Skip to content

[MNY-344] Dashboard: Add swap-widget iframe #8603

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
graphite-app merged 1 commit into from
Jan 5, 2026
Merged

[MNY-344] Dashboard: Add swap-widget iframe #8603

graphite-app merged 1 commit into from
Jan 5, 2026
+262 −43

Conversation

@MananTank
Copy link
Member

@MananTank MananTank commented Jan 5, 2026
edited by coderabbitai bot
Loading

PR-Codex overview

This PR introduces a new NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID constant, updates security policies for swap widgets, and refactors the Providers component to BridgeProvidersLite. It also adds the SwapWidgetEmbed component for handling token swaps.

Detailed summary

  • Added NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID in public-envs.ts.
  • Updated next.config.ts with new content security policies for swap widgets.
  • Introduced BridgeProvidersLite component in Providers.client.tsx.
  • Added SwapWidgetEmbed component for token swaps in SwapWidgetEmbed.client.tsx.
  • Refactored pages to use BridgeProvidersLite instead of Providers.

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

Summary by CodeRabbit

  • New Features

    • Added a cross‑chain swap page, embed component and layout with URL-prefill, theming, and fiat currency options.
    • Added a lightweight provider wrapper for embed usage.

  • Changes

    • Checkout widget no longer auto‑connects preconfigured wallets; provider usage unified to the lightweight wrapper.

  • Chores

    • Added CSP headers for swap widget routes.
    • Introduced public env var for swap iframe client ID.

✏️ Tip: You can customize this high-level summary in your review settings.

@vercel
Copy link

vercel bot commented Jan 5, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
thirdweb-www Ready Ready Preview, Comment Jan 5, 2026 8:34pm
4 Skipped Deployments
Project Deployment Review Updated (UTC)
docs-v2 Skipped Skipped Jan 5, 2026 8:34pm
nebula Skipped Skipped Jan 5, 2026 8:34pm
thirdweb_playground Skipped Skipped Jan 5, 2026 8:34pm
wallet-ui Skipped Skipped Jan 5, 2026 8:34pm

@vercel vercel bot temporarily deployed to Preview – wallet-ui January 5, 2026 19:39 Inactive
@vercel vercel bot temporarily deployed to Preview – docs-v2 January 5, 2026 19:39 Inactive
@vercel vercel bot temporarily deployed to Preview – nebula January 5, 2026 19:39 Inactive
@vercel vercel bot temporarily deployed to Preview – thirdweb_playground January 5, 2026 19:39 Inactive
@linear
Copy link

linear bot commented Jan 5, 2026

MNY-344 Add Swap Widget iframe

@changeset-bot
Copy link

changeset-bot bot commented Jan 5, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: 9f265bf

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Jan 5, 2026
edited
Loading

Walkthrough

Adds a new swap-widget route (layout + page) and a client SwapWidgetEmbed that initializes a thirdweb SwapWidget with optional prefill and posts success/error to the parent; introduces NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID, updates CSP headers for swap-widget paths, and removes wallet auto-connect from CheckoutWidgetEmbed.

Changes

Cohort / File(s) Summary
Configuration & Environment
apps/dashboard/next.config.ts, apps/dashboard/src/@/constants/public-envs.ts		 Added CSP header rules for /bridge/swap-widget and /bridge/swap-widget/:path*; exported NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID.
Swap Widget Feature
apps/dashboard/src/app/bridge/swap-widget/page.tsx, apps/dashboard/src/app/bridge/swap-widget/layout.tsx, apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx		 New swap-widget route and layout; client SwapWidgetEmbed builds a prefill from query params, creates a configured thirdweb client using the new env var, and posts onSuccess/onError messages to window.parent.
Providers / Wrapper
apps/dashboard/src/app/bridge/(general)/components/client/Providers.client.tsx		 Added BridgeProvidersLite — a lighter provider wrapper (ThirdwebProvider + ThemeProvider) without autoconnect/toaster logic.
Checkout Widget Change
apps/dashboard/src/app/bridge/checkout-widget/page.tsx, apps/dashboard/src/app/bridge/checkout-widget/CheckoutWidgetEmbed.client.tsx		 Replaced local Providers usage with BridgeProvidersLite; removed wallet auto-connect configuration and related imports from CheckoutWidgetEmbed; removed NEXT_PUBLIC_CHECKOUT_IFRAME_CLIENT_ID validation from page.

Sequence Diagram(s)

mermaid
sequenceDiagram
autonumber
participant Parent as Parent Page (host)
participant Iframe as Swap Widget Iframe (route)
participant Embed as SwapWidgetEmbed (client)
participant SDK as Thirdweb SwapWidget (SDK)
Parent->>Iframe: load /bridge/swap-widget?query...
Iframe->>Embed: render with parsed params & client ID
Embed->>SDK: initialize with configured client & prefill
SDK-->>Embed: emits success / error
Embed->>Parent: postMessage({ type: "swap:success" / "swap:error", data })
note right of Parent: receives postMessage from iframe

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
Description check ❓ Inconclusive The PR description includes a PR-Codex overview that covers all major changes, but lacks explicit sections for 'Notes for the reviewer' and 'How to test' as specified in the template. Add explicit 'Notes for the reviewer' and 'How to test' sections to complete the description template and provide clearer testing guidance.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The PR title '[MNY-344] Dashboard: Add swap-widget iframe' accurately and concisely summarizes the main change—adding a new swap widget iframe feature to the dashboard.
Linked Issues check ✅ Passed The PR implements swap widget iframe functionality including environment variables, security policies, components, and pages that align with adding a swap widget iframe feature.
Out of Scope Changes check ✅ Passed All changes are focused on implementing the swap widget iframe feature. The refactoring of Providers to BridgeProvidersLite is a supporting change needed for the new swap widget implementation.
✨ Finishing touches
  • 📝 Generate docstrings

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • TEAM-0000: Entity not found: Issue - Could not find referenced Issue.

Comment @coderabbitai help to get the list of available commands and usage tips.

@MananTank MananTank marked this pull request as ready for review January 5, 2026 19:39
@MananTank MananTank requested review from a team as code owners January 5, 2026 19:39
@github-actions github-actions bot added the Dashboard Involves changes to the Dashboard. label Jan 5, 2026
@MananTank Graphite App
Copy link
Member Author

MananTank commented Jan 5, 2026
edited
Loading

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

  • merge-queue - adds this PR to the back of the merge queue
  • hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

coderabbitai[bot]
coderabbitai bot reviewed Jan 5, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

Fix all issues with AI Agents 🤖 
In @apps/dashboard/src/app/bridge/swap-widget/layout.tsx:
- Around line 1-27: The file is missing a server-only marker and the layout
should be an async server component: add the top-level import "server-only"; and
change the exported function signature to "export default async function
SwapWidgetLayout(...)" (keep the same props shape and body, no 'use client'
directive); ensure existing symbols like SwapWidgetLayout and fontSans remain
unchanged so the component remains a server-only async layout.

In @apps/dashboard/src/app/bridge/swap-widget/page.tsx:
- Around line 1-26: This server component file is missing the required
server-only directive; add import "server-only"; as the very first line before
any other imports in this module (where symbols like metadata, SwapWidgetEmbed,
and BridgeProviders are defined/imported) to ensure the file is treated as
server-only and avoid client bundling.

In @apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx:
- Line 6: The component is importing and using
NEXT_PUBLIC_CHECKOUT_IFRAME_CLIENT_ID but should use
NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID; update the import statement to import
NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID and replace all usages of
NEXT_PUBLIC_CHECKOUT_IFRAME_CLIENT_ID in SwapWidgetEmbed (the client component
in SwapWidgetEmbed.client.tsx) with NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID so the
swap widget uses the correct client ID for configuration, authentication, and
telemetry.
- Around line 97-104: The sendMessageToParent function currently uses "*" as
targetOrigin which is insecure; change it to validate and supply a specific
origin: derive targetOrigin from a trusted source (preferably a parentOrigin
prop passed into SwapWidgetEmbed or, if unavailable, sanitize
document.referrer), check it against an allowlist of trusted origins, log and
abort if not allowed, and only then call window.parent.postMessage(content,
targetOrigin); if you must fall back to "*" document the tradeoff and ensure the
content excludes any sensitive fields (amounts, addresses, user identifiers).
🧹 Nitpick comments (1)
apps/dashboard/src/app/bridge/swap-widget/page.tsx (1)

86-104: Consider earlier validation of the required environment variable.

The validation of NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID happens at render time, which could result in a runtime error after the page has started processing. Consider validating required environment variables at build time or module initialization.

Alternative approach

Move the validation to the top level of the module:

if (!NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID) {
  throw new Error("NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID is not set");
}

function Providers({
  children,
  theme,
}: {
  children: React.ReactNode;
  theme: string;
}) {
  return (
    <BridgeProviders
      clientId={NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID}
      forcedTheme={theme}
    >
      {children}
    </BridgeProviders>
  );
}

This provides earlier failure feedback during development and build processes.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e5519ea and d04a526.

📒 Files selected for processing (6)
  • apps/dashboard/next.config.ts
  • apps/dashboard/src/@/constants/public-envs.ts
  • apps/dashboard/src/app/bridge/checkout-widget/CheckoutWidgetEmbed.client.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
  • apps/dashboard/src/app/bridge/swap-widget/layout.tsx
  • apps/dashboard/src/app/bridge/swap-widget/page.tsx
💤 Files with no reviewable changes (1)
  • apps/dashboard/src/app/bridge/checkout-widget/CheckoutWidgetEmbed.client.tsx
🧰 Additional context used
📓 Path-based instructions (11)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx}: Write idiomatic TypeScript with explicit function declarations and return types
Limit each TypeScript file to one stateless, single-responsibility function for clarity
Re-use shared types from @/types or local types.ts barrels
Prefer type aliases over interface except for nominal shapes in TypeScript
Avoid any and unknown in TypeScript unless unavoidable; narrow generics when possible
Choose composition over inheritance; leverage utility types (Partial, Pick, etc.) in TypeScript

**/*.{ts,tsx}: Write idiomatic TypeScript with explicit function declarations and return types
Limit each file to one stateless, single-responsibility function for clarity and testability
Re-use shared types from @/types or local types.ts barrel exports
Prefer type aliases over interface except for nominal shapes
Avoid any and unknown unless unavoidable; narrow generics whenever possible
Choose composition over inheritance; leverage utility types (Partial, Pick, etc.)
Comment only ambiguous logic in TypeScript files; avoid restating TypeScript types and signatures in prose

Files:

  • apps/dashboard/src/app/bridge/swap-widget/layout.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
  • apps/dashboard/src/app/bridge/swap-widget/page.tsx
  • apps/dashboard/src/@/constants/public-envs.ts
  • apps/dashboard/next.config.ts
apps/{dashboard,playground-web}/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

apps/{dashboard,playground-web}/src/**/*.{ts,tsx}: Import UI component primitives from @/components/ui/* (Button, Input, Select, Tabs, Card, Sidebar, Badge, Separator) in dashboard and playground
Use Tailwind CSS only – no inline styles or CSS modules in dashboard and playground
Use cn() from @/lib/utils for conditional Tailwind class merging
Use design system tokens for styling (backgrounds: bg-card, borders: border-border, muted text: text-muted-foreground)
Expose className prop on root element for component overrides

Files:

  • apps/dashboard/src/app/bridge/swap-widget/layout.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
  • apps/dashboard/src/app/bridge/swap-widget/page.tsx
  • apps/dashboard/src/@/constants/public-envs.ts
apps/dashboard/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

apps/dashboard/src/**/*.{ts,tsx}: Use NavLink for internal navigation with automatic active states in dashboard
Start server component files with import "server-only"; in Next.js
Read cookies/headers with next/headers in server components
Access server-only environment variables in server components
Perform heavy data fetching in server components
Implement redirect logic with redirect() from next/navigation in server components
Begin client component files with 'use client'; directive in Next.js
Handle interactive UI with React hooks (useState, useEffect, React Query, wallet hooks) in client components
Access browser APIs (localStorage, window, IntersectionObserver) in client components
Support fast transitions with prefetched data in client components
Always call getAuthToken() to retrieve JWT from cookies on server side
Use Authorization: Bearer header for API calls – never embed tokens in URLs
Return typed results (Project[], User[]) from server-side data fetches – avoid any
Wrap client-side API calls in React Query (@tanstack/react-query)
Use descriptive, stable queryKeys in React Query for cache hits
Configure staleTime/cacheTime in React Query based on freshness (default ≥ 60s)
Keep tokens secret via internal API routes or server actions
Never import posthog-js in server components – only use analytics client-side

Files:

  • apps/dashboard/src/app/bridge/swap-widget/layout.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
  • apps/dashboard/src/app/bridge/swap-widget/page.tsx
  • apps/dashboard/src/@/constants/public-envs.ts
apps/dashboard/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/dashboard.mdc)

apps/dashboard/**/*.{ts,tsx}: Always import from the central UI library under @/components/ui/* for reusable core UI components like Button, Input, Select, Tabs, Card, Sidebar, Separator, Badge
Use NavLink from @/components/ui/NavLink for internal navigation to ensure active states are handled automatically
For notices and skeletons, rely on AnnouncementBanner, GenericLoadingPage, and EmptyStateCard components
Import icons from lucide-react or the project-specific …/icons exports; never embed raw SVG
Keep components pure; fetch data outside using server components or hooks and pass it down via props
Use Tailwind CSS as the styling system; avoid inline styles or CSS modules
Merge class names with cn from @/lib/utils to keep conditional logic readable
Stick to design tokens: use bg-card, border-border, text-muted-foreground and other Tailwind variables instead of hard-coded colors
Use spacing utilities (px-*, py-*, gap-*) instead of custom margins
Follow mobile-first responsive design with Tailwind helpers (max-sm, md, lg, xl)
Never hard-code colors; always use Tailwind variables
Combine class names via cn, and expose className prop if useful in components
Use React Query (@tanstack/react-query) for all client-side data fetching with typed hooks

Files:

  • apps/dashboard/src/app/bridge/swap-widget/layout.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
  • apps/dashboard/src/app/bridge/swap-widget/page.tsx
  • apps/dashboard/src/@/constants/public-envs.ts
  • apps/dashboard/next.config.ts
apps/dashboard/**/layout.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/dashboard.mdc)

apps/dashboard/**/layout.{ts,tsx}: Reuse SidebarLayout or FullWidthSidebarLayout from @/components/blocks/SidebarLayout for all layouts
Export default async functions without 'use client'; in server components; they run on the Node edge

Files:

  • apps/dashboard/src/app/bridge/swap-widget/layout.tsx
**/*.{js,jsx,ts,tsx,json}

📄 CodeRabbit inference engine (AGENTS.md)

Biome governs formatting and linting; its rules live in biome.json. Run pnpm fix & pnpm lint before committing, ensure there are no linting errors

Files:

  • apps/dashboard/src/app/bridge/swap-widget/layout.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
  • apps/dashboard/src/app/bridge/swap-widget/page.tsx
  • apps/dashboard/src/@/constants/public-envs.ts
  • apps/dashboard/next.config.ts
apps/{dashboard,playground}/**/*.{tsx,ts}

📄 CodeRabbit inference engine (AGENTS.md)

apps/{dashboard,playground}/**/*.{tsx,ts}: Import UI primitives from @/components/ui/_ (Button, Input, Select, Tabs, Card, Sidebar, Badge, Separator) in Dashboard and Playground apps
Use NavLink for internal navigation so active states are handled automatically
Use Tailwind CSS for styling – no inline styles or CSS modules
Merge class names with cn() from @/lib/utils to keep conditional logic readable
Stick to design tokens for styling: backgrounds (bg-card), borders (border-border), muted text (text-muted-foreground), etc.
Server Components: Read cookies/headers with next/headers, access server-only environment variables or secrets, perform heavy data fetching, implement redirect logic with redirect() from next/navigation, and start files with import 'server-only'; to prevent client bundling
Client Components: Begin files with 'use client'; before imports, handle interactive UI relying on React hooks (useState, useEffect, React Query, wallet hooks), access browser APIs (localStorage, window, IntersectionObserver, etc.), and support fast transitions with client-side data prefetching
For client-side data fetching: Wrap calls in React Query (@tanstack/react-query), use descriptive and stable queryKeys for cache hits, configure staleTime / cacheTime based on freshness requirements (default ≥ 60 s), and keep tokens secret by calling internal API routes or server actions

Files:

  • apps/dashboard/src/app/bridge/swap-widget/layout.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
  • apps/dashboard/src/app/bridge/swap-widget/page.tsx
  • apps/dashboard/src/@/constants/public-envs.ts
  • apps/dashboard/next.config.ts
apps/{dashboard,playground}/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

apps/{dashboard,playground}/**/*.{ts,tsx}: For server-side data fetching: Always call getAuthToken() to retrieve the JWT from cookies and inject the token as an Authorization: Bearer header – never embed it in the URL. Return typed results (Project[], User[], …) – avoid any
Never import posthog-js in server components; analytics reporting is client-side only

Files:

  • apps/dashboard/src/app/bridge/swap-widget/layout.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
  • apps/dashboard/src/app/bridge/swap-widget/page.tsx
  • apps/dashboard/src/@/constants/public-envs.ts
  • apps/dashboard/next.config.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

Lazy-import optional features; avoid top-level side-effects

Files:

  • apps/dashboard/src/app/bridge/swap-widget/layout.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
  • apps/dashboard/src/app/bridge/swap-widget/page.tsx
  • apps/dashboard/src/@/constants/public-envs.ts
  • apps/dashboard/next.config.ts
apps/dashboard/**/*.client.tsx

📄 CodeRabbit inference engine (.cursor/rules/dashboard.mdc)

apps/dashboard/**/*.client.tsx: Name component files after the component in PascalCase; append .client.tsx when the component is interactive
Client components must start with 'use client'; directive before imports

Files:

  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
apps/dashboard/**/page.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/dashboard.mdc)

Use the container class with a max-w-7xl cap for consistent page width

Files:

  • apps/dashboard/src/app/bridge/swap-widget/page.tsx
🧬 Code graph analysis (2)
apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx (2)
apps/dashboard/src/@/constants/thirdweb.server.ts (1)
  • getConfiguredThirdwebClient (26-97)
apps/dashboard/src/@/constants/public-envs.ts (1)
  • NEXT_PUBLIC_CHECKOUT_IFRAME_CLIENT_ID (48-49)
apps/dashboard/src/app/bridge/swap-widget/page.tsx (5)
apps/dashboard/src/app/bridge/_common/parseQueryParams.ts (3)
  • parseQueryParams (3-11)
  • onlyNumber (14-15)
  • onlyAddress (13-13)
apps/dashboard/src/app/bridge/_common/isValidCurrency.ts (1)
  • isValidCurrency (3-10)
apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx (1)
  • SwapWidgetEmbed (9-95)
apps/dashboard/src/@/constants/public-envs.ts (1)
  • NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID (51-52)
apps/dashboard/src/app/bridge/(general)/components/client/Providers.client.tsx (1)
  • BridgeProviders (9-42)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (javascript)
🔇 Additional comments (4)
apps/dashboard/next.config.ts (1)

182-199: LGTM! CSP headers properly configured for the new swap widget routes.

The Content-Security-Policy headers for /bridge/swap-widget and /bridge/swap-widget/:path* follow the established pattern used by other widget routes, correctly applying EmbedContentSecurityPolicy with frame-ancestors * to allow iframe embedding.

apps/dashboard/src/@/constants/public-envs.ts (1)

51-52: LGTM! Environment variable export follows established pattern.

The new NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID export is consistent with the existing iframe client ID variables and is properly validated at runtime in the page component.

apps/dashboard/src/app/bridge/swap-widget/page.tsx (1)

31-84: LGTM! Query parameter parsing and page structure are well-implemented.

The page correctly:

  • Parses and validates all swap-related query parameters
  • Provides type-safe defaults for optional parameters
  • Uses proper async/await for searchParams
  • Renders the SwapWidgetEmbed within appropriate providers
apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx (1)

40-70: LGTM! Prefill logic correctly constructs token data from optional parameters.

The prefill memo properly handles optional buy/sell parameters and only includes non-undefined values in the result, returning undefined when no parameters are provided.

@codecov
Copy link

codecov bot commented Jan 5, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.19%. Comparing base (e5519ea) to head (9f265bf).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #8603   +/-   ##
=======================================
  Coverage   53.19%   53.19%           
=======================================
  Files         922      922           
  Lines       61480    61480           
  Branches     4032     4032           
=======================================
  Hits        32706    32706           
  Misses      28676    28676           
  Partials       98       98
Flag Coverage Δ
packages 53.19% <ø> (ø)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@github-actions
Copy link
Contributor

github-actions bot commented Jan 5, 2026
edited
Loading

size-limit report 📦

Path Size
@thirdweb-dev/nexus (esm) 105.66 KB (0%)
@thirdweb-dev/nexus (cjs) 319.47 KB (0%)

@MananTank MananTank mentioned this pull request Jan 5, 2026
Merged
@graphite-app
Copy link
Contributor

graphite-app bot commented Jan 5, 2026
edited
Loading

Merge activity

@MananTank
[MNY-344] Dashboard: Add swap-widget iframe (#8603)
9f265bf 
<!--

## title your PR with this format: "[SDK/Dashboard/Portal] Feature/Fix: Concise title for the changes"

If you did not copy the branch name from Linear, paste the issue tag here (format is TEAM-0000):

## Notes for the reviewer

Anything important to call out? Be sure to also clarify these in your comments.

## How to test

Unit tests, playground, etc.

-->

<!-- start pr-codex -->

---

## PR-Codex overview
This PR introduces a new `NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID` constant and enhances the swap functionality with a `SwapWidgetEmbed` component, while refactoring the existing `Providers` component to `BridgeProvidersLite`. It also adds necessary headers for security and updates layout components.

### Detailed summary
- Added `NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID` constant in `public-envs.ts`.
- Updated `next.config.ts` to include security headers for swap widget routes.
- Introduced `BridgeProvidersLite` component in `Providers.client.tsx`.
- Created `SwapWidgetEmbed` component for swap functionality.
- Refactored `page.tsx` to utilize `BridgeProvidersLite` and `SwapWidgetEmbed`.
- Removed the old `Providers` component logic.

> ✨ Ask PR-Codex anything about this PR by commenting with `/codex {your question}`

<!-- end pr-codex -->

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

* **New Features**
  * Added a cross‑chain swap widget with page, embed component and layout, URL-prefill support, theming, and fiat currency options.
  * Added a lightweight provider wrapper for embed usage.

* **Changes**
  * Checkout widget no longer auto-connects preconfigured wallets; provider usage unified to the lightweight wrapper.

* **Chores**
  * Added CSP headers for swap widget routes.
  * Introduced public env var for swap iframe client ID.

<sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
@MananTank MananTank mentioned this pull request Jan 5, 2026
Merged
coderabbitai[bot]
coderabbitai bot reviewed Jan 5, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Fix all issues with AI Agents 🤖 
In @apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx:
- Around line 30-38: The code calls getConfiguredThirdwebClient with
NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID without validating it; add a check at
component initialization (before useMemo or inside it) to verify
NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID is defined and non-empty, and if not either
throw a clear error or render an error fallback UI (follow the invalid
configuration handling pattern used in checkout-widget/page.tsx lines ~80-115);
update the useMemo call that creates the client (getConfiguredThirdwebClient) to
only run when the validated clientId exists and include a descriptive log or
error message to aid debugging.
♻️ Duplicate comments (1)
apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx (1)

97-104: Security concern already flagged in previous review.

The use of wildcard origin "*" in postMessage has been identified as a security issue in the previous review comments. Please refer to the existing recommendations for implementing origin validation.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a6340c1 and 9f265bf.

📒 Files selected for processing (8)
  • apps/dashboard/next.config.ts
  • apps/dashboard/src/@/constants/public-envs.ts
  • apps/dashboard/src/app/bridge/(general)/components/client/Providers.client.tsx
  • apps/dashboard/src/app/bridge/checkout-widget/CheckoutWidgetEmbed.client.tsx
  • apps/dashboard/src/app/bridge/checkout-widget/page.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
  • apps/dashboard/src/app/bridge/swap-widget/layout.tsx
  • apps/dashboard/src/app/bridge/swap-widget/page.tsx
💤 Files with no reviewable changes (1)
  • apps/dashboard/src/app/bridge/checkout-widget/CheckoutWidgetEmbed.client.tsx
🚧 Files skipped from review as they are similar to previous changes (3)
  • apps/dashboard/next.config.ts
  • apps/dashboard/src/app/bridge/swap-widget/layout.tsx
  • apps/dashboard/src/app/bridge/swap-widget/page.tsx
🧰 Additional context used
📓 Path-based instructions (12)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx}: Write idiomatic TypeScript with explicit function declarations and return types
Limit each TypeScript file to one stateless, single-responsibility function for clarity
Re-use shared types from @/types or local types.ts barrels
Prefer type aliases over interface except for nominal shapes in TypeScript
Avoid any and unknown in TypeScript unless unavoidable; narrow generics when possible
Choose composition over inheritance; leverage utility types (Partial, Pick, etc.) in TypeScript

**/*.{ts,tsx}: Write idiomatic TypeScript with explicit function declarations and return types
Limit each file to one stateless, single-responsibility function for clarity and testability
Re-use shared types from @/types or local types.ts barrel exports
Prefer type aliases over interface except for nominal shapes
Avoid any and unknown unless unavoidable; narrow generics whenever possible
Choose composition over inheritance; leverage utility types (Partial, Pick, etc.)
Comment only ambiguous logic in TypeScript files; avoid restating TypeScript types and signatures in prose

Files:

  • apps/dashboard/src/app/bridge/(general)/components/client/Providers.client.tsx
  • apps/dashboard/src/@/constants/public-envs.ts
  • apps/dashboard/src/app/bridge/checkout-widget/page.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
apps/{dashboard,playground-web}/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

apps/{dashboard,playground-web}/src/**/*.{ts,tsx}: Import UI component primitives from @/components/ui/* (Button, Input, Select, Tabs, Card, Sidebar, Badge, Separator) in dashboard and playground
Use Tailwind CSS only – no inline styles or CSS modules in dashboard and playground
Use cn() from @/lib/utils for conditional Tailwind class merging
Use design system tokens for styling (backgrounds: bg-card, borders: border-border, muted text: text-muted-foreground)
Expose className prop on root element for component overrides

Files:

  • apps/dashboard/src/app/bridge/(general)/components/client/Providers.client.tsx
  • apps/dashboard/src/@/constants/public-envs.ts
  • apps/dashboard/src/app/bridge/checkout-widget/page.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
apps/dashboard/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

apps/dashboard/src/**/*.{ts,tsx}: Use NavLink for internal navigation with automatic active states in dashboard
Start server component files with import "server-only"; in Next.js
Read cookies/headers with next/headers in server components
Access server-only environment variables in server components
Perform heavy data fetching in server components
Implement redirect logic with redirect() from next/navigation in server components
Begin client component files with 'use client'; directive in Next.js
Handle interactive UI with React hooks (useState, useEffect, React Query, wallet hooks) in client components
Access browser APIs (localStorage, window, IntersectionObserver) in client components
Support fast transitions with prefetched data in client components
Always call getAuthToken() to retrieve JWT from cookies on server side
Use Authorization: Bearer header for API calls – never embed tokens in URLs
Return typed results (Project[], User[]) from server-side data fetches – avoid any
Wrap client-side API calls in React Query (@tanstack/react-query)
Use descriptive, stable queryKeys in React Query for cache hits
Configure staleTime/cacheTime in React Query based on freshness (default ≥ 60s)
Keep tokens secret via internal API routes or server actions
Never import posthog-js in server components – only use analytics client-side

Files:

  • apps/dashboard/src/app/bridge/(general)/components/client/Providers.client.tsx
  • apps/dashboard/src/@/constants/public-envs.ts
  • apps/dashboard/src/app/bridge/checkout-widget/page.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
apps/dashboard/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/dashboard.mdc)

apps/dashboard/**/*.{ts,tsx}: Always import from the central UI library under @/components/ui/* for reusable core UI components like Button, Input, Select, Tabs, Card, Sidebar, Separator, Badge
Use NavLink from @/components/ui/NavLink for internal navigation to ensure active states are handled automatically
For notices and skeletons, rely on AnnouncementBanner, GenericLoadingPage, and EmptyStateCard components
Import icons from lucide-react or the project-specific …/icons exports; never embed raw SVG
Keep components pure; fetch data outside using server components or hooks and pass it down via props
Use Tailwind CSS as the styling system; avoid inline styles or CSS modules
Merge class names with cn from @/lib/utils to keep conditional logic readable
Stick to design tokens: use bg-card, border-border, text-muted-foreground and other Tailwind variables instead of hard-coded colors
Use spacing utilities (px-*, py-*, gap-*) instead of custom margins
Follow mobile-first responsive design with Tailwind helpers (max-sm, md, lg, xl)
Never hard-code colors; always use Tailwind variables
Combine class names via cn, and expose className prop if useful in components
Use React Query (@tanstack/react-query) for all client-side data fetching with typed hooks

Files:

  • apps/dashboard/src/app/bridge/(general)/components/client/Providers.client.tsx
  • apps/dashboard/src/@/constants/public-envs.ts
  • apps/dashboard/src/app/bridge/checkout-widget/page.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
apps/dashboard/**/components/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/dashboard.mdc)

Add className prop to the root element of every component to allow external overrides

Files:

  • apps/dashboard/src/app/bridge/(general)/components/client/Providers.client.tsx
apps/dashboard/**/*.client.tsx

📄 CodeRabbit inference engine (.cursor/rules/dashboard.mdc)

apps/dashboard/**/*.client.tsx: Name component files after the component in PascalCase; append .client.tsx when the component is interactive
Client components must start with 'use client'; directive before imports

Files:

  • apps/dashboard/src/app/bridge/(general)/components/client/Providers.client.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
**/*.{js,jsx,ts,tsx,json}

📄 CodeRabbit inference engine (AGENTS.md)

Biome governs formatting and linting; its rules live in biome.json. Run pnpm fix & pnpm lint before committing, ensure there are no linting errors

Files:

  • apps/dashboard/src/app/bridge/(general)/components/client/Providers.client.tsx
  • apps/dashboard/src/@/constants/public-envs.ts
  • apps/dashboard/src/app/bridge/checkout-widget/page.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
apps/{dashboard,playground}/**/*.{tsx,ts}

📄 CodeRabbit inference engine (AGENTS.md)

apps/{dashboard,playground}/**/*.{tsx,ts}: Import UI primitives from @/components/ui/_ (Button, Input, Select, Tabs, Card, Sidebar, Badge, Separator) in Dashboard and Playground apps
Use NavLink for internal navigation so active states are handled automatically
Use Tailwind CSS for styling – no inline styles or CSS modules
Merge class names with cn() from @/lib/utils to keep conditional logic readable
Stick to design tokens for styling: backgrounds (bg-card), borders (border-border), muted text (text-muted-foreground), etc.
Server Components: Read cookies/headers with next/headers, access server-only environment variables or secrets, perform heavy data fetching, implement redirect logic with redirect() from next/navigation, and start files with import 'server-only'; to prevent client bundling
Client Components: Begin files with 'use client'; before imports, handle interactive UI relying on React hooks (useState, useEffect, React Query, wallet hooks), access browser APIs (localStorage, window, IntersectionObserver, etc.), and support fast transitions with client-side data prefetching
For client-side data fetching: Wrap calls in React Query (@tanstack/react-query), use descriptive and stable queryKeys for cache hits, configure staleTime / cacheTime based on freshness requirements (default ≥ 60 s), and keep tokens secret by calling internal API routes or server actions

Files:

  • apps/dashboard/src/app/bridge/(general)/components/client/Providers.client.tsx
  • apps/dashboard/src/@/constants/public-envs.ts
  • apps/dashboard/src/app/bridge/checkout-widget/page.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
apps/{dashboard,playground}/**/components/**/*.{tsx,ts}

📄 CodeRabbit inference engine (AGENTS.md)

apps/{dashboard,playground}/**/components/**/*.{tsx,ts}: Group feature-specific components under feature/components/_ and expose a barrel index.ts when necessary
Expose a className prop on the root element of every component for styling overrides

Files:

  • apps/dashboard/src/app/bridge/(general)/components/client/Providers.client.tsx
apps/{dashboard,playground}/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

apps/{dashboard,playground}/**/*.{ts,tsx}: For server-side data fetching: Always call getAuthToken() to retrieve the JWT from cookies and inject the token as an Authorization: Bearer header – never embed it in the URL. Return typed results (Project[], User[], …) – avoid any
Never import posthog-js in server components; analytics reporting is client-side only

Files:

  • apps/dashboard/src/app/bridge/(general)/components/client/Providers.client.tsx
  • apps/dashboard/src/@/constants/public-envs.ts
  • apps/dashboard/src/app/bridge/checkout-widget/page.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

Lazy-import optional features; avoid top-level side-effects

Files:

  • apps/dashboard/src/app/bridge/(general)/components/client/Providers.client.tsx
  • apps/dashboard/src/@/constants/public-envs.ts
  • apps/dashboard/src/app/bridge/checkout-widget/page.tsx
  • apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
apps/dashboard/**/page.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/dashboard.mdc)

Use the container class with a max-w-7xl cap for consistent page width

Files:

  • apps/dashboard/src/app/bridge/checkout-widget/page.tsx
🧬 Code graph analysis (1)
apps/dashboard/src/app/bridge/checkout-widget/page.tsx (1)
apps/dashboard/src/app/bridge/(general)/components/client/Providers.client.tsx (1)
  • BridgeProvidersLite (44-64)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: E2E Tests (pnpm, esbuild)
  • GitHub Check: Build Packages
  • GitHub Check: E2E Tests (pnpm, vite)
  • GitHub Check: Size
  • GitHub Check: Unit Tests
  • GitHub Check: Lint Packages
  • GitHub Check: Analyze (javascript)
🔇 Additional comments (5)
apps/dashboard/src/@/constants/public-envs.ts (1)

51-52: LGTM! Consistent with existing iframe client ID exports.

The new environment variable follows the same pattern as NEXT_PUBLIC_BRIDGE_IFRAME_CLIENT_ID and NEXT_PUBLIC_CHECKOUT_IFRAME_CLIENT_ID, maintaining consistency across the codebase.

apps/dashboard/src/app/bridge/(general)/components/client/Providers.client.tsx (1)

44-64: LGTM! Clean refactor for lightweight embedding scenarios.

The BridgeProvidersLite component appropriately removes auto-connect and toaster functionality while maintaining consistent theming configuration. This is a sensible pattern for iframe embed contexts where wallet auto-connect behavior is not desired.

apps/dashboard/src/app/bridge/checkout-widget/page.tsx (1)

12-12: LGTM! Provider refactor aligns with iframe embedding requirements.

The migration from BridgeProviders to BridgeProvidersLite removes wallet auto-connect functionality from the checkout widget flow, which is appropriate for iframe embed scenarios. The forcedTheme prop correctly propagates the theme preference through the provider chain.

Also applies to: 81-114, 119-138

apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx (2)

40-70: LGTM! Prefill logic is clean and correctly structured.

The conditional construction of buyToken and sellToken based on the presence of their respective chainId parameters is appropriate, and the dependency array correctly captures all inputs. Returning undefined when no tokens are specified is the right behavior for the SwapWidget's prefill prop.

72-95: LGTM! SwapWidget integration follows standard patterns.

The widget configuration and event handlers are correctly implemented. The onSuccess and onError callbacks appropriately notify the parent window of swap outcomes.

apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx
Comment on lines +30 to +38
const client = useMemo(
() =>
getConfiguredThirdwebClient({
clientId: NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID,
secretKey: undefined,
teamId: undefined,
}),
[],
);
Copy link
Contributor

@coderabbitai coderabbitai bot Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Critical: Missing validation for required environment variable.

NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID is used without validation at line 33. If this environment variable is undefined, the swap widget will fail to initialize properly, likely resulting in authentication or connection errors that are difficult to debug.

🔎 Recommended validation pattern

Add validation at component initialization:

 export function SwapWidgetEmbed({
   buyChainId,
   buyTokenAddress,
   buyAmount,
   sellChainId,
   sellTokenAddress,
   sellAmount,
   showThirdwebBranding,
   theme,
   currency,
 }: {
   buyChainId?: number;
   buyTokenAddress?: Address;
   buyAmount?: string;
   sellChainId?: number;
   sellTokenAddress?: Address;
   sellAmount?: string;
   showThirdwebBranding?: boolean;
   theme: "light" | "dark";
   currency?: SupportedFiatCurrency;
 }) {
+  if (!NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID) {
+    throw new Error(
+      "NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID environment variable is required"
+    );
+  }
+
   const client = useMemo(
     () =>
       getConfiguredThirdwebClient({
         clientId: NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID,
         secretKey: undefined,
         teamId: undefined,
       }),
     [],
   );

Alternatively, render an error UI similar to the invalid configuration handling in checkout-widget/page.tsx (lines 80-115).

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents 
In @apps/dashboard/src/app/bridge/swap-widget/SwapWidgetEmbed.client.tsx around
lines 30-38, The code calls getConfiguredThirdwebClient with
NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID without validating it; add a check at
component initialization (before useMemo or inside it) to verify
NEXT_PUBLIC_SWAP_IFRAME_CLIENT_ID is defined and non-empty, and if not either
throw a clear error or render an error fallback UI (follow the invalid
configuration handling pattern used in checkout-widget/page.tsx lines ~80-115);
update the useMemo call that creates the client (getConfiguredThirdwebClient) to
only run when the validated clientId exists and include a descriptive log or
error message to aid debugging.

@graphite-app graphite-app bot merged commit 9f265bf into main Jan 5, 2026
25 checks passed
@graphite-app graphite-app bot deleted the mny-344 branch January 5, 2026 20:39
@vercel vercel bot temporarily deployed to Production – nebula January 5, 2026 20:39 Inactive
@vercel vercel bot temporarily deployed to Production – wallet-ui January 5, 2026 20:39 Inactive
@vercel vercel bot temporarily deployed to Production – thirdweb_playground January 5, 2026 20:39 Inactive
@vercel vercel bot temporarily deployed to Production – docs-v2 January 5, 2026 20:39 Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

@MananTank MananTank

Labels

Dashboard Involves changes to the Dashboard.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MananTank