Open-source user management solution, with built-in frontend components and an admin dashboard.
BilalG1 fa2baa829d
feat(oauth): per-provider customCallbackUrl for redirect_uri (#1512)
## Summary

Replaces the request-host-header-derived OAuth `redirect_uri` with a
config-driven `customCallbackUrl` field on each environment-level OAuth
provider.

Resolution of the `redirect_uri` we send to providers (and that
customers register in their provider app config):

- **Shared providers** → always the stack-auth-branded callback, so
Stack's shared OAuth apps keep working. `customCallbackUrl` is
schema-forbidden when `isShared` is true.
- **Custom + `customCallbackUrl` set** → the configured URL verbatim.
- **Custom without it (legacy)** → the stack-auth-branded callback, so
providers registered before this field are unaffected.
- **New custom providers set up in the dashboard** → the env-aware
hexclave-branded callback (prod → `api.hexclave.com`, dev/staging →
siblings, self-host/localhost → `NEXT_PUBLIC_STACK_API_URL` unchanged).

## Details

- **Schema** (`schema.ts`, `schema-fields.ts`): optional
`customCallbackUrl` after `clientSecret`, with a `.when('isShared')`
rule rejecting any value for shared providers; added to the provider
default factory.
- **Shared host helper** (`utils/cloud-hosts.tsx`, new):
`CLOUD_HOST_PAIRS` moved into stack-shared with `getCloudApiUrlSiblings`
/ `getStackAuthApiBaseUrl` / `getHexclaveApiBaseUrl`;
`request-api-url.ts` re-exports it so the JWT `iss` logic is untouched.
- **Runtime** (`oauth/index.tsx` + all 13 provider `create()`s):
`getProvider` resolves the full `redirect_uri` from config instead of
the request host; providers now take `redirectUri` instead of `apiUrl`.
The JWT `iss` path still uses the request host.
- **Dashboard** (`page-client.tsx`, `providers.tsx`,
`oauth-callback-url.ts` new): brand-new custom providers get the
hexclave callback; existing providers keep whatever they had (edits
never silently move a registered redirect URL); the displayed Redirect
URL mirrors backend resolution.
- **Docs** (`migration.mdx`): existing `api.stack-auth.com` callbacks
keep working; only recreated providers use the hexclave URL.

## Notes / scope decisions

- **Dashboard-only injection**: SDK/CLI/legacy-config-created custom
providers fall back to the stack-auth callback (they don't auto-get the
hexclave URL).
- **shared → standard** conversions keep the stack-auth fallback rather
than flipping to hexclave (the safe path that never breaks a registered
redirect).

## Test plan

- [x] `typecheck` + `lint` green across stack-shared, backend,
dashboard, e2e
- [x] cloud-hosts unit tests, schema tests, schema fuzzer pass
- [x] e2e: shared-provider `customCallbackUrl` rejected (400);
standard-provider `customCallbackUrl` accepted and round-trips
- [ ] e2e OAuth authorize/callback flow (needs running stack) — reasoned
unaffected since localhost isn't a cloud host, so the redirect base
stays localhost as before

---
## Summary by cubic
Adds a per-provider `customCallbackUrl` for OAuth `redirect_uri`,
removing the request-host dependency and making redirects predictable.
Shared providers always use the Stack-branded callback; new or converted
custom providers default to the Hexclave-branded callback. Existing
callbacks keep working; no changes needed unless you recreate or convert
a provider.

- **New Features**
  - Added `customCallbackUrl` on provider configs (URL-validated;
    forbidden when `isShared` is true).
  - `getProvider` now resolves a config-driven `redirectUri`; providers
    take `redirectUri` instead of `apiUrl` (pure resolver with in-source +
    e2e tests to lock legacy behavior).
  - Introduced `@stackframe/stack-shared` `utils/cloud-hosts.tsx` and
    dashboard helpers to show the resolved Redirect URL and set the Hexclave
    callback for new providers and when converting shared → standard.

- **Bug Fixes**
  - OAuth callback now handles legitimate cross-host flows by recording
    the authorize host and skipping the host-scoped CSRF cookie when
    authorize and callback hosts differ, relying on server-side state and
    PKCE.

Written for commit 32d95fcdcb. Summary will update on new commits.



## Summary by CodeRabbit

* **New Features**
  * Preserve and display custom OAuth callback/redirect URLs in the
    dashboard; provider creation/edit flows respect existing custom URLs.
  * Added cloud-host mapping and redirect-uri helpers to resolve branded
    API callback bases.

* **Bug Fixes**
  * Improved cross-host OAuth callback handling and CSRF validation for
    reliable cross-host flows.

* **Tests**
  * Added E2E and unit tests covering callback URL behavior and host
    mapping.

* **Documentation**
  * Updated migration guidance for callback URL changes and recreation
    scenarios.

2026-05-28 12:28:38 -07:00
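The `redirect_uri` resolution rules from the PR description above, as an added TypeScript example that is not the project's own code: a pure resolver driven only by provider config and the configured API URL, plus the schema check that rejects `customCallbackUrl` on shared providers. Assumed (not on the page): the callback path, the dev host pair, and the helper names `stackAuthBase` / `hexclaveBase`, which only model the `getStackAuthApiBaseUrl` / `getHexclaveApiBaseUrl` helpers the PR names.

```typescript
// Added example, not code from the stack-auth / Hexclave repository.
type OAuthProviderConfig = {
  id: string;
  isShared: boolean;
  customCallbackUrl?: string;
};

// Assumption: callback path; the real project's path is not on the page.
const CALLBACK_PATH = "/api/v1/auth/oauth/callback/";

// Assumption: stack-auth -> hexclave host pairs. Only the prod pair is
// stated on the page; the dev pair is a constructed sibling.
const CLOUD_HOST_PAIRS: ReadonlyArray<readonly [string, string]> = [
  ["api.stack-auth.com", "api.hexclave.com"],
  ["api-dev.stack-auth.com", "api-dev.hexclave.com"],
];

// Rewrites the host of `apiUrl` to the chosen side of its cloud pair.
// Hosts outside the table (self-host, localhost) come back unchanged,
// which is why a localhost dev stack keeps its localhost redirect base.
function toBrandedBase(apiUrl: string, side: 0 | 1): string {
  const u = new URL(apiUrl);
  const pair = CLOUD_HOST_PAIRS.find((p) => p.includes(u.host));
  if (!pair) return u.origin;
  u.host = pair[side];
  return u.origin;
}
const stackAuthBase = (apiUrl: string) => toBrandedBase(apiUrl, 0);
const hexclaveBase = (apiUrl: string) => toBrandedBase(apiUrl, 1);

// Schema rule: any customCallbackUrl is rejected when isShared is true;
// for custom providers it must be an absolute URL. Returns null when valid.
function validateProviderConfig(p: OAuthProviderConfig): string | null {
  if (p.customCallbackUrl === undefined) return null;
  if (p.isShared) return "customCallbackUrl is forbidden when isShared is true";
  try { new URL(p.customCallbackUrl); } catch { return "customCallbackUrl must be an absolute URL"; }
  return null;
}

// Runtime resolver: the redirect_uri sent to the provider never depends
// on the request Host header, only on config and the configured API URL.
function resolveRedirectUri(p: OAuthProviderConfig, apiUrl: string): string {
  const err = validateProviderConfig(p);
  if (err) throw new Error(err);
  if (!p.isShared && p.customCallbackUrl) return p.customCallbackUrl; // verbatim
  // Shared providers and legacy custom providers keep the stack-auth callback.
  return stackAuthBase(apiUrl) + CALLBACK_PATH + p.id;
}

// Dashboard default for a brand-new custom provider: env-aware hexclave callback.
function newProviderCallbackUrl(id: string, apiUrl: string): string {
  return hexclaveBase(apiUrl) + CALLBACK_PATH + id;
}
```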

# Hexclave

The user infrastructure platform.

Hexclave handles everything around your users: authentication, teams, payments, emails, analytics, and much more. Start in minutes on the hosted cloud. Your data is always yours to export and self-host.



Where Hexclave fits in the infrastructure stack

## Get started

Setting up Hexclave is one prompt. Paste this into your coding agent of choice:

```
Read skill.hexclave.com and help me setup hexclave in this project
```

## What's included

Hexclave ships as a catalog of apps you switch on as your product needs them. Each one is built on the same user model, and new apps land regularly.

### Authentication

Authentication that just works with passkeys, OAuth, and CLI auth. Drop in one component and ship the whole flow; auth methods toggle from the dashboard with no code changes needed.

### Teams

Build for teams, not just users, with workspaces, email invites, and roles that actually gate the work. The workspace switcher remembers selection, invites auto sign up new users, and permissions hold up under audit.

### RBAC

Permissions, sorted: roles that nest and one permission check that works the same on server or client. Define them in the dashboard, check them anywhere in your code.

### API Keys

API keys without the footguns: leaked keys get auto-revoked, work for users and teams, and show the full secret only once. We never keep the plaintext after creation.

### Payments

Payments without the plumbing for subscriptions, one-time charges, and usage metering with credits. Bill a person or a whole team with one model, no separate codepath.

### Emails

Email that delivers and tells you so, handling transactional and marketing sends from one API. Edit templates with an AI editor, theme once, and track every open and click.

### Analytics

Know your users with no data stack required, with live active user counts and session replays out of the box. Ask in plain English to build dashboards or write SQL to save queries, all with one flag enabled.

### Webhooks

React to every user event in real time with signed, tamper-proof webhooks. Retries and backoff are handled for you; verify in five lines and manage endpoints from the dashboard.

### Data Vault

A safe for the secrets your users hand you, locked with your secret so we never see the plaintext. Store and retrieve tokens in two lines each, server-only by design.

### Launch Checklist

Run through the must-do checks before flipping to production: domain setup, callbacks locked, secrets rotated. The progress tracker keeps your team aligned so nothing critical slips through on launch day.

## Contributing

Hexclave is open source, and contributions are welcome. Read CONTRIBUTING.md to get started, and say hello in Discord before picking up anything large. Found a security issue? Email security@hexclave.com.

## ❤ Contributors