Skip to content

feat: SDK update for version 0.33.0#109

Merged
ArnabChatterjee20k merged 1 commit into
mainfrom
dev
Jun 25, 2026
Merged

feat: SDK update for version 0.33.0#109
ArnabChatterjee20k merged 1 commit into
mainfrom
dev

Conversation

@ArnabChatterjee20k

@ArnabChatterjee20k ArnabChatterjee20k commented Jun 24, 2026

Copy link
Copy Markdown
Member

This PR contains updates to the SDK for version 0.33.0.

What's Changed

  • Added: Realtime connections now send the configured JWT for authentication.
  • Added: Forwarded impersonateUserId on avatars and storage file requests.
  • Fixed: URL-encode path parameters across all services.

@ArnabChatterjee20k ArnabChatterjee20k changed the title feat: React Native SDK update for version 0.33.0 feat: SDK update for version 0.33.0 Jun 24, 2026
@greptile-apps

greptile-apps Bot commented Jun 24, 2026

Copy link
Copy Markdown

Greptile Summary

This PR bumps the React Native SDK to version 0.33.0, adding three main improvements: JWT forwarding on realtime WebSocket connections (via URL param on web, custom header on native), impersonateUserId propagation to avatar and storage file request URLs, and encodeURIComponent on all path parameters across every service.

  • JWT in realtime: Both the legacy inline client realtime and the new standalone Realtime class correctly send the configured JWT — as a query param on web and as x-appwrite-jwt header on native platforms.
  • impersonateuserid in query strings: Avatar and storage endpoints now include the impersonation ID as a URL query parameter so that direct-URL use cases (e.g., <img> src tags) carry the credential — but the value is added unconditionally, meaning every request URL will include impersonateuserid= even when the field is empty (default ''), since Service.flatten does not filter empty strings.
  • Path-parameter URL encoding: All services now wrap path substitutions with encodeURIComponent, fixing potential 404s and injection vectors for IDs containing special characters.

Confidence Score: 3/5

The core realtime JWT and URL-encoding changes are straightforward and well-implemented, but the unconditional empty impersonateuserid query parameter in every avatar and storage request is a real defect that affects all users of the SDK — not just those using impersonation.

The impersonateuserid value is set in the query string without an emptiness guard, and Service.flatten passes through empty strings unchanged. This means every call to getBrowser, getFlag, getFilePreview, getFileDownload, and similar methods appends ?impersonateuserid= to the URL even when setImpersonateUserId was never called. The impact is broad — it touches all avatar and storage binary endpoints — and the fix is a simple conditional guard. The rest of the PR (URL encoding, JWT forwarding) is solid.

src/services/avatars.ts and src/services/storage.ts — every method that appends impersonateuserid to the query payload needs the assignment guarded by a non-empty check.

Important Files Changed

Filename Overview
src/client.ts Added JWT forwarding for realtime WebSocket connections (URL query param for web, custom header for native); new impersonation config fields added; version bumped to 0.33.0.
src/services/avatars.ts URL-encodes path parameters and adds impersonateuserid forwarding to query string for all avatar endpoints; the impersonateuserid is unconditionally added even when empty, polluting every request URL with an empty parameter.
src/services/storage.ts URL-encodes path parameters and adds impersonateuserid to query string for file download/view/preview endpoints; same empty-value issue as avatars.ts.
src/services/realtime.ts New standalone Realtime class with JWT forwarding (web: URL param, native: header); event dispatch requires subscription IDs — events without them are silently dropped, unlike the legacy client.ts fallback.
docs/examples/account/update-password.md Changed empty-string password placeholder to 'password'; both fields now use the same literal value which is a weaker example than distinct labeled placeholders.
CHANGELOG.md Adds 0.33.0 changelog entry covering JWT in realtime, impersonateUserId forwarding, and URL-encoded path parameters.

Comments Outside Diff (1)

  1. src/services/realtime.ts, line 765-767 (link)

    P2 Events silently dropped when server omits subscription IDs

    The guard !subscriptions || subscriptions.length === 0 causes the handler to return without dispatching any callbacks whenever the server sends an event without subscription IDs. The legacy inline implementation in client.ts handled this case with a channel-matching fallback. If the Appwrite server ever emits events in the older format (e.g., on partial rollouts, older self-hosted versions, or edge-case error paths), all subscribed callbacks will silently receive nothing. Adding a channel-name fallback — mirroring client.ts lines 590–595 — would preserve the previous behavior as a safety net.

Reviews (1): Last reviewed commit: "chore: update React Native SDK to 0.33.0" | Re-trigger Greptile

Comment thread src/services/avatars.ts
const uri = new URL(this.client.config.endpoint + apiPath);
payload['project'] = this.client.config.project;

payload['impersonateuserid'] = this.client.config.impersonateuserid;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Empty impersonateuserid unconditionally appended to every URL

this.client.config.impersonateuserid defaults to '' (see client.ts line 175). Service.flatten does not filter empty strings, so every avatar and storage request URL will include ?impersonateuserid= even when no impersonation is configured. The same unconditional assignment appears in all other avatar methods (getCreditCard, getFlag, getFavicon, getImage, getInitials, getQR, getScreenshot, and their *URL counterparts) and in storage.ts (getFileDownload, getFilePreview, getFileView, and their URL variants).

The assignment should be guarded to only run when the value is non-empty.

Comment on lines +11 to +12
password: 'password',
oldPassword: 'password' // optional

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Literal 'password' used as placeholder for both new and old password

Both password and oldPassword are now set to the same literal 'password' string in the example. A developer copying this code verbatim would set both fields to the exact same value and potentially not notice. Using distinct placeholders like '<NEW_PASSWORD>' and '<OLD_PASSWORD>' (matching the pre-existing '<OLD_PASSWORD>' style from the previous version) would make the intent clearer. The same pattern applies to create.md and update-recovery.md.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

@ArnabChatterjee20k
ArnabChatterjee20k merged commit ff16bab into main Jun 25, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants