Merge branch 'main' into mathieu/calendar-integration-rebased

CHANGELOG.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## [0.10.0](https://github.com/Monadical-SAS/reflector/compare/v0.9.0...v0.10.0) (2025-09-11)
+
+
+### Features
+
+* replace nextjs-config with environment variables ([#632](https://github.com/Monadical-SAS/reflector/issues/632)) ([369ecdf](https://github.com/Monadical-SAS/reflector/commit/369ecdff13f3862d926a9c0b87df52c9d94c4dde))
+
+
+### Bug Fixes
+
+* anonymous users transcript permissions ([#621](https://github.com/Monadical-SAS/reflector/issues/621)) ([f81fe99](https://github.com/Monadical-SAS/reflector/commit/f81fe9948a9237b3e0001b2d8ca84f54d76878f9))
+* auth post ([#624](https://github.com/Monadical-SAS/reflector/issues/624)) ([cde99ca](https://github.com/Monadical-SAS/reflector/commit/cde99ca2716f84ba26798f289047732f0448742e))
+* auth post ([#626](https://github.com/Monadical-SAS/reflector/issues/626)) ([3b85ff3](https://github.com/Monadical-SAS/reflector/commit/3b85ff3bdf4fb053b103070646811bc990c0e70a))
+* auth post ([#627](https://github.com/Monadical-SAS/reflector/issues/627)) ([962038e](https://github.com/Monadical-SAS/reflector/commit/962038ee3f2a555dc3c03856be0e4409456e0996))
+* missing follow_redirects=True on modal endpoint ([#630](https://github.com/Monadical-SAS/reflector/issues/630)) ([fc363bd](https://github.com/Monadical-SAS/reflector/commit/fc363bd49b17b075e64f9186e5e0185abc325ea7))
+* sync backend and frontend token refresh logic ([#614](https://github.com/Monadical-SAS/reflector/issues/614)) ([5a5b323](https://github.com/Monadical-SAS/reflector/commit/5a5b3233820df9536da75e87ce6184a983d4713a))
+
 ## [0.9.0](https://github.com/Monadical-SAS/reflector/compare/v0.8.2...v0.9.0) (2025-09-06)
 
 

CLAUDE.md

@@ -66,7 +66,6 @@ pnpm install
 
 # Copy configuration templates
 cp .env_template .env
-cp config-template.ts config.ts
 ```
 
 **Development:**

README.md

@@ -99,11 +99,10 @@ Start with `cd www`.
 
 ```bash
 pnpm install
-cp .env_template .env
+cp .env.example .env
-cp config-template.ts config.ts
 ```
 
-Then, fill in the environment variables in `.env` and the configuration in `config.ts` as needed. If you are unsure on how to proceed, ask in Zulip.
+Then, fill in the environment variables in `.env` as needed. If you are unsure on how to proceed, ask in Zulip.
 
 **Run in development mode**
 
@@ -168,3 +167,34 @@ You can manually process an audio file by calling the process tool:
 ```bash
 uv run python -m reflector.tools.process path/to/audio.wav
 ```
+
+
+## Feature Flags
+
+Reflector uses environment variable-based feature flags to control application functionality. These flags allow you to enable or disable features without code changes.
+
+### Available Feature Flags
+
+| Feature Flag | Environment Variable |
+|-------------|---------------------|
+| `requireLogin` | `NEXT_PUBLIC_FEATURE_REQUIRE_LOGIN` |
+| `privacy` | `NEXT_PUBLIC_FEATURE_PRIVACY` |
+| `browse` | `NEXT_PUBLIC_FEATURE_BROWSE` |
+| `sendToZulip` | `NEXT_PUBLIC_FEATURE_SEND_TO_ZULIP` |
+| `rooms` | `NEXT_PUBLIC_FEATURE_ROOMS` |
+
+### Setting Feature Flags
+
+Feature flags are controlled via environment variables using the pattern `NEXT_PUBLIC_FEATURE_{FEATURE_NAME}` where `{FEATURE_NAME}` is the SCREAMING_SNAKE_CASE version of the feature name.
+
+**Examples:**
+```bash
+# Enable user authentication requirement
+NEXT_PUBLIC_FEATURE_REQUIRE_LOGIN=true
+
+# Disable browse functionality
+NEXT_PUBLIC_FEATURE_BROWSE=false
+
+# Enable Zulip integration
+NEXT_PUBLIC_FEATURE_SEND_TO_ZULIP=true
+```

server/migrations/versions/0ce521cda2ee_remove_user_id_from_meeting_table.py

@@ -0,0 +1,36 @@
+"""remove user_id from meeting table
+
+Revision ID: 0ce521cda2ee
+Revises: 6dec9fb5b46c
+Create Date: 2025-09-10 12:40:55.688899
+
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "0ce521cda2ee"
+down_revision: Union[str, None] = "6dec9fb5b46c"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    with op.batch_alter_table("meeting", schema=None) as batch_op:
+        batch_op.drop_column("user_id")
+
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    with op.batch_alter_table("meeting", schema=None) as batch_op:
+        batch_op.add_column(
+            sa.Column("user_id", sa.VARCHAR(), autoincrement=False, nullable=True)
+        )
+
+    # ### end Alembic commands ###

server/migrations/versions/2ae3db106d4e_clean_up_orphaned_room_id_references_in_.py

@@ -0,0 +1,32 @@
+"""clean up orphaned room_id references in meeting table
+
+Revision ID: 2ae3db106d4e
+Revises: def1b5867d4c
+Create Date: 2025-09-11 10:35:15.759967
+
+"""
+
+from typing import Sequence, Union
+
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "2ae3db106d4e"
+down_revision: Union[str, None] = "def1b5867d4c"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # Set room_id to NULL for meetings that reference non-existent rooms
+    op.execute("""
+        UPDATE meeting
+        SET room_id = NULL
+        WHERE room_id IS NOT NULL
+          AND room_id NOT IN (SELECT id FROM room WHERE id IS NOT NULL)
+    """)
+
+
+def downgrade() -> None:
+    # Cannot restore orphaned references - no operation needed
+    pass

server/migrations/versions/6dec9fb5b46c_make_meeting_room_id_required_and_add_.py

@@ -0,0 +1,38 @@
+"""make meeting room_id required and add foreign key
+
+Revision ID: 6dec9fb5b46c
+Revises: 61882a919591
+Create Date: 2025-09-10 10:47:06.006819
+
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "6dec9fb5b46c"
+down_revision: Union[str, None] = "61882a919591"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    with op.batch_alter_table("meeting", schema=None) as batch_op:
+        batch_op.alter_column("room_id", existing_type=sa.VARCHAR(), nullable=False)
+        batch_op.create_foreign_key(
+            None, "room", ["room_id"], ["id"], ondelete="CASCADE"
+        )
+
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    with op.batch_alter_table("meeting", schema=None) as batch_op:
+        batch_op.drop_constraint("meeting_room_id_fkey", type_="foreignkey")
+        batch_op.alter_column("room_id", existing_type=sa.VARCHAR(), nullable=True)
+
+    # ### end Alembic commands ###

server/migrations/versions/def1b5867d4c_make_meeting_room_id_nullable_but_keep_.py

@@ -0,0 +1,34 @@
+"""make meeting room_id nullable but keep foreign key
+
+Revision ID: def1b5867d4c
+Revises: 0ce521cda2ee
+Create Date: 2025-09-11 09:42:18.697264
+
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "def1b5867d4c"
+down_revision: Union[str, None] = "0ce521cda2ee"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    with op.batch_alter_table("meeting", schema=None) as batch_op:
+        batch_op.alter_column("room_id", existing_type=sa.VARCHAR(), nullable=True)
+
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    with op.batch_alter_table("meeting", schema=None) as batch_op:
+        batch_op.alter_column("room_id", existing_type=sa.VARCHAR(), nullable=False)
+
+    # ### end Alembic commands ###

server/reflector/db/meetings.py

@@ -18,8 +18,12 @@ meetings = sa.Table(
     sa.Column("host_room_url", sa.String),
     sa.Column("start_date", sa.DateTime(timezone=True)),
     sa.Column("end_date", sa.DateTime(timezone=True)),
-    sa.Column("user_id", sa.String),
+    sa.Column(
-    sa.Column("room_id", sa.String),
+        "room_id",
+        sa.String,
+        sa.ForeignKey("room.id", ondelete="CASCADE"),
+        nullable=True,
+    ),
     sa.Column("is_locked", sa.Boolean, nullable=False, server_default=sa.false()),
     sa.Column("room_mode", sa.String, nullable=False, server_default="normal"),
     sa.Column("recording_type", sa.String, nullable=False, server_default="cloud"),
@@ -86,8 +90,7 @@ class Meeting(BaseModel):
     host_room_url: str
     start_date: datetime
     end_date: datetime
-    user_id: str | None = None
+    room_id: str | None
-    room_id: str | None = None
     is_locked: bool = False
     room_mode: Literal["normal", "group"] = "normal"
     recording_type: Literal["none", "local", "cloud"] = "cloud"
@@ -109,14 +112,10 @@ class MeetingController:
         host_room_url: str,
         start_date: datetime,
         end_date: datetime,
-        user_id: str,
         room: Room,
         calendar_event_id: str | None = None,
         calendar_metadata: dict[str, Any] | None = None,
     ):
-        """
-        Create a new meeting
-        """
         meeting = Meeting(
             id=id,
             room_name=room_name,
@@ -124,7 +123,6 @@ class MeetingController:
             host_room_url=host_room_url,
             start_date=start_date,
             end_date=end_date,
-            user_id=user_id,
             room_id=room.id,
             is_locked=room.is_locked,
             room_mode=room.room_mode,
@@ -138,9 +136,6 @@ class MeetingController:
         return meeting
 
     async def get_all_active(self) -> list[Meeting]:
-        """
-        Get active meetings.
-        """
         query = meetings.select().where(meetings.c.is_active)
         return await get_database().fetch_all(query)
 
@@ -150,8 +145,9 @@ class MeetingController:
     ) -> Meeting | None:
         """
         Get a meeting by room name.
+        For backward compatibility, returns the most recent meeting.
         """
-        query = meetings.select().where(meetings.c.room_name == room_name)
+        query = meetings.select().where(meetings.c.room_name == room_name).order_by(end_date.desc())
         result = await get_database().fetch_one(query)
         if not result:
             return None
@@ -219,9 +215,6 @@ class MeetingController:
         return Meeting(**result)
 
     async def get_by_id(self, meeting_id: str, **kwargs) -> Meeting | None:
-        """
-        Get a meeting by id
-        """
         query = meetings.select().where(meetings.c.id == meeting_id)
         result = await get_database().fetch_one(query)
         if not result:
@@ -261,7 +254,7 @@ class MeetingConsentController:
         result = await get_database().fetch_one(query)
         if result is None:
             return None
-        return MeetingConsent(**result) if result else None
+        return MeetingConsent(**result)
 
     async def upsert(self, consent: MeetingConsent) -> MeetingConsent:
         if consent.user_id:

server/reflector/settings.py

@@ -1,6 +1,8 @@
 from pydantic.types import PositiveInt
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
+from reflector.utils.string import NonEmptyString
+
 
 class Settings(BaseSettings):
     model_config = SettingsConfigDict(
@@ -120,7 +122,7 @@ class Settings(BaseSettings):
 
     # Whereby integration
     WHEREBY_API_URL: str = "https://api.whereby.dev/v1"
-    WHEREBY_API_KEY: str | None = None
+    WHEREBY_API_KEY: NonEmptyString | None = None
     WHEREBY_WEBHOOK_SECRET: str | None = None
     AWS_WHEREBY_ACCESS_KEY_ID: str | None = None
     AWS_WHEREBY_ACCESS_KEY_SECRET: str | None = None

server/reflector/utils/string.py

@@ -10,8 +10,11 @@ NonEmptyString = Annotated[
 non_empty_string_adapter = TypeAdapter(NonEmptyString)
 
 
-def parse_non_empty_string(s: str) -> NonEmptyString:
+def parse_non_empty_string(s: str, error: str | None = None) -> NonEmptyString:
-    return non_empty_string_adapter.validate_python(s)
+    try:
+        return non_empty_string_adapter.validate_python(s)
+    except Exception as e:
+        raise ValueError(f"{e}: {error}" if error else e) from e
 
 
 def try_parse_non_empty_string(s: str) -> NonEmptyString | None:

server/reflector/views/rooms.py

@@ -261,7 +261,6 @@ async def rooms_create_meeting(
                 host_room_url=whereby_meeting["hostRoomUrl"],
                 start_date=parse_datetime_with_timezone(whereby_meeting["startDate"]),
                 end_date=parse_datetime_with_timezone(whereby_meeting["endDate"]),
-                user_id=user_id,
                 room=room,
             )
         except (asyncpg.exceptions.UniqueViolationError, sqlite3.IntegrityError):

server/reflector/whereby.py

@@ -1,18 +1,60 @@
+import logging
 from datetime import datetime
 
 import httpx
 
 from reflector.db.rooms import Room
 from reflector.settings import settings
+from reflector.utils.string import parse_non_empty_string
+
+logger = logging.getLogger(__name__)
+
+
+def _get_headers():
+    api_key = parse_non_empty_string(
+        settings.WHEREBY_API_KEY, "WHEREBY_API_KEY value is required."
+    )
+    return {
+        "Content-Type": "application/json; charset=utf-8",
+        "Authorization": f"Bearer {api_key}",
+    }
+
 
-HEADERS = {
-    "Content-Type": "application/json; charset=utf-8",
-    "Authorization": f"Bearer {settings.WHEREBY_API_KEY}",
-}
 TIMEOUT = 10  # seconds
 
 
+def _get_whereby_s3_auth():
+    errors = []
+    try:
+        bucket_name = parse_non_empty_string(
+            settings.RECORDING_STORAGE_AWS_BUCKET_NAME,
+            "RECORDING_STORAGE_AWS_BUCKET_NAME value is required.",
+        )
+    except Exception as e:
+        errors.append(e)
+    try:
+        key_id = parse_non_empty_string(
+            settings.AWS_WHEREBY_ACCESS_KEY_ID,
+            "AWS_WHEREBY_ACCESS_KEY_ID value is required.",
+        )
+    except Exception as e:
+        errors.append(e)
+    try:
+        key_secret = parse_non_empty_string(
+            settings.AWS_WHEREBY_ACCESS_KEY_SECRET,
+            "AWS_WHEREBY_ACCESS_KEY_SECRET value is required.",
+        )
+    except Exception as e:
+        errors.append(e)
+    if len(errors) > 0:
+        raise Exception(
+            f"Failed to get Whereby auth settings: {', '.join(str(e) for e in errors)}"
+        )
+    return bucket_name, key_id, key_secret
+
+
 async def create_meeting(room_name_prefix: str, end_date: datetime, room: Room):
+    s3_bucket_name, s3_key_id, s3_key_secret = _get_whereby_s3_auth()
     data = {
         "isLocked": room.is_locked,
         "roomNamePrefix": room_name_prefix,
@@ -23,23 +65,26 @@ async def create_meeting(room_name_prefix: str, end_date: datetime, room: Room):
             "type": room.recording_type,
             "destination": {
                 "provider": "s3",
-                "bucket": settings.RECORDING_STORAGE_AWS_BUCKET_NAME,
+                "bucket": s3_bucket_name,
-                "accessKeyId": settings.AWS_WHEREBY_ACCESS_KEY_ID,
+                "accessKeyId": s3_key_id,
-                "accessKeySecret": settings.AWS_WHEREBY_ACCESS_KEY_SECRET,
+                "accessKeySecret": s3_key_secret,
                 "fileFormat": "mp4",
             },
             "startTrigger": room.recording_trigger,
         },
         "fields": ["hostRoomUrl"],
     }
-
     async with httpx.AsyncClient() as client:
         response = await client.post(
             f"{settings.WHEREBY_API_URL}/meetings",
-            headers=HEADERS,
+            headers=_get_headers(),
             json=data,
             timeout=TIMEOUT,
         )
+        if response.status_code == 403:
+            logger.warning(
+                f"Failed to create meeting: access denied on Whereby: {response.text}"
+            )
         response.raise_for_status()
         return response.json()
 
@@ -48,7 +93,7 @@ async def get_room_sessions(room_name: str):
     async with httpx.AsyncClient() as client:
         response = await client.get(
             f"{settings.WHEREBY_API_URL}/insights/room-sessions?roomName={room_name}",
-            headers=HEADERS,
+            headers=_get_headers(),
             timeout=TIMEOUT,
         )
         response.raise_for_status()

server/tests/test_cleanup.py

@@ -105,7 +105,6 @@ async def test_cleanup_deletes_associated_meeting_and_recording():
             host_room_url="https://example.com/meeting-host",
             start_date=old_date,
             end_date=old_date + timedelta(hours=1),
-            user_id=None,
             room_id=None,
         )
     )
@@ -241,7 +240,6 @@ async def test_meeting_consent_cascade_delete():
             host_room_url="https://example.com/cascade-test-host",
             start_date=datetime.now(timezone.utc),
             end_date=datetime.now(timezone.utc) + timedelta(hours=1),
-            user_id="test-user",
             room_id=None,
         )
     )

www/.env.example

@@ -0,0 +1,34 @@
+# Environment
+ENVIRONMENT=development
+NEXT_PUBLIC_ENV=development
+
+# Site Configuration
+NEXT_PUBLIC_SITE_URL=http://localhost:3000
+
+# Nextauth envs
+# not used in app code but in lib code
+NEXTAUTH_URL=http://localhost:3000
+NEXTAUTH_SECRET=your-nextauth-secret-here
+# / Nextauth envs
+
+# Authentication (Authentik OAuth/OIDC)
+AUTHENTIK_ISSUER=https://authentik.example.com/application/o/reflector
+AUTHENTIK_REFRESH_TOKEN_URL=https://authentik.example.com/application/o/token/
+AUTHENTIK_CLIENT_ID=your-client-id-here
+AUTHENTIK_CLIENT_SECRET=your-client-secret-here
+
+# Feature Flags
+# NEXT_PUBLIC_FEATURE_REQUIRE_LOGIN=true
+# NEXT_PUBLIC_FEATURE_PRIVACY=false
+# NEXT_PUBLIC_FEATURE_BROWSE=true
+# NEXT_PUBLIC_FEATURE_SEND_TO_ZULIP=true
+# NEXT_PUBLIC_FEATURE_ROOMS=true
+
+# API URLs
+NEXT_PUBLIC_API_URL=http://127.0.0.1:1250
+NEXT_PUBLIC_WEBSOCKET_URL=ws://127.0.0.1:1250
+NEXT_PUBLIC_AUTH_CALLBACK_URL=http://localhost:3000/auth-callback
+
+# Sentry
+# SENTRY_DSN=https://your-dsn@sentry.io/project-id
+# SENTRY_IGNORE_API_RESOLUTION_ERROR=1

www/.gitignore

@@ -40,7 +40,6 @@ next-env.d.ts
 # Sentry Auth Token
 .sentryclirc
 
-config.ts
 
 # openapi logs
 openapi-ts-error-*.log

www/app/(app)/layout.tsx

@@ -1,5 +1,5 @@
 import { Container, Flex, Link } from "@chakra-ui/react";
-import { getConfig } from "../lib/edgeConfig";
+import { featureEnabled } from "../lib/features";
 import NextLink from "next/link";
 import Image from "next/image";
 import UserInfo from "../(auth)/userInfo";
@@ -11,8 +11,6 @@ export default async function AppLayout({
 }: {
   children: React.ReactNode;
 }) {
-  const config = await getConfig();
-  const { requireLogin, privacy, browse, rooms } = config.features;
   return (
     <Container
       minW="100vw"
@@ -58,7 +56,7 @@ export default async function AppLayout({
           >
             Create
           </Link>
-          {browse ? (
+          {featureEnabled("browse") ? (
             <>
               &nbsp;·&nbsp;
               <Link href="/browse" as={NextLink} className="font-light px-2">
@@ -68,7 +66,7 @@ export default async function AppLayout({
           ) : (
             <></>
           )}
-          {rooms ? (
+          {featureEnabled("rooms") ? (
             <>
               &nbsp;·&nbsp;
               <Link href="/rooms" as={NextLink} className="font-light px-2">
@@ -78,7 +76,7 @@ export default async function AppLayout({
           ) : (
             <></>
           )}
-          {requireLogin ? (
+          {featureEnabled("requireLogin") ? (
             <>
               &nbsp;·&nbsp;
               <UserInfo />

www/app/(app)/transcripts/[transcriptId]/_components/TopicList.tsx

@@ -3,10 +3,11 @@ import ScrollToBottom from "../../scrollToBottom";
 import { Topic } from "../../webSocketTypes";
 import useParticipants from "../../useParticipants";
 import { Box, Flex, Text, Accordion } from "@chakra-ui/react";
-import { featureEnabled } from "../../../../domainContext";
 import { TopicItem } from "./TopicItem";
 import { TranscriptStatus } from "../../../../lib/transcript";
 
+import { featureEnabled } from "../../../../lib/features";
+
 type TopicListProps = {
   topics: Topic[];
   useActiveTopic: [

www/app/(app)/transcripts/[transcriptId]/correct/page.tsx

@@ -1,5 +1,5 @@
 "use client";
-import { useState } from "react";
+import { useState, use } from "react";
 import TopicHeader from "./topicHeader";
 import TopicWords from "./topicWords";
 import TopicPlayer from "./topicPlayer";
@@ -18,14 +18,16 @@ import { useRouter } from "next/navigation";
 import { Box, Grid } from "@chakra-ui/react";
 
 export type TranscriptCorrect = {
-  params: {
+  params: Promise<{
     transcriptId: string;
-  };
+  }>;
 };
 
-export default function TranscriptCorrect({
+export default function TranscriptCorrect(props: TranscriptCorrect) {
-  params: { transcriptId },
+  const params = use(props.params);
-}: TranscriptCorrect) {
+
+  const { transcriptId } = params;
+
   const updateTranscriptMutation = useTranscriptUpdate();
   const transcript = useTranscriptGet(transcriptId);
   const stateCurrentTopic = useState<GetTranscriptTopic>();

www/app/(app)/transcripts/[transcriptId]/page.tsx

@@ -5,7 +5,7 @@ import useWaveform from "../useWaveform";
 import useMp3 from "../useMp3";
 import { TopicList } from "./_components/TopicList";
 import { Topic } from "../webSocketTypes";
-import React, { useEffect, useState } from "react";
+import React, { useEffect, useState, use } from "react";
 import FinalSummary from "./finalSummary";
 import TranscriptTitle from "../transcriptTitle";
 import Player from "../player";
@@ -15,13 +15,14 @@ import { useTranscriptGet } from "../../../lib/apiHooks";
 import { TranscriptStatus } from "../../../lib/transcript";
 
 type TranscriptDetails = {
-  params: {
+  params: Promise<{
     transcriptId: string;
-  };
+  }>;
 };
 
 export default function TranscriptDetails(details: TranscriptDetails) {
-  const transcriptId = details.params.transcriptId;
+  const params = use(details.params);
+  const transcriptId = params.transcriptId;
   const router = useRouter();
   const statusToRedirect = [
     "idle",
@@ -43,7 +44,7 @@ export default function TranscriptDetails(details: TranscriptDetails) {
 
   useEffect(() => {
     if (waiting) {
-      const newUrl = "/transcripts/" + details.params.transcriptId + "/record";
+      const newUrl = "/transcripts/" + params.transcriptId + "/record";
       // Shallow redirection does not work on NextJS 13
       // https://github.com/vercel/next.js/discussions/48110
       // https://github.com/vercel/next.js/discussions/49540

www/app/(app)/transcripts/[transcriptId]/record/page.tsx

@@ -1,5 +1,5 @@
 "use client";
-import { useEffect, useState } from "react";
+import { useEffect, useState, use } from "react";
 import Recorder from "../../recorder";
 import { TopicList } from "../_components/TopicList";
 import { useWebSockets } from "../../useWebSockets";
@@ -14,19 +14,20 @@ import { useTranscriptGet } from "../../../../lib/apiHooks";
 import { TranscriptStatus } from "../../../../lib/transcript";
 
 type TranscriptDetails = {
-  params: {
+  params: Promise<{
     transcriptId: string;
-  };
+  }>;
 };
 
 const TranscriptRecord = (details: TranscriptDetails) => {
-  const transcript = useTranscriptGet(details.params.transcriptId);
+  const params = use(details.params);
+  const transcript = useTranscriptGet(params.transcriptId);
   const [transcriptStarted, setTranscriptStarted] = useState(false);
   const useActiveTopic = useState<Topic | null>(null);
 
-  const webSockets = useWebSockets(details.params.transcriptId);
+  const webSockets = useWebSockets(params.transcriptId);
 
-  const mp3 = useMp3(details.params.transcriptId, true);
+  const mp3 = useMp3(params.transcriptId, true);
 
   const router = useRouter();
 
@@ -47,7 +48,7 @@ const TranscriptRecord = (details: TranscriptDetails) => {
     if (newStatus && (newStatus == "ended" || newStatus == "error")) {
       console.log(newStatus, "redirecting");
 
-      const newUrl = "/transcripts/" + details.params.transcriptId;
+      const newUrl = "/transcripts/" + params.transcriptId;
       router.replace(newUrl);
     }
   }, [webSockets.status?.value, transcript.data?.status]);
@@ -75,7 +76,7 @@ const TranscriptRecord = (details: TranscriptDetails) => {
         <WaveformLoading />
       ) : (
         // todo: only start recording animation when you get "recorded" status
-        <Recorder transcriptId={details.params.transcriptId} status={status} />
+        <Recorder transcriptId={params.transcriptId} status={status} />
       )}
       <VStack
         align={"left"}
@@ -98,7 +99,7 @@ const TranscriptRecord = (details: TranscriptDetails) => {
               topics={webSockets.topics}
               useActiveTopic={useActiveTopic}
               autoscroll={true}
-              transcriptId={details.params.transcriptId}
+              transcriptId={params.transcriptId}
               status={status}
               currentTranscriptText={webSockets.accumulatedText}
             />

www/app/(app)/transcripts/[transcriptId]/upload/page.tsx

@@ -1,5 +1,5 @@
 "use client";
-import { useEffect, useState } from "react";
+import { useEffect, useState, use } from "react";
 import { useWebSockets } from "../../useWebSockets";
 import { lockWakeState, releaseWakeState } from "../../../../lib/wakeLock";
 import { useRouter } from "next/navigation";
@@ -9,18 +9,19 @@ import FileUploadButton from "../../fileUploadButton";
 import { useTranscriptGet } from "../../../../lib/apiHooks";
 
 type TranscriptUpload = {
-  params: {
+  params: Promise<{
     transcriptId: string;
-  };
+  }>;
 };
 
 const TranscriptUpload = (details: TranscriptUpload) => {
-  const transcript = useTranscriptGet(details.params.transcriptId);
+  const params = use(details.params);
+  const transcript = useTranscriptGet(params.transcriptId);
   const [transcriptStarted, setTranscriptStarted] = useState(false);
 
-  const webSockets = useWebSockets(details.params.transcriptId);
+  const webSockets = useWebSockets(params.transcriptId);
 
-  const mp3 = useMp3(details.params.transcriptId, true);
+  const mp3 = useMp3(params.transcriptId, true);
 
   const router = useRouter();
 
@@ -50,7 +51,7 @@ const TranscriptUpload = (details: TranscriptUpload) => {
     if (newStatus && (newStatus == "ended" || newStatus == "error")) {
       console.log(newStatus, "redirecting");
 
-      const newUrl = "/transcripts/" + details.params.transcriptId;
+      const newUrl = "/transcripts/" + params.transcriptId;
       router.replace(newUrl);
     }
   }, [webSockets.status?.value, transcript.data?.status]);
@@ -84,7 +85,7 @@ const TranscriptUpload = (details: TranscriptUpload) => {
                   Please select the file, supported formats: .mp3, m4a, .wav,
                   .mp4, .mov or .webm
                 </Text>
-                <FileUploadButton transcriptId={details.params.transcriptId} />
+                <FileUploadButton transcriptId={params.transcriptId} />
               </>
             )}
             {status && status == "uploaded" && (

www/app/(app)/transcripts/new/page.tsx

@@ -9,7 +9,6 @@ import { useRouter } from "next/navigation";
 import useCreateTranscript from "../createTranscript";
 import SelectSearch from "react-select-search";
 import { supportedLanguages } from "../../../supportedLanguages";
-import { featureEnabled } from "../../../domainContext";
 import {
   Flex,
   Box,
@@ -21,10 +20,9 @@ import {
   Spacer,
 } from "@chakra-ui/react";
 import { useAuth } from "../../../lib/AuthProvider";
-import type { components } from "../../../reflector-api";
+import { featureEnabled } from "../../../lib/features";
 
 const TranscriptCreate = () => {
-  const isClient = typeof window !== "undefined";
   const router = useRouter();
   const auth = useAuth();
   const isAuthenticated = auth.status === "authenticated";
@@ -176,7 +174,7 @@ const TranscriptCreate = () => {
                     placeholder="Choose your language"
                   />
                 </Box>
-                {isClient && !loading ? (
+                {!loading ? (
                   permissionOk ? (
                     <Spacer />
                   ) : permissionDenied ? (

www/app/(app)/transcripts/shareAndPrivacy.tsx

@@ -1,5 +1,4 @@
 import { useEffect, useState } from "react";
-import { featureEnabled } from "../../domainContext";
 
 import { ShareMode, toShareMode } from "../../lib/shareMode";
 import type { components } from "../../reflector-api";
@@ -24,6 +23,8 @@ import ShareCopy from "./shareCopy";
 import ShareZulip from "./shareZulip";
 import { useAuth } from "../../lib/AuthProvider";
 
+import { featureEnabled } from "../../lib/features";
+
 type ShareAndPrivacyProps = {
   finalSummaryRef: any;
   transcriptResponse: GetTranscript;

www/app/(app)/transcripts/shareLink.tsx

@@ -1,8 +1,9 @@
 import React, { useState, useRef, useEffect, use } from "react";
-import { featureEnabled } from "../../domainContext";
 import { Button, Flex, Input, Text } from "@chakra-ui/react";
 import QRCode from "react-qr-code";
 
+import { featureEnabled } from "../../lib/features";
+
 type ShareLinkProps = {
   transcriptId: string;
 };

www/app/(app)/transcripts/shareZulip.tsx

@@ -1,5 +1,4 @@
 import { useState, useEffect, useMemo } from "react";
-import { featureEnabled } from "../../domainContext";
 import type { components } from "../../reflector-api";
 
 type GetTranscript = components["schemas"]["GetTranscript"];
@@ -25,6 +24,8 @@ import {
   useTranscriptPostToZulip,
 } from "../../lib/apiHooks";
 
+import { featureEnabled } from "../../lib/features";
+
 type ShareZulipProps = {
   transcriptResponse: GetTranscript;
   topicsResponse: GetTranscriptTopic[];

www/app/(app)/transcripts/useMp3.ts

@@ -1,7 +1,7 @@
-import { useContext, useEffect, useState } from "react";
+import { useEffect, useState } from "react";
-import { DomainContext } from "../../domainContext";
 import { useTranscriptGet } from "../../lib/apiHooks";
 import { useAuth } from "../../lib/AuthProvider";
+import { API_URL } from "../../lib/apiClient";
 
 export type Mp3Response = {
   media: HTMLMediaElement | null;
@@ -19,7 +19,6 @@ const useMp3 = (transcriptId: string, waiting?: boolean): Mp3Response => {
     null,
   );
   const [audioDeleted, setAudioDeleted] = useState<boolean | null>(null);
-  const { api_url } = useContext(DomainContext);
   const auth = useAuth();
   const accessTokenInfo =
     auth.status === "authenticated" ? auth.accessToken : null;
@@ -78,7 +77,7 @@ const useMp3 = (transcriptId: string, waiting?: boolean): Mp3Response => {
 
     // Audio is not deleted, proceed to load it
     audioElement = document.createElement("audio");
-    audioElement.src = `${api_url}/v1/transcripts/${transcriptId}/audio/mp3`;
+    audioElement.src = `${API_URL}/v1/transcripts/${transcriptId}/audio/mp3`;
     audioElement.crossOrigin = "anonymous";
     audioElement.preload = "auto";
 
@@ -110,7 +109,7 @@ const useMp3 = (transcriptId: string, waiting?: boolean): Mp3Response => {
         if (handleError) audioElement.removeEventListener("error", handleError);
       }
     };
-  }, [transcriptId, transcript, later, api_url]);
+  }, [transcriptId, transcript, later]);
 
   const getNow = () => {
     setLater(false);

www/app/(app)/transcripts/useWebSockets.ts

@@ -1,13 +1,12 @@
-import { useContext, useEffect, useState } from "react";
+import { useEffect, useState } from "react";
 import { Topic, FinalSummary, Status } from "./webSocketTypes";
 import { useError } from "../../(errors)/errorContext";
-import { DomainContext } from "../../domainContext";
 import type { components } from "../../reflector-api";
 type AudioWaveform = components["schemas"]["AudioWaveform"];
 type GetTranscriptSegmentTopic =
   components["schemas"]["GetTranscriptSegmentTopic"];
 import { useQueryClient } from "@tanstack/react-query";
-import { $api } from "../../lib/apiClient";
+import { $api, WEBSOCKET_URL } from "../../lib/apiClient";
 
 export type UseWebSockets = {
   transcriptTextLive: string;
@@ -37,7 +36,6 @@ export const useWebSockets = (transcriptId: string | null): UseWebSockets => {
   const [status, setStatus] = useState<Status | null>(null);
   const { setError } = useError();
 
-  const { websocket_url: websocketUrl } = useContext(DomainContext);
   const queryClient = useQueryClient();
 
   const [accumulatedText, setAccumulatedText] = useState<string>("");
@@ -328,7 +326,7 @@ export const useWebSockets = (transcriptId: string | null): UseWebSockets => {
 
     if (!transcriptId) return;
 
-    const url = `${websocketUrl}/v1/transcripts/${transcriptId}/events`;
+    const url = `${WEBSOCKET_URL}/v1/transcripts/${transcriptId}/events`;
     let ws = new WebSocket(url);
 
     ws.onopen = () => {
@@ -494,7 +492,7 @@ export const useWebSockets = (transcriptId: string | null): UseWebSockets => {
     return () => {
       ws.close();
     };
-  }, [transcriptId, websocketUrl]);
+  }, [transcriptId]);
 
   return {
     transcriptTextLive,

www/app/[roomName]/page.tsx

@@ -7,6 +7,7 @@ import {
   useState,
   useContext,
   RefObject,
+  use,
 } from "react";
 import {
   Box,
@@ -37,9 +38,9 @@ import { FaBars } from "react-icons/fa6";
 import { useAuth } from "../lib/AuthProvider";
 
 export type RoomDetails = {
-  params: {
+  params: Promise<{
     roomName: string;
-  };
+  }>;
 };
 
 // stages: we focus on the consent, then whereby steals focus, then we focus on the consent again, then return focus to whoever stole it initially
@@ -262,9 +263,11 @@ const useWhereby = () => {
 };
 
 export default function Room(details: RoomDetails) {
+  const params = use(details.params);
   const wherebyLoaded = useWhereby();
   const wherebyRef = useRef<HTMLElement>(null);
-  const roomName = details.params.roomName;
+  const roomName = params.roomName;
+  const meeting = useRoomMeeting(roomName);
   const router = useRouter();
   const auth = useAuth();
   const status = auth.status;

www/app/api/auth/[...nextauth]/route.ts

@@ -1,6 +1,6 @@
 import NextAuth from "next-auth";
 import { authOptions } from "../../../lib/authBackend";
 
-const handler = NextAuth(authOptions);
+const handler = NextAuth(authOptions());
 
 export { handler as GET, handler as POST };

www/app/domainContext.tsx

@@ -1,49 +0,0 @@
-"use client";
-import { createContext, useContext, useEffect, useState } from "react";
-import { DomainConfig } from "./lib/edgeConfig";
-
-type DomainContextType = Omit<DomainConfig, "auth_callback_url">;
-
-export const DomainContext = createContext<DomainContextType>({
-  features: {
-    requireLogin: false,
-    privacy: true,
-    browse: false,
-    sendToZulip: false,
-  },
-  api_url: "",
-  websocket_url: "",
-});
-
-export const DomainContextProvider = ({
-  config,
-  children,
-}: {
-  config: DomainConfig;
-  children: any;
-}) => {
-  const [context, setContext] = useState<DomainContextType>();
-
-  useEffect(() => {
-    if (!config) return;
-    const { auth_callback_url, ...others } = config;
-    setContext(others);
-  }, [config]);
-
-  if (!context) return;
-
-  return (
-    <DomainContext.Provider value={context}>{children}</DomainContext.Provider>
-  );
-};
-
-// Get feature config client-side with
-export const featureEnabled = (
-  featureName: "requireLogin" | "privacy" | "browse" | "sendToZulip",
-) => {
-  const context = useContext(DomainContext);
-
-  return context.features[featureName] as boolean | undefined;
-};
-
-// Get config server-side (out of react) : see lib/edgeConfig.

www/app/layout.tsx

@@ -3,11 +3,10 @@ import { Metadata, Viewport } from "next";
 import { Poppins } from "next/font/google";
 import { ErrorProvider } from "./(errors)/errorContext";
 import ErrorMessage from "./(errors)/errorMessage";
-import { DomainContextProvider } from "./domainContext";
 import { RecordingConsentProvider } from "./recordingConsentContext";
-import { getConfig } from "./lib/edgeConfig";
 import { ErrorBoundary } from "@sentry/nextjs";
 import { Providers } from "./providers";
+import { assertExistsAndNonEmptyString } from "./lib/utils";
 
 const poppins = Poppins({
   subsets: ["latin"],
@@ -22,8 +21,13 @@ export const viewport: Viewport = {
   maximumScale: 1,
 };
 
+const NEXT_PUBLIC_SITE_URL = assertExistsAndNonEmptyString(
+  process.env.NEXT_PUBLIC_SITE_URL,
+  "NEXT_PUBLIC_SITE_URL required",
+);
+
 export const metadata: Metadata = {
-  metadataBase: new URL(process.env.NEXT_PUBLIC_SITE_URL!),
+  metadataBase: new URL(NEXT_PUBLIC_SITE_URL),
   title: {
     template: "%s – Reflector",
     default: "Reflector - AI-Powered Meeting Transcriptions by Monadical",
@@ -68,21 +72,17 @@ export default async function RootLayout({
 }: {
   children: React.ReactNode;
 }) {
-  const config = await getConfig();
-
   return (
     <html lang="en" className={poppins.className} suppressHydrationWarning>
       <body className={"h-[100svh] w-[100svw] overflow-x-hidden relative"}>
-        <DomainContextProvider config={config}>
+        <RecordingConsentProvider>
-          <RecordingConsentProvider>
+          <ErrorBoundary fallback={<p>"something went really wrong"</p>}>
-            <ErrorBoundary fallback={<p>"something went really wrong"</p>}>
+            <ErrorProvider>
-              <ErrorProvider>
+              <ErrorMessage />
-                <ErrorMessage />
+              <Providers>{children}</Providers>
-                <Providers>{children}</Providers>
+            </ErrorProvider>
-              </ErrorProvider>
+          </ErrorBoundary>
-            </ErrorBoundary>
+        </RecordingConsentProvider>
-          </RecordingConsentProvider>
-        </DomainContextProvider>
       </body>
     </html>
   );

www/app/lib/AuthProvider.tsx

@@ -9,6 +9,7 @@ import { Session } from "next-auth";
 import { SessionAutoRefresh } from "./SessionAutoRefresh";
 import { REFRESH_ACCESS_TOKEN_ERROR } from "./auth";
 import { assertExists } from "./utils";
+import { featureEnabled } from "./features";
 
 type AuthContextType = (
   | { status: "loading" }
@@ -27,65 +28,83 @@ type AuthContextType = (
 };
 
 const AuthContext = createContext<AuthContextType | undefined>(undefined);
+const isAuthEnabled = featureEnabled("requireLogin");
+
+const noopAuthContext: AuthContextType = {
+  status: "unauthenticated",
+  update: async () => {
+    return null;
+  },
+  signIn: async () => {
+    throw new Error("signIn not supposed to be called");
+  },
+  signOut: async () => {
+    throw new Error("signOut not supposed to be called");
+  },
+};
 
 export function AuthProvider({ children }: { children: React.ReactNode }) {
   const { data: session, status, update } = useNextAuthSession();
-  const customSession = session ? assertCustomSession(session) : null;
 
-  const contextValue: AuthContextType = {
+  const contextValue: AuthContextType = isAuthEnabled
-    ...(() => {
+    ? {
-      switch (status) {
+        ...(() => {
-        case "loading": {
+          switch (status) {
-          const sessionIsHere = !!customSession;
+            case "loading": {
-          switch (sessionIsHere) {
+              const sessionIsHere = !!session;
-            case false: {
+              // actually exists sometimes; nextAuth types are something else
-              return { status };
+              switch (sessionIsHere as boolean) {
+                case false: {
+                  return { status };
+                }
+                case true: {
+                  return {
+                    status: "refreshing" as const,
+                    user: assertCustomSession(
+                      assertExists(session as unknown as Session),
+                    ).user,
+                  };
+                }
+                default: {
+                  throw new Error("unreachable");
+                }
+              }
             }
-            case true: {
+            case "authenticated": {
-              return {
+              const customSession = assertCustomSession(session);
-                status: "refreshing" as const,
+              if (customSession?.error === REFRESH_ACCESS_TOKEN_ERROR) {
-                user: assertExists(customSession).user,
+                // token had expired but next auth still returns "authenticated" so show user unauthenticated state
-              };
+                return {
+                  status: "unauthenticated" as const,
+                };
+              } else if (customSession?.accessToken) {
+                return {
+                  status,
+                  accessToken: customSession.accessToken,
+                  accessTokenExpires: customSession.accessTokenExpires,
+                  user: customSession.user,
+                };
+              } else {
+                console.warn(
+                  "illegal state: authenticated but have no session/or access token. ignoring",
+                );
+                return { status: "unauthenticated" as const };
+              }
+            }
+            case "unauthenticated": {
+              return { status: "unauthenticated" as const };
             }
             default: {
-              const _: never = sessionIsHere;
+              const _: never = status;
               throw new Error("unreachable");
             }
           }
-        }
+        })(),
-        case "authenticated": {
+        update,
-          if (customSession?.error === REFRESH_ACCESS_TOKEN_ERROR) {
+        signIn,
-            // token had expired but next auth still returns "authenticated" so show user unauthenticated state
+        signOut,
-            return {
-              status: "unauthenticated" as const,
-            };
-          } else if (customSession?.accessToken) {
-            return {
-              status,
-              accessToken: customSession.accessToken,
-              accessTokenExpires: customSession.accessTokenExpires,
-              user: customSession.user,
-            };
-          } else {
-            console.warn(
-              "illegal state: authenticated but have no session/or access token. ignoring",
-            );
-            return { status: "unauthenticated" as const };
-          }
-        }
-        case "unauthenticated": {
-          return { status: "unauthenticated" as const };
-        }
-        default: {
-          const _: never = status;
-          throw new Error("unreachable");
-        }
       }
-    })(),
+    : noopAuthContext;
-    update,
-    signIn,
-    signOut,
-  };
 
   // not useEffect, we need it ASAP
   // apparently, still no guarantee this code runs before mutations are fired

www/app/lib/apiClient.tsx

@@ -6,10 +6,17 @@ import createFetchClient from "openapi-react-query";
 import { assertExistsAndNonEmptyString } from "./utils";
 import { isBuildPhase } from "./next";
 
-const API_URL = !isBuildPhase
+export const API_URL = !isBuildPhase
-  ? assertExistsAndNonEmptyString(process.env.NEXT_PUBLIC_API_URL)
+  ? assertExistsAndNonEmptyString(
+      process.env.NEXT_PUBLIC_API_URL,
+      "NEXT_PUBLIC_API_URL required",
+    )
   : "http://localhost";
 
+// TODO decide strict validation or not
+export const WEBSOCKET_URL =
+  process.env.NEXT_PUBLIC_WEBSOCKET_URL || "ws://127.0.0.1:1250";
+
 export const client = createClient<paths>({
   baseUrl: API_URL,
 });

www/app/lib/array.ts

@@ -0,0 +1,12 @@
+export type NonEmptyArray<T> = [T, ...T[]];
+export const isNonEmptyArray = <T>(arr: T[]): arr is NonEmptyArray<T> =>
+  arr.length > 0;
+export const assertNonEmptyArray = <T>(
+  arr: T[],
+  err?: string,
+): NonEmptyArray<T> => {
+  if (isNonEmptyArray(arr)) {
+    return arr;
+  }
+  throw new Error(err ?? "Expected non-empty array");
+};

www/app/lib/auth.ts

@@ -1,3 +1,5 @@
+import { assertExistsAndNonEmptyString } from "./utils";
+
 export const REFRESH_ACCESS_TOKEN_ERROR = "RefreshAccessTokenError" as const;
 // 4 min is 1 min less than default authentic value. here we assume that authentic won't be set to access tokens < 4 min
 export const REFRESH_ACCESS_TOKEN_BEFORE = 4 * 60 * 1000;

www/app/lib/authBackend.ts

@@ -19,102 +19,126 @@ import {
 } from "./redisTokenCache";
 import { tokenCacheRedis, redlock } from "./redisClient";
 import { isBuildPhase } from "./next";
+import { sequenceThrows } from "./errorUtils";
+import { featureEnabled } from "./features";
 
 const TOKEN_CACHE_TTL = REFRESH_ACCESS_TOKEN_BEFORE;
-const CLIENT_ID = !isBuildPhase
+const getAuthentikClientId = () =>
-  ? assertExistsAndNonEmptyString(process.env.AUTHENTIK_CLIENT_ID)
+  assertExistsAndNonEmptyString(
-  : "noop";
+    process.env.AUTHENTIK_CLIENT_ID,
-const CLIENT_SECRET = !isBuildPhase
+    "AUTHENTIK_CLIENT_ID required",
-  ? assertExistsAndNonEmptyString(process.env.AUTHENTIK_CLIENT_SECRET)
+  );
-  : "noop";
+const getAuthentikClientSecret = () =>
+  assertExistsAndNonEmptyString(
+    process.env.AUTHENTIK_CLIENT_SECRET,
+    "AUTHENTIK_CLIENT_SECRET required",
+  );
+const getAuthentikRefreshTokenUrl = () =>
+  assertExistsAndNonEmptyString(
+    process.env.AUTHENTIK_REFRESH_TOKEN_URL,
+    "AUTHENTIK_REFRESH_TOKEN_URL required",
+  );
 
-export const authOptions: AuthOptions = {
+export const authOptions = (): AuthOptions =>
-  providers: [
+  featureEnabled("requireLogin")
-    AuthentikProvider({
+    ? {
-      clientId: CLIENT_ID,
+        providers: [
-      clientSecret: CLIENT_SECRET,
+          AuthentikProvider({
-      issuer: process.env.AUTHENTIK_ISSUER,
+            ...(() => {
-      authorization: {
+              const [clientId, clientSecret] = sequenceThrows(
-        params: {
+                getAuthentikClientId,
-          scope: "openid email profile offline_access",
+                getAuthentikClientSecret,
+              );
+              return {
+                clientId,
+                clientSecret,
+              };
+            })(),
+            issuer: process.env.AUTHENTIK_ISSUER,
+            authorization: {
+              params: {
+                scope: "openid email profile offline_access",
+              },
+            },
+          }),
+        ],
+        session: {
+          strategy: "jwt",
         },
-      },
+        callbacks: {
-    }),
+          async jwt({ token, account, user }) {
-  ],
+            if (account && !account.access_token) {
-  session: {
+              await deleteTokenCache(tokenCacheRedis, `token:${token.sub}`);
-    strategy: "jwt",
+            }
-  },
-  callbacks: {
-    async jwt({ token, account, user }) {
-      if (account && !account.access_token) {
-        await deleteTokenCache(tokenCacheRedis, `token:${token.sub}`);
-      }
 
-      if (account && user) {
+            if (account && user) {
-        // called only on first login
+              // called only on first login
-        // XXX account.expires_in used in example is not defined for authentik backend, but expires_at is
+              // XXX account.expires_in used in example is not defined for authentik backend, but expires_at is
-        if (account.access_token) {
+              if (account.access_token) {
-          const expiresAtS = assertExists(account.expires_at);
+                const expiresAtS = assertExists(account.expires_at);
-          const expiresAtMs = expiresAtS * 1000;
+                const expiresAtMs = expiresAtS * 1000;
-          const jwtToken: JWTWithAccessToken = {
+                const jwtToken: JWTWithAccessToken = {
-            ...token,
+                  ...token,
-            accessToken: account.access_token,
+                  accessToken: account.access_token,
-            accessTokenExpires: expiresAtMs,
+                  accessTokenExpires: expiresAtMs,
-            refreshToken: account.refresh_token,
+                  refreshToken: account.refresh_token,
-          };
+                };
-          if (jwtToken.error) {
+                if (jwtToken.error) {
-            await deleteTokenCache(tokenCacheRedis, `token:${token.sub}`);
+                  await deleteTokenCache(tokenCacheRedis, `token:${token.sub}`);
-          } else {
+                } else {
-            assertNotExists(
+                  assertNotExists(
-              jwtToken.error,
+                    jwtToken.error,
-              `panic! trying to cache token with error in jwt: ${jwtToken.error}`,
+                    `panic! trying to cache token with error in jwt: ${jwtToken.error}`,
+                  );
+                  await setTokenCache(tokenCacheRedis, `token:${token.sub}`, {
+                    token: jwtToken,
+                    timestamp: Date.now(),
+                  });
+                  return jwtToken;
+                }
+              }
+            }
+
+            const currentToken = await getTokenCache(
+              tokenCacheRedis,
+              `token:${token.sub}`,
             );
-            await setTokenCache(tokenCacheRedis, `token:${token.sub}`, {
+            console.debug(
-              token: jwtToken,
+              "currentToken from cache",
-              timestamp: Date.now(),
+              JSON.stringify(currentToken, null, 2),
-            });
+              "will be returned?",
-            return jwtToken;
+              currentToken &&
-          }
+                !shouldRefreshToken(currentToken.token.accessTokenExpires),
-        }
+            );
-      }
+            if (
+              currentToken &&
+              !shouldRefreshToken(currentToken.token.accessTokenExpires)
+            ) {
+              return currentToken.token;
+            }
 
-      const currentToken = await getTokenCache(
+            // access token has expired, try to update it
-        tokenCacheRedis,
+            return await lockedRefreshAccessToken(token);
-        `token:${token.sub}`,
+          },
-      );
+          async session({ session, token }) {
-      console.debug(
+            const extendedToken = token as JWTWithAccessToken;
-        "currentToken from cache",
+            return {
-        JSON.stringify(currentToken, null, 2),
+              ...session,
-        "will be returned?",
+              accessToken: extendedToken.accessToken,
-        currentToken &&
+              accessTokenExpires: extendedToken.accessTokenExpires,
-          !shouldRefreshToken(currentToken.token.accessTokenExpires),
+              error: extendedToken.error,
-      );
+              user: {
-      if (
+                id: assertExists(extendedToken.sub),
-        currentToken &&
+                name: extendedToken.name,
-        !shouldRefreshToken(currentToken.token.accessTokenExpires)
+                email: extendedToken.email,
-      ) {
+              },
-        return currentToken.token;
+            } satisfies CustomSession;
-      }
+          },
-
-      // access token has expired, try to update it
-      return await lockedRefreshAccessToken(token);
-    },
-    async session({ session, token }) {
-      const extendedToken = token as JWTWithAccessToken;
-      return {
-        ...session,
-        accessToken: extendedToken.accessToken,
-        accessTokenExpires: extendedToken.accessTokenExpires,
-        error: extendedToken.error,
-        user: {
-          id: assertExists(extendedToken.sub),
-          name: extendedToken.name,
-          email: extendedToken.email,
         },
-      } satisfies CustomSession;
+      }
-    },
+    : {
-  },
+        providers: [],
-};
+      };
 
 async function lockedRefreshAccessToken(
   token: JWT,
@@ -174,16 +198,19 @@ async function lockedRefreshAccessToken(
 }
 
 async function refreshAccessToken(token: JWT): Promise<JWTWithAccessToken> {
+  const [url, clientId, clientSecret] = sequenceThrows(
+    getAuthentikRefreshTokenUrl,
+    getAuthentikClientId,
+    getAuthentikClientSecret,
+  );
   try {
-    const url = `${process.env.AUTHENTIK_REFRESH_TOKEN_URL}`;
-
     const options = {
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",
       },
       body: new URLSearchParams({
-        client_id: process.env.AUTHENTIK_CLIENT_ID as string,
+        client_id: clientId,
-        client_secret: process.env.AUTHENTIK_CLIENT_SECRET as string,
+        client_secret: clientSecret,
         grant_type: "refresh_token",
         refresh_token: token.refreshToken as string,
       }).toString(),

www/app/lib/edgeConfig.ts

@@ -1,54 +0,0 @@
-import { get } from "@vercel/edge-config";
-import { isBuildPhase } from "./next";
-
-type EdgeConfig = {
-  [domainWithDash: string]: {
-    features: {
-      [featureName in
-        | "requireLogin"
-        | "privacy"
-        | "browse"
-        | "sendToZulip"]: boolean;
-    };
-    auth_callback_url: string;
-    websocket_url: string;
-    api_url: string;
-  };
-};
-
-export type DomainConfig = EdgeConfig["domainWithDash"];
-
-// Edge config main keys can only be alphanumeric and _ or -
-export function edgeKeyToDomain(key: string) {
-  return key.replaceAll("_", ".");
-}
-
-export function edgeDomainToKey(domain: string) {
-  return domain.replaceAll(".", "_");
-}
-
-// get edge config server-side (prefer DomainContext when available), domain is the hostname
-export async function getConfig() {
-  if (process.env.NEXT_PUBLIC_ENV === "development") {
-    try {
-      return require("../../config").localConfig;
-    } catch (e) {
-      // next build() WILL try to execute the require above even if conditionally protected
-      // but thank god it at least runs catch{} block properly
-      if (!isBuildPhase) throw new Error(e);
-      return require("../../config-template").localConfig;
-    }
-  }
-
-  const domain = new URL(process.env.NEXT_PUBLIC_SITE_URL!).hostname;
-  let config = await get(edgeDomainToKey(domain));
-
-  if (typeof config !== "object") {
-    console.warn("No config for this domain, falling back to default");
-    config = await get(edgeDomainToKey("default"));
-  }
-
-  if (typeof config !== "object") throw Error("Error fetching config");
-
-  return config as DomainConfig;
-}

www/app/lib/errorUtils.ts

@@ -1,4 +1,6 @@
-function shouldShowError(error: Error | null | undefined) {
+import { isNonEmptyArray, NonEmptyArray } from "./array";
+
+export function shouldShowError(error: Error | null | undefined) {
   if (
     error?.name == "ResponseError" &&
     (error["response"].status == 404 || error["response"].status == 403)
@@ -8,4 +10,40 @@ function shouldShowError(error: Error | null | undefined) {
   return true;
 }
 
-export { shouldShowError };
+const defaultMergeErrors = (ex: NonEmptyArray<unknown>): unknown => {
+  try {
+    return new Error(
+      ex
+        .map((e) =>
+          e ? (e.toString ? e.toString() : JSON.stringify(e)) : `${e}`,
+        )
+        .join("\n"),
+    );
+  } catch (e) {
+    console.error("Error merging errors:", e);
+    return ex[0];
+  }
+};
+
+type ReturnTypes<T extends readonly (() => any)[]> = {
+  [K in keyof T]: T[K] extends () => infer R ? R : never;
+};
+
+// sequence semantic for "throws"
+// calls functions passed and collects its thrown values
+export function sequenceThrows<Fns extends readonly (() => any)[]>(
+  ...fs: Fns
+): ReturnTypes<Fns> {
+  const results: unknown[] = [];
+  const errors: unknown[] = [];
+
+  for (const f of fs) {
+    try {
+      results.push(f());
+    } catch (e) {
+      errors.push(e);
+    }
+  }
+  if (errors.length) throw defaultMergeErrors(errors as NonEmptyArray<unknown>);
+  return results as ReturnTypes<Fns>;
+}

www/app/lib/features.ts

@@ -0,0 +1,55 @@
+export const FEATURES = [
+  "requireLogin",
+  "privacy",
+  "browse",
+  "sendToZulip",
+  "rooms",
+] as const;
+
+export type FeatureName = (typeof FEATURES)[number];
+
+export type Features = Readonly<Record<FeatureName, boolean>>;
+
+export const DEFAULT_FEATURES: Features = {
+  requireLogin: true,
+  privacy: true,
+  browse: true,
+  sendToZulip: true,
+  rooms: true,
+} as const;
+
+function parseBooleanEnv(
+  value: string | undefined,
+  defaultValue: boolean = false,
+): boolean {
+  if (!value) return defaultValue;
+  return value.toLowerCase() === "true";
+}
+
+// WARNING: keep process.env.* as-is, next.js won't see them if you generate dynamically
+const features: Features = {
+  requireLogin: parseBooleanEnv(
+    process.env.NEXT_PUBLIC_FEATURE_REQUIRE_LOGIN,
+    DEFAULT_FEATURES.requireLogin,
+  ),
+  privacy: parseBooleanEnv(
+    process.env.NEXT_PUBLIC_FEATURE_PRIVACY,
+    DEFAULT_FEATURES.privacy,
+  ),
+  browse: parseBooleanEnv(
+    process.env.NEXT_PUBLIC_FEATURE_BROWSE,
+    DEFAULT_FEATURES.browse,
+  ),
+  sendToZulip: parseBooleanEnv(
+    process.env.NEXT_PUBLIC_FEATURE_SEND_TO_ZULIP,
+    DEFAULT_FEATURES.sendToZulip,
+  ),
+  rooms: parseBooleanEnv(
+    process.env.NEXT_PUBLIC_FEATURE_ROOMS,
+    DEFAULT_FEATURES.rooms,
+  ),
+};
+
+export const featureEnabled = (featureName: FeatureName): boolean => {
+  return features[featureName];
+};

www/app/lib/types.ts

@@ -72,3 +72,7 @@ export const assertCustomSession = <S extends Session>(s: S): CustomSession => {
   // no other checks for now
   return r as CustomSession;
 };
+
+export type Mutable<T> = {
+  -readonly [P in keyof T]: T[P];
+};

www/app/lib/utils.ts

@@ -171,5 +171,6 @@ export const assertNotExists = <T>(
 
 export const assertExistsAndNonEmptyString = (
   value: string | null | undefined,
+  err?: string,
 ): NonEmptyString =>
-  parseNonEmptyString(assertExists(value, "Expected non-empty string"));
+  parseNonEmptyString(assertExists(value, err || "Expected non-empty string"));

www/app/providers.tsx

@@ -2,8 +2,8 @@
 
 import { ChakraProvider } from "@chakra-ui/react";
 import system from "./styles/theme";
+import dynamic from "next/dynamic";
 
-import { WherebyProvider } from "@whereby.com/browser-sdk/react";
 import { Toaster } from "./components/ui/toaster";
 import { NuqsAdapter } from "nuqs/adapters/next/app";
 import { QueryClientProvider } from "@tanstack/react-query";
@@ -11,6 +11,14 @@ import { queryClient } from "./lib/queryClient";
 import { AuthProvider } from "./lib/AuthProvider";
 import { SessionProvider as SessionProviderNextAuth } from "next-auth/react";
 
+const WherebyProvider = dynamic(
+  () =>
+    import("@whereby.com/browser-sdk/react").then((mod) => ({
+      default: mod.WherebyProvider,
+    })),
+  { ssr: false },
+);
+
 export function Providers({ children }: { children: React.ReactNode }) {
   return (
     <NuqsAdapter>

www/app/webinars/[title]/page.tsx

@@ -1,5 +1,5 @@
 "use client";
-import { useEffect, useState } from "react";
+import { useEffect, useState, use } from "react";
 import Link from "next/link";
 import Image from "next/image";
 import { notFound } from "next/navigation";
@@ -30,9 +30,9 @@ const FORM_FIELDS = {
 };
 
 export type WebinarDetails = {
-  params: {
+  params: Promise<{
     title: string;
-  };
+  }>;
 };
 
 export type Webinar = {
@@ -63,7 +63,8 @@ const WEBINARS: Webinar[] = [
 ];
 
 export default function WebinarPage(details: WebinarDetails) {
-  const title = details.params.title;
+  const params = use(details.params);
+  const title = params.title;
   const webinar = WEBINARS.find((webinar) => webinar.title === title);
   if (!webinar) {
     return notFound();

www/config-template.ts

@@ -1,13 +0,0 @@
-export const localConfig = {
-  features: {
-    requireLogin: true,
-    privacy: true,
-    browse: true,
-    sendToZulip: true,
-    rooms: true,
-  },
-  api_url: "http://127.0.0.1:1250",
-  websocket_url: "ws://127.0.0.1:1250",
-  auth_callback_url: "http://localhost:3000/auth-callback",
-  zulip_streams: "", // Find the value on zulip
-};

www/instrumentation-client.ts

@@ -23,3 +23,5 @@ if (SENTRY_DSN) {
     replaysSessionSampleRate: 0.0,
   });
 }
+
+export const onRouterTransitionStart = Sentry.captureRouterTransitionStart;

www/instrumentation.ts

@@ -0,0 +1,9 @@
+export async function register() {
+  if (process.env.NEXT_RUNTIME === "nodejs") {
+    await import("./sentry.server.config");
+  }
+
+  if (process.env.NEXT_RUNTIME === "edge") {
+    await import("./sentry.edge.config");
+  }
+}

www/middleware.ts

@@ -1,5 +1,5 @@
 import { withAuth } from "next-auth/middleware";
-import { getConfig } from "./app/lib/edgeConfig";
+import { featureEnabled } from "./app/lib/features";
 import { NextResponse } from "next/server";
 import { PROTECTED_PAGES } from "./app/lib/auth";
 
@@ -19,13 +19,12 @@ export const config = {
 
 export default withAuth(
   async function middleware(request) {
-    const config = await getConfig();
     const pathname = request.nextUrl.pathname;
 
     // feature-flags protected paths
     if (
-      (!config.features.browse && pathname.startsWith("/browse")) ||
+      (!featureEnabled("browse") && pathname.startsWith("/browse")) ||
-      (!config.features.rooms && pathname.startsWith("/rooms"))
+      (!featureEnabled("rooms") && pathname.startsWith("/rooms"))
     ) {
       return NextResponse.redirect(request.nextUrl.origin);
     }
@@ -33,10 +32,8 @@ export default withAuth(
   {
     callbacks: {
       async authorized({ req, token }) {
-        const config = await getConfig();
-
         if (
-          config.features.requireLogin &&
+          featureEnabled("requireLogin") &&
           PROTECTED_PAGES.test(req.nextUrl.pathname)
         ) {
           return !!token;

www/next.config.js

@@ -1,7 +1,6 @@
 /** @type {import('next').NextConfig} */
 const nextConfig = {
   output: "standalone",
-  experimental: { esmExternals: "loose" },
   env: {
     IS_CI: process.env.IS_CI,
   },

www/package.json

@@ -17,20 +17,19 @@
     "@fortawesome/fontawesome-svg-core": "^6.4.0",
     "@fortawesome/free-solid-svg-icons": "^6.4.0",
     "@fortawesome/react-fontawesome": "^0.2.0",
-    "@sentry/nextjs": "^7.77.0",
+    "@sentry/nextjs": "^10.11.0",
     "@tanstack/react-query": "^5.85.9",
     "@types/ioredis": "^5.0.0",
-    "@vercel/edge-config": "^0.4.1",
     "@whereby.com/browser-sdk": "^3.3.4",
     "autoprefixer": "10.4.20",
     "axios": "^1.8.2",
     "eslint": "^9.33.0",
-    "eslint-config-next": "^14.2.31",
+    "eslint-config-next": "^15.5.3",
     "fontawesome": "^5.6.3",
     "ioredis": "^5.7.0",
     "jest-worker": "^29.6.2",
     "lucide-react": "^0.525.0",
-    "next": "^14.2.30",
+    "next": "^15.5.3",
     "next-auth": "^4.24.7",
     "next-themes": "^0.4.6",
     "nuqs": "^2.4.3",
@@ -63,8 +62,7 @@
     "jest": "^30.1.3",
     "openapi-typescript": "^7.9.1",
     "prettier": "^3.0.0",
-    "ts-jest": "^29.4.1",
+    "ts-jest": "^29.4.1"
-    "vercel": "^37.3.0"
   },
   "packageManager": "pnpm@10.14.0+sha512.ad27a79641b49c3e481a16a805baa71817a04bbe06a38d17e60e2eaee83f6a146c6a688125f5792e48dd5ba30e7da52a5cda4c3992b9ccf333f9ce223af84748"
 }