[AI] What to change: The support landing page for a specific project (<https://app...#145
Open
burkongla wants to merge 8 commits into
added 2 commits
May 27, 2026 14:56
https://app... Task: 600143e7 Source: slack Requested by: U04E9DZ5ELF
✅ Deploy Preview for githelp-support ready!
added 6 commits
May 27, 2026 20:52
…c/non-scrollable, and apply admin color to header container instead of top banner area Requested via Slack thread
…xt and make the left sidebar static (non-scrollable) with bottom content fitting within the viewport. Requested via Slack thread
…ng page changes (branded banner, custom sidebar with Incognito user, and Get support page formatting) which were not actually applied. Requested via Slack thread
…pacer, add grey stroke to header dp icon, and apply admin color to header container instead of separate banner Requested via Slack thread
…tructure sidebar layout so only the message thread (and optionally right sidebar) scrolls, not the left sidebar. Requested via Slack thread
…ding page Requested via Slack thread
Automated PR
Task: What to change: The support landing page for a specific project (<https://app...
Description: What to change: The support landing page for a specific project (https://app.githelp.app/support/project_name)
Description and specific values:
• Apply a top banner color that corresponds with the color set under Settings/Branding from the Admin role, for the specific project.
• Make the horizontal top banner 61 px high.
• Apply a left sidebar with a formatting identical to the sidebar seen when logged in as a User. But with the following modifications:
◦ “Get support” is the default chosen, top navigation option in the left sidebar menu.
◦ Then, “Rates and details”, “Resources”, and “About support”.
◦ All other content and options within the left sidebar menu can be removed. Only keep the collapse option/interaction. And keep the bottom part showing the User. As the person will not be logged in, show the dp icon as grey with an “I” inside it. Write “Incognito” as the profile name.
◦ Use the same icon for “Get support” as used for “Support” when logged in as a User.
◦ Use the same icon for “Rates and details” as used for “Landing page” when logged in as an Admin.
◦ Use the same icon for “Resources” as used for “SLAs” when logged in as an Admin.
◦ Use the same icon for “About support” as used for “Documentation”.
• Use the same base formatting as the “Support” page for User, for the “Get support” page. Start out by showing the Welcome message of the project in the chat window.
◦ Make the header in the support window, the project’s name only. Skip the part
◦ Make a supportive text below the header that says “Welcome to the support page for [project name]”
Source: slack
Requested by: U04E9DZ5ELF
Classification: flow
Changes
Restructure the public project support landing page (/support/[slug]) to use a layout with a 61px top banner colored by the project's branding primary_color, a left sidebar matching the user-role sidebar (with 4 custom nav items, an Incognito profile, and the collapse interaction), and replace the existing top tab bar with sidebar-driven views. The default Get support view should mirror the user-role /support/chat layout — a chat window showing the project welcome message, with the project name as the header and a 'Welcome to the support page for [project name]' subtitle.
Security Review
Status: warn
No dependency changes (package.json untouched, no npm audit needed). Two medium-severity concerns worth verifying: the redirect parameter handoff in handleSignIn relies on /auth/confirmed validating origins, and anonymous ticket creation depends entirely on RLS plus rate-limiting to prevent abuse and LLM cost exhaustion via classify-ticket. Several low-severity hardening items around input length, image source allowlisting, color validation, and markdown escaping.
Warnings:
• redirect=${encodeURIComponent(window.location.href)}. While window.location.href is same-origin at call time, the path and query string portions are fully user-controllable (e.g., crafted /support/?next=//evil.com style payloads) and are forwarded verbatim to /auth/confirmed. If /auth/confirmed performs window.location assignments or router.push() on the redirect value without validating that the parsed URL's origin matches the app origin, attackers can phish users via a trusted-looking signin link.
• created_by: user?.id || null for users who are not signed in. This is a public, unauthenticated write path that depends entirely on Supabase RLS to prevent abuse (spam, resource exhaustion, arbitrary project_id targeting). The Edge Function classify-ticket is then invoked with the resulting ticket data, potentially burning AI tokens on attacker-generated content.
• description: message is sent unbounded. Title is correctly truncated to 100 chars via substring, but description and the subsequent sendMessage content can be arbitrarily large, enabling storage exhaustion and inflated LLM costs in classify-ticket.
• brandingData?.logo_url directly. A project owner can set this to any URL, enabling tracking pixels, request smuggling, or IP harvesting of all public-support visitors. The eslint-disable comment removes Next.js's image-domain allowlist check, which would otherwise mitigate this.
• style={{ backgroundColor: primaryColor }} uses brandingData?.primary_color directly. React's inline style object prevents declaration injection (no semicolons are interpreted), but an attacker-controlled value like url(//evil.com/track.png) or a long string can still cause a network request or visual defacement on the public support page.
• setMessage((prev) => prev + "\n\n"). If the storage URL ever contains a literal ) (unlikely but possible in signed URL query strings or with custom storage keys), the markdown renderer downstream will mis-parse it, and an attacker who can influence the storage path could craft a URL ending in )[xss](javascript:...) to break out of the image syntax.

🤖 Generated by githelp-support agent team
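The hardening items in the security review above (same-origin check on the redirect value, hex-only branding colour, allowlisted logo host, a cap on the ticket description, and parenthesis-safe markdown image links) collected into one set of helpers, as an added example for this page. This is not code from the githelp-support repository or from the PR; the function names, the cdn.githelp.app allowlist, the 4000-character cap and the fallback colour are assumptions, and the hostile branding row at the bottom is constructed. The app origin is the one quoted in the PR description.

```javascript
// Added example for this page: hardening helpers for the review warnings above.
// Not code from the githelp-support repository. All names, the logo host
// allowlist and the description cap are assumptions; the app origin is the one
// quoted in the PR description.

const APP_ORIGIN = "https://app.githelp.app";      // from the PR description
const LOGO_HOSTS = new Set(["cdn.githelp.app"]);  // assumed allowlist of image hosts
const MAX_DESCRIPTION = 4000;                     // assumed cap for ticket descriptions
const DEFAULT_COLOR = "#111827";                  // assumed fallback banner colour

// Open-redirect guard for the `redirect` value handed to /auth/confirmed.
// Anything that is not a same-origin http(s) target collapses to "/".
function safeRedirectTarget(raw, appOrigin = APP_ORIGIN) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return "/";
  let url;
  try {
    // Resolving against the app origin keeps "/path?x=y" on our host, while
    // "//evil.com", "https://evil.com" and "/\evil.com" (a backslash is a slash
    // for http(s) in the WHATWG parser) all resolve to a foreign host, and
    // "javascript:" / "data:" URLs get the opaque origin "null".
    url = new URL(raw, appOrigin);
  } catch {
    return "/";
  }
  if (url.origin !== appOrigin) return "/";
  // Re-emit only path, query and fragment so the stored value can never carry a host.
  return url.pathname + url.search + url.hash;
}

// Branding colour: only a CSS hex literal may reach style={{ backgroundColor }},
// so url(//evil.com/track.png) or an oversized string is replaced by the default.
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;
function safeColor(raw, fallback = DEFAULT_COLOR) {
  const value = typeof raw === "string" ? raw.trim() : "";
  return HEX_COLOR.test(value) ? value.toLowerCase() : fallback;
}

// Logo URL: absolute https URL on an allowlisted host, otherwise no logo at all.
// This is the kind of check the eslint-disable on the image tag removed.
function safeLogoUrl(raw, allowedHosts = LOGO_HOSTS) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw); // relative paths and garbage throw -> null
  } catch {
    return null;
  }
  if (url.protocol !== "https:" || !allowedHosts.has(url.hostname)) return null;
  return url.href;
}

// Apply both branding checks to a row from the project's branding settings.
function sanitizeBranding(brandingData) {
  return {
    primaryColor: safeColor(brandingData?.primary_color),
    logoUrl: safeLogoUrl(brandingData?.logo_url),
  };
}

// Bound the free-text description before it is inserted and sent to classify-ticket.
function clampText(raw, max = MAX_DESCRIPTION) {
  const text = typeof raw === "string" ? raw : "";
  return text.length > max ? text.slice(0, max) : text;
}

// Markdown image for an uploaded attachment. encodeURI leaves "(" and ")"
// alone, so they are percent-encoded explicitly; a storage path ending in
// ")[xss](javascript:...)" can then no longer close the image syntax early.
function markdownImage(alt, url) {
  const safeUrl = encodeURI(url).replace(/[()]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
  const safeAlt = String(alt).replace(/[\[\]]/g, "");
  return `![${safeAlt}](${safeUrl})`;
}

// Constructed hostile branding row, as a demonstration (not real project data).
const hostileBranding = {
  primary_color: "url(//evil.com/track.png)",
  logo_url: "https://evil.com/pixel.gif",
};
console.log(sanitizeBranding(hostileBranding));      // { primaryColor: '#111827', logoUrl: null }
console.log(safeRedirectTarget("//evil.com/login")); // "/"
```

The redirect check deliberately compares the parsed origin rather than testing for a leading "/", because "//evil.com" and "/\evil.com" both start with a slash yet resolve to another host; returning only path, query and fragment means /auth/confirmed never stores or navigates to a value that carries a host. The colour and logo checks fail closed to a default, which is the right behaviour on a public page where the values come from a project owner rather than from the operator.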