stack/apps/e2e
Will ec3875d1b7
Change JWT issuer (#656)
This PR addresses #651

The `iss` domain [should
be](https://mojoauth.com/glossary/jwt-issuer/#:~:text=The%20authorization%20server%20can%20then%20use%20the%20%22iss%22%20claim%20to%20verify%20the%20validity%20of%20the%20JWT%2C%20and%20to%20determine%20which%20client%20is%20requesting%20access%20to%20the%20protected%20resources.)
a publicly accessible domain that can be used to verify the validity of
the JWT.

I believe this domain should be `api.stack-auth.com` as your `jwks.json`
file is located at this domain
(`https://api.stack-auth.com/api/v1/projects/<your-project-id>/.well-known/jwks.json`)

Alternatively, you could make `jwks.json` available at your
`https://access-token.jwt-signature.stack-auth.com` domain. Currently a
DNS lookup fails:

```
$> nslookup access-token.jwt-signature.stack-auth.com
Server:  one.one.one.one
Address:  1.1.1.1

*** one.one.one.one can't find access-token.jwt-signature.stack-auth.com: Non-existent domain
```

One example of why this is a problem is Convex, which allows auth
integration with any service following the OpenID Connect/JWKs standard.
Upon receiving a JWT, Convex will match the `iss` claim to the [custom
auth
config](https://docs.convex.dev/auth/advanced/custom-auth#server-side-integration)
it should use. It then attempts to connect to `iss` in order to validate
the JWT. If I switch the `iss` (in Convex config) to
`api.stack-auth.com`, then the `iss` claim doesn't match and auth fails.
If I leave it at `https://access-token.jwt-signature.stack-auth.com`,
then Convex tries to connect to
`https://access-token.jwt-signature.stack-auth.com` and gets a DNS
lookup fail and can't verify the token.

This may have implications for currently issued JWTs - so porting this
change may have to be done with care.

----

> [!IMPORTANT]
> Change JWT issuer to `https://api.stack-auth.com` for public accessibility and validation.
>
>   - **Behavior**:
>     - Change JWT `iss` from `https://access-token.jwt-signature.stack-auth.com` to `https://api.stack-auth.com` in `decodeAccessToken()` and `generateAccessToken()` in `tokens.tsx`.
>     - Update test expectation for `iss` in `ensureParsableAccessToken()` in `backend-helpers.ts`.
>   - **Rationale**:
>     - Ensures `iss` is a publicly accessible domain for JWT validation.
>     - Addresses issue #651.

---------

Co-authored-by: Zai Shi <zaishi00@outlook.com>
2025-05-13 22:06:01 +02:00
..
tests Change JWT issuer (#656) 2025-05-13 22:06:01 +02:00
.env Create users & auth endpoints in backend (#85) 2024-07-01 22:42:08 -07:00
.env.development Webhook E2E tests (#428) 2025-02-13 20:29:05 +01:00
.eslintrc.cjs tsup for stack-shared (#647) 2025-04-28 21:26:52 -07:00
CHANGELOG.md chore: update package versions 2025-04-30 11:18:45 -07:00
LICENSE Create users & auth endpoints in backend (#85) 2024-07-01 22:42:08 -07:00
package.json chore: update package versions 2025-04-30 11:18:45 -07:00
tsconfig.json In-source unit tests (#429) 2025-02-14 11:47:52 -08:00
vitest.config.ts Endpoints branching (#659) 2025-04-30 15:39:47 -07:00