Refactor API integration to use config module #2067

Closed
deadlyjack wants to merge 1 commit into main from ajit/new-auth-fix

@deadlyjack
Member

  • Replaced instances of constants with config module for API_BASE and related URLs in sponsor, sponsors, themeSetting, welcome, and various settings files.
  • Updated logic to check for premium features based on config settings.
  • Enhanced Authenticator plugin to intercept requests and manage authentication tokens more effectively.
  • Fixed minor typos and improved code readability in sidebarApp and helpers.

github-actions Bot added the translations label Apr 28, 2026
@greptile-apps
Contributor

greptile-apps Bot commented Apr 28, 2026

Greptile Summary

This PR refactors the codebase to use a new config.js module instead of constants.js, replaces window.IS_FREE_VERSION with config.HAS_PRO, and rewrites the auth plugin to inject tokens via a WebView request interceptor rather than native Cordova calls.

  • getRewardIdentity in adRewards.js is broken: the const user = await auth.getUserInfo() line was removed but user?.id was kept, causing a ReferenceError on every call; the result is also never returned.
  • Authenticator.java interceptor calls conn.getInputStream() unconditionally: throws IOException for any 4xx/5xx response, silently falling back to an unauthenticated request and breaking session-expiry detection.
  • Request bodies are not forwarded: WebResourceRequest does not expose the body, so any intercepted POST/DELETE with a payload will reach the server bodyless.

Confidence Score: 2/5

Not safe to merge — the auth interceptor silently fails on any non-2xx response and the ad-reward identity function is entirely broken.

Three P1 issues on core auth and monetization paths: broken getRewardIdentity (undeclared variable + missing return), HttpURLConnection.getInputStream() crash on error responses, and missing request-body forwarding in the interceptor.

src/plugins/auth/src/android/Authenticator.java and src/lib/adRewards.js require fixes before merging.

Important Files Changed

| Filename | Overview |
| --- | --- |
| src/lib/config.js | New centralized config module replacing constants.js; consolidates API base URLs, social links, and the new HAS_PRO getter/setter — clean implementation |
| src/lib/auth.js | Replaced native Cordova calls with direct fetch to /api/login, relying on the new WebView interceptor for token injection; logic is sound but depends on the interceptor working correctly |
| src/plugins/auth/src/android/Authenticator.java | New WebView request interceptor injects auth token but calls getInputStream() unconditionally (throws on 4xx/5xx), drops request bodies for POST/DELETE, and has no connection timeouts — three P1/P2 issues |
| src/lib/adRewards.js | getRewardIdentity references undeclared user variable and has no return statement, always yielding undefined/device-UUID — P1 regression |
| src/main.js | Replaces window.IS_FREE_VERSION with config.HAS_PRO; correctly handles package flag, localStorage override, IAP check, and server-side acode_pro flag |
| src/lib/installPlugin.js | Migrates to config.API_BASE; also removes the progress-callback argument from readFile(), silently dropping download progress feedback |
| src/sidebarApps/sidebarApp.js | Fixes $contaienr typo to $container across all usages; no functional changes |

Comments Outside Diff (1)

  1. src/lib/adRewards.js, line 180-187

    P1 user undeclared and result never returned

    The refactor removed the const user = await auth.getUserInfo() line but kept user?.id. Accessing an undeclared user throws a ReferenceError which the catch block absorbs, so the function always falls back to device?.uuid || "guest". Even if user were defined, there is no return statement in the try block, so getRewardIdentity() resolves to undefined, silently breaking ad-reward identity tracking.

Reviews (1): Last reviewed commit: "Refactor API integration to use config m..." | Re-trigger Greptile

Comment on lines +62 to +69
return new WebResourceResponse(
conn.getContentType(),
conn.getContentEncoding(),
conn.getResponseCode(),
conn.getResponseMessage(),
responseHeaders,
conn.getInputStream()
);
Contributor

P1 getInputStream() throws for non-2xx responses

HttpURLConnection.getInputStream() throws IOException for 4xx/5xx status codes. A 401 Unauthorized response causes the catch to fire and fall back to super.shouldInterceptRequest(), retrying without the auth token. JavaScript's fetch receives an unauthenticated response, breaking the res.status === 401 check in auth.getLoggedInUser() and preventing proper session invalidation. Use conn.getErrorStream() for non-2xx codes.
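
The failure mode this review comment describes, reproduced on a plain JDK as an added example (not code from the PR or from the Acode project): a constructed local server answers 401, `getInputStream()` throws, and the body is still readable through `getErrorStream()`. The class name, the `bodyOf` helper, the server handler and the token value are all constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;

public class ErrorStreamDemo {
    /** Hypothetical helper: returns the body stream for any status code. */
    static InputStream bodyOf(HttpURLConnection conn) throws IOException {
        int status = conn.getResponseCode();
        // getInputStream() throws IOException on 4xx/5xx; the body is on the error stream.
        InputStream in = status >= 400 ? conn.getErrorStream() : conn.getInputStream();
        // getErrorStream() returns null when the error response carried no body.
        return in != null ? in : InputStream.nullInputStream();
    }

    public static void main(String[] args) throws Exception {
        // Constructed local server standing in for an API that rejects an expired token.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/api/login", ex -> {
            byte[] body = "{\"error\":\"session expired\"}".getBytes(StandardCharsets.UTF_8);
            ex.getResponseHeaders().add("Content-Type", "application/json; charset=utf-8");
            ex.sendResponseHeaders(401, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
        try {
            URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/api/login");
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(10000);
            conn.setRequestProperty("x-auth-token", "constructed-expired-token");
            try {
                conn.getInputStream(); // the unconditional call the review flags
            } catch (IOException e) {
                System.out.println("getInputStream() threw: " + e.getMessage());
            }
            try (InputStream in = bodyOf(conn)) {
                String body = new String(in.readAllBytes(), StandardCharsets.UTF_8);
                System.out.println(conn.getResponseCode() + " " + body);
            }
        } finally {
            server.stop(0);
        }
    }
}
```

With the status and body preserved this way, the caller sees the 401 itself instead of the result of a retried request without the token.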

Comment on lines +40 to +52
if (url.startsWith("https://acode.app/api") || url.startsWith("https://dev.acode.app/api")) {
try {
HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
conn.setRequestMethod(request.getMethod());

for (Map.Entry<String, String> header : request.getRequestHeaders().entrySet()) {
conn.setRequestProperty(header.getKey(), header.getValue());
}

String token = prefManager.getString(KEY_TOKEN, "");
if (!token.isEmpty()) {
conn.setRequestProperty("x-auth-token", token);
}
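
Review bot: the two `url.startsWith(...)` checks in the `if` are raw string prefix matches with no trailing path delimiter, so `x-auth-token` is also attached to any path that merely begins with `/api` (for example `/apiX`), and the allow-list is two hard-coded literals inside the interceptor. Parse the URL once, compare scheme and host exactly, and require the path to be `/api` or to start with `/api/` before setting the token header.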
Contributor

P1 Request body not forwarded for POST/DELETE requests

WebResourceRequest does not expose the request body. Any fetch() call with a body will have it silently dropped by this interceptor, sending a bodyless request to the server.

Comment on lines +41 to +43
try {
HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
conn.setRequestMethod(request.getMethod());
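
Review bot: `conn.setRequestMethod(request.getMethod())` passes the WebView's method straight through inside the `try`, but `HttpURLConnection` throws `ProtocolException` for methods outside its fixed set (PATCH, for one), so those requests leave through the exception path. Decide explicitly which methods the interceptor handles and return early for the rest before opening the connection.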
Contributor

P2 No connection timeouts set

HttpURLConnection has no connect or read timeout, risking indefinite hangs on the UI thread. Consider adding conn.setConnectTimeout(5000) and conn.setReadTimeout(10000).

Comment thread src/lib/installPlugin.js
Comment on lines 74 to 75
) {
// Use fsOperation for Acode registry URL
Contributor

P2 Plugin download progress indicator silently dropped

The original readFile() call included a progress callback that updated the loader dialog with a percentage. The new call fsOperation(pluginUrl).readFile() removes it, leaving users with no download progress feedback.

deadlyjack closed this Apr 28, 2026