
Conversation

@Bangdayeon (Member)

Related issue

PR description

  • Write the report POST API
  • After the report UI PR is merged, connect it and complete the feature

@Bangdayeon Bangdayeon self-assigned this Jan 29, 2026
@Bangdayeon Bangdayeon linked an issue Jan 29, 2026 that may be closed by this pull request
@Bangdayeon Bangdayeon added the wontfix This will not be worked on label Jan 29, 2026

coderabbitai bot commented Jan 29, 2026

Walkthrough

Adds a new API client module for the report submission feature, together with the related types and hook. src/apis/report.ts implements a createReport function with Bearer token authentication and a 15-second timeout. src/hooks/usePostReport.ts adds a custom hook that wraps a React Query mutation and handles success and error state as well as toast notifications. src/types/api/report.ts defines the ReportRequest interface and the ReportApiResponse type.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)

Check name                 | Status    | Explanation
Description check          | ✅ Passed | The PR description follows the repository's required template structure and includes the related issue and the changes.
Linked Issues check        | ✅ Passed | The PR's changes satisfy the requirements of issue #346; the report API implementation needed to connect ReportModal is complete.
Out of Scope Changes check | ✅ Passed | All changes are within the scope of implementing the report API; there are no unrelated external changes.
Title check                | ✅ Passed | The title '[WIP] Feat: add report api' clearly describes the core of the changes.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@src/apis/report.ts`:
- Around line 4-33: Add explicit guards that throw a clear error when
API_BASE_URL or API_TOKEN are missing instead of letting undefined propagate;
for example, validate process.env values at module initialization or inside
authHeaderValue() and before building the request in withAuth()/createReport(),
and throw a descriptive Error (e.g., "Missing NEXT_PUBLIC_BASE_API_URL" or
"Missing NEXT_PUBLIC_API_TOKEN") so calls to createReport() fail fast; update
authHeaderValue, withAuth or createReport to check API_BASE_URL/API_TOKEN and
stop execution with a thrown error before calling safeFetch.
- Around line 4-12: The API token (API_TOKEN / NEXT_PUBLIC_API_TOKEN) is exposed
to the client; confirm its sensitivity and if it is sensitive or has high
privileges, remove client-side usage by removing NEXT_PUBLIC_ prefix and moving
token usage to server-side proxies or API routes. Specifically, stop using
API_TOKEN in client modules (e.g., src/apis/report.ts functions authHeaderValue
and withAuth and client components like usePostReport), implement a server-side
endpoint (app/api/... or pages/api/...) that injects the Authorization header
using the non-public env var and have client code call that endpoint instead; if
the token is intended to be public/low-privilege, document that decision and
leave authHeaderValue/withAuth as-is.

Comment on lines +4 to +12
const API_BASE_URL = process.env.NEXT_PUBLIC_BASE_API_URL;
const API_TOKEN = process.env.NEXT_PUBLIC_API_TOKEN;

const authHeaderValue = () => `Bearer ${API_TOKEN}`;

const withAuth = (init?: SafeFetchOptions): SafeFetchOptions => {
const headers: HeadersInit = {
Authorization: authHeaderValue(),
...(init?.headers ?? {}),
@coderabbitai coderabbitai bot Jan 29, 2026

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain (repository: Team-SoFa/linkiving)

🏁 Scripts executed:

# First, let's explore the file structure to understand the project
git ls-files | head -20

# Search for all references to NEXT_PUBLIC_API_TOKEN
rg "NEXT_PUBLIC_API_TOKEN" --type ts --type tsx --type js --type jsx -B2 -A2

# Check if there are server-side API routes or proxies
find . -type f -path "*/pages/api/*" -o -path "*/app/api/*" | head -20

# Look for environment configuration files
find . -type f \( -name ".env*" -o -name "*.md" \) | grep -E "\.(env|md)$" | head -10

# Check the report.ts file more completely
cat src/apis/report.ts 2>/dev/null || echo "File not found, searching for it"

# Search for all references to NEXT_PUBLIC_API_TOKEN across all file types
rg "NEXT_PUBLIC_API_TOKEN" -B2 -A2

# Check the .env.example file for context on this token
cat .env.example

# Look for where report.ts is imported from (to see if it's client or server code)
rg "from.*apis/report" -B1 -A1

# Check safeFetch implementation to understand if it's server-side only
cat src/hooks/util/server/safeFetch.ts 2>/dev/null || rg "safeFetch" -l --max-count 5

# Look for other API route files and patterns
find ./src/app -type f -name "route.ts" -o -name "route.js" 2>/dev/null

# Check if there are server-side implementations for these API calls
rg "app/api|pages/api" -l | grep -E "(report|chat|link)" || echo "No server API routes found for these"

# Search for any configuration or documentation about token security
rg "token|TOKEN" README.md -B2 -A2 | head -30

# Check if usePostReport is actually client-side component
cat src/hooks/usePostReport.ts

# Look for "use client" or server component indicators in api files
head -5 src/apis/report.ts src/apis/chatApi.ts src/apis/linkApi.ts


NEXT_PUBLIC_API_TOKEN is exposed in the client bundle. It needs to be confirmed whether this token is meant to be public (read-only).

In the current code, NEXT_PUBLIC_API_TOKEN is used directly in client-side API files such as src/apis/report.ts, src/apis/chatApi.ts, src/apis/linkApi.ts and src/apis/chatSocket.ts, and is called from client components ('use client') such as usePostReport. Because it carries the NEXT_PUBLIC_ prefix, it is included in plain text in the production bundle.

The current structure has no protection mechanism via a server proxy or API route (app/api/ or pages/api/).

  • If this token is public read-only or low-privilege, the current implementation may be intentional.
  • If this token is sensitive or highly privileged, moving it to a server proxy or a server action is the safe option.

Please clarify the token's intended purpose and privilege level, and add server-side protection where needed.

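Editor's added example (not code from Team-SoFa/linkiving and not part of the review thread) showing the two changes the bot asks for above: fail fast when the configuration is missing, and keep the upstream bearer token out of the browser bundle by routing the call through a Next.js route handler. The env var names BASE_API_URL and API_TOKEN (deliberately without the NEXT_PUBLIC_ prefix), the /api/report route, the upstream /reports path and the ReportRequest fields are assumptions made for illustration; the project's real types and safeFetch helper are not reproduced.

```typescript
// Added example, not project code. Assumed names: BASE_API_URL, API_TOKEN,
// /api/report, upstream /reports, ReportRequest { targetId, reason }.

// Next.js inlines every NEXT_PUBLIC_* variable into the client bundle at build
// time, so a secret under that prefix is readable by anyone who loads the page.
// This guard refuses such names and fails fast when a value is absent, instead
// of letting "Bearer undefined" reach the upstream API.
export function requireServerSecret(
  name: string,
  env: Record<string, string | undefined> = process.env,
): string {
  if (name.startsWith("NEXT_PUBLIC_")) {
    throw new Error(`${name} would be inlined into the client bundle; use a non-public name`);
  }
  const value = env[name];
  if (value === undefined || value === "") {
    throw new Error(`Missing ${name}`);
  }
  return value;
}

// Hypothetical payload shape for this example only.
export interface ReportRequest {
  targetId: string;
  reason: string;
}

// Validate the browser-supplied body before forwarding it upstream.
export function isReportRequest(value: unknown): value is ReportRequest {
  if (typeof value !== "object" || value === null) return false;
  const v = value as Record<string, unknown>;
  return (
    typeof v.targetId === "string" && v.targetId.length > 0 &&
    typeof v.reason === "string" && v.reason.length > 0
  );
}

export interface UpstreamCall {
  url: string;
  method: "POST";
  headers: Record<string, string>;
  body: string;
}

// Built on the server only; nothing returned to the browser contains the token.
export function buildUpstreamCall(
  payload: ReportRequest,
  env: Record<string, string | undefined> = process.env,
): UpstreamCall {
  const baseUrl = requireServerSecret("BASE_API_URL", env).replace(/\/+$/, "");
  const token = requireServerSecret("API_TOKEN", env);
  return {
    url: `${baseUrl}/reports`,
    method: "POST",
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: JSON.stringify(payload),
  };
}

function json(body: unknown, status: number): Response {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "Content-Type": "application/json" },
  });
}

// Server side, e.g. app/api/report/route.ts: `export const POST = makeReportHandler();`
// App Router handlers take a standard Request and return a standard Response,
// so no Next-specific import is needed. fetchImpl/env are injectable for tests.
export function makeReportHandler(deps: {
  fetchImpl?: typeof fetch;
  env?: Record<string, string | undefined>;
  timeoutMs?: number;
} = {}) {
  const fetchImpl = deps.fetchImpl ?? fetch;
  const timeoutMs = deps.timeoutMs ?? 15_000;
  return async function POST(req: Request): Promise<Response> {
    let parsed: unknown;
    try {
      parsed = await req.json();
    } catch {
      return json({ error: "invalid JSON" }, 400);
    }
    if (!isReportRequest(parsed)) return json({ error: "invalid report payload" }, 400);

    const call = buildUpstreamCall(parsed, deps.env); // throws if config is missing
    const controller = new AbortController();
    const timer = setTimeout(() => controller.abort(), timeoutMs);
    try {
      const upstream = await fetchImpl(call.url, {
        method: call.method, headers: call.headers, body: call.body, signal: controller.signal,
      });
      // Relay status and body only; upstream headers are not passed through.
      return new Response(await upstream.text(), {
        status: upstream.status,
        headers: { "Content-Type": upstream.headers.get("Content-Type") ?? "application/json" },
      });
    } finally {
      clearTimeout(timer);
    }
  };
}

// Client side: what a client module would call instead of the upstream API.
// The browser only talks to the same-origin route, so no token ships in the bundle.
export async function createReport(
  payload: ReportRequest,
  fetchImpl: typeof fetch = fetch,
): Promise<Response> {
  return fetchImpl("/api/report", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(payload),
  });
}
```

With this split, the only secret-bearing code runs in the route handler; the 15-second timeout the PR implements client-side moves there as well, and a missing BASE_API_URL or API_TOKEN surfaces as a thrown Error on the first request rather than as an upstream 401.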

Bangdayeon (Member, Author)

Token usage needs to be fixed after further discussion.

@coderabbitai coderabbitai bot

@Bangdayeon, understood! I take it that the security review of the token usage will be done later.

Would you like me to create a GitHub issue to track this? The issue would include links to the current PR and this comment so it is easy to refer back to later.

@Bangdayeon Bangdayeon changed the title Feat: add report api (#346) [WIP] Feat: add report api (#346) Jan 29, 2026

Labels

wontfix This will not be worked on


Development

Successfully merging this pull request may close these issues.

[Feat] report API work and connection

2 participants