p">)</span> <span class="p">{</span> <span class="nf">update_post_meta</span><span class="p">(</span><span class="nv">$product_id</span><span class="p">,</span> <span class="s1">'_supabase_image'</span><span class="p">,</span> <span class="nv">$url</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">add_action</span><span class="p">(</span><span class="s1">'woocommerce_process_product_meta'</span><span class="p">,</span> <span class="s1">'sync_product_to_supabase'</span><span class="p">);</span> </code></pre> </div> <h2> Security Best Practices </h2> <h3> Row Level Security (RLS) Policies </h3> <p>Set up proper RLS policies in your Supabase dashboard:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Users can only upload to their own folders</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users upload own files"</span> <span class="k">ON</span> <span class="k">storage</span><span class="p">.</span><span class="n">objects</span> <span class="k">FOR</span> <span class="k">INSERT</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span> <span class="n">bucket_id</span> <span class="o">=</span> <span class="s1">'user-content'</span> <span class="k">AND</span> <span class="p">(</span><span class="k">storage</span><span class="p">.</span><span class="n">foldername</span><span class="p">(</span><span class="n">name</span><span class="p">))[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()::</span><span class="nb">text</span> <span class="p">);</span> <span class="c1">-- Users can only view their own files</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users view own files"</span> <span class="k">ON</span> <span class="k">storage</span><span class="p">.</span><span class="n">objects</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">USING</span> <span class="p">(</span> <span class="n">bucket_id</span> <span class="o">=</span> <span class="s1">'user-content'</span> <span class="k">AND</span> <span class="p">(</span><span class="k">storage</span><span class="p">.</span><span class="n">foldername</span><span class="p">(</span><span class="n">name</span><span class="p">))[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()::</span><span class="nb">text</span> <span class="p">);</span> <span class="c1">-- Users can only delete their own files</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users delete own files"</span> <span class="k">ON</span> <span class="k">storage</span><span class="p">.</span><span class="n">objects</span> <span class="k">FOR</span> <span class="k">DELETE</span> <span class="k">USING</span> <span class="p">(</span> <span class="n">bucket_id</span> <span class="o">=</span> <span class="s1">'user-content'</span> <span class="k">AND</span> <span class="p">(</span><span class="k">storage</span><span class="p">.</span><span class="n">foldername</span><span class="p">(</span><span class="n">name</span><span class="p">))[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()::</span><span class="nb">text</span> <span class="p">);</span> </code></pre> </div> <h3> Simple File Validation </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">function</span> <span class="n">validate_file</span><span class="p">(</span><span class="nv">$file</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Check file size (5MB limit)</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$file</span><span class="p">[</span><span class="s1">'size'</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mi">5242880</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Check file type</span> <span class="nv">$allowed_types</span> <span class="o">=</span> <span class="k">array</span><span class="p">(</span><span class="s1">'jpg'</span><span class="p">,</span> <span class="s1">'png'</span><span class="p">,</span> <span class="s1">'pdf'</span><span class="p">);</span> <span class="nv">$extension</span> <span class="o">=</span> <span class="nb">pathinfo</span><span class="p">(</span><span class="nv">$file</span><span class="p">[</span><span class="s1">'name'</span><span class="p">],</span> <span class="no">PATHINFO_EXTENSION</span><span class="p">);</span> <span class="k">return</span> <span class="nb">in_array</span><span class="p">(</span><span class="nv">$extension</span><span class="p">,</span> <span class="nv">$allowed_types</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Performance Optimization </h2> <h3> Batch Upload </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">function</span> <span class="n">batch_upload</span><span class="p">(</span><span class="nv">$files</span><span class="p">,</span> <span class="nv">$user_id</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$results</span> <span class="o">=</span> <span class="k">array</span><span class="p">();</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$files</span> <span class="k">as</span> <span class="nv">$file</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$fileName</span> <span class="o">=</span> <span class="s2">"users/</span><span class="si">{</span><span class="nv">$user_id</span><span class="si">}</span><span class="s2">/"</span> <span class="mf">.</span> <span class="nb">time</span><span class="p">()</span> <span class="mf">.</span> <span class="s2">".jpg"</span><span class="p">;</span> <span class="nv">$url</span> <span class="o">=</span> <span class="nf">apply_filters</span><span class="p">(</span><span class="s1">'supawp_upload_image_to_supabase'</span><span class="p">,</span> <span class="nv">$file</span><span class="p">,</span> <span class="nv">$fileName</span><span class="p">,</span> <span class="s1">'user-content'</span><span class="p">);</span> <span class="nv">$results</span><span class="p">[]</span> <span class="o">=</span> <span class="k">array</span><span class="p">(</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="nv">$file</span><span class="p">[</span><span class="s1">'name'</span><span class="p">],</span> <span class="s1">'url'</span> <span class="o">=&gt;</span> <span class="nv">$url</span><span class="p">,</span> <span class="s1">'success'</span> <span class="o">=&gt;</span> <span class="o">!</span><span class="k">empty</span><span class="p">(</span><span class="nv">$url</span><span class="p">)</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$results</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Using Your File Upload System </h2> <p>Once your code is in place:</p> <ol> <li> <strong>Add the shortcode to any page or post</strong>: <code>[simple_file_upload]</code> </li> <li> <strong>Ensure users are logged in</strong> for security</li> <li> <strong>Configure your Supabase Storage</strong> with appropriate buckets</li> </ol> <p>Example usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>[simple_file_upload] </code></pre> </div> <h2> Common Supabase Storage Query Filters </h2> <p>When working with uploaded files, you can query them using various filters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Get user's files from database</span> <span class="nv">$user_files</span> <span class="o">=</span> <span class="nf">apply_filters</span><span class="p">(</span><span class="s1">'supawp_get_data_from_supabase'</span><span class="p">,</span> <span class="s1">'files'</span><span class="p">,</span> <span class="k">array</span><span class="p">(</span> <span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="s1">'eq.'</span> <span class="mf">.</span> <span class="nv">$user_id</span><span class="p">,</span> <span class="s1">'order'</span> <span class="o">=&gt;</span> <span class="s1">'created_at.desc'</span> <span class="p">));</span> <span class="c1">// Filter by file size</span> <span class="nv">$large_files</span> <span class="o">=</span> <span class="nf">apply_filters</span><span class="p">(</span><span class="s1">'supawp_get_data_from_supabase'</span><span class="p">,</span> <span class="s1">'files'</span><span class="p">,</span> <span class="k">array</span><span class="p">(</span> <span class="s1">'file_size'</span> <span class="o">=&gt;</span> <span class="s1">'gt.1000000'</span> <span class="p">));</span> </code></pre> </div> <h2> Troubleshooting Common Issues </h2> <h3> Troubleshooting </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Check if storage is configured</span> <span class="nv">$config</span> <span class="o">=</span> <span class="nf">apply_filters</span><span class="p">(</span><span class="s1">'supawp_get_storage_config'</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="k">empty</span><span class="p">(</span><span class="nv">$config</span><span class="p">))</span> <span class="p">{</span> <span class="k">echo</span> <span class="s2">"Storage not configured"</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Common Issues </h3> <ol> <li> <strong>Storage not configured</strong> - Check SupaWP settings</li> <li> <strong>Upload fails</strong> - Verify file size and type limits</li> <li> <strong>Permission denied</strong> - Check Supabase RLS policies</li> <li> <strong>Files not showing</strong> - Ensure bucket is public</li> </ol> <h2> Conclusion </h2> <p>SupaWP Storage Filter Hooks revolutionize file management in WordPress by providing seamless integration with Supabase's powerful storage infrastructure. With enterprise-grade security, global CDN distribution, and a developer-friendly API, you can build sophisticated file management systems with minimal code.</p> <p>Key benefits of this integration:</p> <ul> <li> <strong>Zero Configuration Complexity</strong> - SupaWP handles authentication and API communication</li> <li> <strong>Enterprise Security</strong> - Automatic RLS integration and secure file handling</li> <li> <strong>Global Performance</strong> - Leverage Supabase's worldwide CDN network</li> <li> <strong>WordPress Native</strong> - Uses familiar WordPress filter patterns</li> <li> <strong>Scalable Architecture</strong> - No server storage limitations</li> </ul> <p>Whether you're building a simple profile system, complex document management, or e-commerce product galleries, SupaWP Storage Filter Hooks provide the foundation for modern, scalable WordPress applications.</p> <h2> Resources </h2> <ul> <li><a href="https://techcater.com/shop/products/SUPA_WP" rel="noopener noreferrer">SupaWP Plugin</a></li> <li><a href="https://supabase.com/docs/guides/storage" rel="noopener noreferrer">Supabase Storage Documentation</a></li> <li><a href="https://developer.wordpress.org/reference/functions/apply_filters/" rel="noopener noreferrer">WordPress Filter Reference</a></li> <li><a href="https://supabase.com/docs/guides/auth/row-level-security" rel="noopener noreferrer">Supabase Row Level Security</a></li> </ul> <p>Ready to transform your WordPress file management? Download SupaWP v1.3.4+ and start building with Supabase Storage today!</p> supabase wordpress webdev php Dale Nguyen Thu, 04 Sep 2025 04:00:42 +0000 https://dev.to/dalenguyen/learn-with-daily-mastery-from-ai-generation-to-email-delivery-1jk1 https://dev.to/dalenguyen/learn-with-daily-mastery-from-ai-generation-to-email-delivery-1jk1 <p>One of the biggest challenges in online education isn't creating content—it's delivering the right content to the right person at the right time. When building <a href="https://dailymastery.io" rel="noopener noreferrer">DailyMastery</a>, we needed to solve a complex scheduling problem: how do you deliver personalized, AI-generated lessons to users across different time zones, preferences, and learning schedules?</p> <p>Our solution is a high-performance lesson scheduling system that processes thousands of users daily, generates personalized content on-the-fly, and delivers beautiful email lessons at precisely the right moment. Here's how we built it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5mrdcrrjklmensnn7jup.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5mrdcrrjklmensnn7jup.png" alt="DailyMastery email" width="800" height="541"></a></p> <h2> The Challenge: Personalization at Scale </h2> <p>Traditional learning platforms send the same content to everyone. But true personalization requires:</p> <ul> <li> <strong>Individual content generation</strong>: Each lesson tailored to specific goals and progress</li> <li> <strong>Time-based delivery</strong>: Respecting user preferences for morning, afternoon, or evening learning</li> <li> <strong>Scalable processing</strong>: Handling growing user bases without performance degradation</li> <li> <strong>Reliability</strong>: Ensuring lessons are delivered consistently, even when individual components fail</li> </ul> <h2> Architecture Overview: From User Preferences to Inbox </h2> <p>Our lesson scheduling system consists of several coordinated services:</p> <h3> 1. User Selection Engine </h3> <p>The system starts by identifying which users should receive lessons for each time slot:</p> <p><strong>Selection Criteria</strong>:</p> <ul> <li>Users must have <code>preferences.studyTime</code> matching the time slot ('morning', 'afternoon', 'evening')</li> <li>Users must have <code>preferences.notifications.dailyReminders</code> enabled</li> <li>Users must have active study plans with lessons scheduled for today</li> </ul> <p><strong>Time Slots</strong>:</p> <ul> <li>06:00 UTC (Morning): Targets users who prefer early learning</li> <li>12:00 UTC (Afternoon): Catches lunch-break learners</li> <li>18:00 UTC (Evening): Reaches after-work studiers</li> </ul> <h3> 2. AI Content Generation Pipeline </h3> <p>Once we identify users, each lesson goes through our AI enhancement process:</p> <p><strong>Process Flow</strong>:</p> <ol> <li> <strong>Lesson Retrieval</strong>: Get scheduled lesson from database with original template content</li> <li> <strong>AI Enhancement</strong>: Use Google Cloud Vertex AI with Gemini to expand and personalize the content</li> <li> <strong>Quality Validation</strong>: Ensure AI-generated content meets quality standards</li> <li> <strong>Fallback Strategy</strong>: Use original template if AI generation fails</li> </ol> <p><strong>Content Personalization</strong>:<br> The AI considers user context including:</p> <ul> <li>Learning objectives and goals</li> <li>Current progress and difficulty level</li> <li>Preferred learning style and time commitment</li> <li>Previous lesson feedback and engagement</li> </ul> <h3> 3. Batch Processing for Scale </h3> <p>To handle thousands of users efficiently, we use sophisticated batch processing:</p> <p><strong>Concurrency Control</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">pLimit</span> <span class="o">=</span> <span class="p">(</span><span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">p-limit</span><span class="dl">'</span><span class="p">)).</span><span class="k">default</span> <span class="kd">const</span> <span class="nx">limit</span> <span class="o">=</span> <span class="nf">pLimit</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span> <span class="c1">// Process up to 10 users concurrently</span> <span class="kd">const</span> <span class="nx">promises</span> <span class="o">=</span> <span class="nx">userGroups</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">userGroup</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">limit</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="k">this</span><span class="p">.</span><span class="nf">processUserGroup</span><span class="p">(</span><span class="nx">userGroup</span><span class="p">)))</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">allSettled</span><span class="p">(</span><span class="nx">promises</span><span class="p">)</span> </code></pre> </div> <p><strong>Error Resilience</strong>:<br> Individual user failures don't stop the entire batch. Each user's processing is isolated, logged, and reported separately.</p> <h2> The Lesson Processor: Heart of the System </h2> <p>Our <code>LessonProcessorService</code> handles the complex task of managing lesson content:</p> <h3> Active Plan Discovery </h3> <p>The system performs comprehensive scans to find all active study plans:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="nf">getActivePlans</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">UserPlanGroup</span><span class="p">[]</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Scan all users with active plans</span> <span class="c1">// Find today's scheduled lessons</span> <span class="c1">// Group by user for efficient processing</span> <span class="p">}</span> </code></pre> </div> <h3> AI Content Generation </h3> <p>Each lesson is enhanced with AI-generated content:</p> <p><strong>Quality Metrics</strong>:</p> <ul> <li>Content length and depth analysis</li> <li>Learning objective alignment</li> <li>Engagement potential scoring</li> <li>Readability assessment</li> </ul> <p><strong>Performance Tracking</strong>:</p> <ul> <li>AI generation time per lesson</li> <li>Success/failure rates</li> <li>Content quality improvement over time</li> <li>User engagement correlation</li> </ul> <h3> Database Integration </h3> <p>Seamless integration with Firestore for lesson management:</p> <ul> <li>Atomic updates for lesson content</li> <li>Timestamp tracking for delivery status</li> <li>Progress tracking for user analytics</li> <li>Batch operations for efficiency</li> </ul> <h2> Email Delivery: The Final Mile </h2> <p>Our <code>EmailCoordinatorService</code> handles the critical task of email delivery:</p> <h3> Personalized Templates </h3> <p>Each email is personalized based on:</p> <ul> <li> <strong>Time-based greetings</strong>: 🌅 "Good morning" vs ☀️ "Good afternoon" vs 🌙 "Good evening"</li> <li> <strong>Study plan context</strong>: Extracted plan names and goals</li> <li> <strong>Progress indicators</strong>: Current lesson number and completion status</li> <li> <strong>Engagement elements</strong>: Interactive exercises and progress tracking</li> </ul> <h3> Responsive Design </h3> <p>Our <code>TemplateEngineService</code> creates mobile-friendly emails with:</p> <ul> <li>Maximum width of 600px for optimal display</li> <li>Modern gradient designs and professional styling with CSS animations</li> <li>Clear call-to-action buttons for lesson engagement</li> <li>Progress visualization and success metrics</li> <li>Time-based personalized greetings and content adaptation</li> <li>Professional email templates with comprehensive fallback support</li> </ul> <h3> Delivery Reliability </h3> <p>Email delivery includes comprehensive error handling:</p> <ul> <li>Detailed error logging for failed deliveries</li> <li>Retry mechanisms for transient failures</li> <li>Admin alerting for critical delivery issues</li> <li>Success rate monitoring and reporting</li> <li>Batch email API with intelligent fallback to individual sends</li> <li>Rate limiting protection (2 requests per second compliance)</li> </ul> <h2> Real-Time Processing Flow </h2> <p>Here's what happens when our scheduler processes the morning time slot:</p> <h3> 1. Trigger Processing (06:00 UTC) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">POST</span> <span class="o">/</span><span class="nx">schedule</span><span class="o">/</span><span class="mi">06</span><span class="p">:</span><span class="mi">00</span> </code></pre> </div> <h3> 2. User Discovery </h3> <ul> <li>Query database for morning-preference users</li> <li>Filter for active daily reminders</li> <li>Identify today's scheduled lessons</li> </ul> <h3> 3. Batch Processing </h3> <ul> <li>Group users for efficient processing</li> <li>Apply concurrency limits (10 concurrent users)</li> <li>Process each user's lessons independently</li> </ul> <h3> 4. Content Generation </h3> <p>For each user:</p> <ul> <li>Retrieve scheduled lessons from database</li> <li>Generate AI-enhanced content</li> <li>Update lesson records with new content</li> <li>Mark lessons as processed</li> </ul> <h3> 5. Email Delivery </h3> <ul> <li>Render personalized HTML templates</li> <li>Send via Resend email service</li> <li>Track delivery status and metrics</li> <li>Update lesson records with sent timestamps</li> </ul> <h3> 6. Reporting and Monitoring </h3> <ul> <li>Generate processing summary</li> <li>Send admin reports via email</li> <li>Log performance metrics</li> <li>Alert on critical errors</li> </ul> <h2> Performance Metrics and Monitoring </h2> <p>Our system tracks comprehensive metrics:</p> <h3> Processing Performance </h3> <ul> <li><strong>Total processing time per time slot</strong></li> <li><strong>Average time per user</strong></li> <li><strong>Concurrency efficiency metrics</strong></li> <li><strong>Database operation latency</strong></li> </ul> <h3> Content Quality </h3> <ul> <li> <strong>AI generation success rates</strong> (target: &gt;95%)</li> <li><strong>Content length and complexity metrics</strong></li> <li><strong>User engagement correlation with AI content</strong></li> <li><strong>Fallback usage rates</strong></li> </ul> <h3> Email Delivery </h3> <ul> <li> <strong>Email send success rates</strong> (target: &gt;99%)</li> <li><strong>Template rendering performance</strong></li> <li> <strong>User engagement rates</strong> (opens, clicks, completions)</li> <li><strong>Bounce and complaint rates</strong></li> </ul> <h2> Future Enhancements </h2> <p>We're continuously improving the scheduling system:</p> <h3> Advanced Personalization </h3> <ul> <li> <strong>Learning pattern analysis</strong>: Adapt timing based on user engagement patterns</li> <li> <strong>Content difficulty adjustment</strong>: Dynamic complexity scaling based on progress</li> <li> <strong>Multi-modal delivery</strong>: Support for SMS, push notifications, and in-app delivery</li> </ul> <h3> Performance Optimization </h3> <ul> <li> <strong>Predictive scaling</strong>: Auto-scaling based on user growth patterns</li> <li> <strong>Content pre-generation</strong>: Cache frequently used AI-generated content</li> <li> <strong>Global distribution</strong>: Multi-region deployment for reduced latency</li> </ul> <h3> Analytics and Insights </h3> <ul> <li> <strong>Learning effectiveness metrics</strong>: Correlation between delivery timing and retention</li> <li> <strong>Content performance analysis</strong>: A/B testing for AI-generated vs template content</li> <li> <strong>User journey optimization</strong>: Personalized scheduling based on individual success patterns</li> </ul> <h2> Lessons Learned </h2> <p>Building a personalized lesson scheduling system taught us:</p> <h3> Technical Insights </h3> <ol> <li> <strong>Batch processing with concurrency limits</strong> provides the best balance of speed and reliability</li> <li> <strong>Comprehensive error handling</strong> at every level is essential for user trust</li> <li> <strong>AI content generation requires robust fallback strategies</strong> for reliability</li> <li> <strong>Email delivery is more complex than it appears</strong> - template rendering, personalization, and deliverability all matter</li> </ol> <h3> Product Insights </h3> <ol> <li> <strong>Time-based personalization significantly improves engagement</strong> compared to generic scheduling</li> <li> <strong>AI-enhanced content shows measurably higher completion rates</strong> than template-based lessons</li> <li> <strong>Processing transparency builds user confidence</strong> - users appreciate knowing when their lessons are being prepared</li> <li> <strong>Reliable delivery is table stakes</strong> - users expect lessons to arrive consistently</li> </ol> <h2> Getting Started </h2> <p>If you're building your own personalized delivery system, consider:</p> <ol> <li> <strong>Start with reliable basics</strong>: Get consistent delivery working before adding AI enhancement</li> <li> <strong>Design for failure</strong>: Assume every external service will fail and plan accordingly</li> <li> <strong>Monitor everything</strong>: Comprehensive logging and metrics are essential for debugging and optimization</li> <li> <strong>Test with real load</strong>: Batch processing behaves differently at scale</li> </ol> <p>Our lesson scheduling system demonstrates that personalized, AI-powered education delivery is not only possible but can be built reliably and efficiently with the right architecture and attention to detail.</p> nextjs ai gcp fastify Dale Nguyen Fri, 29 Aug 2025 14:34:06 +0000 https://dev.to/dalenguyen/fixing-nextjs-authentication-redirects-preserving-deep-links-after-login-pkk https://dev.to/dalenguyen/fixing-nextjs-authentication-redirects-preserving-deep-links-after-login-pkk <h2> The Problem </h2> <p>In our learning platform <a href="https://dailymastery.io" rel="noopener noreferrer">DailyMastery</a>, we send personalized lesson emails to users with direct links to specific lessons, like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code>https://dailymastery.io/dashboard/lessons/sample-lesson-detail </code></pre> </div> <p>However, we discovered a frustrating user experience issue: when users clicked these lesson links from their emails, they would be redirected to login (which is correct for unauthenticated users), but after successful authentication, instead of landing on the specific lesson page, they would end up on the generic dashboard.</p> <p>This broke the seamless experience we wanted to provide - users had to manually navigate to find their intended lesson after logging in.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ww4113aqgubli68ai69.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ww4113aqgubli68ai69.gif" alt="DailyMastery correct redirect example" width="560" height="342"></a></p> <h2> Understanding the Authentication Flow </h2> <p>Let's break down what was happening:</p> <h3> The Original (Broken) Flow: </h3> <ol> <li> <strong>User clicks lesson link</strong>: <code>https://dailymastery.io/dashboard/lessons/sample-lesson-detail</code> </li> <li> <strong>Middleware intercepts</strong>: Detects no authentication token</li> <li> <strong>Redirect to login</strong>: <code>https://dailymastery.io/login</code> (❌ <strong>Original URL lost!</strong>)</li> <li> <strong>User authenticates</strong>: Successfully logs in with Google</li> <li> <strong>Post-login redirect</strong>: Goes to default <code>/dashboard</code> (❌ <strong>Not the intended lesson</strong>)</li> </ol> <h3> The Root Cause </h3> <p>Our Next.js middleware was correctly protecting routes but wasn't preserving the original destination URL when redirecting unauthenticated users to the login page.</p> <p>Here's the problematic middleware code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ BEFORE: Lost the original URL</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">firebase-token</span><span class="dl">'</span><span class="p">)?.</span><span class="nx">value</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// This loses the original URL!</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <h2> The Solution: Preserving Deep Links </h2> <p>The fix required two components working together:</p> <h3> 1. Enhanced Middleware (Capturing the Original URL) </h3> <p>We modified the middleware to capture the full original URL and pass it as a query parameter:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ AFTER: Preserves the original URL</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">cookieToken</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">firebase-token</span><span class="dl">'</span><span class="p">)?.</span><span class="nx">value</span> <span class="kd">const</span> <span class="nx">headerToken</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">authorization</span><span class="dl">'</span><span class="p">)?.</span><span class="nf">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">Bearer </span><span class="dl">'</span><span class="p">,</span> <span class="dl">''</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">cookieToken</span> <span class="o">||</span> <span class="nx">headerToken</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// 🎯 Key fix: Preserve original URL with query params</span> <span class="kd">const</span> <span class="nx">loginUrl</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">)</span> <span class="nx">loginUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">redirect</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span> <span class="o">+</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">search</span><span class="p">)</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="nx">loginUrl</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key improvements:</strong></p> <ul> <li> <code>request.nextUrl.pathname</code> captures the path (<code>/dashboard/lessons/sample-lesson-detail</code>)</li> <li> <code>request.nextUrl.search</code> captures any query parameters</li> <li>Combined as <code>redirect</code> parameter in the login URL</li> </ul> <h3> 2. Smart Login Page (Reading and Using the Redirect) </h3> <p>Our login page was already set up to handle redirects, but let's look at the key parts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// login/page.tsx</span> <span class="kd">function</span> <span class="nf">LoginForm</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nf">useRouter</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">searchParams</span> <span class="o">=</span> <span class="nf">useSearchParams</span><span class="p">()</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">loading</span> <span class="o">&amp;&amp;</span> <span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// 🎯 Check for redirect parameter first, fallback to dashboard</span> <span class="kd">const</span> <span class="nx">redirectUrl</span> <span class="o">=</span> <span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">redirect</span><span class="dl">'</span><span class="p">)</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">redirectUrl</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">},</span> <span class="p">[</span><span class="nx">user</span><span class="p">,</span> <span class="nx">loading</span><span class="p">,</span> <span class="nx">router</span><span class="p">,</span> <span class="nx">searchParams</span><span class="p">])</span> <span class="kd">const</span> <span class="nx">signInWithGoogle</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">signInWithPopup</span><span class="p">(</span><span class="nx">auth</span><span class="p">,</span> <span class="nx">provider</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">idToken</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">result</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">getIdToken</span><span class="p">()</span> <span class="c1">// Store auth token</span> <span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span> <span class="o">=</span> <span class="s2">`firebase-token=</span><span class="p">${</span><span class="nx">idToken</span><span class="p">}</span><span class="s2">; path=/; max-age=86400; secure; samesite=strict`</span> <span class="c1">// 🎯 Redirect to original destination after login</span> <span class="kd">const</span> <span class="nx">redirectUrl</span> <span class="o">=</span> <span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">redirect</span><span class="dl">'</span><span class="p">)</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">redirectUrl</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setError</span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> The Fixed Flow </h2> <p>Now the authentication flow works perfectly:</p> <h3> The New (Working) Flow: </h3> <ol> <li> <strong>User clicks lesson link</strong>: <code>https://dailymastery.io/dashboard/lessons/sample-lesson-detail</code> </li> <li> <strong>Middleware intercepts</strong>: Detects no authentication token</li> <li> <strong>Smart redirect</strong>: <code>https://dailymastery.io/login?redirect=/dashboard/lessons/sample-lesson-detail</code> (✅ <strong>URL preserved!</strong>)</li> <li> <strong>User authenticates</strong>: Successfully logs in with Google</li> <li> <strong>Post-login redirect</strong>: Goes to the original lesson URL (✅ <strong>Perfect user experience!</strong>)</li> </ol> <h2> Testing the Fix </h2> <p>To test this, you can:</p> <ol> <li> <strong>Create a protected route</strong>: Any URL under <code>/dashboard/*</code> </li> <li> <strong>Visit while logged out</strong>: The middleware will redirect you</li> <li> <strong>Check the URL</strong>: Should be <code>/login?redirect=/dashboard/your-original-path</code> </li> <li> <strong>Complete authentication</strong>: Should redirect back to your original destination</li> </ol> <h2> Key Takeaways </h2> <h3> 1. Middleware Should Preserve Context </h3> <p>When redirecting users for authentication, always preserve where they were trying to go:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Bad: Loses context</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="c1">// Good: Preserves user intent</span> <span class="kd">const</span> <span class="nx">loginUrl</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">)</span> <span class="nx">loginUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">redirect</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span> <span class="o">+</span> <span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">search</span><span class="p">)</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="nx">loginUrl</span><span class="p">)</span> </code></pre> </div> <h3> 2. Login Pages Should Check for Redirects </h3> <p>Your authentication success handler should always check for intended destinations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Bad: Always goes to same place</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// Good: Respects user's original intent</span> <span class="kd">const</span> <span class="nx">redirectUrl</span> <span class="o">=</span> <span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">redirect</span><span class="dl">'</span><span class="p">)</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">redirectUrl</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">)</span> </code></pre> </div> <h3> 3. Handle Edge Cases </h3> <p>Consider various scenarios:</p> <ul> <li>Query parameters in original URLs</li> <li>Relative vs absolute URLs</li> <li>Security validation of redirect URLs (prevent open redirects)</li> <li>Fallback behaviors when redirects fail</li> </ul> <h2> Security Considerations </h2> <p>When implementing redirect preservation, be mindful of <strong>open redirect vulnerabilities</strong>. In our case, we're safe because:</p> <ol> <li>We only redirect within our own domain</li> <li>The middleware controls what URLs get set as redirects</li> <li>We validate that redirects start with <code>/dashboard</code> (our protected routes)</li> </ol> <p>For additional security, you could add validation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">validateRedirectUrl</span> <span class="o">=</span> <span class="p">(</span><span class="nx">url</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">boolean</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Only allow internal redirects to specific paths</span> <span class="k">return</span> <span class="nx">url</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">url</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/profile</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// In login handler:</span> <span class="kd">const</span> <span class="nx">redirectUrl</span> <span class="o">=</span> <span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">redirect</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">safeRedirectUrl</span> <span class="o">=</span> <span class="nx">redirectUrl</span> <span class="o">&amp;&amp;</span> <span class="nf">validateRedirectUrl</span><span class="p">(</span><span class="nx">redirectUrl</span><span class="p">)</span> <span class="p">?</span> <span class="nx">redirectUrl</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">safeRedirectUrl</span><span class="p">)</span> </code></pre> </div> <h2> Conclusion </h2> <p>This seemingly small fix dramatically improved our user experience. Users clicking lesson links in emails now seamlessly land on their intended lessons after authentication, rather than getting lost on a generic dashboard.</p> <p>The solution demonstrates how proper state preservation in authentication flows is crucial for maintaining user intent and creating smooth, professional web applications.</p> <p><strong>Technologies used</strong>: Next.js 15, TypeScript, Firebase Auth, Next.js Middleware</p> nextjs webdev learning tutorial