Migrate to Next.js 16

[mrkeshav-05]

Proposed change

Migrated the project to Next.js 16.0.7.
Fixed: #2798

Changes Made:

1. Updated Dependencies (package.json)
   next: ^15.5.7 → ^16.0.7
   @next/eslint-plugin-next: ^15.5.7 → ^16.0.7
   @next/third-parties: ^15.5.7 → ^16.0.7
   eslint-config-next: ^15.5.7 → ^16.0.7
2. Migrated Middleware to Proxy
   As middleware.ts is deprecated
   Created proxy.ts via blog
   Removed deprecated middleware.ts
   Added tests proxy.test.ts

Checklist

• I've read and followed the contributing guidelines.
• I've run make check-test locally; all checks and tests passed.

[coderabbitai]

Summary by CodeRabbit

• Chores
  • Upgraded Next.js ecosystem from version 15.5.7 to 16.0.7, including related tooling and dependencies
  • Updated TypeScript configuration for React JSX handling
  • Updated ESLint configuration to use TypeScript ESLint recommendations
  • Removed legacy build script

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Walkthrough

Bumps Next.js and related packages to ^16.0.7, adds require-in-the-middle, updates ESLint and tsconfig JSX handling, renames default export authenticationMiddleware → proxy and updates tests, removes turbopack from spellcheck dictionary. No other logic changes.

Changes

Cohort / File(s)	Summary
Dependency & scripts frontend/package.json	Removed build:turbo script; bumped next, @next/eslint-plugin-next, @next/third-parties, and devDependency eslint-config-next to ^16.0.7; added require-in-the-middle@^8.0.1.
Next config frontend/next.config.ts	Added require-in-the-middle to serverExternalPackages (previously only import-in-the-middle).
TypeScript config frontend/tsconfig.json	Changed "jsx" from "preserve" to "react-jsx"; expanded/reformatted include to add .next/dev/types/**/*.ts and .next/types/**/*.ts.
ESLint config frontend/eslint.config.mjs	Replaced FlatCompat usage with tseslint.configs.recommended; removed explicit parser/plugin and FlatCompat baseDirectory configuration.
Auth proxy & tests frontend/src/proxy.ts, frontend/__tests__/unit/utils/proxy.test.ts	Renamed default export and all references from authenticationMiddleware → proxy; updated test describe text and imports; logic unchanged.
Spellcheck dictionary cspell/custom-dict.txt	Removed the turbopack entry.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Verify Next.js v16 compatibility across build and runtime (breaking changes).
• Check ESLint config for TypeScript parsing/rules regressions.
• Confirm require-in-the-middle addition and serverExternalPackages behavior.
• Run unit tests and a dev build to validate tsconfig include changes.

Possibly related PRs

• Add Turbo for Faster Compilation, Testing, and Build Times #1415 — Touches frontend/package.json and frontend/next.config.ts around require-in-the-middle / external packages.
• Fix NestBot calendar events feature branch merge conflicts #2230 — Related changes to frontend config and turbopack/turbo build script adjustments.

Suggested reviewers

• kasya

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Migrate to Next.js 16' accurately and concisely summarizes the primary change - upgrading the project to Next.js 16.0.7.
Description check	✅ Passed	The description clearly details the proposed change (migration to Next.js 16.0.7), lists specific dependency updates, explains the middleware to proxy migration, and references the linked issue #2798.
Linked Issues check	✅ Passed	The PR successfully addresses all coding requirements from issue #2798: bumped Next.js to 16.0.7, updated all affected dependencies, migrated deprecated middleware to proxy pattern, and added corresponding tests.
Out of Scope Changes check	✅ Passed	All changes are within scope of the Next.js 16 migration: dependency updates, configuration changes (tsconfig.json, eslint.config.mjs, next.config.ts), middleware-to-proxy migration, test updates, and related cleanup (removing 'turbopack' from spell-check dictionary, removing build:turbo script).

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8847798 and 1becc4b.

⛔ Files ignored due to path filters (1)

• frontend/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• frontend/package.json (4 hunks)
• frontend/src/proxy.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• frontend/src/proxy.ts
• frontend/package.json

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

frontend/src/proxy.ts (1)

6-14: Consider adding error handling and preserving the original URL.

The authentication logic is straightforward and follows Next.js 16 proxy conventions. However, consider these improvements:

1. Error handling: If getToken throws an error, the request will fail ungracefully. Add a try-catch block to handle potential errors.
2. Preserve original URL: Currently, users are redirected to /auth/login without preserving their intended destination. Consider adding the original URL as a query parameter for post-login redirect.

Apply this diff to add error handling and URL preservation:

 export default async function proxy(request: NextRequest) {
-  const token = await getToken({ req: request })
+  try {
+    const token = await getToken({ req: request })
 
-  if (!token) {
-    return NextResponse.redirect(new URL('/auth/login', request.url))
-  }
+    if (!token) {
+      const loginUrl = new URL('/auth/login', request.url)
+      loginUrl.searchParams.set('callbackUrl', request.url)
+      return NextResponse.redirect(loginUrl)
+    }
 
-  return NextResponse.next()
+    return NextResponse.next()
+  } catch (error) {
+    console.error('Proxy authentication error:', error)
+    return NextResponse.redirect(new URL('/auth/login', request.url))
+  }
 }

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5c7a924 and 5a34f4c.

📒 Files selected for processing (1)

• frontend/src/proxy.ts (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: rudransh-shrivastava
Repo: OWASP/Nest PR: 2178
File: frontend/src/app/snapshots/[id]/page.tsx:0-0
Timestamp: 2025-09-21T17:04:48.154Z
Learning: User rudransh-shrivastava confirmed that suggested type safety improvements during Apollo Client migration were no longer relevant, reinforcing their preference to keep migration PRs focused on core migration changes rather than additional improvements.

🔇 Additional comments (2)

frontend/src/proxy.ts (2)

16-19: Matcher configuration is correct.

The matcher pattern '/my/mentorship/:path*' correctly protects all routes under /my/mentorship/. This follows Next.js conventions for path matching.

---

2-4: Move JWT validation from proxy.ts to a Node.js runtime endpoint or use an Edge-compatible JWT library.

getToken from next-auth/jwt requires Node.js runtime and uses Node.js crypto modules, but proxy.ts runs on the Edge runtime by default in Next.js 16. This will cause runtime errors. Either move the token validation to an API route or Server Action (which run on Node.js), or use an Edge-compatible JWT library like jose with Web Crypto for verification in proxy.ts. Alternatively, use next-auth's withAuth middleware helper if performing simple presence checks.

⛔ Skipped due to learnings

Learnt from: Rajgupta36
Repo: OWASP/Nest PR: 1717
File: frontend/src/app/api/auth/[...nextauth]/route.ts:13-25
Timestamp: 2025-08-10T11:08:47.258Z
Learning: In the OWASP Nest codebase (frontend/src/app/api/auth/[...nextauth]/route.ts), input validation and string trimming for authentication-related queries like `isProjectLeader` and `isMentor` are handled in the backend rather than the frontend. The backend is responsible for sanitizing and validating input parameters.

[kasya]

Why did we add this?

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[arkid15r]

Thank you @mrkeshav-05