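If this is your first time reading this series, please head over to Day 1 – How to Start? Format and Self-Introduction Practice first!
You are taking over a colleague's login system PR. The code runs, but you notice inconsistent error messages, a missing rate limit, and unclear naming. You often get stuck on: "How do I give feedback that is specific without being hurtful?"
Today's goal: use the three steps "praise ➜ concern ➜ suggestion" to leave actionable review comments in English.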
[Config]
- Day: Day12 – Code Review: Giving Feedback
- Scenario: Code review — give clear, constructive feedback on a teammate’s pull request for a simple login system (session-based auth, input validation, error handling). Aim for concise, actionable comments with reasons and suggestions.
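Paste the Config Prompt into GPT, and it will generate a piece of code for you to review.
If it doesn't, check whether you have switched to GPT-5's Thinking mode.
Review this code and think about:
And write down your keywords and your feedback on the code.
The code GPT gave me to review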
```go
package main

import (
	"database/sql"
	"fmt"
	"net/http"
	"time"
)

var db *sql.DB

// LoginHandler checks the posted credentials and sets a session cookie.
func LoginHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != "POST" {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}

	username := r.FormValue("username")
	password := r.FormValue("password")
	if username == "" || password == "" {
		http.Error(w, "missing fields", http.StatusInternalServerError)
		return
	}

	row := db.QueryRow("SELECT id, password_hash FROM users WHERE username = '" + username + "'")
	var id int
	var hash string
	if err := row.Scan(&id, &hash); err != nil {
		http.Error(w, "invalid credentials", http.StatusUnauthorized)
		return
	}

	if password != hash {
		http.Error(w, "invalid credentials", http.StatusUnauthorized)
		return
	}

	sessionID := fmt.Sprintf("%d:%d", id, time.Now().UnixNano())
	http.SetCookie(w, &http.Cookie{
		Name:    "sid",
		Value:   sessionID,
		Path:    "/",
		Expires: time.Now().Add(24 * time.Hour),
	})
	w.WriteHeader(http.StatusOK)
	w.Write([]byte("ok"))
}
```
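My keywords:
Feedback:
Remember to record the conversation, listen to it once yourself, and think about what sounds unnatural and what needs adjusting.
Rescue phrase: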
Let’s walk through this function together.
Buying time to think:
Give me a moment to check the flow, please.
Start by acknowledging the highlights (open the conversation)
Nice job keeping the handler small and focused.
I like how you separated validation from the controller.
The test names are clear and readable.
Raise concerns (describe the impact/risk)
I’m concerned this may allow repeated attempts without limits.
This could break when the response shape changes.
The error path isn’t covered by tests yet.
Give concrete suggestions (with reasons)
Could we add a rate limiter to the login endpoint to prevent abuse?
Consider extracting this logic into a helper to reduce duplication.
Please return a consistent error format so the client can parse it.
Ask about motivation/background (understand before correcting)
What’s the reason for choosing this library over the built-in one?
How do you expect this to behave under high concurrency?
Is there a requirement to support older browsers here?
Request evidence (tests/docs)
Could you add a test for the failure case with invalid credentials?
Can we document the error codes in the README?
Do we have metrics to confirm the latency target is met?
Priority and scope (whether or not it blocks the PR)
This is non-blocking; we can handle it in a follow-up.
This is a blocker because it affects security.
Happy to approve after this small change.
Offer alternatives/examples (show a path, not just a wall)
Maybe something like: { show the code... }
An alternative is to use middleware for input validation.
We could cache the session lookup to reduce DB hits.
Wrap up and build consensus
Let me know if you’d like me to pair on this change.
Once we align on the approach, I’ll approve.
Thanks for the updates—this looks much better now.
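Today's practice went quite smoothly, probably because it was about code.
GPT gave me a lot of sentences I could use as rephrasings, all of them more concise than what I originally said. This is something to work on going forward!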
1) Per-turn Corrections
Turn 2: You said, "You use implemented the login handler, right?"
Rewrite: "You implemented the login handler, right?"
Alternative: "So, you wrote the login handler, correct?"
Turn 4: You said, "Let's walk through the function together." (No correction needed here, just noting it was great!)
Turn 6: You said, "The DB is not initialized at line 10." (Perfect after correction.)
Turn 8: You said, "At line 34, you compare the password to the hash, but you didn't hash the password before comparing." (Perfect after correction.)
Turn 10: You said, "You return the session ID with the cookie, but should we store the session ID somewhere?" (Perfect after correction as well.)
2) Top 3 Patterns
Clarifying Questions: You often start with a bit of hesitation. A simple rule: just start with "You mean..." and go on confidently.
Grammar Adjustment: Sometimes you add extra words like "is" or "did" where not needed. A good tip: keep sentences short and simple to avoid doubling up on verbs.
Pausing for Recasts: You did well once you heard the corrected sentence. Just remember: hear it, repeat it right away, and you'll be fine.
3) Phrase Pack
"You implemented the login handler, right?"
"Let's walk through this function together."
"We should use parameterized queries for security."
"We need to hash the password before comparing it."
"Should we store the session ID somewhere?"
4) Intonation Tip
Focus on stressing key words. For example, say: "Should we store the session ID somewhere?" Emphasize "store" to highlight the main action.
5) Fluency & Pronunciation Notes
Great job repeating corrected sentences quickly.
Your pace was nice and steady after a few tries.
You improved at simplifying your questions over time.
Keep focusing on short sentences. That helps your clarity a lot.
6) Key Focus for Next Time
Goal 1: Keep practicing short, confident sentences.
Goal 2: Emphasize key action words for clarity.
≤3-min drill: Do a quick shadowing exercise with simple code review lines. Then try a substitution drill: replace “hash the password” with “validate the input” to practice swapping terms smoothly.
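The session point from the phrase pack ("Should we store the session ID somewhere?"), worked through as an added example that is not part of the original post or of GPT's output: the `id:timestamp` cookie value in the reviewed handler is replaced by a random ID kept in a server-side store and checked on each request. `NewSession`, `UserFor`, the `session` type and the in-memory map are hypothetical names chosen for this sketch.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"net/http"
	"sync"
	"time"
)

type session struct {
	userID  int
	expires time.Time
}

var mu sync.Mutex
var sessions = map[string]session{} // server-side store keyed by session ID

// NewSession records a session under 256 random bits and returns its cookie.
func NewSession(userID int) (*http.Cookie, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sid, exp := hex.EncodeToString(buf), time.Now().Add(24*time.Hour)
	mu.Lock()
	sessions[sid] = session{userID, exp}
	mu.Unlock()
	// HttpOnly hides the value from scripts; Secure keeps it off plain HTTP.
	return &http.Cookie{Name: "sid", Value: sid, Path: "/", Expires: exp,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode}, nil
}

// UserFor accepts only IDs the server issued and that have not expired.
func UserFor(r *http.Request) (int, bool) {
	c, err := r.Cookie("sid")
	if err != nil {
		return 0, false
	}
	mu.Lock()
	defer mu.Unlock()
	s, ok := sessions[c.Value]
	if !ok || time.Now().After(s.expires) {
		delete(sessions, c.Value) // drop expired entries on sight
		return 0, false
	}
	return s.userID, true
}

func main() {} // the login handler would call http.SetCookie(w, cookie)
```

A logout route would delete the entry from `sessions`, which is what makes a stored ID revocable before its cookie expires.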