Send flow secret via Flow-Secret header on native flow init#20
Merged
Conversation
📝 WalkthroughWalkthroughAdds an optional ChangesFlow secret header support
Estimated code review effort: 2 (Simple) | ~10 minutes Sequence Diagram(s)sequenceDiagram
participant NextClient as ThunderIDNextClient
participant API as executeEmbeddedSignInFlow
participant FetchAPI
NextClient->>API: signIn(arg2 with flowSecret)
alt new flow start and flowSecret provided
API->>FetchAPI: fetch(request with X-Flow-Secret header)
else continuation or no flowSecret
API->>FetchAPI: fetch(request without X-Flow-Secret header)
end
FetchAPI-->>API: response
API-->>NextClient: result
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
11 tasks
The backend now reads the Flow Secret for POST /flow/execute from the Flow-Secret request header instead of the request body. Add an optional flowSecret config field on the embedded flow request and send it in the Flow-Secret header when initiating a new native sign-in flow (a payload carrying applicationId and flowType); it is omitted from continuation requests. Forward flowSecret through the Next.js client's embedded signIn path. Refs thunder-id/thunderid#3795
140f4db to
099efa9
Compare
ThaminduDilshan
approved these changes
Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Purpose
The backend is moving the Flow Secret for
POST /flow/executeout of the JSON request body and into a dedicatedFlow-Secretrequest header (see thunder-id/thunderid#3795 and PR thunder-id/thunderid#3808). This updates the SDK so backend/server-side applications can present the Flow Secret via the header when they initiate a native (embedded) sign-in flow.Previously a caller could put
flowSecretinside the flowpayloadand it would serialize into the request body. With the header change that no longer works, and the higher-level Next.jssignInwrapper dropped any custom request config, so there was no way to convey the secret. This adds first-class support.Approach
flowSecretfield toEmbeddedFlowExecuteRequestConfigBase(packages/javascript/src/models/embedded-flow.ts). It is documented as being sent in theFlow-Secretheader and only on a new flow initiation.executeEmbeddedSignInFlownow sendsflowSecretin theFlow-Secretheader, but only when initiating a new flow (a payload carryingapplicationId+flowType). It is deliberately omitted from continuation/step-submission requests, mirroring the backend, which only gates direct initiation of authentication flows.ThunderIDNextClient.signInforwardsflowSecretfrom the request config intoexecuteEmbeddedSignInFlow, so it is usable through the Next.js server-action path (signInAction(payload, { flowSecret })).Server-side initiators that build the request themselves (the Express
handleFlowmiddleware, directexecuteEmbeddedSignInFlowcallers) can already passflowSecretvia the config; wiring it through their own config/UX is a natural follow-up if needed.Related Issues
Related PRs
Checklist
breaking changelabel added.Security checks
Summary by CodeRabbit
New Features
Bug Fixes
Tests