docs: update identity-aware encryption to the strategy-based API#57
Merged
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This was referenced Jul 9, 2026
The live docs teach `new LockContext().identify(jwt)`. Per-operation CTS
tokens were removed in protect-ffi 0.25, so `identify()` is deprecated: it
still compiles and logs a warning, but the token it fetches is no longer
used by encryption operations. Readers copying these examples get code that
appears to bind an identity and does not.
Correct usage authenticates the client as the end user with
OidcFederationStrategy (config.authStrategy), then names the claim to bind:
const client = await Encryption({
schemas: [users],
config: { authStrategy: OidcFederationStrategy.create(crn, () => getJwt()) },
})
await client.encrypt(v, opts).withLockContext({ identityClaim: ["sub"] })
Two pages also used `client.withLockContext({ identityToken })`, a call shape
that never existed in any release.
Verified against the shipped type definitions of @cipherstash/stack 0.19.0
and @cipherstash/auth 0.42.0.
1b3a701 to
3cb2abd
Compare
coderdan
added a commit
that referenced
this pull request
Jul 9, 2026
…sed API The ported snippet used new LockContext().identify(userJwt), deprecated in protect-ffi 0.25, and passed the resulting Result straight to withLockContext() instead of unwrapping .data. main fixed this in #57; this carries the fix across so merging the port doesn't reintroduce it.
This was referenced Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Ships before the Supabase launch post. The live docs teach an identity API that no longer does what the page says it does.
The problem
Per-operation CTS tokens were removed in
protect-ffi0.25.LockContext.identify(jwt)is marked@deprecatedin the shipped types: "the token fetched here is no longer used by encryption operations." It still compiles and logs a runtime warning.So a reader copying our current examples gets code that looks like it binds encryption to a user identity, runs without error, and does not bind anything. That's a worse failure mode than a compile error.
Two pages were worse still:
use-cases/compliance.mdxanduse-cases/provable-access.mdxusedclient.withLockContext({ identityToken: jwt }).encrypt(...), a call shape that has never existed in any release.The fix
Authenticate the client as the end user with
OidcFederationStrategy, then name the claim to bind:Lock context is layered on the strategy: it requires
OidcFederationStrategy, but the strategy doesn't require lock context. Both strategies are re-exported from@cipherstash/stack.Files (10)
encryption/supabase.mdxencryption/identity.mdxencryption/encrypt-decrypt.mdxencryption/bulk-operations.mdxidentify(), dropped the.data!non-null assertionencryption/models.mdxreference/error-handling.mdxLockContext.identify()from theResultlist. Was not in my first sweep (it usedidentify()withoutwithLockContext)reference/use-cases/provable-access.mdxidentityTokenformreference/use-cases/compliance.mdxreference/comparisons/aws-kms.mdxResultofidentify()straight towithLockContext, missing.datareference/agent-skills.mdxLockContext+ JWTTwo things reviewers should check
1. Supabase's builder still requires a
LockContextinstance.EncryptedQueryBuilder.withLockContext(lockContext: LockContext)is typed narrower than the core operations, which acceptLockContextInput(LockContext | { identityClaim }). Sosupabase.mdxusesnew LockContext({ context: { identityClaim: ["sub"] } })while every other page passes the plain object. That's an SDK inconsistency, not a docs one. Worth widening the Supabase type toLockContextInput.2.
@cipherstash/nextjslooks vestigial. It still exportsprotectClerkMiddlewareandgetCtsToken(v4.1.1, published yesterday), and is still CTS-token based. But encryption no longer consumes a CTS token, sonew LockContext({ ctsToken })is now inert for key derivation. I rewrote the Clerk section to feed the Clerk session token toOidcFederationStrategydirectly, and added a note that the middleware isn't required for identity-aware encryption. Someone who owns that package should confirm.Note the constructor itself is not deprecated, only
identify()andgetLockContext(). I've been careful to say so.Verification
.d.tsof@cipherstash/stack@0.19.0and@cipherstash/auth@0.42.0, not the npm READMEs. The@cipherstash/stackREADME's "Identity-Aware Encryption" section still documents the deprecatedidentify()flow and should be updated.next buildpasses; 589 pages generate.bun run buildfails onmainfor an unrelated pre-existing reason.prebuildregeneratescontent/stack/reference/eql/index.mdxfrom the EQL manifest with an unclosed<tt>tag, which MDX rejects. Branchesfix/eql-docs-strip-tt-tagandfix/eql-mdx-escape-ltalready target it. I verified withnext buildagainst the committed file.