fix: resolve dashboard session drop and implement metrics caching fallback

[SatyaViswas]

Summary

This PR fixes the issue where the dashboard session drops on a page reload or hard refresh. It also resolves a chain-reaction cascade of 500 Internal Server Errors and 502 Bad Gateway errors across the dashboard widgets by adding robust fallback logic, token decryption error handling, and integrating a global development-safe cache shield for endpoints that were previously fetching directly from GitHub on every call.

Closes #428

Type of Change

• Bug fix
• New feature
• Documentation update
• Refactor / code cleanup

Changes Made

• src/lib/auth.ts: Removed the manual custom cookies block configuration within authOptions to let NextAuth natively handle safe cookie synchronization across client, middleware, and server contexts.
• src/lib/github-accounts.ts: Introduced isolated try/catch safety blocks to block exceptions thrown by key mismatches during decryptToken(), preventing unhandled 500 errors on account routing.
• src/lib/metrics-cache.ts: Implemented a local in-memory fallback cache mapped to the globalThis object, ensuring the caching layer survives Next.js Hot Reloads even if Upstash Redis keys are left unconfigured during local development.
• src/middleware.ts: Adjusted authenticated and anonymous rate-limiting thresholds to scale up dynamically when process.env.NODE_ENV === "development" to eliminate false-positive 429 blockades during testing.
• Metrics API Routes: Integrated and wrapped the remaining core metrics fetching loops (issues, weekly-summary, pr-breakdown, languages, repo-health, and ci) with the protective withMetricsCache middleware pattern to shield the GitHub API from spam.

How to Test

Steps for the reviewer to verify this works:

1. Clone or pull this branch locally, create a .env configuration file with your test Supabase and GitHub OAuth keys, and run npm install.
2. Start up the server locally using npm run dev.
3. Open http://localhost:3000 in your browser, log in through GitHub, and navigate onto the main /dashboard page.
4. Spam or hard-refresh the browser tab multiple times in rapid succession. Verify that all dashboard widgets populate cleanly from the RAM fallback cache, the primary session is never forcefully logged out, and no 500, 502, or 429 exceptions reappear in the console.

Screenshots (if UI change):

Before:

Screen.Recording.2026-05-20.at.4.01.21.PM.mov

After:

Screen.Recording.2026-05-20.at.4.02.35.PM.mov

Checklist

• Linked issue in summary
• npm run lint passes locally
• No TypeScript errors (npm run type-check)
• Self-reviewed the diff
• Added/updated tests if applicable

[vercel]

@SatyaViswas is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

• level:beginner — 20 pts
• level:intermediate — 35 pts
• level:advanced — 55 pts
• level:critical — 80 pts

Quality (optional):

• quality:clean — ×1.2 multiplier
• quality:exceptional — ×1.5 multiplier

Validation (required to score):

• gssoc:approved — counts for points
• gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

[github-actions]

Thanks for your first PR on DevTrack! 🎉

A maintainer will review it within 48 hours. While you wait:

• Make sure CI is passing (type-check + lint)
• Double-check the PR description is filled out and the issue is linked
• Feel free to ask questions in Discussions if you need help

[SatyaViswas]

Also the settings page works perfectly on my version, but doesn't work on the main deploy link.

Before:

Screen.Recording.2026-05-20.at.4.33.19.PM.mov

After:

Screen.Recording.2026-05-20.at.4.32.47.PM.mov

[Priyanshu-byte-coder]

Conflicts with open PR #407 which targets the same files (src/lib/auth.ts cookie config, src/lib/github-accounts.ts) and is still pending. Resolve that conflict first.

Additional issues:

1. Unexplained cookie config removal — the PR removes the explicit httpOnly: true, sameSite: 'lax', secure: true, maxAge cookie settings from auth.ts. The PR claims this fixes session drops, but does not explain the causal link. Next-auth defaults should be equivalent, but this is a security-relevant change that needs explicit justification.

2. Unbounded memory cache — the new memoryCache Map in metrics-cache.ts has no max-size limit or LRU eviction. If Redis is down in production, this will grow until OOM. Add a max-entries cap.

3. Dev-mode rate limits — AUTHENTICATED_LIMIT = 5000 and ANONYMOUS_LIMIT = 1000 in dev mode are fine as local-only values, but include a comment explaining these are dev-only and never apply to production.

4. any type casts introduced — e.g., runs.flat().filter((r: any) => r.conclusion) removes TypeScript safety from previously typed code. Use proper types.

5. Missing EOF newlines on modified files.

[SatyaViswas]

Thank you for the review. I have updated the code to follow your precise constraints:

Justification for Cookie Config Removal (auth.ts): The session drops occurred because the explicit cookies block manually overrode the sessionToken without defining equivalent mirrors for parallel fields like csrfToken and callbackUrl. In distributed dev-to-build edge cases, this asymmetry broke internal NextAuth token validation. Removing the manual block completely resolves this: NextAuth natively defaults to identical security flags (httpOnly: true, sameSite: "lax", and automatic __Secure- on HTTPS) while ensuring strict, internal cryptographic synchronization out of the box.

Capped Memory Cache (metrics-cache.ts):
Added a MAX_CACHE_ENTRIES = 1000 cap check before storage. If hit, it drops the oldest record using a First-In, First-Out (FIFO) eviction style to strictly isolate resource allocation and prevent any OOM behavior if Upstash Redis goes offline.

Dev-Mode Rate Limits (middleware.ts):
Added explicit source code documentation confirming that these high thresholds are restricted purely to local environments to facilitate rapid refresh testing. They evaluate statically at build-time and drop out completely in production to restore the default parameters (60/10).

Eliminated any Casts (ci/route.ts):
Replaced the inline any array iterator casts with the matching WorkflowRun type interface to restore complete TypeScript compiler evaluation and safety.

EOF Newlines Added:
Ensured clean trailing blank lines on all modified script structures.

[SatyaViswas]

Hey @Priyanshu-byte-coder , also previous pr merged by another contributor to solve this issue didn't solve the problem. So I would like you to check this as it works perfectly!

[SatyaViswas]

Hey @Priyanshu-byte-coder, I have solved all new conflicts. The main deployed website still has the session drop issues. My version still makes sure the session doesn't drop after hard refresh. Please review and merge the PR!

[Priyanshu-byte-coder]

This PR has merge conflicts with main. Please rebase on the latest main branch and force-push to resolve:

git fetch origin
git rebase origin/main
git push --force-with-lease

[SatyaViswas]

Hey @Priyanshu-byte-coder , I solved the merge conflicts!