CodeCow/stack
1
0
Fork 0
mirror of https://github.com/stack-auth/stack.git synced 2026-06-21 21:09:49 +08:00
Code Issues Actions 29 Packages Projects Releases Wiki Activity
5eedb484e1
stack/packages/shared/src/utils/jwt.tsx
BilalG1 c14a9dd3d0
feat(hexclave): PR 5 — internal symbol/path/package renames + brand strings (#1547) 
## Stack Auth → Hexclave rename — PR 5 (internal symbols, paths,
packages, brand strings)

PR 5 finishes the **internal / non-wire** half of the Stack→Hexclave
rename. It only touches things where nothing outside the repo depends on
the exact name: internal symbols, file/dir names, the
`@stackframe/template` package, and residual brand strings. Plan +
progress are in `HEXCLAVE-RENAME-PR5-PLAN.md`.

Every step was verified green (`pnpm typecheck` + `pnpm lint`, 28/28)
and committed as its own checkpoint, then a fan-out of review agents
audited all commits and the findings were fixed.

### What changed
- **Internal symbols** (`@hexclave/shared`, `packages/template`, apps):
`stack*`/`Stack*` → `hexclave*`/`Hexclave*` — incl.
`stackGlobalsSymbol`, the `_Stack*AppImpl` classes,
`stackAppInternalsSymbol`, `StackContext`, `getStackStripe`, etc. The
`stack*App` local-variable convention
(`stackServerApp`/`stackClientApp`/…) was renamed across 175
source/example/doc files.
- **File renames**: `hexclave-handler/provider/context.tsx`,
`backend/hexclave.tsx`, `internal-tool/hexclave.ts`,
`hexclave-app-internals.ts`.
- **Directory renames**: `lib/hexclave-app`, `hexclave-companion`,
`[...hexclave]` route segment, `skills/hexclave`,
`dashboard/src/hexclave`, and the package dirs
**`packages/{next,shared,ui,sc,cli}`** (dropping the `stack-` prefix to
match the `@hexclave/*` npm names).
- **Packages**: `@stackframe/template` → `@hexclave/template`; **deleted
`packages/init-stack`** (onboarding lives in `@hexclave/cli init`; the
published npm package is untouched).
- **Brand strings**: reworded `Stack Auth`/`Stack dashboard` prose in
code + docs-mintlify, renamed `hexclave-app.mdx`/`use-hexclave-app.mdx`
with redirects, regenerated OpenAPI, updated coupled e2e assertions;
`doctor`/`init` now prefer `hexclave.config.ts`.

### Intentionally kept (verified, not oversights)
Wire/compat identifiers (`x-stack-*` headers, `stack-*` cookies,
`STACK_*` env names, `*.stack-auth.com`, `stackauth_`, `ask_stack_auth`,
query params), public `Stack*` SDK aliases, crypto/JWT/vault
domain-separation tags, `*-brand-sentinel`s, the
`Symbol.for("StackAuth--…")` string, `_stack_sync_metadata`, Postgres
`stackframe` / docker image names, the `stack-auth-logo*.svg` (used by
the rebrand modal), and `migration.mdx` / "formerly known as Stack Auth"
notes. False positives (Phosphor `StackIcon`/`StackSimple`, `TanStack`,
`OrbStack`, `stackable`/`Stacked` charts) left alone.

### Review pass
Six review agents audited all commits. Found + fixed one real bug — a
build script (`bundle-type-definitions.ts`) hardcoded the old
`lib/stack-app` glob path (not an import, so typecheck/lint were blind),
silently emptying the dashboard AI type bundle — plus stale comments, a
dead CI env var, and stale `.gitignore`/`.dockerignore` entries.
Cross-cutting audit confirmed **zero wire-compat identifiers were
accidentally renamed**.

### ⚠️ Verification note
`typecheck` + `lint` are fully green locally. The **e2e suite was not
run** (needs a live backend+DB), so the brand-string assertion +
OpenAPI-regen changes are verified by grep/codegen only — please let CI
exercise e2e to confirm.

### Base-branch note
This branch was forked from the local-only `cl/friendly-lewin-72293f`
(not on origin, no separate PR), so this PR against `dev` also carries
that branch's ~11 preceding Hexclave-rename commits (config-file rename,
env-var dual-read, AI setup-prompt rebrand). If those should land
separately, re-parent before merge.

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Finishes the internal Stack Auth → Hexclave rename and cleans up
remaining stragglers, including dev-tool and prompt copy. All changes
are internal-only; public/wire APIs remain unchanged. Re-merged `dev`
and resolved the payments create-purchase-url conflict.

- **Refactors**
- Internal symbols: stack*/Stack* → hexclave*/Hexclave* (e.g.,
`getHexclaveServerApp` via `@/hexclave`, `getHexclaveStripe`,
`hexclaveAppInternalsSymbol`, `hexclaveSchemaInfo`, Prisma
`__hexclave_*`, `data-hexclave-handler-page`, Stripe mock
`hexclavePortPrefix`).
- Files/dirs: moved to `lib/hexclave-app`; handler route
`[...hexclave]`; backend entry `src/hexclave.tsx`; dashboard internals
`hexclave-app-internals`; companion `hexclave-companion`; dropped
`stack-` prefix across package dirs
(`packages/{shared,ui,sc,cli,next}`); workflows/emulator paths now
`packages/cli`; Quetzal codegen env at `packages/next/.env.local`.
- Packages/docs: `@stackframe/template` → `@hexclave/template`; removed
`packages/init-stack`; regenerated OpenAPI and updated docs
slugs/redirects for hexclave-app/use-hexclave-app.
- Brand strings/prompts: reworded remaining “Stack” dashboard strings to
Hexclave; updated dev-tool copy and prompts; `doctor/init` now prefer
`hexclave.config.ts`. Kept all wire-compat identifiers and public
aliases (`x-stack-*`, `stack-*` cookies, `STACK_*` env,
`*.stack-auth.com`, `Stack*` SDK names).
- Rebased/merged onto latest `dev`: retained `@hexclave/template`, kept
`src` in published files, refreshed setup-prompt imports and docs JSON,
adopted 1.0.5 version bumps, and re-merged `dev` again (resolved
`create-purchase-url` with `getHexclaveStripe`).

- **Bug Fixes**
- Restored dashboard AI type bundle by pointing the glob to
`packages/template/src/lib/hexclave-app`.
- Addressed rename leftovers: updated lingering `@/stack` imports and
CSS selector, fixed schema/meta and port-prefix expansions, and aligned
emulator commands to `packages/cli`.
- CI/build: removed a dead env var and stale ignore entries; fixed
Docker by renaming `STACK_SKIP_TEMPLATE_GENERATION` →
`HEXCLAVE_SKIP_TEMPLATE_GENERATION`.

<sup>Written for commit 3c1af3bff3.
Summary will update on new commits.</sup>

<a
href="https://cubic.dev/pr/hexclave/hexclave/pull/1547?utm_source=github"
target="_blank" rel="noopener noreferrer"
data-no-image-dialog="true"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cubic.dev/buttons/review-in-cubic-dark.svg"><source
media="(prefers-color-scheme: light)"
srcset="https://cubic.dev/buttons/review-in-cubic-light.svg"><img
alt="Review in cubic"
src="https://cubic.dev/buttons/review-in-cubic-dark.svg"></picture></a>

<!-- End of auto-generated description by cubic. -->
2026-06-03 18:57:09 -07:00

171 lines
5.6 KiB
TypeScript
Raw Blame History

import crypto from "crypto";
import elliptic from "elliptic";
import * as jose from "jose";
import { JOSEError } from "jose/errors";
import { encodeBase64Url } from "./bytes";
import { getEnvVariable } from "./env";
import { HexclaveAssertionError, errorToNiceString } from "./errors";
import { globalVar } from "./globals";
import { pick } from "./objects";
import { Result } from "./results";
import { nicify } from "./strings";
function getHexclaveServerSecret() {
const STACK_SERVER_SECRET = getEnvVariable("STACK_SERVER_SECRET");
try {
jose.base64url.decode(STACK_SERVER_SECRET);
} catch (e) {
throw new HexclaveAssertionError("STACK_SERVER_SECRET is not valid. Please use the generateKeys script to generate a new secret.", { cause: e });
}
return STACK_SERVER_SECRET;
}
export async function getJwtInfo(options: {
jwt: string,
}) {
try {
if (typeof options.jwt !== "string") return Result.error({ error: "JWT input is not a string!", stringifiedInput: nicify(options.jwt) });
if (!options.jwt.startsWith("ey")) return Result.error({ error: "Input is a string, but not a JWT!", input: options.jwt });
const decodedJwt = jose.decodeJwt(options.jwt);
return Result.ok({ payload: decodedJwt });
} catch (e) {
return Result.error({
exception: errorToNiceString(e),
});
}
}
export async function signJWT(options: {
issuer: string,
audience: string,
payload: any,
expirationTime?: string,
}) {
const privateJwks = await getPrivateJwks({ audience: options.audience });
const privateKey = await jose.importJWK(privateJwks[0]);
return await new jose.SignJWT(options.payload)
.setProtectedHeader({ alg: "ES256", kid: privateJwks[0].kid })
.setIssuer(options.issuer)
.setIssuedAt()
.setAudience(options.audience)
.setExpirationTime(options.expirationTime || "5m")
.sign(privateKey);
}
export async function verifyJWT(options: {
allowedIssuers: string[],
jwt: string,
}) {
const decodedJwt = jose.decodeJwt(options.jwt);
const audience = decodedJwt.aud;
if (!audience || typeof audience !== "string") {
throw new JOSEError("Invalid JWT audience");
}
const jwkSet = jose.createLocalJWKSet(await getPublicJwkSet(await getPrivateJwks({ audience })));
const verified = await jose.jwtVerify(options.jwt, jwkSet, { issuer: options.allowedIssuers });
return verified.payload;
}
export type PrivateJwk = {
kty: "EC",
alg: "ES256",
crv: "P-256",
kid: string,
d: string,
x: string,
y: string,
};
async function getPrivateJwkFromDerivedSecret(derivedSecret: string, kid: string): Promise<PrivateJwk> {
const secretHash = await globalVar.crypto.subtle.digest("SHA-256", jose.base64url.decode(derivedSecret));
const priv = new Uint8Array(secretHash);
const ec = new elliptic.ec('p256');
const key = ec.keyFromPrivate(priv);
const publicKey = key.getPublic();
return {
kty: 'EC',
crv: 'P-256',
alg: 'ES256',
kid: kid,
d: encodeBase64Url(priv),
x: encodeBase64Url(publicKey.getX().toBuffer()),
y: encodeBase64Url(publicKey.getY().toBuffer()),
};
}
/**
* Returns a list of valid private JWKs for the given audience, with the first one taking precedence when signing new
* JWTs.
*/
export async function getPrivateJwks(options: {
audience: string,
}): Promise<PrivateJwk[]> {
const getHashOfJwkInfo = (type: string) => jose.base64url.encode(
crypto
.createHash('sha256')
.update(JSON.stringify([type, getHexclaveServerSecret(), {
audience: options.audience,
}]))
.digest()
);
// NOTE (Hexclave rebrand): do NOT rename these "stack-*" literals. They are hashed into the
// per-audience JWT signing secret and key id (kid); renaming them would rotate every project's
// JWKS and invalidate all already-issued access tokens. Internal constants, never user-visible.
const perAudienceSecret = getHashOfJwkInfo("stack-jwk-audience-secret");
const perAudienceKid = getHashOfJwkInfo("stack-jwk-kid").slice(0, 12);
const oldPerAudienceSecret = oldGetPerAudienceSecret({ audience: options.audience });
const oldPerAudienceKid = oldGetKid({ secret: oldPerAudienceSecret });
return [
// TODO next-release: make this not take precedence; then, in the release after that, remove it entirely
await getPrivateJwkFromDerivedSecret(oldPerAudienceSecret, oldPerAudienceKid),
await getPrivateJwkFromDerivedSecret(perAudienceSecret, perAudienceKid),
];
}
export type PublicJwk = {
kty: "EC",
alg: "ES256",
crv: "P-256",
kid: string,
x: string,
y: string,
};
export async function getPublicJwkSet(privateJwks: PrivateJwk[]): Promise<{ keys: PublicJwk[] }> {
return {
keys: privateJwks.map(jwk => pick(jwk, ["kty", "alg", "crv", "x", "y", "kid"])),
};
}
function oldGetPerAudienceSecret(options: {
audience: string,
}) {
if (options.audience === "kid") {
throw new HexclaveAssertionError("You cannot use the 'kid' audience for a per-audience secret, see comment below in jwt.tsx");
}
return jose.base64url.encode(
crypto
.createHash('sha256')
// TODO we should prefix a string like "stack-audience-secret" before we hash so you can't use `getKid(...)` to get the secret for eg. the "kid" audience if the same secret value is used
// Sadly doing this modification is a bit annoying as we need to leave the old keys to be valid for a little longer
.update(JSON.stringify([getHexclaveServerSecret(), options.audience]))
.digest()
);
};
export function oldGetKid(options: {
secret: string,
}) {
return jose.base64url.encode(
crypto
.createHash('sha256')
.update(JSON.stringify([options.secret, "kid"])) // TODO see above in getPerAudienceSecret
.digest()
).slice(0, 12);
}
Reference in New Issue View Git Blame Copy Permalink