Commit Graph

3 Commits

Author SHA1 Message Date
Mantra
e2dc5f5ee0
[codex] fix OAuth redirect contract (#1393)
## Summary

- Route browser OAuth redirects through the configured `redirectMethod`
instead of hardcoded `window.location` calls.
- Keep OAuth redirect APIs pending after navigation starts, including
custom redirect methods.
- Add `cliAuthConfirm` handler URL metadata and custom-page prompt
coverage.
- Update SDK spec text for browser OAuth callback and `returnTo`
behavior.

## Root Cause

OAuth helpers previously combined URL construction with direct browser
navigation. That bypassed configured redirect methods and made it too
easy for public redirect APIs to resolve after navigation started.

## Impact

Browser SDK consumers get consistent redirect behavior across built-in
and custom navigation methods. `returnTo` is handled as the
post-callback destination while the OAuth callback URL remains fixed to
the configured handler route.

## Validation

- `pnpm test run packages/template/src/lib/auth.test.ts`
- `pnpm test run apps/e2e/tests/js/oauth.test.ts`
- `pnpm -C packages/template lint`
- `pnpm -C apps/e2e lint`
- `pnpm -C packages/template typecheck`
- `pnpm -C apps/e2e typecheck`

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added CLI authorization confirmation page/flow for terminal-based
auth.
* Added optional returnTo parameter for OAuth to control post-auth
redirects.
* Exposed configurable redirect behavior so apps follow the chosen
redirect method.

* **Bug Fixes**
* OAuth callback now uses app navigation/queued redirects and shows a
fallback link instead of forcing location.assign.

* **Tests**
* Added unit and e2e tests covering OAuth URL generation, scope
handling, and CLI auth confirmation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-28 16:33:59 -07:00
Mantra
e59a70783e
Turnstile integration for fraud protection (#1239)
Enhances sign-up process with Turnstile integration for fraud
protection. Builds on top of fraud-protection-temp-emails.

Made with [Cursor](https://cursor.com)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Cloudflare Turnstile bot-protection across signup/sign-in flows
(including SDK JSON mode).
  * Email deliverability checks via Emailable.
* Sign-up risk scoring with persisted risk metrics and country code
tracking.
* UI: country-code selector, risk-score editing in user details, users
list refresh button, and Turnstile signup demo pages.

* **Bug Fixes**
  * Use actual sign-up timestamp for reporting/metrics.

* **Documentation**
* Expanded knowledge base on Turnstile, risk scoring, and env
configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Konstantin Wohlwend <n2d4xc@gmail.com>
Co-authored-by: BilalG1 <bg2002@gmail.com>
Co-authored-by: Armaan Jain <84474476+Developing-Gamer@users.noreply.github.com>
Co-authored-by: nams1570 <amanganapathy@gmail.com>
2026-03-20 21:26:45 +00:00
BilalG1
e15ed03d3c
oauth sign in scope and test (#887)
<!--

Make sure you've read the CONTRIBUTING.md guidelines:
https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md

-->

<!-- ELLIPSIS_HIDDEN -->

----

> [!IMPORTANT]
> Adds `provider_scope` handling to OAuth requests and tests it in a new
`oauth.test.ts` file.
> 
>   - **Behavior**:
> - Adds `provider_scope` handling in `getOAuthUrl()` in
`client-interface.ts` for OAuth requests.
> - New test `oauth.test.ts` to verify `provider_scope` is set correctly
during OAuth sign-in.
>   - **Functions**:
> - Modifies `getOAuthUrl()` in `client-interface.ts` to always set
`provider_scope` if provided.
>   - **Tests**:
> - Adds `oauth.test.ts` to test `provider_scope` addition in OAuth
sign-in flow.
> - Updates `createApp()` in `js-helpers.ts` to accept `appOverrides`
for client and server configurations.
> 
> <sup>This description was created by </sup>[<img alt="Ellipsis"
src="https://img.shields.io/badge/Ellipsis-blue?color=175173">](https://www.ellipsis.dev?ref=stack-auth%2Fstack-auth&utm_source=github&utm_medium=referral)<sup>
for 1873f395b8. You can
[customize](https://app.ellipsis.dev/stack-auth/settings/summaries) this
summary. It will automatically update as commits are pushed.</sup>

<!-- ELLIPSIS_HIDDEN -->

<!-- RECURSEML_SUMMARY:START -->
## Review by RecurseML

_🔍 Review performed on
[1596315..1873f39](15963155e8...1873f395b8)_

| Severity | Location | Issue | Action |
|----------|----------|-------|--------|
| ![Medium](https://img.shields.io/badge/Medium-yellow?style=plastic) |
[apps/e2e/tests/js/oauth.test.ts:49](https://github.com/stack-auth/stack-auth/pull/887#discussion_r2335145911)
| Non-null assertion used instead of ?? throwErr pattern |
[![Dismiss](d1f3c6917f/?repo_owner=stack-auth&repo_name=stack-auth&pr_number=887)
|
| ![Medium](https://img.shields.io/badge/Medium-yellow?style=plastic) |
[apps/e2e/tests/js/oauth.test.ts:51](https://github.com/stack-auth/stack-auth/pull/887#discussion_r2335145939)
| Non-null assertion used instead of ?? throwErr pattern |
[![Dismiss](23c319564c/?repo_owner=stack-auth&repo_name=stack-auth&pr_number=887)
|
| ![Medium](https://img.shields.io/badge/Medium-yellow?style=plastic) |
[apps/e2e/tests/js/oauth.test.ts:30](https://github.com/stack-auth/stack-auth/pull/887#discussion_r2335145974)
| OAuth variable missing type prefix in name |
[![Dismiss](8508261a37/?repo_owner=stack-auth&repo_name=stack-auth&pr_number=887)
|
| ![Medium](https://img.shields.io/badge/Medium-yellow?style=plastic) |
[apps/e2e/tests/js/oauth.test.ts:62](https://github.com/stack-auth/stack-auth/pull/887#discussion_r2335146011)
| Non-null assertion used instead of ?? throwErr pattern |
[![Dismiss](3dbdbb46e7/?repo_owner=stack-auth&repo_name=stack-auth&pr_number=887)
|
| ![Medium](https://img.shields.io/badge/Medium-yellow?style=plastic) |
[apps/e2e/tests/js/oauth.test.ts:63](https://github.com/stack-auth/stack-auth/pull/887#discussion_r2335146041)
| Non-null assertion used instead of ?? throwErr pattern |
[![Dismiss](94c02a9e98/?repo_owner=stack-auth&repo_name=stack-auth&pr_number=887)
|
| ![Low](https://img.shields.io/badge/Low-green?style=plastic) |
[apps/e2e/tests/js/js-helpers.ts:43](https://github.com/stack-auth/stack-auth/pull/887#discussion_r2335146078)
| Variable name 'appOverrides' should be more descriptive to better
indicate its purpose and context |
[![Dismiss](57ad8fdfe7/?repo_owner=stack-auth&repo_name=stack-auth&pr_number=887)
|

<details>
<summary> Files analyzed, no issues (1)</summary>

  • `packages/stack-shared/src/interface/client-interface.ts`
</details>

[![Need help? Join our
Discord](https://img.shields.io/badge/Need%20help%3F%20Join%20our%20Discord-5865F2?style=plastic&logo=discord&logoColor=white)](https://discord.gg/n3SsVDAW6U)
<!-- RECURSEML_SUMMARY:END -->

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* OAuth sign-in and linking now support specifying provider-specific
scopes. When provided, these scopes are included in the authorization
request, ensuring consistent behavior across flows.

* **Bug Fixes**
* Ensures provider-specific OAuth scopes are correctly appended to the
authorization URL whenever supplied.

* **Tests**
* Added end-to-end test validating OAuth redirect behavior and scope
handling with a GitHub provider, including verification of the resulting
authorization URL and parameters.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-09-09 19:21:28 -07:00