feat(auth): add pagination support to Auth user list

[udaycodespace]

🚀 Pull Request Description

Fixes #298

Implemented pagination support for the Auth page user list to make it consistent with the existing Database page pagination behavior.

Changes Made

• Added pagination state management (page, limit, totalRecords) in Auth.jsx
• Updated Auth user fetch requests to use paginated API calls
• Added reusable Pagination component below the user table
• Added page-size selection support
• Refetches data when page or page size changes
• Preserved pagination-aware refresh after user creation

This allows users to navigate through all available auth users instead of being restricted to the first set of records.

🛠️ Type of Change

• 🐛 Bug fix (non-breaking change which fixes an issue)
• ✨ New feature (non-breaking change which adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
• 📝 Documentation update
• 🎨 UI/UX improvement (Frontend only)
• ⚙️ Refactor / Chore

🧪 Testing & Validation

Backend Verification:

• I have run npm test in the backend/ directory and all tests passed.
• I have verified the API endpoints using Browser Console.
• New unit tests have been added (if applicable).

Frontend Verification:

• I have run npm run lint in the frontend/ directory.
• Verified the UI changes on different screen sizes (Responsive).
• Checked for any console errors in the browser dev tools.

📸 Screenshots / Recordings (Pending)

⚠️ Validation and screenshots are currently in progress.

The current test project does not contain enough Auth users to demonstrate multi-page navigation visually.

Current verification completed:

• Confirmed the backend endpoint accepts page and limit parameters.
• Confirmed successful paginated API responses from the Auth users endpoint.
• Confirmed pagination controls render correctly on the Auth page.
• Checked browser console for errors after implementation.

Console verification output:

{
  success: true,
  data: {
    items: [],
    total: 0
  },
  message: "Data fetched successfully."
}

I am currently preparing additional test data to fully validate page navigation behavior and will update this PR with screenshots and/or recordings once testing is completed.

✅ Checklist

• My code follows the code style of this project.
• I have performed a self-review of my code.
• I have commented my code, particularly in hard-to-understand areas.
• My changes generate no new warnings or errors.
• I have updated the documentation (README/Docs) accordingly.

---

Built with ❤️ for urBackend.

Summary by CodeRabbit

• New Features

  • Client-side pagination on the Auth user management page with page/limit controls and total count.
  • New admin API endpoints to list paginated users and delete an admin user.
  • Creates now refresh the current paginated view; changing items-per-page resets to page 1.

• Bug Fixes

  • Deletions update the list and total count and move to the previous page if current page becomes empty.
  • Prevents stale/overwritten results during rapid pagination changes.

[coderabbitai]

Warning

Review limit reached

@udaycodespace, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 45 minutes and 53 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e28c8a7e-00f6-4c43-b4aa-4e78e445fb8d

📥 Commits

Reviewing files that changed from the base of the PR and between e917509 and 1c671a1.

📒 Files selected for processing (2)

• apps/dashboard-api/src/__tests__/routes.projects.storage.test.js
• apps/dashboard-api/src/controllers/userAuth.controller.js

📝 Walkthrough

Walkthrough

Adds backend admin endpoints for listing and deleting users, and implements paginated user browsing in the Auth page with guarded paginated fetches, create/delete refreshes, and a Pagination control under the user table.

Changes

Admin users (backend + frontend)

Layer / File(s)	Summary
Admin controllers: list and delete apps/dashboard-api/src/controllers/userAuth.controller.js	Adds listAdminUsers (handles page/limit, returns items and total) and deleteAdminUser (deletes by userId, returns 404 when not found).
Route registrations for admin user endpoints apps/dashboard-api/src/routes/projects.js	Registers GET /:projectId/admin/users and DELETE /:projectId/admin/users/:userId and ensures controller imports are available alongside existing per-user GET/PUT routes.
Auth page: imports, state, request guard apps/web-dashboard/src/pages/Auth.jsx	Adds useRef and Pagination imports, initializes page, limit, totalRecords, and latestUsersRequestId to prevent stale async updates.
Paginated fetch effect and create-user refresh apps/web-dashboard/src/pages/Auth.jsx	Replaces users-loading effect to call /admin/users?page=&limit=, guards responses with request id, extracts totalRecords from multiple response shapes, and re-fetches the paginated list after creating a user.
Delete handler, pagination UI, and page adjustments apps/web-dashboard/src/pages/Auth.jsx	Delete handler calls admin DELETE, optimistically removes the user from state, decrements/clamps totalRecords, moves to previous page if current page empties; renders Pagination under UserTable with handlers for page and limit (limit change resets page to 1).

Sequence Diagram(s)

sequenceDiagram
  participant Client as AuthPage
  participant Server as DashboardAPI
  participant DB as MongoDB
  Client->>Server: GET /:projectId/admin/users?page=&limit= (reqId)
  Server->>DB: find(query, projection).sort(createdAt).skip((page-1)*limit).limit(limit)
  Server->>DB: countDocuments(query)
  DB-->>Server: items, total
  Server-->>Client: { items, total, page, limit }
  Client->>Client: if reqId matches → set users, set totalRecords

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• geturbackend/urBackend#263: Modifies Auth page user list handling; both PRs touch users state and fetching logic.

Suggested labels

GSSOC'26, level:intermediate, gssoc:approved

Suggested reviewers

• yash-pouranik

Poem

🐰 I hopped through pages, one by one,
I fetched, I counted, then I spun.
No stale replies can make me frown,
I keep the newest users in town.
Pagination's here — the list wears a crown.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(auth): add pagination support to Auth user list' directly and clearly summarizes the main change across all files.
Linked Issues check	✅ Passed	All linked issue #298 requirements are met: pagination added to Auth user list with state management, paginated API calls implemented, pagination controls included, backend admin endpoints created to exclude sensitive fields, and create/delete flows properly synchronized.
Out of Scope Changes check	✅ Passed	All changes directly support pagination implementation: state management and controls in Auth.jsx, admin endpoints in userAuth.controller.js, and route registration in projects.js for the /admin/users endpoints.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[udaycodespace]

@yash-pouranik

Quick update: PR is up, implementation is completed. I'll do final testing and upload screenshots/recordings tonight.

• Problem: Auth page only showed the first set of users and had no pagination, unlike the Database page.
• Solution: Reused the existing pagination pattern/component from the Database page and added paginated user fetching in Auth.
• Status: Code changes are complete, final validation with larger test data and screenshots is pending.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/web-dashboard/src/pages/Auth.jsx`:
- Around line 83-92: In the useEffect in Auth.jsx that fetches
`/api/projects/${projectId}/collections/users/data` wrap the post-await state
updates with a re-check for component liveness (or a requestId guard) to avoid
stale overwrites: after the `await api.get(...)` and before calling `setUsers`
and `setTotalRecords` verify `isMounted` (or compare the captured requestId
against the latest) and only proceed if still valid; apply this check around the
usage of `normalizeUsersResponse`, `setUsers`, and `setTotalRecords` so an
out-of-order response cannot overwrite newer pagination state.
- Around line 237-246: The delete path (handleDeleteUser) currently removes the
user from state with setUsers but doesn't update setTotalRecords, causing
pagination drift; after removing the user call setTotalRecords(prev =>
Math.max(prev - 1, 0)) to keep the total in sync and, if the current page
becomes empty (i.e., normalizeUsersResponse(users) length === 0 and page > 1),
decrement the page or trigger a refetch so the UI moves to the previous page;
update the logic in handleDeleteUser near the setUsers call and reference
setTotalRecords, setUsers, normalizeUsersResponse and page handling to implement
this fix.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2932cc8c-9005-4ecf-85a8-26d2a351bc59

📥 Commits

Reviewing files that changed from the base of the PR and between b6e59ab and cbec27d.

📒 Files selected for processing (1)

• apps/web-dashboard/src/pages/Auth.jsx

[yash-pouranik]

Some coderabbitai
comments
@udaycodespace

[udaycodespace]

Some coderabbitai comments @udaycodespace

• Thanks for the review.
• I'll address the CodeRabbit suggestions, complete final validation, and update the PR with screenshots/testing results tonight!

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/web-dashboard/src/pages/Auth.jsx`:
- Around line 173-176: The delete-success callback is using stale closure values
for users and page; change the mutations to use functional updaters so they read
the latest state: call setUsers(prevUsers => { const next =
normalizeUsersResponse(prevUsers).filter(u => u._id !== userId); return next;
}), call setTotalRecords(prev => Math.max(prev - 1, 0)), and compute page
rollback from the latest users/page by using setPage(prevPage => { if
(next.length === 0 && prevPage > 1) return prevPage - 1; return prevPage; }) (or
use synced refs for users/page if you prefer), ensuring you reference
normalizeUsersResponse, setUsers, setTotalRecords, setPage and userId in the
updated logic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2479fb51-b6d5-4299-8ba3-9914c7494abc

📥 Commits

Reviewing files that changed from the base of the PR and between cbec27d and 1753704.

📒 Files selected for processing (1)

• apps/web-dashboard/src/pages/Auth.jsx

[udaycodespace]

@yash-pouranik ,

Addressed all CodeRabbit feedback:

• Added request-id guards to prevent stale async pagination responses from overwriting newer state.
• Synced totalRecords after user deletion.
• Updated delete flow to use functional state updates and safely roll back pagination when the current page becomes empty.

Final pagination validation and screenshots are in progress.

[yash-pouranik]

I can see that only frontend is changed
does /api/userauth/*
provides pagination??
@udaycodespace

[udaycodespace]

I can see that only frontend is changed does /api/userauth/* provides pagination?? @udaycodespace

Yes, only frontend changes were made.

Pagination is handled by the existing collection data endpoint (/api/projects/:projectId/collections/users/data?page=&limit=), not by /api/userAuth/*. The frontend now consumes that existing paginated API.

[udaycodespace]

Final validation completed.

• Created multiple Auth users and verified pagination across multiple pages.
• Confirmed page navigation (Page 1 ↔ Page 2) works correctly.
• Verified rows-per-page selection updates the dataset as expected.
• Confirmed create/delete flows keep pagination state synchronized.
• No console errors observed during testing.

Screenshots attached below.

[yash-pouranik]

2 months back when we integrated auth as a service
we created new api endpoints as
/api/userauth/*
that will be responsible for all the api calls in auth as a service
bcoz of one major reason -
/api/projects/:projectId/collections/users/data?page=&limit=
doesnt remove password like feilds from the user table and sent to the client side directly.
and 1 or 2 more reason that I was forgetting

let me know ur views @coderabbitai

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find Auth.jsx
fd -i "Auth.jsx" --exec cat {}

# Find userauth route/controller files
fd -i "userauth" -e js -e ts -e jsx -e tsx --exec echo "FILE: {}" \; --exec cat {} \; 2>/dev/null

# Also search by pattern in route registrations
rg -rn "userauth" --type js --type ts -C3 2>/dev/null | head -100

# Look for any pagination support in userauth routes
rg -rn "page\|limit\|pagination" --type js --type ts -C2 2>/dev/null | grep -i "userauth\|auth" | head -50

Length of output: 211489

---

---

@yash-pouranik — your concern is completely valid and important. Let me break down what's actually happening in this PR and why it matters.

---

The Problem

The PR fetches the user list using:

GET /api/projects/${projectId}/collections/users/data?page=${page}&limit=${limit}

This is a generic collection CRUD endpoint — it has no awareness that the users collection is special. It will return raw MongoDB documents including bcrypt password hashes to the dashboard frontend. Even though bcrypt hashes aren't reversible in practice, exposing them is:

• Unnecessary data exposure
• A violation of the principle of least privilege
• Inconsistent with the deliberate architecture decision made when /api/userauth/* was introduced

---

The Inconsistency in This PR

Looking at Auth.jsx, the PR is actually mixed in its approach:

Operation	Endpoint Used	Correct?
List users (paginated)	GET /collections/users/data?page=&limit=	❌ Generic, exposes password
Create user	POST /admin/users	✅ Goes through auth controller
Edit user	PUT /admin/users/:id	✅ Explicitly delete updateData.password
Delete user	DELETE /collections/users/data/:id	❌ Generic endpoint
Sessions	GET /admin/users/:id/sessions	✅ Auth-specific

---

Why This Happened

There's no paginated list endpoint under /admin/users in the dashboard-api's userAuth.controller.js. The PR author reached for the only paginated endpoint available. The correct fix is to add a dedicated endpoint:

// In dashboard-api userAuth.controller.js
module.exports.listAdminUsers = async (req, res) => {
    try {
        const project = req.project;
        const page = Math.max(1, parseInt(req.query.page) || 1);
        const limit = Math.min(100, Math.max(1, parseInt(req.query.limit) || 50));
        const skip = (page - 1) * limit;

        const usersColConfig = project.collections.find(c => c.name === 'users');
        if (!usersColConfig) return res.status(404).json({ error: "Auth collection not found" });

        const connection = await getConnection(project._id);
        const Model = getCompiledModel(connection, usersColConfig, project._id, project.resources.db.isExternal);

        const [items, total] = await Promise.all([
            Model.find({}, { password: 0 }).skip(skip).limit(limit).lean(),
            Model.countDocuments()
        ]);

        res.json({ items, total, page, limit });
    } catch (err) {
        res.status(500).json({ error: err.message });
    }
};

Then register it in the dashboard-api admin routes and update Auth.jsx to call GET /api/projects/${projectId}/admin/users?page=&limit= instead. The delete should similarly move to a dedicated admin delete route.

---

Summary

The PR author's implementation was a pragmatic workaround for a missing endpoint — the pagination logic itself is sound, but it's wired to the wrong API. The real fix needed here is:

1. Add GET /admin/users?page=&limit= with { password: 0 } projection in the dashboard-api
2. Add DELETE /admin/users/:id in the dashboard-api
3. Update Auth.jsx to use these new endpoints

Would you like me to open a follow-up issue for adding these missing admin endpoints, @udaycodespace?

[yash-pouranik]

yh all routes should go through - /admin
all listed
can u please do this?
@udaycodespace

[udaycodespace]

yh all routes should go through - /admin all listed can u please do this? @udaycodespace

@yash-pouranik

Done. I moved the Auth user list/delete flow to dedicated /admin/users endpoints instead of the generic collection routes.

Also added paginated admin user APIs on the backend with password exclusion, and updated the frontend to use those endpoints consistently.

Tested locally by changing page sizes (10/20/50/100), verifying paginated refetches, and confirming list/delete requests hit /admin/users routes only.

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

apps/web-dashboard/src/pages/Auth.jsx (2)

252-263: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use current pagination when refreshing after create.

Lines 252-255 reuse page and limit from the submit-time closure. If pagination changes before the POST resolves, this follow-up GET fetches the old page, increments latestUsersRequestId, and can overwrite the newer page's data with stale results. Please drive this refresh through a shared fetchUsers helper or read the latest pagination from synced refs before issuing the GET.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/web-dashboard/src/pages/Auth.jsx` around lines 252 - 263, The GET after
create can use stale closure variables (page, limit) and overwrite newer data;
update the flow to drive the refresh via a shared fetchUsers helper (e.g.,
create/fix a fetchUsers function called by UI and by the POST follow-up) or read
the latest pagination from synced refs before requesting (use pageRef.current
and limitRef.current) so the GET uses current pagination; keep the optimistic
request id logic (latestUsersRequestId.current) and call setUsers/
setTotalRecords with normalizeUsersResponse only after confirming requestId ===
latestUsersRequestId.current.

---

75-103: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Block stale row actions while a new page is loading.

Lines 75-103 refetch on every page/limit change, but the component never enters a users-loading state before those requests. After Line 339 changes page, the paginator can already show the new page while UserTable still renders the old rows, so edit/delete actions stay live against stale data. Add a dedicated loading state for paginated fetches and clear/disable the table until that request settles.

Also applies to: 335-344

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/web-dashboard/src/pages/Auth.jsx` around lines 75 - 103, Add a dedicated
users-loading state (e.g., usersLoading / setUsersLoading) and use it around the
paginated users fetch in the existing useEffect/fetchData flow: set usersLoading
true (and optionally clear users via setUsers([])) immediately before issuing
the users API call triggered by page/limit changes, and set usersLoading false
in the finally block after the users request settles; keep the existing
latestUsersRequestId.current check and only call setUsers/setTotalRecords when
the request is current. Also update the table/paginator (or the row action
handlers) to disable edit/delete when usersLoading is true so row actions are
blocked until the paginated fetch completes.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/dashboard-api/src/controllers/userAuth.controller.js`:
- Around line 241-268: Update listAdminUsers to conform to the API contract and
sanitize errors: change the handler signature to (req, res, next), and on
success return res.json({ success: true, data: { items, total, page, limit },
message: "" }) instead of the current payload; in the catch block do not expose
err.message — call next(new AppError("Failed to list admin users", 500)) (or
similar sanitized message) so failures are routed through the AppError flow;
apply the same pattern (add next param, standardized success object, and
AppError-based error forwarding) to the other admin handler referenced around
lines 270-288.
- Around line 281-286: Validate the userId at the start of deleteAdminUser using
mongoose.Types.ObjectId.isValid(userId) before constructing a new ObjectId; if
invalid, call next(new AppError("Invalid user id", 400)). After validation,
perform Model.deleteOne(...) and if deletedCount === 0 call next(new
AppError("User not found", 404)). For success, return the unified response shape
res.json({ success: true, data: null, message: "User deleted successfully" }).
Replace direct res.status(...).json({ error: ... }) error returns with AppError
via next(...) so global error handler formats errors consistently.

In `@apps/dashboard-api/src/routes/projects.js`:
- Around line 51-52: The test mock for the userAuth controller is missing two
exported handlers causing route registration to receive undefined; update the
mocked module in the failing test to include listAdminUsers: jest.fn(() => ...)
and deleteAdminUser: jest.fn(() => ...) so the router.get (listAdminUsers) and
router.delete (deleteAdminUser) in projects.js receive functions during Jest
runs; locate the mock of ../controllers/userAuth.controller in the test file and
add those two jest.fn mocks to the exported mock object.

---

Outside diff comments:
In `@apps/web-dashboard/src/pages/Auth.jsx`:
- Around line 252-263: The GET after create can use stale closure variables
(page, limit) and overwrite newer data; update the flow to drive the refresh via
a shared fetchUsers helper (e.g., create/fix a fetchUsers function called by UI
and by the POST follow-up) or read the latest pagination from synced refs before
requesting (use pageRef.current and limitRef.current) so the GET uses current
pagination; keep the optimistic request id logic (latestUsersRequestId.current)
and call setUsers/ setTotalRecords with normalizeUsersResponse only after
confirming requestId === latestUsersRequestId.current.
- Around line 75-103: Add a dedicated users-loading state (e.g., usersLoading /
setUsersLoading) and use it around the paginated users fetch in the existing
useEffect/fetchData flow: set usersLoading true (and optionally clear users via
setUsers([])) immediately before issuing the users API call triggered by
page/limit changes, and set usersLoading false in the finally block after the
users request settles; keep the existing latestUsersRequestId.current check and
only call setUsers/setTotalRecords when the request is current. Also update the
table/paginator (or the row action handlers) to disable edit/delete when
usersLoading is true so row actions are blocked until the paginated fetch
completes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ff911ad5-fea6-4cb4-8616-103fd86bb0f0

📥 Commits

Reviewing files that changed from the base of the PR and between 1753704 and e917509.

📒 Files selected for processing (3)

• apps/dashboard-api/src/controllers/userAuth.controller.js
• apps/dashboard-api/src/routes/projects.js
• apps/web-dashboard/src/pages/Auth.jsx

[udaycodespace]

@yash-pouranik ,

• All requested changes have been addressed.
• Auth user list/delete now use dedicated /admin/users endpoints, pagination is fully functional, passwords are excluded from responses, and all CI/CodeRabbit checks are passing.
• Thanks for the review.

[yash-pouranik]

yh this looks more prod ready
let me check

[udaycodespace]

yh this looks more prod ready let me check

Sure, please review once. Happy to make any further changes if required.