mirror of https://github.com/stack-auth/stack.git synced 2026-06-13 21:01:21 +08:00

History

BilalG1 c0fefd3b7a feat(backend): dual-accept hexclave-mobile-oauth-url:// alongside legacy scheme (#1501 ) ## What 1. Backend dual-accept: `isAcceptedNativeAppUrl()` accepts both `stack-auth-mobile-oauth-url://` (legacy) and `hexclave-mobile-oauth-url://` (canonical). 2. Swift SDK switches to the canonical scheme: `StackAuth` Swift SDK now emits and intercepts `hexclave-mobile-oauth-url://` for native-app OAuth callbacks. Before this PR, `hexclave-mobile-oauth-url` existed only inside `RENAME-TO-HEXCLAVE.md` — not in any code. ## Why the Swift SDK change is safe The Swift SDK uses `ASWebAuthenticationSession(url:callbackURLScheme:completion:)` ([StackClientApp.swift:197-199](sdks/implementations/swift/Sources/StackAuth/StackClientApp.swift#L197)). With this API, iOS intercepts the callback scheme ephemerally — no `Info.plist` registration is required. The Swift SDK source has no `Info.plist`, and the example apps' `pbxproj` registers no `CFBundleURLSchemes`. So: - New customer builds against the updated SDK → emit new scheme → backend accepts → `ASWebAuthenticationSession` intercepts on new scheme → works. - Already-shipped customer App Store binaries on older SDK versions → emit old scheme → backend still accepts → works. - No customer ever has to update an `Info.plist`. The only real backward-compat constraint is that the backend can never drop the old scheme (already-shipped customer binaries have the constant baked into them). Hence the dual-accept. (Note: `RENAME-TO-HEXCLAVE.md` line 88 incorrectly attributes the constraint to `Info.plist` registration. That's not how the SDK works — the scheme is baked into the SDK binary, not the customer's plist. The fix described in that doc is essentially the right shape; only the mechanism description is wrong.) ## Changes \| File \| Change \| \|---\|---\| \| `packages/stack-shared/src/utils/redirect-urls.tsx` \| `isAcceptedNativeAppUrl()` accepts either protocol. \| \| `apps/backend/src/lib/redirect-urls.test.tsx` \| Adds positive assertions for the new scheme in `isAcceptedNativeAppUrl`; parity negative assertions in `validateRedirectUrl`. \| \| `sdks/implementations/swift/Sources/StackAuth/StackClientApp.swift` \| `callbackScheme` → `"hexclave-mobile-oauth-url"`; fatalError example strings updated. \| \| `sdks/implementations/swift/Tests/StackAuthTests/OAuthTests.swift` \| Test fixture URLs updated (no assertions depend on the scheme literal). \| \| `sdks/implementations/swift/Examples/StackAuthiOS/.../StackAuthiOSApp.swift` \| Default values in the example UI. \| \| `sdks/implementations/swift/Examples/StackAuthMacOS/.../StackAuthMacOSApp.swift` \| Default values in the example UI. \| \| `sdks/implementations/swift/README.md` \| Documents the new canonical scheme; compat note for the legacy one. \| \| `sdks/spec/src/apps/client-app.spec.md` \| New scheme is canonical; legacy is "accepted indefinitely for already-shipped customer app binaries built against older SDK versions." \| ## Verification - `pnpm test run apps/backend/src/lib/redirect-urls.test.tsx` — 34/34 passing (was 33; one new `it` block plus parity assertions). - `pnpm --filter @stackframe/stack-shared --filter @stackframe/backend run lint` — clean. - `pnpm --filter @stackframe/stack-shared --filter @stackframe/backend run typecheck` — clean. - Swift assertions in `OAuthTests.swift` do not check the scheme literal — they only check `oauth/authorize/<provider>`, state/verifier non-emptiness, and that `redirectUrl` round-trips. The fixture-value change is mechanical. ## Risk Low. Backend behavior strictly widens (every URL accepted before is still accepted). Swift SDK change is internal to OAuth callback handling, requires no customer migration, and is paired with the backend dual-accept landing in the same PR. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Adopted the canonical OAuth callback scheme "hexclave-mobile-oauth-url://" for native apps while continuing to accept the legacy "stack-auth-mobile-oauth-url://". * Documentation * Updated SDK docs, examples, and spec guidance to reference the canonical callback scheme and clarify legacy acceptance. * Tests & Samples * Updated tests and example apps to use and validate the canonical scheme. * Style * Rebranded the dev-tool trigger icon to the new Hexclave monochrome logo. <!-- review_stack_entry_start --> [![Review Change Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/hexclave/stack-auth/pull/1501?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai -->		2026-05-27 15:44:06 -07:00
..
scripts	feat(hexclave): PR 1 — wire compatibility layer (invisible) (#1475 )	2026-05-23 17:24:55 -07:00
src	feat(backend): dual-accept hexclave-mobile-oauth-url:// alongside legacy scheme (#1501 )	2026-05-27 15:44:06 -07:00
.env	Vanilla JS client library (#408 )	2025-02-08 02:31:03 +01:00
.eslintrc.cjs	New { type: "hosted" } for page URLs (#1261 )	2026-03-27 14:48:01 -07:00
.gitignore	Vanilla JS client library (#408 )	2025-02-08 02:31:03 +01:00
components.json	Vanilla JS client library (#408 )	2025-02-08 02:31:03 +01:00
LICENSE	Vanilla JS client library (#408 )	2025-02-08 02:31:03 +01:00
next-env.d.ts	Vanilla JS client library (#408 )	2025-02-08 02:31:03 +01:00
package-template.json	feat(hexclave): PR 2 — visible rebrand (Hexclave brand goes public) (#1481 )	2026-05-26 19:18:20 -07:00
package.json	feat(hexclave): PR 2 — visible rebrand (Hexclave brand goes public) (#1481 )	2026-05-26 19:18:20 -07:00
postcss.config.js	Vanilla JS client library (#408 )	2025-02-08 02:31:03 +01:00
quetzal.config.json	Vanilla JS client library (#408 )	2025-02-08 02:31:03 +01:00
README.md	feat(hexclave): PR 2 — visible rebrand (Hexclave brand goes public) (#1481 )	2026-05-26 19:18:20 -07:00
tailwind.config.js	Vanilla JS client library (#408 )	2025-02-08 02:31:03 +01:00
tsconfig.json	In-source unit tests (#429 )	2025-02-14 11:47:52 -08:00
tsdown.config.ts	Fix build	2026-02-27 00:48:07 -08:00
vitest.config.ts	[codex] Add TanStack Start SDK integration (#1399 )	2026-05-08 10:59:16 -07:00

README.md

Hexclave: Open-source Clerk/Auth0 alternative

📘 Docs | ☁️ Hosted Version | ✨ Demo | 🎮 Discord | GitHub

Hexclave is a managed user authentication solution. It is developer-friendly and fully open-source (licensed under MIT and AGPL).

Hexclave gets you started in just five minutes, after which you'll be ready to use all of its features as you grow your project. Our managed service is completely optional and you can export your user data and self-host, for free, at any time.

We support Next.js frontends, along with any backend that can use our REST API. Check out our setup guide to get started.

📦 Installation & Setup

Run Hexclave's installation wizard with the following command:
```
npx @hexclave/cli@latest init
```
Then, create an account on the Hexclave dashboard, create a new project with an API key, and copy its environment variables into the .env.local file of your Next.js project:
```
NEXT_PUBLIC_STACK_PROJECT_ID=<your-project-id>
NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY=<your-publishable-client-key>
STACK_SECRET_SERVER_KEY=<your-secret-server-key>
```
That's it! You can run your app with npm run dev and go to http://localhost:3000/handler/signup to see the sign-up page. You can also check out the account settings page at http://localhost:3000/handler/account-settings.

Check out the documentation for a more detailed guide.