From d4663fbe7dda58b42512a78d607d414d3029820e Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend
Date: Sat, 23 May 2026 10:34:53 -0700
Subject: [PATCH 1/4] Capture more errors on failures
---
 .claude/CLAUDE-KNOWLEDGE.md | 3 +++
 AGENTS.md | 2 ++
 apps/backend/src/lib/emails-low-level.tsx | 18 ++++++++++++++++++
 apps/backend/src/private/implementation | 2 +-
 .../private/implementation-fallback/index.ts | 10 ++++++++++
 apps/backend/src/private/index.ts | 2 +-
 6 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/.claude/CLAUDE-KNOWLEDGE.md b/.claude/CLAUDE-KNOWLEDGE.md
index f6eb84ce8..175fc2296 100644
--- a/.claude/CLAUDE-KNOWLEDGE.md
+++ b/.claude/CLAUDE-KNOWLEDGE.md
@@ -541,3 +541,6 @@ A: Put restricted-user docs at `docs-mintlify/guides/apps/authentication/restric
 
 ## Q: How should e2e tests switch to a newly created project?
 A: `Project.createAndSwitch` should leave `backendContext.projectKeys` set to real project API keys, not only `{ projectId, adminAccessToken }`. Internal admin access tokens are regular short-lived access tokens; keeping one in the default project context makes later server/admin requests fail with `ADMIN_ACCESS_TOKEN_EXPIRED` or validate the token against the wrong project.
+
+## Q: How should backend SMTP SSRF checks be rolled out?
+A: Keep the real outbound SMTP policy in `apps/backend/src/private/implementation/smtp-egress-policy.ts`, export it through `apps/backend/src/private/index.ts`, and provide a simple `implementation-fallback` function for self-hosters. It should allow only SMTP ports 25, 465, 587, 2465, 2587, and 2525, reject internal IP literals or DNS resolutions, and initially run report-only from `emails-low-level.tsx` via `captureError("smtp-egress-policy-report-only", ...)` before enforcing hard failures.
diff --git a/AGENTS.md b/AGENTS.md
index 619547aa6..8feddfe47 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -116,6 +116,8 @@ To see all development ports, refer to the index.html of `apps/dev-launchpad/pub
 - NEVER INSTALL A NEW PACKAGE (or anything else) WITHOUT EXPLICIT APPROVAL FROM THE USER.
 - A "development environment" is either an RDE (remote development environment; = local dashboard + prod backend) or a local emulator (local dashboard + local backend). When communicating to the user, we always say "development environment" instead of RDE or local emulator (the distinction to the user is minor, even though the implementation is quite different).
 - NEVER EVER return a server error with an internal server error that may contain information that the user shouldn't see. For example, never return the error message on a public API from an upstream provider without properly filtering it first. Most of the time, for internal server errors, you should just use StackAssertionError (which won't pass the message to the user), not StatusError (you almost never want to instantiate a StatusError with status 5xx).
+- When adding code to the `private` part of the backend, put the actual implementation into `implementation` (if the submodule is checked out), and implement a simple fallback in `implementation-fallback` for self-hosters. `implementation.generated.ts` will automatically be generated, which you can then import from `index.ts`. (See the existing code as an example.) If the submodule isn't checked out, but you need to add code to the `private` part of the backend, let the user know.
+- Security-sensitive code on the backend that shouldn't be public should be in the `private` part of the backend.
 
 ### Code-related
 - Use ES6 maps instead of records wherever you can.
diff --git a/apps/backend/src/lib/emails-low-level.tsx b/apps/backend/src/lib/emails-low-level.tsx
index 90648ed32..3353a7929 100644
--- a/apps/backend/src/lib/emails-low-level.tsx
+++ b/apps/backend/src/lib/emails-low-level.tsx
@@ -10,6 +10,7 @@ import { runAsynchronously, wait } from '@stackframe/stack-shared/dist/utils/pro
 import { Result } from '@stackframe/stack-shared/dist/utils/results';
 import { traceSpan } from '@stackframe/stack-shared/dist/utils/telemetry';
 import nodemailer from 'nodemailer';
+import { checkSmtpEgressPolicy } from '@/private';
 
 export function isSecureEmailPort(port: number | string) {
 // "secure" in most SMTP clients means implicit TLS from byte 1 (SMTPS)
@@ -76,10 +77,27 @@ async function _lowLevelSendEmailWithoutRetries(options: LowLevelSendEmailOption
 
 return await traceSpan('sending email to ' + JSON.stringify(toArray), async () => {
 try {
+ const smtpEgressPolicyResult = await checkSmtpEgressPolicy({
+ host: options.emailConfig.host,
+ port: options.emailConfig.port,
+ });
+ if (smtpEgressPolicyResult.status === "error") {
+ console.warn("SMTP config rejected by the egress policy.", {
+ violation: smtpEgressPolicyResult.violation,
+ config: strippedEmailConfig,
+ });
+ captureError("smtp-egress-policy-report-only", new StackAssertionError("SMTP config would be rejected by the egress policy", {
+ violation: smtpEgressPolicyResult.violation,
+ config: strippedEmailConfig,
+ }));
+ }
+
 const transporter = nodemailer.createTransport({
 host: options.emailConfig.host,
 port: options.emailConfig.port,
 secure: options.emailConfig.secure,
+ disableFileAccess: true,
+ disableUrlAccess: true,
 connectionTimeout: 15000,
 greetingTimeout: 10000,
 socketTimeout: 20000,
diff --git a/apps/backend/src/private/implementation b/apps/backend/src/private/implementation
index b05bcca34..ebe0d435e 160000
--- a/apps/backend/src/private/implementation
+++ b/apps/backend/src/private/implementation
@@ -1 +1 @@
-Subproject commit b05bcca3444c00fa6623f7eec332376031aefd2c
+Subproject commit ebe0d435e7bbe0251463c78d088d10edcb7ff5a0
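Review bot: The address list returned by `checkSmtpEgressPolicy` is discarded in the second hunk of `emails-low-level.tsx`, and `nodemailer.createTransport` is still given `options.emailConfig.host`, so the name is resolved again when the transport connects. While the check is report-only this only affects what gets reported, but once it is enforced, a host whose DNS answer differs between the two lookups would pass the policy and still be connected to at an internal address. The connection should be pinned to a vetted address, e.g. `host: smtpEgressPolicyResult.addresses[0]` together with `tls: { servername: options.emailConfig.host }` so certificate validation still uses the configured name. The awaited check also sits inside the `try`, whose `catch` is outside the hunk; if the private implementation can throw rather than return an error result, a report-only check would fail the send, so confirm it only ever returns.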
diff --git a/apps/backend/src/private/implementation-fallback/index.ts b/apps/backend/src/private/implementation-fallback/index.ts
index 69c6ddec9..0e5f42972 100644
--- a/apps/backend/src/private/implementation-fallback/index.ts
+++ b/apps/backend/src/private/implementation-fallback/index.ts
@@ -12,3 +12,13 @@ export const signUpRiskEngine: SignUpRiskEngine = {
 };
 
 export const preprocessProxyBody: AiProxyBodyProcessor = ({ parsedBody }) => parsedBody;
+
+export async function checkSmtpEgressPolicy(options: {
+ host: string,
+ port: number,
+}) {
+ return {
+ status: "ok" as const,
+ addresses: [options.host],
+ };
+}
diff --git a/apps/backend/src/private/index.ts b/apps/backend/src/private/index.ts
index 159e7607c..d565f28d1 100644
--- a/apps/backend/src/private/index.ts
+++ b/apps/backend/src/private/index.ts
@@ -1 +1 @@
-export { signUpRiskEngine, preprocessProxyBody } from "./implementation.generated";
+export { signUpRiskEngine, preprocessProxyBody, checkSmtpEgressPolicy } from "./implementation.generated";
From 866e618a206b2ca4f365a9cfacda273ecb02bffe Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend
Date: Sat, 23 May 2026 10:48:41 -0700
Subject: [PATCH 2/4] Fix CI/CD
---
 apps/backend/src/private/implementation | 2 +-
 .../src/private/implementation-fallback/index.ts | 5 +++--
 apps/backend/src/private/types.ts | 11 +++++++++++
 3 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100644 apps/backend/src/private/types.ts
diff --git a/apps/backend/src/private/implementation b/apps/backend/src/private/implementation
index ebe0d435e..a815ddcd1 160000
--- a/apps/backend/src/private/implementation
+++ b/apps/backend/src/private/implementation
@@ -1 +1 @@
-Subproject commit ebe0d435e7bbe0251463c78d088d10edcb7ff5a0
+Subproject commit a815ddcd1354d4bf27042626d1035709c80abdc6
diff --git a/apps/backend/src/private/implementation-fallback/index.ts b/apps/backend/src/private/implementation-fallback/index.ts
index 0e5f42972..7b31266b5 100644
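Review bot: The fallback `checkSmtpEgressPolicy` in `implementation-fallback/index.ts` returns `status: "ok"` for every host and port, and nothing on the function says so, which leaves a self-hoster reading the call site in `emails-low-level.tsx` to assume outbound SMTP targets are being vetted. Add a doc comment such as `/** Fallback for builds without the private submodule: performs no egress filtering; restrict outbound SMTP at the network layer. */`. It also places the unresolved `options.host` in `addresses`, which the private policy presumably fills with resolved IPs; the comment should state that difference, since a caller that later connects to `addresses[0]` would behave differently in the two builds. The same function is touched again in [PATCH 2/4], which only adds the return type, so the point applies there as well.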
--- a/apps/backend/src/private/implementation-fallback/index.ts
+++ b/apps/backend/src/private/implementation-fallback/index.ts
@@ -1,6 +1,7 @@
 import { AiProxyBodyProcessor } from "@/lib/ai/proxy-preprocessing";
 import { SignUpRiskEngine } from "@/lib/risk-scores";
 import { createNeutralSignUpHeuristicFacts } from "@/lib/sign-up-heuristics";
+import type { SmtpEgressPolicyResult } from "../types";
 
 export const signUpRiskEngine: SignUpRiskEngine = {
 async calculateRiskAssessment() {
@@ -16,9 +17,9 @@ export const preprocessProxyBody: AiProxyBodyProcessor = ({ parsedBody }) => par
 export async function checkSmtpEgressPolicy(options: {
 host: string,
 port: number,
-}) {
+}): Promise {
 return {
- status: "ok" as const,
+ status: "ok",
 addresses: [options.host],
 };
 }
diff --git a/apps/backend/src/private/types.ts b/apps/backend/src/private/types.ts
new file mode 100644
index 000000000..46cb0883d
--- /dev/null
+++ b/apps/backend/src/private/types.ts
@@ -0,0 +1,11 @@
+export type SmtpEgressPolicyViolation = {
+ reason: "disallowed-port" | "internal-ip-literal" | "internal-resolved-address" | "no-dns-addresses" | "dns-lookup-failed",
+ host: string,
+ port: number,
+ addresses?: string[],
+ cause?: unknown,
+};
+
+export type SmtpEgressPolicyResult =
+ | { status: "ok", addresses: string[] }
+ | { status: "error", violation: SmtpEgressPolicyViolation };
From 957a33a651bb0891051540fabc5b209259978ad1 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" Date: Sat, 23 May 2026 18:13:12 +0000 Subject: [PATCH 3/4] chore: update package versions --- apps/backend/package.json | 2 +- apps/dashboard/package.json | 2 +- apps/dev-launchpad/package.json | 2 +- apps/e2e/package.json | 2 +- apps/hosted-components/package.json | 2 +- apps/internal-tool/package.json | 2 +- apps/mcp/package.json | 2 +- apps/mock-oauth-server/package.json | 2 +- apps/skills/package.json | 2 +- docs-mintlify/package.json | 2 +- docs/package.json | 2 +- examples/cjs-test/package.json | 2 +- examples/convex/package.json | 2 +- examples/demo/package.json | 2 +- examples/docs-examples/package.json | 2 +- examples/e-commerce/package.json | 2 +- examples/js-example/package.json | 2 +- examples/lovable-react-18-example/package.json | 2 +- examples/middleware/package.json | 2 +- examples/react-example/package.json | 2 +- examples/supabase/package.json | 2 +- examples/tanstack-start-demo/package.json | 2 +- packages/dashboard-ui-components/package.json | 2 +- packages/init-stack/package.json | 2 +- packages/js/package.json | 2 +- packages/react/package.json | 2 +- packages/stack-cli/package.json | 2 +- packages/stack-sc/package.json | 2 +- packages/stack-shared/package.json | 2 +- packages/stack-ui/package.json | 2 +- packages/stack/package.json | 2 +- packages/tanstack-start/package.json | 2 +- packages/template/package-template.json | 2 +- packages/template/package.json | 2 +- sdks/implementations/swift/package.json | 2 +- sdks/spec/package.json | 2 +- 36 files changed, 36 insertions(+), 36 deletions(-) diff --git a/apps/backend/package.json b/apps/backend/package.json index dd3248a91..acd54eda9 100644 --- a/apps/backend/package.json +++ b/apps/backend/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/backend", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "private": true, "type": "module", 
diff --git a/apps/dashboard/package.json b/apps/dashboard/package.json index c324152c3..e6dd14aac 100644 --- a/apps/dashboard/package.json +++ b/apps/dashboard/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/dashboard", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "private": true, "scripts": { diff --git a/apps/dev-launchpad/package.json b/apps/dev-launchpad/package.json index adf9cd6d8..8d70d558e 100644 --- a/apps/dev-launchpad/package.json +++ b/apps/dev-launchpad/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/dev-launchpad", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "private": true, "scripts": { diff --git a/apps/e2e/package.json b/apps/e2e/package.json index 5e38777e2..e53ad886a 100644 --- a/apps/e2e/package.json +++ b/apps/e2e/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/e2e-tests", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "private": true, "type": "module", diff --git a/apps/hosted-components/package.json b/apps/hosted-components/package.json index 1d53a1254..81b4d8246 100644 --- a/apps/hosted-components/package.json +++ b/apps/hosted-components/package.json @@ -1,7 +1,7 @@ { "name": "@stackframe/hosted-components", "private": true, - "version": "2.8.102", + "version": "2.8.103", "type": "module", "scripts": { "dev": "vite dev --port ${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}09", diff --git a/apps/internal-tool/package.json b/apps/internal-tool/package.json index 074e30d11..3620b2253 100644 --- a/apps/internal-tool/package.json +++ b/apps/internal-tool/package.json @@ -1,7 +1,7 @@ { "name": "@stackframe/internal-tool", "private": true, - "version": "2.8.102", + "version": "2.8.103", "type": "module", "scripts": { "dev": "node scripts/pre-dev.mjs && next dev --turbopack --port ${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}41", 
diff --git a/apps/mcp/package.json b/apps/mcp/package.json index b363de744..6961a76c2 100644 --- a/apps/mcp/package.json +++ b/apps/mcp/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/mcp", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "private": true, "type": "module", diff --git a/apps/mock-oauth-server/package.json b/apps/mock-oauth-server/package.json index 220ff75af..0fd2917b3 100644 --- a/apps/mock-oauth-server/package.json +++ b/apps/mock-oauth-server/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/mock-oauth-server", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "private": true, "main": "index.js", diff --git a/apps/skills/package.json b/apps/skills/package.json index 3e9ce399c..cf3d2e0de 100644 --- a/apps/skills/package.json +++ b/apps/skills/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/skills", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "private": true, "type": "module", diff --git a/docs-mintlify/package.json b/docs-mintlify/package.json index 8dd658f53..f9286d5db 100644 --- a/docs-mintlify/package.json +++ b/docs-mintlify/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/docs-mintlify", - "version": "2.8.102", + "version": "2.8.103", "private": true, "scripts": { "dev": "mint dev --port ${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}04 --no-open", diff --git a/docs/package.json b/docs/package.json index 1c9edc8c2..09c9dfeb4 100644 --- a/docs/package.json +++ b/docs/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/stack-docs", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "description": "", "main": "index.js", diff --git a/examples/cjs-test/package.json b/examples/cjs-test/package.json index 1f7b56772..4671225f8 100644 --- a/examples/cjs-test/package.json +++ b/examples/cjs-test/package.json 
@@ -1,6 +1,6 @@ { "name": "@stackframe/example-cjs-test", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "private": true, "scripts": { diff --git a/examples/convex/package.json b/examples/convex/package.json index c4b33ccae..53c8f884d 100644 --- a/examples/convex/package.json +++ b/examples/convex/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/convex-example", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "private": true, "scripts": { diff --git a/examples/demo/package.json b/examples/demo/package.json index fe1c04a05..35bd2d763 100644 --- a/examples/demo/package.json +++ b/examples/demo/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/example-demo-app", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "description": "", "private": true, diff --git a/examples/docs-examples/package.json b/examples/docs-examples/package.json index f474eb778..fe8d20225 100644 --- a/examples/docs-examples/package.json +++ b/examples/docs-examples/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/docs-examples", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "description": "", "private": true, diff --git a/examples/e-commerce/package.json b/examples/e-commerce/package.json index cd7748319..4c6ee6439 100644 --- a/examples/e-commerce/package.json +++ b/examples/e-commerce/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/e-commerce-demo", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "private": true, "scripts": { diff --git a/examples/js-example/package.json b/examples/js-example/package.json index b7e9e0d02..80f7f4325 100644 --- a/examples/js-example/package.json +++ b/examples/js-example/package.json 
@@ -1,6 +1,6 @@ { "name": "@stackframe/js-example", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "private": true, "description": "", diff --git a/examples/lovable-react-18-example/package.json b/examples/lovable-react-18-example/package.json index 070b75b0b..c47bd1bdd 100644 --- a/examples/lovable-react-18-example/package.json +++ b/examples/lovable-react-18-example/package.json @@ -1,7 +1,7 @@ { "name": "@stackframe/lovable-react-18-example", "private": true, - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "type": "module", "scripts": { diff --git a/examples/middleware/package.json b/examples/middleware/package.json index f49fbfb38..e7bc8d12b 100644 --- a/examples/middleware/package.json +++ b/examples/middleware/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/example-middleware-demo", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "private": true, "scripts": { diff --git a/examples/react-example/package.json b/examples/react-example/package.json index 2d2676d26..50b572705 100644 --- a/examples/react-example/package.json +++ b/examples/react-example/package.json @@ -1,7 +1,7 @@ { "name": "react-example", "private": true, - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "type": "module", "scripts": { diff --git a/examples/supabase/package.json b/examples/supabase/package.json index 984b74821..00f4d2b9b 100644 --- a/examples/supabase/package.json +++ b/examples/supabase/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/example-supabase", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "private": true, "scripts": { diff --git a/examples/tanstack-start-demo/package.json b/examples/tanstack-start-demo/package.json index 1014a556c..f49e64de7 100644 
--- a/examples/tanstack-start-demo/package.json +++ b/examples/tanstack-start-demo/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/example-tanstack-start-demo", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "description": "TanStack Start demo app for Stack Auth", "private": true, diff --git a/packages/dashboard-ui-components/package.json b/packages/dashboard-ui-components/package.json index ac3c9798d..8c632af89 100644 --- a/packages/dashboard-ui-components/package.json +++ b/packages/dashboard-ui-components/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/dashboard-ui-components", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "main": "./dist/index.js", "types": "./dist/index.d.ts", diff --git a/packages/init-stack/package.json b/packages/init-stack/package.json index c1684f2be..e958363f3 100644 --- a/packages/init-stack/package.json +++ b/packages/init-stack/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/init-stack", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "description": "The setup wizard for Stack. https://stack-auth.com", "main": "dist/index.mjs", diff --git a/packages/js/package.json b/packages/js/package.json index 399c0884b..34856c884 100644 --- a/packages/js/package.json +++ b/packages/js/package.json @@ -1,7 +1,7 @@ { "//": "THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY, INSTEAD EDIT THE CORRESPONDING FILE IN packages/template (FOR package.json FILES, PLEASE EDIT package-template.json)", "name": "@stackframe/js", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "sideEffects": false, "main": "./dist/index.js", diff --git a/packages/react/package.json b/packages/react/package.json index 60557d988..078e0f318 100644 --- a/packages/react/package.json +++ b/packages/react/package.json 
@@ -1,7 +1,7 @@ { "//": "THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY, INSTEAD EDIT THE CORRESPONDING FILE IN packages/template (FOR package.json FILES, PLEASE EDIT package-template.json)", "name": "@stackframe/react", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "sideEffects": false, "main": "./dist/index.js", diff --git a/packages/stack-cli/package.json b/packages/stack-cli/package.json index f2dde4bc7..04b406dd8 100644 --- a/packages/stack-cli/package.json +++ b/packages/stack-cli/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/stack-cli", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "description": "The CLI for Stack Auth. https://stack-auth.com", "main": "dist/index.js", diff --git a/packages/stack-sc/package.json b/packages/stack-sc/package.json index 92a5305dc..94278f0a2 100644 --- a/packages/stack-sc/package.json +++ b/packages/stack-sc/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/stack-sc", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "exports": { "./force-react-server": { diff --git a/packages/stack-shared/package.json b/packages/stack-shared/package.json index 2a9162d56..216255633 100644 --- a/packages/stack-shared/package.json +++ b/packages/stack-shared/package.json @@ -1,6 +1,6 @@ { "name": "@stackframe/stack-shared", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "scripts": { "build": "rimraf dist && tsdown", diff --git a/packages/stack-ui/package.json b/packages/stack-ui/package.json index f9e88b05d..45e511fa3 100644 --- a/packages/stack-ui/package.json +++ b/packages/stack-ui/package.json 
@@ -1,6 +1,6 @@ { "name": "@stackframe/stack-ui", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "main": "./dist/index.js", "types": "./dist/index.d.ts", diff --git a/packages/stack/package.json b/packages/stack/package.json index abd6f6bbb..668dd3dfa 100644 --- a/packages/stack/package.json +++ b/packages/stack/package.json @@ -1,7 +1,7 @@ { "//": "THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY, INSTEAD EDIT THE CORRESPONDING FILE IN packages/template (FOR package.json FILES, PLEASE EDIT package-template.json)", "name": "@stackframe/stack", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "sideEffects": false, "main": "./dist/index.js", diff --git a/packages/tanstack-start/package.json b/packages/tanstack-start/package.json index 69a4bc026..b6499aa35 100644 --- a/packages/tanstack-start/package.json +++ b/packages/tanstack-start/package.json @@ -1,7 +1,7 @@ { "//": "THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY, INSTEAD EDIT THE CORRESPONDING FILE IN packages/template (FOR package.json FILES, PLEASE EDIT package-template.json)", "name": "@stackframe/tanstack-start", - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "sideEffects": false, "main": "./dist/index.js", diff --git a/packages/template/package-template.json b/packages/template/package-template.json index 5c5bf0ede..9d2299b20 100644 --- a/packages/template/package-template.json +++ b/packages/template/package-template.json @@ -13,7 +13,7 @@ "//": "NEXT_LINE_PLATFORM template", "private": true, - "version": "2.8.102", + "version": "2.8.103", "repository": "https://github.com/hexclave/stack-auth", "sideEffects": false, "main": "./dist/index.js", diff --git a/packages/template/package.json b/packages/template/package.json index c67aae1f2..898c98acd 100644 --- a/packages/template/package.json 
+++ b/packages/template/package.json
@@ -2,7 +2,7 @@
 "//": "THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY, INSTEAD EDIT THE CORRESPONDING FILE IN packages/template (FOR package.json FILES, PLEASE EDIT package-template.json)",
 "name": "@stackframe/template",
 "private": true,
- "version": "2.8.102",
+ "version": "2.8.103",
 "repository": "https://github.com/hexclave/stack-auth",
 "sideEffects": false,
 "main": "./dist/index.js",
diff --git a/sdks/implementations/swift/package.json b/sdks/implementations/swift/package.json
index 71f460aac..1d0b0c881 100644
--- a/sdks/implementations/swift/package.json
+++ b/sdks/implementations/swift/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@stackframe/swift-sdk",
- "version": "2.8.102",
+ "version": "2.8.103",
 "private": true,
 "description": "Stack Auth Swift SDK",
 "scripts": {
diff --git a/sdks/spec/package.json b/sdks/spec/package.json
index bd3247f3d..4d22d78aa 100644
--- a/sdks/spec/package.json
+++ b/sdks/spec/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@stackframe/sdk-spec",
- "version": "2.8.102",
+ "version": "2.8.103",
 "private": true,
 "description": "Stack Auth SDK specification files",
 "scripts": {}
From 281701e99d6b4bba2ef985aaf6554693f3719b42 Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend
Date: Sat, 23 May 2026 11:17:46 -0700
Subject: [PATCH 4/4] Fix CI
---
 apps/backend/src/route-handlers/smart-request.tsx | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/apps/backend/src/route-handlers/smart-request.tsx b/apps/backend/src/route-handlers/smart-request.tsx
index 2562c599d..17e31219f 100644
--- a/apps/backend/src/route-handlers/smart-request.tsx
+++ b/apps/backend/src/route-handlers/smart-request.tsx
@@ -325,12 +325,7 @@ const parseAuth = withTraceSpan('smart request parseAuth', async (req: NextReque
 throw new KnownErrors.BranchDoesNotExist(branchId);
 }
 
- // As explained above, as a performance optimization we already fetch the user from the global database optimistically
- // If it turned out that the source-of-truth is not the global database, we'll fetch the user from the source-of-truth
- // database instead.
- const user = tenancy.config.sourceOfTruth.type === "hosted"
- ? await queriesResults.userIfOnGlobalPrismaClient
- : (userId ? await getUser({ userId, projectId, branchId }) : undefined);
+ const user = await queriesResults.userIfOnGlobalPrismaClient;
 
 return {
 project,
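Review bot: `user` is now always taken from `queriesResults.userIfOnGlobalPrismaClient`, so for a tenancy whose `sourceOfTruth.type` is not `"hosted"` the authenticated user no longer comes from the source-of-truth database. The removed comment described the global lookup as an optimistic shortcut only; unless that promise was changed elsewhere to resolve the right record, `parseAuth` may see a missing or stale user for such tenancies and base the request's auth context on it. The new line should at least carry the reasoning, e.g. `// TODO(review): confirm userIfOnGlobalPrismaClient is correct when sourceOfTruth.type !== "hosted"`, and a test with a non-hosted tenancy would pin the behaviour. A change to request authentication under the subject "Fix CI" is also easy to miss in history, so the commit message should name it. `parseAuth` starts and ends outside the hunk.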