CodeCow/stack
1
0
Fork 0
mirror of https://github.com/stack-auth/stack.git synced 2026-06-27 21:01:03 +08:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
38ae913fc9
stack/packages/template/src/lib/auth.ts
BilalG1 38ae913fc9
Some checks failed
all-good: Did all the other checks pass? / all-good (push) Has been cancelled
Details
Ensure Prisma migrations are in sync with the schema / check_prisma_migrations (22.x) (push) Has been cancelled
Details
DB migration compat / Check if migrations changed (push) Has been cancelled
Details
Docker Server Build and Push / Docker Build and Push Server (push) Has been cancelled
Details
Docker Server Build and Run / docker (push) Has been cancelled
Details
Runs E2E API Tests (Local Emulator) / E2E Tests (Local Emulator, Node ${{ matrix.node-version }}) (22.x) (push) Has been cancelled
Details
Runs E2E API Tests / E2E Tests (Node ${{ matrix.node-version }}, Freestyle ${{ matrix.freestyle-mode }}) (mock, 22.x) (push) Has been cancelled
Details
Runs E2E API Tests / E2E Tests (Node ${{ matrix.node-version }}, Freestyle ${{ matrix.freestyle-mode }}) (prod, 22.x) (push) Has been cancelled
Details
Runs E2E API Tests with custom port prefix / build (22.x) (push) Has been cancelled
Details
Runs E2E Fallback Tests / E2E Fallback Tests (Node ${{ matrix.node-version }}) (22.x) (push) Has been cancelled
Details
Lint & build / lint_and_build (24) (push) Has been cancelled
Details
TOC Generator / TOC Generator (push) Has been cancelled
Details
DB migration compat / Back-compat — Current branch migrations with ${{ needs.check-migrations-changed.outputs.base_branch }} branch code (push) Has been cancelled
Details
DB migration compat / Forward-compat — Current branch code with ${{ needs.check-migrations-changed.outputs.base_branch }} branch migrations (push) Has been cancelled
Details
DB migration compat / No migration changes (skipped) (push) Has been cancelled
Details
Rename STACK_* env vars to HEXCLAVE_* in env templates, with legacy dual-read (#1588) 
## Summary

Completes the env-var side of the Hexclave rebrand: every
`STACK_*`-prefixed variable (including `NEXT_PUBLIC_STACK_*` and
`VITE_STACK_*`) is renamed to `HEXCLAVE_*` across all checked-in `.env`,
`.env.development`, and `.env.example` files (30 files, ~135 keys).
Legacy `STACK_*` names keep working everywhere via dual-read, so
**existing deployments, `.env.local` files, and self-hosted setups need
no immediate migration**.

## How legacy names keep working

- **Server code** already resolves `HEXCLAVE_*` first with `STACK_*`
fallback via `getEnvVariable`. Direct `process.env.STACK_X` readers fed
by the renamed files (prisma seed, e2e tests/helpers, internal-tool
scripts, examples, `prisma.config.ts`) now read `HEXCLAVE_X || STACK_X`.
- **Client code** (Next.js build-time inlining) uses literal dual-read
expressions; the dashboard's `_inlineEnvVars` already had them.
- **Docker/self-hosting**: `docker/server/entrypoint.sh` (shared by the
server and local-emulator images) gets a generic two-way
`HEXCLAVE_`↔`STACK_` env mirror — runs at startup and again before
sentinel replacement — replacing the previous URL-trio-only mirror.
Operators can use either prefix.

## The empty-placeholder trap (`||` vs `??`)

The checked-in templates define empty placeholders (`HEXCLAVE_X=#
comment` parses to `""` via dotenv). With `?? `-based fallbacks, that
empty string would silently shadow a real value under the legacy name —
including legacy vars set in Vercel/CI env at build time, since the
tracked `.env` is present during builds. All fallback chains therefore
treat empty-as-unset (`||`):

- `getEnvVariable` and `getProcessEnv` in `packages/shared`
- the dashboard/docs/example literal dual-reads
- the generated SDK env getters (via
`packages/template/scripts/generate-env.ts`; the generated
`src/generated/env.ts` files are gitignored and regenerate at build)

## Other notable changes

- Tests that override env now set the canonical `HEXCLAVE_*` name (it
wins over `STACK_*`): e2e `cross-domain-auth`, backend
`internal-feedback-emails` in-source test.
- e2e `helpers.ts` port-prefix expansion loop also matches the
`HEXCLAVE_` prefixes.
- `docker/local-emulator/generate-env-development.mjs` reads source keys
canonically (legacy fallback) and emits canonical keys; regenerated
output matches.
- `rotate-secrets.sh` falls back to
`HEXCLAVE_DATABASE_CONNECTION_STRING`.
- Docs code snippets (`docs/code-examples`) renamed outright to
canonical names, consistent with #1571.
- OAuth callback `console.warn` in `packages/template/src/lib/auth.ts`
now says Hexclave.

## Migration note for the team

Local `.env.local` files with legacy `STACK_*` overrides keep working
**unless** the override targets a var that `.env.development` now sets
to a real (non-empty) `HEXCLAVE_*` value — the canonical name wins over
file precedence. Rename those keys in your `.env.local` once.

## Verification

- `typecheck` + `lint` pass on every touched package (shared, backend,
dashboard, e2e, internal-tool, cli, docs, template). Pre-existing
failures on dev (`admin-app-impl.ts` typecheck, dashboard metrics-page
errors) are unchanged (identical error counts with/without this change).
- `getEnvVariable`/`getProcessEnv` fallback semantics smoke-tested
directly (empty-HEXCLAVE → legacy fallback, HEXCLAVE wins when set,
defaults intact).
- `internal-feedback-emails` in-source vitest passes; emulator env
generator `--check` passes; `bash -n` on touched shell scripts.
- Two independent review agents audited the diff for correctness bugs
and coverage gaps; all confirmed findings are fixed in the third commit.

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Renamed all `STACK_*` env vars (including
`NEXT_PUBLIC_STACK_*`/`VITE_STACK_*`) to `HEXCLAVE_*` across env
templates and code, with dual‑read that treats empty as unset, detects
conflicts, ignores post‑build sentinels, and falls back to legacy names.
All GitHub Actions now use `HEXCLAVE_*`; local‑emulator e2e is fixed by
setting `NEXT_PUBLIC_HEXCLAVE_IS_LOCAL_EMULATOR` in CI.

- **Refactors**
- Added conflict‑aware dual‑read helpers (prefer `HEXCLAVE_*`,
empty‑as‑unset, ignore post‑build sentinels, preserve empty passthrough)
and used them across `packages/shared` (resolver + tests),
`apps/dashboard` inline/public envs (with tests), `apps/backend` Prisma
config/seed and vitest (accept both prefixes), `packages/cli`
(API/Dashboard URLs, project ID, `HEXCLAVE_EMULATOR_HOME`; tests),
Docker (`entrypoint.sh` mirroring + `rotate-secrets.sh` DB URL),
docs/components (`docs/src/lib/env.ts`), and examples; hosted/Vite apps
now error if both spellings differ.
- Port‑prefix expansion includes `HEXCLAVE_*`; backend tests use a new
helper to resolve DB connection strings; Prisma prefers
`HEXCLAVE_DATABASE_CONNECTION_STRING` with legacy fallback.
- Generated SDK env getters use plain `HEXCLAVE_*` || `STACK_*` (no
conflict throw); dashboard inline resolver preserves empty/sentinel
passthrough to avoid build failures; docs/examples include dual‑read
utilities.
- Tests now stub canonical `HEXCLAVE_*` flags (e.g., plan limits, bot
challenge, OAuth tokens, hosted handler) to avoid shadowing/conflict
with committed defaults.

- **Migration**
  - No immediate action; legacy `STACK_*` names still work.
- If both names are set with different values, builds/scripts error. Set
only `HEXCLAVE_*` or make both equal.
- SDK consumers won’t see conflict throws; update env names to
`HEXCLAVE_*` over time.

<sup>Written for commit 7539fb9fbf.
Summary will update on new commits.</sup>

<a
href="https://cubic.dev/pr/hexclave/hexclave/pull/1588?utm_source=github"
target="_blank" rel="noopener noreferrer"
data-no-image-dialog="true"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://www.cubic.dev/buttons/review-in-cubic-dark.svg"><source
media="(prefers-color-scheme: light)"
srcset="https://www.cubic.dev/buttons/review-in-cubic-light.svg"><img
alt="Review in cubic"
src="https://www.cubic.dev/buttons/review-in-cubic-dark.svg"></picture></a>

<!-- End of auto-generated description by cubic. -->

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Migrated environment variable names from the legacy `STACK_*` prefix
to the new `HEXCLAVE_*` prefix across backend, dashboard, tooling,
Docker, and examples.
* Updated environment/config resolution to prefer `HEXCLAVE_*`, treat
empty strings as unset, and detect conflicts when both `STACK_*` and
`HEXCLAVE_*` are set to different values.
* Updated local emulator, server startup, and env-generation workflows
to use the new names (with legacy fallback where applicable).
* **Documentation**
  * Updated docs and code examples to reference `HEXCLAVE_*` variables.
* **Tests**
* Refreshed unit and e2e coverage to validate dual-read behavior,
conflict detection, and empty-value handling.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-06-19 18:58:53 -07:00

206 lines
7.0 KiB
TypeScript
Raw Blame History

import { KnownError, KnownErrors, HexclaveClientInterface } from "@hexclave/shared";
import { InternalSession } from "@hexclave/shared/dist/sessions";
import { HexclaveAssertionError, throwErr } from "@hexclave/shared/dist/utils/errors";
import { Result } from "@hexclave/shared/dist/utils/results";
import { deindent } from "@hexclave/shared/dist/utils/strings";
import { constructRedirectUrl } from "../utils/url";
import { consumeVerifierAndStateCookie, saveVerifierAndState } from "./cookie";
export async function getNewOAuthProviderOrScopeUrl(
iface: HexclaveClientInterface,
options: {
provider: string,
redirectUrl: string,
errorRedirectUrl: string,
providerScope?: string,
},
session: InternalSession,
): Promise<string> {
const { codeChallenge, state } = await saveVerifierAndState();
return await iface.getOAuthUrl({
provider: options.provider,
redirectUrl: constructRedirectUrl(options.redirectUrl, "redirectUrl"),
errorRedirectUrl: constructRedirectUrl(options.errorRedirectUrl, "errorRedirectUrl"),
afterCallbackRedirectUrl: constructRedirectUrl(window.location.href, "afterCallbackRedirectUrl"),
codeChallenge,
state,
type: "link",
session,
providerScope: options.providerScope,
});
}
/**
* Checks if the current URL has the query parameters for an OAuth callback, and if so, removes them.
*
* Must be synchronous for the logic in callOAuthCallback to work without race conditions.
*/
type OAuthCallbackConsumptionResult =
| {
type: "oauth-response",
originalUrl: URL,
codeVerifier: string,
state: string,
}
| {
type: "known-error",
error: KnownError,
};
const oauthErrorParams = ["error", "error_description", "errorCode", "message", "details"] as const;
function removeOAuthErrorParamsFromHistory(originalUrl: URL): void {
const newUrl = new URL(originalUrl);
for (const param of oauthErrorParams) {
newUrl.searchParams.delete(param);
}
window.history.replaceState({}, "", newUrl.toString());
}
function getProviderOAuthErrorFromUrl(originalUrl: URL): KnownError | null {
const providerError = originalUrl.searchParams.get("error");
const providerErrorDescription = originalUrl.searchParams.get("error_description");
if (providerError == null && providerErrorDescription == null) {
return null;
}
switch (providerError) {
case "access_denied":
case "consent_required": {
return new KnownErrors.OAuthProviderAccessDenied();
}
case "server_error":
case "temporarily_unavailable":
default: {
return new KnownErrors.OAuthProviderTemporarilyUnavailable();
}
}
}
function consumeOAuthCallbackQueryParams(options?: {
dontWarnAboutMissingQueryParams?: boolean,
}): OAuthCallbackConsumptionResult | null {
const requiredParams = ["code", "state"];
const originalUrl = new URL(window.location.href);
const knownErrorCode = originalUrl.searchParams.get("errorCode");
const knownErrorMessage = originalUrl.searchParams.get("message");
if (knownErrorCode && knownErrorMessage) {
const details = originalUrl.searchParams.get("details");
let detailsJson = {};
if (details) {
try {
detailsJson = JSON.parse(details);
} catch (error) {
throw new HexclaveAssertionError("OAuth callback returned malformed known-error details", {
details,
cause: error,
});
}
}
removeOAuthErrorParamsFromHistory(originalUrl);
return {
type: "known-error",
error: KnownError.fromJson({
code: knownErrorCode,
message: knownErrorMessage,
details: detailsJson,
}),
};
}
const providerOAuthError = getProviderOAuthErrorFromUrl(originalUrl);
if (providerOAuthError != null && !requiredParams.every(param => originalUrl.searchParams.has(param))) {
removeOAuthErrorParamsFromHistory(originalUrl);
return {
type: "known-error",
error: providerOAuthError,
};
}
for (const param of requiredParams) {
if (!originalUrl.searchParams.has(param)) {
if (!options?.dontWarnAboutMissingQueryParams) {
console.warn(new Error(`Missing required query parameter on OAuth callback: ${param}. Maybe you opened or reloaded the oauth-callback page from your history?`));
}
return null;
}
}
const expectedState = originalUrl.searchParams.get("state") ?? throwErr("This should never happen; isn't state required above?");
const cookieResult = consumeVerifierAndStateCookie(expectedState);
if (!cookieResult) {
// If the state can't be found in the cookies, then the callback wasn't meant for us.
// Maybe the website uses another OAuth library?
console.warn(deindent`
Hexclave found an outer OAuth callback state in the query parameters, but not in cookies.
This could have multiple reasons:
- The cookie expired, because the OAuth flow took too long.
- The user's browser deleted the cookie, either manually or because of a very strict cookie policy.
- The cookie was already consumed by this page, and the user already logged in.
- You are using another OAuth client library with the same callback URL as Hexclave.
- The user opened the OAuth callback page from their history.
Either way, it is probably safe to ignore this warning unless you are debugging an OAuth issue.
`);
return null;
}
const newUrl = new URL(originalUrl);
for (const param of requiredParams) {
newUrl.searchParams.delete(param);
}
// let's get rid of the authorization code in the history as we
// don't redirect to `redirectUrl` if there's a validation error
// (as the redirectUrl might be malicious!).
//
// We use history.replaceState instead of location.assign(...) to
// prevent an unnecessary reload
window.history.replaceState({}, "", newUrl.toString());
return {
type: "oauth-response",
originalUrl,
codeVerifier: cookieResult.codeVerifier,
state: expectedState,
};
}
export async function callOAuthCallback(
iface: HexclaveClientInterface,
redirectUrl: string,
options?: {
dontWarnAboutMissingQueryParams?: boolean,
},
) {
// note: this part of the function (until the return) needs
// to be synchronous, to prevent race conditions when
// callOAuthCallback is called multiple times in parallel
const consumed = consumeOAuthCallbackQueryParams(options);
if (!consumed) return Result.ok(undefined);
if (consumed.type === "known-error") {
throw consumed.error;
}
// the rest can be asynchronous (we now know that we are the
// intended recipient of the callback, and the only instance
// of callOAuthCallback that's running)
try {
return Result.ok(await iface.callOAuthCallback({
oauthParams: consumed.originalUrl.searchParams,
redirectUri: constructRedirectUrl(redirectUrl, "redirectUri"),
codeVerifier: consumed.codeVerifier,
state: consumed.state,
}));
} catch (e) {
if (KnownError.isKnownError(e)) {
throw e;
}
throw new HexclaveAssertionError("Error signing in during OAuth callback. Please try again.", { cause: e });
}
}
Reference in New Issue View Git Blame Copy Permalink