feat(settings): add developer toggle for useLatestURL cookie

[mathiiiiiis]

What does this PR do?

• Adds a developer toggle to manage the useLatestURL cookie state
• Configures the cookie to apply to the root .nerimity.com domain so that the desktop and mobile clients can correctly read it regardless of current subdomain
• Added new localization keys (settings.developer.useLatestUrl and settings.developer.useLatestUrlDescription) for the new settings block

Screenshots

Did you test your code?

• Toggled switch and verified via browser DevTools that the useLatestURL cookie correctly updates to true or false
• Confirmed cookie applies the domain=.nerimity.com parameter and a valid max-age
• Verified desktop app properly reads newly set cookie and changes its startup routing logic

Additional context

• This PR only handles the frontend UI and cookie assignment.
• Important: This feature relies on paired updates in the nerimity-desktop- and NerimityReactNative-Repository

Checklist

• Changes are clear, concise, and easy to review
• Code has been tested and works as intended
• Text/content changes support internationalization (i18n)
• Any new user-facing strings are properly localized

Side note

This is a draft PR, because I'm still working on the Mobile Implementation for this feature.
The updated code for the desktop App can be found here: https://github.com/mathiiiiiis/nerimity-desktop
(I'm going to open a PR for the mobile and desktop app at the same time)

I opened both PR's for Mobile and Desktop App:
Nerimity/NerimityReactNative#4
Nerimity/nerimity-desktop#28

Summary by CodeRabbit

• New Features

  • Added a configurable "Use Latest URL" toggle in Developer Settings. The toggle is interactive in the UI and preference persists across sessions (stored in a cookie) and is loaded on startup.

• Localization

  • Added localized strings for the toggle label, description, and a warning to support display in the UI.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a storage key USE_LATEST_URL, a developer-settings toggle backed by a cookie (with conditional domain for nerimity.com) and signal state, and three English locale strings for the new UI label, description, and warning.

Changes

Cohort / File(s)	Summary
Storage Configuration src/common/localStorage.ts	Added USE_LATEST_URL entry ("useLatestURL") to StorageKeys.
Developer Settings UI src/components/settings/developer/DeveloperSettings.tsx	Imported createSignal, added useLatest state and getInitialCookieValue(), added handleToggleCookie() to update state and write useLatestURL cookie (sets domain when hostname includes nerimity.com), and added a SettingsBlock with a Checkbox bound to useLatest.
Localization src/locales/list/en-gb.json	Added three keys under developer: useLatestUrl, useLatestUrlDescription, and useLatestUrlWarning.

Sequence Diagram(s)

sequenceDiagram
  participant User as User
  participant UI as DeveloperSettings
  participant State as Signal(useLatest)
  participant Cookie as BrowserCookie

  User->>UI: toggle "Use Latest URL"
  UI->>State: set useLatest value
  UI->>Cookie: write `useLatestURL` cookie (add domain if hostname includes nerimity.com)
  Cookie-->>UI: cookie stored
  UI->>UI: re-render SettingsBlock with updated state

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hop and toggle, seed a tiny clue,
A cookie tucked to bring the latest view,
One key, three phrases, a gentle cheer,
Dev settings hum — the path is clear! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding a developer toggle for the useLatestURL cookie in settings.
Description check	✅ Passed	The description covers all required template sections including what the PR does, screenshots, testing details, additional context, and a completed checklist.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/components/settings/developer/DeveloperSettings.tsx`:
- Around line 55-60: The checkbox in DeveloperSettings (the input using
checked={useLatest()} and onChange={handleToggleCookie}) lacks an accessible
name; update the markup to provide one by either adding a descriptive id to the
input and a corresponding <label htmlFor="..."> (e.g., “Use latest build” or
similar) or by adding an explicit aria-label/aria-labelledby attribute on the
input that describes its purpose, and ensure the label text matches the meaning
used in handleToggleCookie/useLatest for clarity.
- Around line 32-33: The hostname check in DeveloperSettings.tsx uses
window.location.hostname.includes("nerimity.com") which can match unintended
hosts; replace this with a strict match against the root domain and allowed
subdomains (e.g., compare hostname === "nerimity.com" or
endsWith(".nerimity.com") with a guard that ensures a dot before the suffix)
when computing the domain variable used in document.cookie assignment for
useLatestURL, so only exact root or valid subdomains set domain=.nerimity.com;
keep the rest of the cookie string (path, max-age) unchanged and update the
domain variable logic accordingly.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6e03078 and 6c987ec.

📒 Files selected for processing (3)

• src/common/localStorage.ts
• src/components/settings/developer/DeveloperSettings.tsx
• src/locales/list/en-gb.json

[SupertigerDev]

You should probably update the message to let people know that they shouldn't use latest because it can be buggy

[mathiiiiiis]

I added the warning

[coderabbitai]

♻️ Duplicate comments (1)

src/components/settings/developer/DeveloperSettings.tsx (1)

32-33: ⚠️ Potential issue | 🟡 Minor

Use strict domain matching before setting domain=.nerimity.com.

Line 32 uses includes("nerimity.com"), which can match unintended hostnames and make cookie behavior fragile. Use exact root/subdomain matching.

Suggested fix

-    const domain = window.location.hostname.includes("nerimity.com") ? "domain=.nerimity.com;" : "";
+    const hostname = window.location.hostname;
+    const isNerimityDomain =
+      hostname === "nerimity.com" || hostname.endsWith(".nerimity.com");
+    const domain = isNerimityDomain ? "domain=.nerimity.com;" : "";

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/settings/developer/DeveloperSettings.tsx` around lines 32 -
33, The hostname check is too permissive: replace the includes("nerimity.com")
logic used to build the domain string (the const domain and subsequent
document.cookie assignment in DeveloperSettings.tsx) with a strict match such as
hostname === "nerimity.com" || hostname.endsWith(".nerimity.com") so only the
root domain and its subdomains set domain=.nerimity.com; keep the rest of the
cookie string (useLatestURL, path, max-age) unchanged and only append
`domain=.nerimity.com;` when the strict check passes.

🧹 Nitpick comments (1)

src/components/settings/developer/DeveloperSettings.tsx (1)

21-24: Avoid duplicating the cookie key literal.

"useLatestURL" is hardcoded in both read/write paths. Please use the shared storage key constant added in src/common/localStorage.ts to prevent drift across web/desktop/mobile integrations.

Also applies to: 33-33

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/settings/developer/DeveloperSettings.tsx` around lines 21 -
24, Replace the hardcoded "useLatestURL" string with the shared exported storage
key constant (e.g., USE_LATEST_URL_KEY) from the localStorage module: import
that constant, update getInitialCookieValue to search for
`${USE_LATEST_URL_KEY}=` when parsing document.cookie, and update any cookie
write/update code (the setter/onChange that writes the cookie) to use the same
constant so read and write paths reference the single shared symbol (e.g.,
update getInitialCookieValue and the cookie-setter/onChange handler to use
USE_LATEST_URL_KEY).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@src/components/settings/developer/DeveloperSettings.tsx`:
- Around line 32-33: The hostname check is too permissive: replace the
includes("nerimity.com") logic used to build the domain string (the const domain
and subsequent document.cookie assignment in DeveloperSettings.tsx) with a
strict match such as hostname === "nerimity.com" ||
hostname.endsWith(".nerimity.com") so only the root domain and its subdomains
set domain=.nerimity.com; keep the rest of the cookie string (useLatestURL,
path, max-age) unchanged and only append `domain=.nerimity.com;` when the strict
check passes.

---

Nitpick comments:
In `@src/components/settings/developer/DeveloperSettings.tsx`:
- Around line 21-24: Replace the hardcoded "useLatestURL" string with the shared
exported storage key constant (e.g., USE_LATEST_URL_KEY) from the localStorage
module: import that constant, update getInitialCookieValue to search for
`${USE_LATEST_URL_KEY}=` when parsing document.cookie, and update any cookie
write/update code (the setter/onChange that writes the cookie) to use the same
constant so read and write paths reference the single shared symbol (e.g.,
update getInitialCookieValue and the cookie-setter/onChange handler to use
USE_LATEST_URL_KEY).

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e27822a and fbeb6ae.

📒 Files selected for processing (2)

• src/components/settings/developer/DeveloperSettings.tsx
• src/locales/list/en-gb.json

🚧 Files skipped from review as they are similar to previous changes (1)

• src/locales/list/en-gb.json

[SupertigerDev]

Please use the existing checkbox component

[mathiiiiiis]

Changed it. Sorry, I forgot about components 🫠

[coderabbitai]

♻️ Duplicate comments (2)

src/components/settings/developer/DeveloperSettings.tsx (2)

31-32: ⚠️ Potential issue | 🟡 Minor

Use strict hostname matching before assigning domain=.nerimity.com.

includes("nerimity.com") is too broad and can misfire on unrelated hosts, causing fragile cookie behavior.

Suggested fix

-    const domain = window.location.hostname.includes("nerimity.com") ? "domain=.nerimity.com;" : "";
+    const hostname = window.location.hostname;
+    const isNerimityDomain =
+      hostname === "nerimity.com" || hostname.endsWith(".nerimity.com");
+    const domain = isNerimityDomain ? "domain=.nerimity.com;" : "";

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/settings/developer/DeveloperSettings.tsx` around lines 31 -
32, The hostname check in DeveloperSettings.tsx is too permissive; replace
window.location.hostname.includes("nerimity.com") with a strict match such as
checking hostname === "nerimity.com" or hostname.endsWith(".nerimity.com") so
only the root domain and its subdomains set domain=.nerimity.com; update the
logic that computes the domain variable (the const domain line) to use this
stricter test and leave the document.cookie assignment using that domain and the
checked variable unchanged.

---

54-54: ⚠️ Potential issue | 🟠 Major

Give the checkbox an accessible name.

Rendering Checkbox without a label leaves the native input without a reliable accessible name for screen readers.

One possible fix in this file

-          <Checkbox checked={useLatest()} onChange={handleToggleCookie} />
+          <Checkbox
+            checked={useLatest()}
+            onChange={handleToggleCookie}
+            label={t("settings.developer.useLatestUrl")}
+          />

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/settings/developer/DeveloperSettings.tsx` at line 54, The
Checkbox rendered in DeveloperSettings (checked={useLatest()}
onChange={handleToggleCookie}) lacks an accessible name; add one by either
wrapping it with a visible label component (e.g., a FormControlLabel or <label>
that references the Checkbox) or by supplying an explicit aria-label or
aria-labelledby prop that describes its purpose (for example "Use latest
version" or similar) so screen readers can announce it; update the Checkbox
usage in DeveloperSettings.tsx accordingly and ensure the label text is
meaningful and localized if needed.

🧹 Nitpick comments (1)

src/components/settings/developer/DeveloperSettings.tsx (1)

32-32: Harden cookie attributes (SameSite + conditional Secure).

This preference cookie is missing defensive attributes. Add SameSite=Lax and Secure when on HTTPS.

Suggested hardening

-    document.cookie = `useLatestURL=${checked}; path=/; max-age=315360000; ${domain}`;
+    const secure = window.location.protocol === "https:" ? "Secure; " : "";
+    document.cookie = `useLatestURL=${checked}; path=/; max-age=315360000; SameSite=Lax; ${secure}${domain}`;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/components/settings/developer/DeveloperSettings.tsx` at line 32, The
cookie assignment for the preference (the template that sets document.cookie
using checked and domain) lacks SameSite and conditional Secure attributes;
update the cookie string constructed where document.cookie is set (the code
using `useLatestURL=${checked}` and `domain`) to append `; SameSite=Lax` and,
when running under HTTPS (check window.location.protocol === 'https:'), append
`; Secure`; ensure you still include path and max-age and preserve the existing
domain variable.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@src/components/settings/developer/DeveloperSettings.tsx`:
- Around line 31-32: The hostname check in DeveloperSettings.tsx is too
permissive; replace window.location.hostname.includes("nerimity.com") with a
strict match such as checking hostname === "nerimity.com" or
hostname.endsWith(".nerimity.com") so only the root domain and its subdomains
set domain=.nerimity.com; update the logic that computes the domain variable
(the const domain line) to use this stricter test and leave the document.cookie
assignment using that domain and the checked variable unchanged.
- Line 54: The Checkbox rendered in DeveloperSettings (checked={useLatest()}
onChange={handleToggleCookie}) lacks an accessible name; add one by either
wrapping it with a visible label component (e.g., a FormControlLabel or <label>
that references the Checkbox) or by supplying an explicit aria-label or
aria-labelledby prop that describes its purpose (for example "Use latest
version" or similar) so screen readers can announce it; update the Checkbox
usage in DeveloperSettings.tsx accordingly and ensure the label text is
meaningful and localized if needed.

---

Nitpick comments:
In `@src/components/settings/developer/DeveloperSettings.tsx`:
- Line 32: The cookie assignment for the preference (the template that sets
document.cookie using checked and domain) lacks SameSite and conditional Secure
attributes; update the cookie string constructed where document.cookie is set
(the code using `useLatestURL=${checked}` and `domain`) to append `;
SameSite=Lax` and, when running under HTTPS (check window.location.protocol ===
'https:'), append `; Secure`; ensure you still include path and max-age and
preserve the existing domain variable.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fbeb6ae and 1543771.

📒 Files selected for processing (1)

• src/components/settings/developer/DeveloperSettings.tsx

[SupertigerDev]

no problem 💖