-
Notifications
You must be signed in to change notification settings - Fork 271
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(clerk-js): Pass dev_browser to AP via query param, fix AP origin … #1567
fix(clerk-js): Pass dev_browser to AP via query param, fix AP origin … #1567
Conversation
🦋 Changeset detectedLatest commit: 9d54fe7 The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
0144a11
to
b9aa85d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
✅ Great news! Jit hasn't found any security issues in your PR. Good Job! 🏆
b9aa85d
to
e313934
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me 💯 but maybe wait for Haris as requested
return res; | ||
} | ||
|
||
// Returns true for hosts such as: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we should be a bit more strict with our checks here. For example we will return true for hostname accounts.foo.13.bar-1.lcl.dev
which is wrong
}); | ||
} | ||
|
||
// Returns true for hosts such as: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here we can be more strict with our checks. For example we will return true for hostname foo.bar.13.whatever.accounts.dev
which is wrong. Maybe use a regex instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was thinking of a regex, but preferred to use the same logic as the BE has for this.
Note that this regex would also require that .clerk
is not contained be contained and I'm a bit worried about using a negative lookahead (?!
).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@chanioxaris do you have any planned changes in mind that could break this check? I totally agree that we could make this stricter to be on the safe side... the example domain you provided is unlikely to be used by someone though - could we be missing any cases here?
ba28b18
to
4f92750
Compare
packages/clerk-js/src/utils/url.ts
Outdated
@@ -27,26 +27,53 @@ export const DEV_OR_STAGING_SUFFIXES = [ | |||
'accounts.dev', | |||
]; | |||
|
|||
export const LEGACY_DEV_SUFFIXES = ['.lcl.dev', '.lclstage.dev', '.lclclerk.com']; | |||
|
|||
export const KIMA_DEV_SUFFIXES = ['.accounts.dev', '.accountstage.dev', '.accounts.lclclerk.com']; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
export const KIMA_DEV_SUFFIXES = ['.accounts.dev', '.accountstage.dev', '.accounts.lclclerk.com']; | |
export const DEV_SUFFIXES = ['.accounts.dev', '.accountstage.dev', '.accounts.lclclerk.com']; |
Kima was an internal project naming that shouldn't leak in the code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will rename
packages/clerk-js/src/utils/url.ts
Outdated
// * foo-bar-13.accounts.lclclerk.com | ||
// But false for: | ||
// * foo-bar-13.clerk.accounts.lclclerk.com | ||
function isKimaDevAccountPortalOrigin(host: string): boolean { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto about Kima
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Renamed
const hasQueryParam = (url || '').includes('?'); | ||
return `${url}${hasQueryParam ? '&' : '?'}${DEV_BROWSER_SSO_JWT_PARAMETER}=${(jwt || '').trim()}`; | ||
// extract & strip existing jwt from hash | ||
const jwtFromHash = extractDevBrowserJWTFromHash(resultURL.hash); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❓ Since this is the setDevBrowserJWTInURL method are we using extractDevBrowserJWTFromHash
to make sure it's only set once?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, but it might be in the hash & we need to move it to search or vice versa.
4f92750
to
9d54fe7
Compare
@@ -27,26 +27,52 @@ export const DEV_OR_STAGING_SUFFIXES = [ | |||
'accounts.dev', | |||
]; | |||
|
|||
export const LEGACY_DEV_SUFFIXES = ['.lcl.dev', '.lclstage.dev', '.lclclerk.com']; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Adding a comment for posterity/ future reference mostly, this change needs to be made to all similar helpers until we revamp clerk/shared.
This PR has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
…detection util
Type of change
Packages affected
@clerk/clerk-js
@clerk/clerk-react
@clerk/nextjs
@clerk/remix
@clerk/types
@clerk/themes
@clerk/localizations
@clerk/clerk-expo
@clerk/backend
@clerk/clerk-sdk-node
@clerk/shared
@clerk/fastify
@clerk/chrome-extension
gatsby-plugin-clerk
build/tooling/chore
Description
To make the dev_browser JWT available to the SSR context on Account Portal, we need to pass the JWT via the query, not the hash.
The current PR detects whether the URL we are navigating to is an AP URL & passes the db JWT as a query param.
Also fixed the AP origin detection util, which did not cover kima instances (ported logic from our backend).
Adding @chanioxaris to help verify if the AP origin detection logic is accurate.