ory · jonas-jonas · Jun 26, 2024 · Mar 22, 2024 · Apr 19, 2024 · Apr 20, 2024
@@ -5,6 +5,7 @@ on:
     branches: [master]
   pull_request:
     branches: [master]
+  workflow_dispatch:
 
 jobs:
   take-screenshots:

@@ -14,10 +14,10 @@ jobs:
     timeout-minutes: 60
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
-          node-version: "17.x"
+          node-version: "20.x"
           cache: "npm"
       - run: npm install
       - name: Test Build

@@ -26,15 +26,14 @@ To access Ory's APIs, use URL `http://localhost:4000`
 ### `npm test`
 
 Launches the test runner in the interactive watch mode.\
-See the section about
-[running tests](https://facebook.github.io/create-react-app/docs/running-tests)
+See the section about [running tests](https://facebook.github.io/create-react-app/docs/running-tests)
 for more information.
 
 ### `npm run build`
 
 Builds the app for production to the `build` folder.\
-It correctly bundles React in production mode and optimizes the build for the
-best performance.
+It correctly bundles React in production mode and optimizes the build for the best
+performance.
 
 The build is minified and the filenames include the hashes.\
 Your app is ready to be deployed!

@@ -67,7 +67,7 @@ import CodeBlock from '@theme/CodeBlock'
 If you wish to compile the binary yourself, you need to install and set up [Go 1.17+](https://golang.org/) and add `$GOPATH/bin`
 to your `$PATH`.
 
-:::warning
+:::danger
 
 Please note that this will check out the latest commit, which might be not yet released and unstable.
 

@@ -1,4 +1,4 @@
-:::warning
+:::danger
 
 Don't save secrets such as API keys, credentials, or personal data directly in Jsonnet code snippets. Jsonnet code snippets used
 for data mapping aren't stored in an encrypted format in Ory Network.

@@ -1,4 +1,4 @@
-:::warning
+:::danger
 
 The APIs of Ory open-source Servers don't come with integrated access control. This means that all requests sent to their APIs are
 considered authenticated, authorized, and will be executed. Leaving the APIs in this state can lead to severe security risks.

@@ -26,7 +26,7 @@ Ory automatically activates the `session` action when a user signs up using a so
 
 ## Toggle action
 
-:::warning
+:::danger
 
 This action modifies the HTTP response. As a result, no other hooks can be executed after the `session` action. If you want to
 trigger multiple actions that modify the HTTP response in your setup, make sure that `session` is triggered last.
@@ -61,7 +61,7 @@ ory patch identity-config {project-id} \
 
 The hook sends a `Set-Cookie` HTTP header which contains the session cookie. The user is signed in immediately.
 
-:::warning
+:::danger
 
 Using this job as part of your post-registration workflow makes your system vulnerable to Account Enumeration Attacks because a
 threat agent can distinguish between existing and non-existing accounts by checking if Set-Cookie was sent as part of the

@@ -92,11 +92,11 @@ Identities, unless explicitly advertised, implements these guidelines and best p
 Passwords must have a minimum length of 8 characters and all characters (unicode, ASCII) must be allowed:
 
 > Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit
-> subscriber-chosen memorized secrets at least 64 characters in length. All printing ASCII [RFC 20] characters as well as the space
-> character SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well. To make
-> allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character prior
-> to verification, provided that the result is at least 8 characters in length. Truncation of the secret SHALL NOT be performed.
-> For purposes of the above length requirements, each Unicode code point SHALL be counted as a single character.
+> subscriber-chosen memorized secrets at least 64 characters in length. All printing ASCII [RFC 20] characters as well as the
+> space character SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well. To
+> make allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character
+> prior to verification, provided that the result is at least 8 characters in length. Truncation of the secret SHALL NOT be
+> performed. For purposes of the above length requirements, each Unicode code point SHALL be counted as a single character.
 
 Passwords must be checked against a database of compromised secrets such as [Have I Been Pwnd](https://haveibeenpwned.com):
 

@@ -4,7 +4,7 @@ title: Design
 ---
 
 This document provides a summary of Ory's REST design with topics like pagination and date formats. If you're interested in Ory's
-API design, check out the [REST API design guidelines](../open-source/guidelines/rest-api-guidelines.mdx).
+API design, check out the [REST API design guidelines](../open-source/guidelines/rest-api-guidelines.md).
 
 ## Date format
 

@@ -55,11 +55,11 @@ validate if the user is allowed to access the application.
 
 Add the code to the `main.go` file:
 
-```mdx-code-block title="main.go"
+```mdx-code-block
 import mainGo from '!!raw-loader!../../../code-examples/protect-page-login/go/main.go'
 import CodeBlock from '@theme/CodeBlock'
 
-<CodeBlock language="go">{mainGo}</CodeBlock>
+<CodeBlock language="go" title="main.go">{mainGo}</CodeBlock>
 ```
 
 ## Validate and login
@@ -74,10 +74,10 @@ is not authenticated or the session expired, the request is redirected for login
 
 To create the middleware, add the code to the `middleware.go` file:
 
-```mdx-code-block title="middleware.go"
+```mdx-code-block
 import middlewareGo from '!!raw-loader!../../../code-examples/protect-page-login/go/middleware.go'
 
-<CodeBlock language="go">{middlewareGo}</CodeBlock>
+<CodeBlock language="go" title="middleware.go">{middlewareGo}</CodeBlock>
 ```
 
 ## The protected page
@@ -86,18 +86,18 @@ As the final step, create a `Dashboard` page that's presented to signed-in users
 
 1. Create the `dashboardHandler` that renders the page with the session data. Add this code to the `handler.go` file:
 
-```mdx-code-block title="handler.go"
+```mdx-code-block
 import handlerGo from '!!raw-loader!../../../code-examples/protect-page-login/go/handler.go'
 
-<CodeBlock language="go">{handlerGo}</CodeBlock>
+<CodeBlock language="go" title="handler.go">{handlerGo}</CodeBlock>
 ```
 
 2. To present the data to the user, create the `Dashboard` HTML page. Add this code to the `index.html` file:
 
-```mdx-code-block title="index.html"
+```mdx-code-block
 import index from '!!raw-loader!../../../code-examples/protect-page-login/go/index.html'
 
-<CodeBlock language="html">{index}</CodeBlock>
+<CodeBlock language="html" title="index.html">{index}</CodeBlock>
 ```
 
 ## Test your application

@@ -56,11 +56,11 @@ This is a working example of basic `index.php` script which creates an Ory clien
 use of [Before Route Middlewares](https://github.com/bramus/router#before-router-middlewares) to validate if the user is allowed
 to view the Dashboard.
 
-```mdx-code-block title="index.php"
+```mdx-code-block
 import indexPHP from '!!raw-loader!../../../code-examples/protect-page-login/php/index.php'
 import CodeBlock from '@theme/CodeBlock'
 
-<CodeBlock language="php">{indexPHP}</CodeBlock>
+<CodeBlock language="php" title="index.php">{indexPHP}</CodeBlock>
 ```
 
 ## Validate and login
@@ -76,10 +76,10 @@ session data.
 
 This is accomplished by the simple `App` class stored in the `app.php` file:
 
-```mdx-code-block title="app.php"
+```mdx-code-block
 import appPHP from '!!raw-loader!../../../code-examples/protect-page-login/php/app.php'
 
-<CodeBlock language="php">{appPHP}</CodeBlock>
+<CodeBlock language="php" title="app.php">{appPHP}</CodeBlock>
 ```
 
 ## Run your app

@@ -76,11 +76,11 @@ This requires the express app (`npm run start`) to run on port 3000. The browser
 Next we add a session check to the default home page of the example application. The highlighted code is what we added to check
 whether the user is signed in, and redirect them to the login page if not:
 
-```mdx-code-block title="routes/index.js"
+```mdx-code-block
 import homePage from '!!raw-loader!../../../code-examples/protect-page-login/expressjs/routes/index.js'
 import CodeBlock from '@theme/CodeBlock'
 
-<CodeBlock language="js">{homePage}</CodeBlock>
+<CodeBlock language="js" title="routes/index.js">{homePage}</CodeBlock>
 ```
 
 ## Run your Express.js app

@@ -31,11 +31,11 @@ Add [dio](https://github.com/flutterchina/dio) and [flutter dotenv](https://gith
 We use [dio](https://github.com/flutterchina/dio) for HTTP request and
 [flutter dotenv](https://github.com/java-james/flutter_dotenv) for environment variable management.
 
-```mdx-code-block title="pubspec.yaml"
+```mdx-code-block
 import pubspec from '!!raw-loader!../../../code-examples/protect-page-login/flutter_web_redirect/pubspec.yaml'
 import CodeBlock from '@theme/CodeBlock'
 
-<CodeBlock language="yaml">{pubspec}</CodeBlock>
+<CodeBlock language="yaml" title="pubspec.yaml">{pubspec}</CodeBlock>
 ```
 
 ## Install Ory CLI
@@ -59,10 +59,10 @@ session information.
 mkdir lib/services && touch lib/services/auth.dart
 ```
 
-```mdx-code-block title="lib/services/auth.dart"
+```mdx-code-block
 import auth from '!!raw-loader!../../../code-examples/protect-page-login/flutter_web_redirect/lib/services/auth.dart'
 
-<CodeBlock language="dart">{auth}</CodeBlock>
+<CodeBlock language="dart" title="lib/services/auth.dart">{auth}</CodeBlock>
 ```
 
 ## Add environment variables
@@ -74,21 +74,21 @@ URL, for example `http://localhost:3005`.
 touch .env
 ```
 
-```mdx-code-block title=".env"
+```mdx-code-block
 import env from '!!raw-loader!../../../code-examples/protect-page-login/flutter_web_redirect/env'
 
-<CodeBlock language="text">{env}</CodeBlock>
+<CodeBlock language="text" title=".env">{env}</CodeBlock>
 ```
 
 ## Update lib/main.dart
 
 Finally, update the `lib/main.dart` file to check for a session cookie on the initial load of the application. If the cookie is
 found, the user can access the application. If the cookie isn't found, the user is redirected to the login page.
 
-```mdx-code-block title="lib/main.dart"
+```mdx-code-block
 import main from '!!raw-loader!../../../code-examples/protect-page-login/flutter_web_redirect/lib/main.dart'
 
-<CodeBlock language="dart">{main}</CodeBlock>
+<CodeBlock language="dart" title="lib/main.dart">{main}</CodeBlock>
 ```
 
 ## Test you application

@@ -50,7 +50,7 @@ Review rate limits in the [Project Rate Limits](https://www.ory.sh/docs/guides/r
 between projects use the [Ory CLI](https://www.ory.sh/docs/guides/cli/config-with-cli) For more information what environments are
 included on the Ory Network plans, head over to the [Pricing](https://ory.sh/pricing) page.
 
-:::warning
+:::danger
 
 Staging and development projects are for test data only! Ory Network doesn't guarantee GDPR-compliant PII handling in staging and
 development projects.

@@ -58,11 +58,11 @@ npm install express-openid-connect express
 
 and create a file `server.js` with the following content:
 
-```mdx-code-block title="server.js"
+```mdx-code-block
 import CodeBlock from '@theme/CodeBlock';
-import content from '!!raw-loader!../../../code-examples/getting-started/oauth2-integration/express/server.js';
+import content from '!!raw-loader!../../../code-examples/getting-started/oauth2-integration/express/server';
 
-<CodeBlock language="js">{content}</CodeBlock>
+<CodeBlock language="js" title="server.js">{content}</CodeBlock>
 ```
 
 Finally, start the server

@@ -63,7 +63,18 @@ production, it's recommended to use a CNAME.
 When an application runs on `http://localhost:3000`, Ory must be available on the same domain, for example at
 `http://localhost:4000`. Thanks to such setup, the system can manage Anti-CSRF Cookies and Ory Session Cookies.
 
-![Ory Proxy diagram](../_static/cli/proxy.svg)
+```mdx-code-block
+import Mermaid from "@site/src/theme/Mermaid"
+
+<Mermaid
+  chart={`
+flowchart TD
+    A[Developer] -->|GET http://localhost:1234| B(Ory Proxy)
+    B -->|GET /.ory/*| D[Ory Network]
+    B -->E[Your application]
+`}
+/>
+```
 
 ### URL structure
 

@@ -31,7 +31,7 @@ application when a user updates their profile information in another system.
 When building your own UI you can pass additional data when completing the registration flow that gets forwarded to any configured
 webhooks. This can be used to solve more complex use cases that would be out of scope for identity traits.
 
-:::warning
+:::danger
 
 Always put security first! When using webhooks, ensure that the data you send is secure and that the external system you are
 integrating with is trustworthy. Additionally, make sure to consider the data privacy laws and regulations that may apply to your

@@ -9,7 +9,6 @@ sidebar_label: Permissions
 ```mdx-code-block
 import CodeFromRemote from "@theme/CodeFromRemote"
 import BrowserWindow from "@site/src/theme/BrowserWindow"
-const file = (path) => `https://github.com/ory/keto/blob/master/contrib/rewrites-example/${path}`
 ```
 
 [Ory Permissions](https://www.ory.sh/permissions/) (based on [Ory Keto](https://github.com/ory/keto)) implements
@@ -101,7 +100,7 @@ Go to <ConsoleLink route="project.permissions.relationships" /> and switch to th
 Paste the following content into the editor:
 
 ```mdx-code-block
-<CodeFromRemote src={file("namespaces.keto.ts")} title="namespaces.keto.ts" />
+<CodeFromRemote src="https://github.com/ory/keto/blob/master/contrib/rewrites-example/namespaces.keto.ts" title="namespaces.keto.ts" />
 ```
 
 :::info
@@ -146,7 +145,7 @@ the hierarchy.
 You can create additional fine-grained permission rules for certain objects, similar to the `private` file.
 
 ```mdx-code-block
-<CodeFromRemote src={file("relation-tuples/tuples.json")} title="relationships.json" />
+<CodeFromRemote src="https://github.com/ory/keto/blob/master/contrib/rewrites-example/relation-tuples/tuples.json" title="relationships.json" />
 ```
 
 Save the file as `relationships.json` in your current working directory. To create these relationships in Ory Permissions, run

@@ -36,7 +36,7 @@ Each of these policies incorporates two types of rate limits:
 |                | `/relation-tuples/check`   |          80 |            1800 |
 |                | `GET /admin/identities`    |          10 |             300 |
 |                | `*`                        |          40 |             900 |
-| **Staging **   | `/sessions/whoami`         |          10 |             300 |
+| **Staging**    | `/sessions/whoami`         |          10 |             300 |
 |                | `/admin/oauth2/introspect` |          10 |             300 |
 |                | `/relation-tuples/check`   |          10 |             300 |
 |                | `GET /admin/identities`    |           1 |              10 |
@@ -51,7 +51,7 @@ Each of these policies incorporates two types of rate limits:
 |                | `/relation-tuples/check`   |         800 |           18000 |
 |                | `GET /admin/identities`    |          20 |             600 |
 |                | `*`                        |         400 |            9000 |
-| **Staging **   | `/sessions/whoami`         |          10 |              30 |
+| **Staging**    | `/sessions/whoami`         |          10 |              30 |
 |                | `/admin/oauth2/introspect` |          10 |             300 |
 |                | `/relation-tuples/check`   |          10 |             300 |
 |                | `GET /admin/identities`    |           1 |              10 |

@@ -215,7 +215,7 @@ If a webhook for `refresh_token` grant type fails with a non-graceful result, th
 
 ## Legacy webhook implementation (deprecated)
 
-:::warning
+:::danger
 
 This mechanism is deprecated and no longer supported
 

@@ -31,7 +31,7 @@ ory patch oauth2-config $PROJECT_ID \
   --replace "/oidc/subject_identifiers/pairwise/salt=\"{16-character-long-salt}\""
 ```
 
-:::warning
+:::danger
 
 Don't change the salt value once it's set in production. When you change the salt, all client applications receive new user IDs
 from Ory. This can cause serious complications with authentication in your system.

@@ -18,7 +18,7 @@ You can find more examples of SDK usage in the auto-generated documentation
 
 The Ory Hydra Go SDK is generated using [`go-swagger`](http://goswagger.io).
 
-:::warning
+:::danger
 
 Don't consume the `/oauth2/auth` and `/oauth2/token` endpoints using this SDK. Use
 [golang.org/x/oauth2](https://godoc.org/golang.org/x/oauth2). For more information visit the

@@ -16,7 +16,7 @@ You can find more examples of SDK usage in the auto-generated documentation
 
 :::
 
-:::warning
+:::danger
 
 Don't consume the `/oauth2/auth` and `/oauth2/token` endpoints using this SDK. Use
 [golang.org/x/oauth2](https://godoc.org/golang.org/x/oauth2). For more information visit the

@@ -7,7 +7,7 @@ In this document you can find code examples for the Ory Hydra Go SDK.
 
 The Ory Hydra Go SDK is generated using [`go-swagger`](http://goswagger.io).
 
-:::warning
+:::danger
 
 Don't consume the `/oauth2/auth` and `/oauth2/token` endpoints using this SDK. Use
 [golang.org/x/oauth2](https://godoc.org/golang.org/x/oauth2). For more information visit the