feat: comments plugin

[olliethedev]

Summary

• comments plugin (closes Comments Plugin #79 )

Type of change

• Bug fix
• New plugin
• Feature / enhancement to an existing plugin
• Documentation
• Chore / refactor / tooling

Checklist

• pnpm build passes
• pnpm typecheck passes
• pnpm lint passes
• Tests added or updated (unit and/or E2E)
• Docs updated (docs/content/docs/) if consumer-facing types or behavior changed
• All three example apps updated if a plugin was added or changed
• New plugin: submission checklist in CONTRIBUTING.md completed

Screenshots

---

Note

Medium Risk
Adds a new API surface (comments CRUD/moderation endpoints) and wires it into multiple example apps, so regressions could affect request routing and access control if hooks are misconfigured.

Overview
Introduces a new Comments plugin with threaded replies, likes, editing, moderation routes, and an embeddable CommentThread UI, including new public package exports/CSS entrypoints and a version bump to @btst/stack@2.8.0.

Updates docs and examples to register the plugin on both backend and client, import its CSS, and embed comments via new slot overrides (e.g. blog.postBottomSlot, kanban.taskDetailBottomSlot), plus adds PATCH handling to the catch-all API route configs and expands Playwright coverage with a comprehensive smoke.comments.spec.ts suite.

^{Written by Cursor Bugbot for commit bfd236e. This will update automatically on new commits. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
better-stack-docs	Ready	Preview, Comment	Mar 14, 2026 1:04am

[github-actions]

✅ Shadcn registry validated — no registry changes detected.

[cursor]

Client-supplied currentUserId query parameter leaks pending comments

High Severity

The currentUserId accepted as an untrusted query parameter in GET /comments is used to fetch and return that user's pending comments. Any anonymous caller can pass ?currentUserId=victimId and see the victim's pending (pre-moderation) comment bodies. No server-side session validation is performed on this value, and the onBeforeList hook doesn't gate this path because the status filter remains "approved" (the default), so the non-approved status check at the top of the handler is skipped entirely. The currentUserId for this feature needs to be resolved server-side from the authenticated session, similar to how authorId is resolved in onBeforePost.

Additional Locations (1)

• packages/stack/src/plugins/comments/api/getters.ts#L168-L210

 

[cursor]

Status change and delete endpoints lack default authorization

Medium Severity

PATCH /comments/:id/status and DELETE /comments/:id proceed without any authorization when onBeforeStatusChange or onBeforeDelete hooks are absent. This is inconsistent with the secure-by-default pattern used by onBeforeEdit and onBeforeListByAuthor, which return 403 when their hooks are not configured. A developer following the minimal setup without configuring these hooks would unknowingly expose unauthenticated moderation and deletion endpoints.

Additional Locations (1)

• packages/stack/src/plugins/comments/api/plugin.ts#L506-L513

 

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Status mutations miss infinite thread cache invalidation

Low Severity

useUpdateCommentStatus and useApproveComment do not invalidate the ["commentsThread"] infinite query cache in their onSettled handlers, while useDeleteComment and useUpdateComment both do. When a comment's status changes (e.g., approved → spam), the CommentThread component's infinite-query cache retains the stale entry, so the comment remains visible in the thread until the staleTime expires or the user navigates away.

Additional Locations (1)

• packages/stack/src/plugins/comments/client/hooks/use-comments.tsx#L442-L451