Initialize Configuration Management Using Viper

[window9u]

What This PR Does / Why We Need It:

Configuration Priority (from highest to lowest, where higher-priority settings override lower ones):

1. Environment Variables
2. config.yaml File
3. Default Values (within the code)

Configuration Method:

• Most configuration values are defined via environment variables, the config.yaml file, and default values, enabling flexible management.
• Command-line flags are minimized. Currently, only the path to config.yaml is accepted as a flag.
• Each section of the YAML file is mapped to a corresponding Go configuration struct.
• The effective order of configuration sources is as follows:
  • OS environment variables
  • config.yaml
  • Default values
• The only flags accepted are configfilepath and loglevel.
• If no configuration file path is provided, the system automatically attempts to read from ./config.yaml.

Using expectation

• In the development environment, the intention is to use config.yaml
• in production, sensitive secrets will be provided via OS environment variables and other configuration settings via config.yaml.

Migration consideration

codepair is using Docker Compose to obtain settings from environment variables, this approach should be compatible.

---

Which Issue(s) This PR Fixes:

Special Notes for the Reviewer:

• Some configuration options might appear unnecessary (e.g., Mongo config’s databaseName).
• Should we add mapstructure? It is used when viper maps values to a structure. Currently, it works without mapstructure because the Go struct names match the YAML object names. However, I have included it for explicit documentation.
• The configuration setup is quite complex, so I will add more documentation if the overall approach is acceptable.

---

Does This PR Introduce a User-Facing Change?

NONE

---

Additional Documentation:

• The EnvVarMap in backend-go/internal/config/env.go is essential for parsing environment variables.
• For example, if an environment variable like OAUTH_GITHUB_CLIENT_ID is provided, viper cannot automatically determine whether GITHUB represents a structure or if it is part of a larger key (e.g., GITHUB_CLIENT). In such cases, we explicitly map it to oauth.github.ClientId to indicate the correct structure depth, ensuring that viper correctly interprets that GITHUB is not a nested structure.

*(No additional documentation provided)*

---

Checklist:

• Added relevant tests (or not required)
• Didn't break anything

Summary by CodeRabbit

• New Features

  • Enhanced command-line options now allow specifying a configuration file and custom logging levels.
  • Expanded configuration settings enable more flexible server operations, authentication, token management, database connectivity, and storage provider configurations.

• Tests

  • Improved test coverage ensures robust loading and validation of configuration values from both environment variables and configuration files.

• Chores

  • Updated dependency management improves overall stability and functionality.

[coderabbitai]

Walkthrough

This pull request introduces command-line flag parsing in the main application to retrieve configuration file paths and log levels. The configuration is now loaded from a YAML file with structured sections for server, authentication, JWT, Yorkie, MongoDB, and storage options. Dependency management in the module is updated with new direct and indirect packages. Additionally, the internal configuration package receives comprehensive enhancements with functions for environment binding, default value assignments, and validations, alongside associated tests.

Changes

File(s)	Change Summary
backend-go/cmd/codepair/main.go	Added command-line flag parsing with parseFlag and setLogLevel functions; enhanced error handling and configuration loading using the provided config path and loglevel.
backend-go/config.yaml	Introduced a new, detailed configuration structure with sections: Server, Auth (including Github settings and FrontendBaseURL), JWT, Yorkie, Mongo, and Storage (Minio/S3 settings).
backend-go/go.mod	Updated dependency management; removed and reclassified dependencies; added new direct dependencies (viper, testify) along with multiple new indirect dependencies.
backend-go/internal/config/*.go	Overhauled configuration management: updated Config struct; added functions to load configurations from file or environment, ensure default values, and validate for components (JWT, Mongo, Server, Storage, Yorkie, Auth); introduced EnvVarMap for environment bindings and tests in config_test.go.

Sequence Diagram(s)

sequenceDiagram
    participant M as Main
    participant FP as parseFlag
    participant LS as setLogLevel
    participant CL as LoadConfig
    participant CF as Config Functions
    M->>FP: Retrieve configPath & loglevel
    FP-->>M: Return configPath & loglevel
    M->>LS: Set log level with provided flag
    LS-->>M: Return success or error
    M->>CL: Load configuration from configPath
    CL->>CF: Bind env vars, read file, ensure defaults, validate
    CF-->>CL: Return config or error
    CL-->>M: Provide configuration object or error

Loading

Possibly related PRs

• Initialize directory structure #437: Addresses similar changes in the main.go file with modifications to configuration loading using a new LoadConfig function.

Suggested Reviewers

• blurfx
• krapie
• binary-ho
• devleejb
• sihyeong671

Poem

In my burrow of code, I hop with glee,
Flags and defaults set the configuration free.
YAML meadows stretch far and wide,
With tests and logs, I take it in stride.
A bunny’s smile in every line I see—
Crunching carrots of code, so merry and free!
🥕🐰

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 352280c and 9765f88.

📒 Files selected for processing (1)

• backend-go/config.yaml (1 hunks)

🔇 Additional comments (7)

backend-go/config.yaml (7)

1-3: Server Configuration: Looks Good

The server port is clearly set to 3001, which is straightforward for a development or staging environment. In production, make sure you override this via Viper's environment variable binding if needed.

---

4-14: Auth Section: Use Descriptive Placeholders for Sensitive Fields

While the GitHub OAuth section includes a helpful warning comment, the ClientID and ClientSecret are currently empty. It is recommended to replace these with descriptive placeholders (e.g., <GITHUB_CLIENT_ID> and <GITHUB_CLIENT_SECRET>) to guide users in filling them and to prevent accidental usage of production credentials.

Consider applying the following diff:

-    ClientID: ""
-    ClientSecret: ""
+    ClientID: "<GITHUB_CLIENT_ID>"
+    ClientSecret: "<GITHUB_CLIENT_SECRET>"

---

15-21: JWT Configuration: Secure Defaults in Place

The JWT configuration is well-structured and includes a warning to use strong, unique secrets. Ensure that the <STRONG_RANDOM_SECRET> placeholders are replaced with securely generated values before production deployment.

---

22-26: Yorkie Configuration: Review Secret Key Usage

The ProjectSecretKey is currently an empty string. To maintain consistency and security best practices, consider using a descriptive placeholder (e.g., <PROJECT_SECRET_KEY>), along with a warning comment indicating that a secure secret must be provided in production.

A suggested change:

-  ProjectSecretKey: ""
+  ProjectSecretKey: "<PROJECT_SECRET_KEY>"  # WARNING: Replace with a secure value in production

---

27-32: MongoDB Configuration: Appropriate for Development

The MongoDB settings are clearly defined for a local setup with sensible timeouts and connection details. For production, verify that these values are overridden via environment variables or secure configuration so as not to expose any sensitive or default information.

---

33-41: Minio Storage Configuration: Default Credentials Warning

The Minio configuration uses the default credentials (minioadmin). Although common for development, these should be replaced with secure, descriptive placeholder values in production to prevent misuse.

Consider this diff:

-    AccessKey: "minioadmin"
-    SecretKey: "minioadmin"
+    AccessKey: "<MINIO_ACCESS_KEY>"
+    SecretKey: "<MINIO_SECRET_KEY>"

---

42-46: S3 Storage Configuration: Use Clear Placeholders

For the S3 settings, the access credentials are provided as fixed example strings. To safeguard against accidental production deployment with these values, replace them with clear placeholder values. For instance:

-    AccessKey: "aws_access_key"
-    SecretKey: "aws_secret_key"
+    AccessKey: "<AWS_ACCESS_KEY>"
+    SecretKey: "<AWS_SECRET_KEY>"

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (12)

backend-go/internal/config/config.go (2)

20-43: Resolve documentation discrepancy regarding 'status message'.

The docstring mentions returning "a status message describing which sources were used," but the function signature only returns (*Config, error). Either remove that reference from the docstring or implement the status message functionality.

-// It returns the populated Config, a status message describing which sources were used, and an error if any.
+// It returns the populated Config and an error if any.

---

56-77: Validate handling of file path fallback.

When no file path is provided, the system defaults to config.yaml in the current directory. Confirm there's no confusion if a different directory is used, or if there's a user expectation to place config in an alternate location.

backend-go/internal/config/server.go (1)

21-25: Port range validation is correct.

Restricting the port range to [1, 65535] prevents invalid server binding. Consider logging an additional hint if the port is out of range to guide users.

backend-go/internal/config/yorkie.go (1)

29-34: API address validation is a good start.

The validate() method checks APIAddr for emptiness. Consider also validating valid URL structure to prevent misconfiguration.

backend-go/internal/config/mongo.go (2)

9-9: Consider separating database name from default connection URI

The default connection URI includes the database name (codepair), which is redundant since DatabaseName is configured separately. This could lead to confusion if the database names don't match.

-DefaultMongoConnectionURI = "mongodb://localhost:27017/codepair"
+DefaultMongoConnectionURI = "mongodb://localhost:27017"

---

37-46: Enhance MongoDB configuration validation

The validation could be more comprehensive by checking for valid timeout values and URI format.

 func (m *Mongo) validate() error {
 	if m.ConnectionURI == "" {
 		return fmt.Errorf("mongo connection URI cannot be empty")
 	}
 	if m.DatabaseName == "" {
 		return fmt.Errorf("mongo database name cannot be empty")
 	}
+	if m.ConnectionTimeout <= 0 {
+		return fmt.Errorf("connection timeout must be positive")
+	}
+	if m.PingTimeout <= 0 {
+		return fmt.Errorf("ping timeout must be positive")
+	}
 	return nil
 }

backend-go/internal/config/env.go (2)

3-37: Document environment variable requirements

Add documentation to clarify which environment variables are required vs optional, and their expected formats.

Add this documentation above the map:

// EnvVarMap defines the mapping between configuration keys and their corresponding
// environment variables. Required variables in production:
// - OAUTH_GITHUB_CLIENT_ID, OAUTH_GITHUB_CLIENT_SECRET: GitHub OAuth credentials
// - JWT_ACCESS_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET: JWT signing secrets
// - MONGO_CONNECTION_URI, MONGO_DATABASE_NAME: MongoDB connection details
// - STORAGE_PROVIDER: Storage provider selection ("minio" or "s3")
//   For MinIO: STORAGE_MINIO_* variables
//   For S3: STORAGE_S3_* variables

---

4-4: Consider more specific naming for server port environment variable

The SERVER_PORT environment variable could be more specific to avoid conflicts with other services.

-	"server.port": "SERVER_PORT",
+	"server.port": "CODEPAIR_SERVER_PORT",

backend-go/internal/config/oauth.go (1)

34-39: Enhance OAuth validation

The validation only checks for empty strings. Consider adding URL format validation for the OAuth endpoints.

 func (o *OAuth) validate() error {
+	if err := validateURL(o.Github.CallbackURL); err != nil {
+		return fmt.Errorf("invalid callback URL: %w", err)
+	}
+	if err := validateURL(o.Github.AuthorizationURL); err != nil {
+		return fmt.Errorf("invalid authorization URL: %w", err)
+	}
 	if err := o.Github.validate(); err != nil {
 		return err
 	}
 	return nil
 }

backend-go/internal/config/storage.go (1)

82-87: Enhance storage validation

The Minio validation should also check for access and secret keys, and validate that the endpoint URL uses HTTPS in production environments.

 func (m *Minio) validate() error {
-	if m.Bucket == "" || m.Endpoint == "" {
-		return fmt.Errorf("minio requires Bucket and Endpoint to be set")
+	if m.Bucket == "" || m.Endpoint == "" || m.AccessKey == "" || m.SecretKey == "" {
+		return fmt.Errorf("minio requires Bucket, Endpoint, AccessKey, and SecretKey to be set")
+	}
+	if !strings.HasPrefix(m.Endpoint, "https://") && os.Getenv("ENV") == "production" {
+		return fmt.Errorf("minio endpoint must use HTTPS in production")
 	}
 	return nil
 }

backend-go/internal/config/config_test.go (1)

124-129: Add more test cases for config validation

The test suite should include negative test cases for invalid configurations, such as:

• Invalid URLs in OAuth config
• Invalid time durations
• Missing required fields

Example test case to add:

t.Run("invalid oauth config", func(t *testing.T) {
    const invalidOAuthYAML = `
OAuth:
  Github:
    ClientID: "test"
    ClientSecret: "test"
    CallbackURL: "invalid-url"
`
    filePath := writeTempConfigFile(t, "invalid_config.yaml", invalidOAuthYAML)
    _, err := config.LoadConfig(filePath)
    assert.Error(t, err)
    assert.Contains(t, err.Error(), "invalid callback URL")
})

backend-go/config.yaml (1)

17-19: Document time duration format

Add comments explaining the accepted time duration format for expiration times.

+  # Duration format: number + unit (s: seconds, m: minutes, h: hours)
   AccessTokenExpirationTime: "24h"
   RefreshTokenExpirationTime: "168h"

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 62deec8 and 999a8df.

⛔ Files ignored due to path filters (1)

• backend-go/go.sum is excluded by !**/*.sum

📒 Files selected for processing (12)

• backend-go/cmd/codepair/main.go (1 hunks)
• backend-go/config.yaml (1 hunks)
• backend-go/go.mod (1 hunks)
• backend-go/internal/config/config.go (1 hunks)
• backend-go/internal/config/config_test.go (1 hunks)
• backend-go/internal/config/env.go (1 hunks)
• backend-go/internal/config/jwt.go (1 hunks)
• backend-go/internal/config/mongo.go (1 hunks)
• backend-go/internal/config/oauth.go (1 hunks)
• backend-go/internal/config/server.go (1 hunks)
• backend-go/internal/config/storage.go (1 hunks)
• backend-go/internal/config/yorkie.go (1 hunks)

🧰 Additional context used

🪛 golangci-lint (1.62.2)

backend-go/internal/config/oauth.go

[high] 9-9: G101: Potential hardcoded credentials

(gosec)

🔇 Additional comments (20)

backend-go/internal/config/config.go (5)

3-8: Consider maintaining consistency in import usage.

These imports look appropriate for Viper-based configuration. However, if you adopt errors from the standard library, also ensure that you consistently use fmt.Errorf rather than errors.New + fmt.Sprintf to maintain code consistency.

---

10-18: Ensure mapstructure tags align with YAML configuration keys.

The struct fields named Server, OAuth, JWT, Yorkie, Mongo, and Storage are each assigned mapstructure tags that match the top-level sections in the YAML. Verify that the YAML keys are properly capitalized (Server:, OAuth:, etc.) to avoid unexpected parsing issues.

---

45-54: Confirm that all relevant environment variables are bound.

bindEnvironmentVariables() relies on EnvVarMap for key-to-environment mappings. Ensure that all critical configuration parameters (especially sensitive credentials) have corresponding environment variable bindings to allow secure overrides in production.

---

79-86: Good use of default value enforcement.

ensureDefaultValue() properly sets defaults for each sub-config, ensuring the app doesn't crash from unset fields. This is a best practice for robust configuration management.

---

88-109: Validate sub-config error messages.

The chain of validations is done cleanly, with each error wrapped using fmt.Errorf(). Ensure each sub-config's error message is user-friendly and sufficiently descriptive for troubleshooting.

backend-go/internal/config/server.go (3)

3-3: Import usage is minimal and appropriate.

The fmt import is essential for error reporting in validation.

---

9-12: Mapstructure tag alignment.

Port int "mapstructure:\"Port\"" is consistent with the YAML key naming in the Server section. Make sure the Server.Port key in the YAML is capitalized exactly as "Port".

---

14-19: Great approach to default port.

Enforcing a default port of 3001 ensures the server will start even if the user omits a port setting.

backend-go/internal/config/yorkie.go (4)

1-4: File structure looks solid.

This file organizes Yorkie configuration cleanly under a dedicated struct, aiding clarity and maintainability.

---

5-9: Ensure default constants match production environment needs.

DefaultYorkieAPIAddr is set to localhost:8080. Verify if this aligns with your deployments.

---

11-15: Field mapping is clear and straightforward.

The Yorkie struct uses consistent mapstructure tags, which should align well with the YAML definition.

---

17-27: Proactively handle empty strings with defaults.

Calling ensureDefaultValue() sets safe defaults. This is beneficial if users omit them in their configuration.

backend-go/go.mod (8)

6-8: Dependency Additions for Debugging, FS Notifications, and HCL Support
The new dependencies on lines 6–8:

• github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
• github.com/fsnotify/fsnotify v1.7.0 // indirect
• github.com/hashicorp/hcl v1.0.0 // indirect

are appropriate for better debugging (go-spew), file system event monitoring (fsnotify), and HCL parsing support. They align with the PR’s aim to enhance configuration management. Please ensure these dependencies are indeed required in your configuration setup.

---

11-11: Inclusion of Properties Library
The addition of github.com/magiconair/properties v1.8.7 // indirect provides utilities to work with property files. Verify that its use complements your configuration strategy (or is required transitively by another tool).

---

14-16: Mapping & Parsing Enhancements
The new dependencies added on lines 14–16:

• github.com/mitchellh/mapstructure v1.5.0 // indirect
• github.com/pelletier/go-toml/v2 v2.2.2 // indirect
• github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect

support clearer mapping of YAML values to Go structs, TOML file parsing, and diffing functionalities. They directly support the PR objective to improve configuration management.

---

17-19: File-System Abstraction, Logging Shim, and Concurrency Utilities
The dependencies added on lines 17–19:

• github.com/sagikazarmark/locafero v0.4.0 // indirect
• github.com/sagikazarmark/slog-shim v0.1.0 // indirect
• github.com/sourcegraph/conc v0.3.0 // indirect

are likely intended to provide additional file-system abstraction, a logging interface shim, and concurrency utilities. Ensure their inclusion is justified in your configuration and application context to avoid unnecessary bloat.

---

20-25: Core Configuration & Environment Handling Libraries
The block from lines 20–25 adds several essential dependencies:

• github.com/spf13/afero v1.11.0 // indirect
• github.com/spf13/cast v1.6.0 // indirect
• github.com/spf13/pflag v1.0.5 // indirect
• github.com/spf13/viper v1.19.0 // indirect
• github.com/stretchr/testify v1.10.0 // indirect
• github.com/subosito/gotenv v1.6.0 // indirect

These libraries are central to the PR’s new configuration management approach. Viper, in combination with pflag and cast, allows for flexible command-line and file/environment-based configuration, while testify and gotenv support testing and environment variable loading respectively. Confirm that these libraries integrate seamlessly with your intended configuration hierarchy.

---

28-29: Advanced Error Handling and Atomic Operations
The additions on lines 28–29:

• go.uber.org/atomic v1.9.0 // indirect
• go.uber.org/multierr v1.9.0 // indirect

provide robust support for atomic operations and the aggregation of multiple errors. These can be very helpful for ensuring thread-safe configuration updates and improved error handling.

---

31-31: Usage of Experimental Package
The inclusion of golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect on line 31 introduces an experimental package. Since such packages can sometimes be unstable, please verify that its use is justified and well-isolated, minimizing any risk in production deployments.

---

35-36: INI and YAML Parsing Support
The addition of:

• gopkg.in/ini.v1 v1.67.0 // indirect
• gopkg.in/yaml.v3 v3.0.1 // indirect

provides enhanced support for configuration file formats (INI and YAML). This nicely complements the flexible configuration setup described in the PR objectives.

[coderabbitai]

🛠️ Refactor suggestion

Add config file path validation

The parseFlag function should validate that the config file exists when a path is provided.

 func parseFlag() (string, string) {
 	var configPath string
 	var loglevel string
 	flag.StringVar(&configPath, "config", "", "Path to the configuration file")
 	flag.StringVar(&loglevel, "loglevel", "error", "Log level")
 	flag.Parse()
 
+	if configPath != "" {
+		if _, err := os.Stat(configPath); err != nil {
+			log.Fatalf("Config file not found: %v", err)
+		}
+	}
 	return configPath, loglevel
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	func parseFlag() (string, string) {
	var configPath string
	var loglevel string
	flag.StringVar(&configPath, "config", "", "Path to the configuration file")
	flag.StringVar(&loglevel, "loglevel", "error", "Log level")
	flag.Parse()
	return configPath, loglevel
	}
	func parseFlag() (string, string) {
	var configPath string
	var loglevel string
	flag.StringVar(&configPath, "config", "", "Path to the configuration file")
	flag.StringVar(&loglevel, "loglevel", "error", "Log level")
	flag.Parse()
	if configPath != "" {
	if _, err := os.Stat(configPath); err != nil {
	log.Fatalf("Config file not found: %v", err)
	}
	}
	return configPath, loglevel
	}

[coderabbitai]

🛠️ Refactor suggestion

Use clear placeholder values for sensitive fields

Replace example values with descriptive placeholders to prevent accidental use in production. Also, add a comment warning about sensitive values.

-    ClientID: "your_client_id"
-    ClientSecret: "your_client_secret"
+    # WARNING: Replace these values with your GitHub OAuth credentials
+    ClientID: "<GITHUB_CLIENT_ID>"
+    ClientSecret: "<GITHUB_CLIENT_SECRET>"

-  AccessTokenSecret: "your_access_token_secret"
-  RefreshTokenSecret: "your_refresh_token_secret"
+  # WARNING: Use strong, unique secrets in production
+  AccessTokenSecret: "<STRONG_RANDOM_SECRET>"
+  RefreshTokenSecret: "<STRONG_RANDOM_SECRET>"

Also applies to: 16-19

[coderabbitai]

Actionable comments posted: 0

🔭 Outside diff range comments (1)

backend-go/config.yaml (1)

32-46: Add security warnings and environment variable examples for storage credentials

The storage configuration should include documentation about using environment variables for sensitive credentials.

 Storage:
-  Provider: "minio"       # or "s3"
+  # Provider can be either "minio" or "s3"
+  # Override credentials using environment variables:
+  # - CODEPAIR_STORAGE_MINIO_ACCESS_KEY
+  # - CODEPAIR_STORAGE_MINIO_SECRET_KEY
+  # - CODEPAIR_STORAGE_S3_ACCESS_KEY
+  # - CODEPAIR_STORAGE_S3_SECRET_KEY
+  Provider: "minio"

   Minio:
     Bucket: "default-storage"
     Endpoint: "http://localhost:9000"
-    AccessKey: "minioadmin"
-    SecretKey: "minioadmin"
+    AccessKey: "<MINIO_ACCESS_KEY>"  # Default: minioadmin
+    SecretKey: "<MINIO_SECRET_KEY>"  # Default: minioadmin

   S3:
     Bucket: "default-storage"
     Region: "us-east-1"
-    AccessKey: "aws_access_key"
-    SecretKey: "aws_secret_key"
+    AccessKey: "<AWS_ACCESS_KEY>"
+    SecretKey: "<AWS_SECRET_KEY>"

🧹 Nitpick comments (2)

backend-go/internal/config/storage.go (1)

36-44: Consider providing default S3 configuration as well

Currently, ensureDefaultValue() applies only to the Minio struct. For consistency, you may consider providing a similar defaulting mechanism for S3 (e.g., fallback region or bucket name) if S3 is used. This would improve parity between the two providers.

backend-go/internal/config/config.go (1)

56-77: Enhance error messaging for clarity

While the error handling is functional, consider making the fallback behavior more explicit in the error messages.

 if errors.As(err, &nf) {
     if filePath != "" {
-        return fmt.Errorf("file path given but not found: %w", err)
+        return fmt.Errorf("config file not found at %s, falling back to environment variables: %w", filePath, err)
     }
     return nil
 }
-return fmt.Errorf("failed to read config file: %w", err)
+return fmt.Errorf("failed to read config file (check file format and permissions): %w", err)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 999a8df and ec9d3e1.

⛔ Files ignored due to path filters (1)

• backend-go/go.sum is excluded by !**/*.sum

📒 Files selected for processing (12)

• backend-go/cmd/codepair/main.go (1 hunks)
• backend-go/config.yaml (1 hunks)
• backend-go/go.mod (1 hunks)
• backend-go/internal/config/config.go (1 hunks)
• backend-go/internal/config/config_test.go (1 hunks)
• backend-go/internal/config/env.go (1 hunks)
• backend-go/internal/config/jwt.go (1 hunks)
• backend-go/internal/config/mongo.go (1 hunks)
• backend-go/internal/config/oauth.go (1 hunks)
• backend-go/internal/config/server.go (1 hunks)
• backend-go/internal/config/storage.go (1 hunks)
• backend-go/internal/config/yorkie.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (6)

• backend-go/cmd/codepair/main.go
• backend-go/internal/config/mongo.go
• backend-go/internal/config/jwt.go
• backend-go/internal/config/yorkie.go
• backend-go/internal/config/env.go
• backend-go/internal/config/config_test.go

🧰 Additional context used

🪛 golangci-lint (1.62.2)

backend-go/internal/config/oauth.go

[high] 9-9: G101: Potential hardcoded credentials

(gosec)

🪛 GitHub Actions: CI GO Backend

backend-go/internal/config/oauth.go

[error] 9-9: Potential hardcoded credentials (gosec)

🔇 Additional comments (20)

backend-go/internal/config/storage.go (6)

12-13: Remove default credentials from code

These credentials pose a security risk, as flagged in a previous review. Setting them to empty strings will force configuration via environment variables or a config file:

-	DefaultMinioAccessKey = "minioadmin"
-	DefaultMinioSecretKey = "minioadmin"
+	DefaultMinioAccessKey = ""
+	DefaultMinioSecretKey = ""

---

16-34: Struct definitions look solid

No issues found in the definitions of Storage, S3, and Minio. They are well-structured and coherent with the rest of the codebase.

---

46-65: Validation of provider is correct

Your logic correctly enforces that only “minio” or “s3” are valid providers, returning helpful error messages if either Minio or S3 configs are missing. Nicely done.

---

67-80: Minio default value assignment is proper

The code ensures each needed field is assigned a default if not provided at runtime. This looks good.

---

82-87: Minio validation is sufficient

Ensures required fields (Bucket, Endpoint) are present, returning descriptive errors. Looks good.

---

89-94: S3 validation is sufficient

Checks for required fields (Bucket, Region, AccessKey, SecretKey) and returns clear errors. No concerns here.

backend-go/internal/config/server.go (3)

3-12: Server struct changes look good

No issues found with the fmt import or the addition of mapstructure:"Port". This ensures correct mapping from configuration sources.

---

14-19: Default port assignment is appropriate

The ensureDefaultValue() method nicely sets the port to DefaultServerPort (3001) if no custom port is specified. No concerns here.

---

21-25: Port validation is robust

Verifying the port is within a valid range (1-65535) ensures safe usage and avoids common pitfalls. Good job.

backend-go/internal/config/oauth.go (7)

8-9: False positive from static analysis

The pipeline flagged these as potential “hardcoded credentials,” but they’re actually standard public GitHub OAuth endpoints. No real secret is exposed here.

🧰 Tools

🪛 golangci-lint (1.62.2)

[high] 9-9: G101: Potential hardcoded credentials

(gosec)

🪛 GitHub Actions: CI GO Backend

[error] 9-9: Potential hardcoded credentials (gosec)

---

11-11: Use HTTPS for default callback URL

As previously suggested, adopting HTTPS, even for localhost, implements more secure practices:

-	DefaultGitHubCallbackURL      = "http://localhost:3000/auth/login/github"
+	DefaultGitHubCallbackURL      = "https://localhost:3000/auth/login/github"

---

14-25: The OAuth struct setup is clear

OAuth and GitHubOAuth are well-defined and align with other config structures.

---

27-32: Default value handling is consistent

Ensuring that o.Github is not nil and calling ensureDefaultValue() is a good pattern.

---

34-39: Validation flow for OAuth is correct

Runs Github.validate() and returns any error encountered. Straightforward and effective.

---

41-54: Proper fallback for GitHub endpoints

Sets the correct defaults if the user doesn’t provide them. Implementation looks spot-on.

---

56-65: Client credentials validation is adequate

Checks for non-empty ClientID and ClientSecret, returning informative errors. Nicely done.

backend-go/internal/config/config.go (2)

11-18: Well-structured configuration layout!

The Config struct is well-organized with clear section separation and proper mapstructure tags.

---

20-43: Excellent configuration loading implementation!

The function implements a clear and robust configuration loading sequence that aligns with the PR objectives:

1. Environment variables take precedence
2. Config file as fallback
3. Proper validation and default values

backend-go/config.yaml (1)

6-8: Use clear placeholder values for sensitive fields

The configuration file contains sensitive fields with unclear placeholder values.

Also applies to: 16-19

backend-go/go.mod (1)

5-40: Dependencies are well-managed

The addition of Viper and its dependencies is properly handled with specific version pins.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (3)

backend-go/internal/config/storage.go (3)

7-12: Add documentation for configuration constants.

Consider adding documentation comments for these constants to explain their purpose and when they are used, especially since they're part of the configuration management system.

 const (
+	// DefaultStorageProvider specifies the default storage backend to use if not configured
 	DefaultStorageProvider = "minio"
 
+	// DefaultMinioBucket specifies the default bucket name for Minio storage
 	DefaultMinioBucket   = "default-storage"
+	// DefaultMinioEndpoint specifies the default Minio server endpoint for development
 	DefaultMinioEndpoint = "http://localhost:9000"
 )

---

44-63: Simplify validation logic and add nil check.

The validation can be simplified, and a nil check should be added for safety.

+func (s *Storage) validate() error {
+	if s == nil {
+		return fmt.Errorf("storage config is nil")
+	}
+
 	if s.Provider != "minio" && s.Provider != "s3" {
 		return fmt.Errorf("invalid storage provider: %s (only 'minio' or 's3' are supported)", s.Provider)
 	}
 
-	switch s.Provider {
-	case "minio":
+	if s.Provider == "minio" {
 		if s.Minio == nil {
 			return fmt.Errorf("storage provider is minio but Minio config is nil")
 		}
 		return s.Minio.validate()
-	case "s3":
+	} else { // s.Provider == "s3"
 		if s.S3 == nil {
 			return fmt.Errorf("storage provider is s3 but S3 config is nil")
 		}
 		return s.S3.validate()
 	}
-
-	return nil
 }

---

20-25: Add EnsureDefaultValue for S3 configuration.

For consistency with Minio configuration, consider adding an EnsureDefaultValue method for S3 to set default region if needed.

 type S3 struct {
 	Bucket    string `mapstructure:"bucket"`
 	Region    string `mapstructure:"region"`
 	AccessKey string `mapstructure:"accessKey" sensitive:"true"`
 	SecretKey string `mapstructure:"secretKey" sensitive:"true"`
 }
+
+func (s3 *S3) EnsureDefaultValue() {
+	if s3.Region == "" {
+		s3.Region = "us-east-1" // Common default region
+	}
+}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ec9d3e1 and 0157de9.

📒 Files selected for processing (6)

• backend-go/cmd/codepair/main.go (1 hunks)
• backend-go/config.yaml (1 hunks)
• backend-go/internal/config/config_test.go (1 hunks)
• backend-go/internal/config/jwt.go (1 hunks)
• backend-go/internal/config/oauth.go (1 hunks)
• backend-go/internal/config/storage.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (5)

• backend-go/cmd/codepair/main.go
• backend-go/internal/config/jwt.go
• backend-go/internal/config/oauth.go
• backend-go/config.yaml
• backend-go/internal/config/config_test.go

🔇 Additional comments (1)

backend-go/internal/config/storage.go (1)

1-5: LGTM!

The package name and imports are appropriate for the configuration management purpose.

[coderabbitai]

🛠️ Refactor suggestion

Mark credential fields as sensitive.

Add sensitive:"true" tag to credential fields to prevent them from being logged in plain text.

 type S3 struct {
 	Bucket    string `mapstructure:"bucket"`
 	Region    string `mapstructure:"region"`
-	AccessKey string `mapstructure:"accessKey"`
-	SecretKey string `mapstructure:"secretKey"`
+	AccessKey string `mapstructure:"accessKey" sensitive:"true"`
+	SecretKey string `mapstructure:"secretKey" sensitive:"true"`
 }

 type Minio struct {
 	Bucket    string `mapstructure:"bucket"`
 	Endpoint  string `mapstructure:"endpoint"`
-	AccessKey string `mapstructure:"accessKey"`
-	SecretKey string `mapstructure:"secretKey"`
+	AccessKey string `mapstructure:"accessKey" sensitive:"true"`
+	SecretKey string `mapstructure:"secretKey" sensitive:"true"`
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	type S3 struct {
	Bucket string `mapstructure:"bucket"`
	Region string `mapstructure:"region"`
	AccessKey string `mapstructure:"accessKey"`
	SecretKey string `mapstructure:"secretKey"`
	}
	type Minio struct {
	Bucket string `mapstructure:"bucket"`
	Endpoint string `mapstructure:"endpoint"`
	AccessKey string `mapstructure:"accessKey"`
	SecretKey string `mapstructure:"secretKey"`
	}
	type S3 struct {
	Bucket string `mapstructure:"bucket"`
	Region string `mapstructure:"region"`
	AccessKey string `mapstructure:"accessKey" sensitive:"true"`
	SecretKey string `mapstructure:"secretKey" sensitive:"true"`
	}
	type Minio struct {
	Bucket string `mapstructure:"bucket"`
	Endpoint string `mapstructure:"endpoint"`
	AccessKey string `mapstructure:"accessKey" sensitive:"true"`
	SecretKey string `mapstructure:"secretKey" sensitive:"true"`
	}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

backend-go/internal/config/storage.go (1)

44-60: Validate unselected providers.

Currently, switching on s.Provider validates only one struct (either Minio or S3). If the user sets both inadvertently (or partially), it won’t be flagged. Consider warning or ignoring the unused struct to prevent confusion.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3938a0b and 186034e.

⛔ Files ignored due to path filters (1)

• backend-go/go.sum is excluded by !**/*.sum

📒 Files selected for processing (9)

• backend-go/go.mod (1 hunks)
• backend-go/internal/config/config.go (1 hunks)
• backend-go/internal/config/config_test.go (1 hunks)
• backend-go/internal/config/jwt.go (1 hunks)
• backend-go/internal/config/mongo.go (1 hunks)
• backend-go/internal/config/oauth.go (1 hunks)
• backend-go/internal/config/server.go (1 hunks)
• backend-go/internal/config/storage.go (1 hunks)
• backend-go/internal/config/yorkie.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (5)

• backend-go/internal/config/jwt.go
• backend-go/internal/config/mongo.go
• backend-go/internal/config/oauth.go
• backend-go/internal/config/yorkie.go
• backend-go/internal/config/config_test.go

🔇 Additional comments (17)

backend-go/internal/config/storage.go (4)

7-11: Default credentials removed – good job!

Previously, default Minio credentials were hard-coded. It's great to see they're no longer part of these constants, aligning with secure best practices.

---

19-24: Add sensitive:"true" tags to S3 credential fields.

Marking the credential fields as sensitive helps avoid accidental logging or exposure of secrets. This was mentioned in a past review.

---

26-31: Add sensitive:"true" tags to Minio credential fields.

Similarly, the AccessKey and SecretKey in Minio should also be marked sensitive to prevent logging in plain text. This was also mentioned in a past review.

---

62-69: No default credentials for Minio – approved.

By not setting default access/secret keys here, you reduce the risk of accidentally shipping insecure credentials, which is consistent with past security guidance.

backend-go/internal/config/server.go (4)

3-4: Import usage is fine.

The fmt package is necessary for error formatting. No issues here.

---

10-11: Port validation looks good.

Requiring a valid port range (1–65535) ensures correct server binding. Well done.

---

13-18: Default port assignment is clear.

Assigning DefaultServerPort when Port == 0 provides a sensible, easy-to-understand fallback.

---

20-26: Validation approach is consistent.

Using validate.Struct(s) ensures all struct fields are checked, returning a clear error message if anything is invalid.

backend-go/internal/config/config.go (7)

3-9: Imports and validator initialization.

The chosen packages (errors, fmt, github.com/go-playground/validator/v10, github.com/spf13/viper) are appropriate for flexible configuration and validation. Good setup.

---

15-21: Expanded config struct.

Including Server, OAuth, JWT, Yorkie, Mongo, and Storage under Config organizes settings effectively and promotes clarity.

---

23-46: Robust config loading with environment overrides.

Binding environment variables and gracefully handling file-based config ensures flexible runtime configuration. The error messages provide clear diagnostics.

---

48-57: Environment variable binding loop.

Systematically mapping config keys to environment variables reduces direct code duplication and fosters consistency. Solid approach.

---

59-80: Graceful fallback when config file is absent.

Skipping errors if the file is not found (and no path is specified) is user-friendly, letting environment variables or defaults take precedence.

---

82-89: Default value application is thorough.

All sub-configs (Server, OAuth, JWT, Yorkie, Mongo, and Storage) get sensible defaults before final validation.

---

91-112: Comprehensive validation across sub-configs.

Validating each sub-config clarifies which section failed and simplifies debugging. Good error structuring.

backend-go/go.mod (2)

5-10: Reevaluate Direct Dependency Listing for github.com/labstack/gommon
The direct dependency block now includes critical libraries such as github.com/spf13/viper (for configuration management) and github.com/stretchr/testify (for testing), which aligns well with the PR objectives. However, note that github.com/labstack/gommon v0.4.2 is included as a direct dependency even though the PR summary mentioned that it should be removed from the main list and relegated to an indirect dependency. Please verify if this inclusion was intentional or if it needs adjusting for consistency with the overall configuration management improvements.

---

12-45: Review of Updated Indirect Dependency Block
The updated indirect dependency block brings in several new libraries—such as github.com/mitchellh/mapstructure, which aids in YAML-to-struct mapping—as well as various other helpers that support the new configuration and validation features. Ensure that all these indirect dependencies are actively required by the code base; if any are unused, running go mod tidy should automatically clean them up. This will help keep the dependency graph lean and maintainable.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

backend-go/internal/config/config.go (1)

48-57: Consider adding environment variable prefix

To avoid naming conflicts with other applications, consider adding a prefix to environment variables.

 func bindEnvironmentVariables() error {
+    viper.SetEnvPrefix("CODEPAIR")
     for key, env := range EnvVarMap {

backend-go/config.yaml (2)

22-26: Add security warning for Yorkie project secret key

Similar to other sensitive fields, add a warning comment for the project secret key.

 Yorkie:
   APIAddr: "http://localhost:8080"
   ProjectName: "default"
+  # WARNING: Use a strong secret key in production
-  ProjectSecretKey: ""
+  ProjectSecretKey: "<YORKIE_PROJECT_SECRET_KEY>"

---

33-47: Add security warnings for storage credentials

Add warning comments for MinIO and S3 credentials similar to other sensitive fields.

 Storage:
   Provider: "minio"       # or "s3"

   Minio:
+    # WARNING: Replace with secure credentials in production
     Bucket: "default-storage"
     Endpoint: "http://localhost:9000"
-    AccessKey: "minioadmin"
-    SecretKey: "minioadmin"
+    AccessKey: "<MINIO_ACCESS_KEY>"
+    SecretKey: "<MINIO_SECRET_KEY>"

   S3:
+    # WARNING: Use secure AWS credentials in production
     Bucket: "default-storage"
     Region: "us-east-1"
-    AccessKey: "aws_access_key"
-    SecretKey: "aws_secret_key"
+    AccessKey: "<AWS_ACCESS_KEY>"
+    SecretKey: "<AWS_SECRET_KEY>"

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 186034e and 352280c.

📒 Files selected for processing (5)

• backend-go/config.yaml (1 hunks)
• backend-go/internal/config/auth.go (1 hunks)
• backend-go/internal/config/config.go (1 hunks)
• backend-go/internal/config/config_test.go (1 hunks)
• backend-go/internal/config/env.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• backend-go/internal/config/env.go
• backend-go/internal/config/config_test.go

🔇 Additional comments (6)

backend-go/internal/config/auth.go (3)

11-14: LGTM! Well-structured Auth configuration

The Auth struct is well-designed with proper validation tags and required fields.

---

16-23: LGTM! Comprehensive GitHub configuration

The Github struct includes all necessary fields with appropriate validation tags.

---

25-31: LGTM! Robust default value handling and validation

The implementation includes proper nil checks and error wrapping.

Also applies to: 33-39, 41-51

backend-go/internal/config/config.go (3)

23-46: LGTM! Well-implemented configuration loading

The LoadConfig function follows best practices:

• Proper error handling and wrapping
• Clear configuration hierarchy
• Comprehensive validation

---

59-80: LGTM! Robust config file handling

Good error handling for config file loading with proper distinction between "file not found" and other errors.

---

82-89: LGTM! Comprehensive validation chain

The validation implementation properly checks all configuration sections with clear error messages.

Also applies to: 91-112

[coderabbitai]

⚠️ Potential issue

Avoid hardcoding localhost in default callback URL

The default callback URL should not assume localhost as it may cause issues in production environments.

Consider making this configurable or environment-aware:

-const DefaultGitHubCallbackURL = "https://localhost:3000/auth/login/github"
+const DefaultGitHubCallbackURL = "" // Force explicit configuration

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	DefaultGitHubCallbackURL = "https://localhost:3000/auth/login/github"
	const DefaultGitHubCallbackURL = "" // Force explicit configuration

[window9u]

Here’s what I’m considering:

1. Should we use the mapstructure tag in Config structures?

   • Currently, it’s working well even without the mapstructure tag.
   • I think this is because all the config fields have the same names as the struct fields.

2. What values should we set as defaults?

   • I believe default values should be set automatically, like pingTimeout.
   • Values without defaults should be explicitly defined in the config.