[WIP] Block direct sign-in flow initiation from browser SPAs #3
Malith-19 wants to merge 1 commit into
cd34ac2 to 6160a7d
6160a7d to 5c251cf
Purpose
Block browser SPAs from initiating a sign-in flow directly via POST /flow/execute, and require the redirect-based OAuth2 authorization_code + PKCE flow instead. A browser SPA initiating a flow passes a public applicationId, which the server cannot use to authenticate the client. This is the SDK-side item of the secured-by-default model agreed in the design discussion. Since the SDKs have not had a release yet, this removes the capability rather than deprecating it. The config-time backend guard (a public-client SPA must use the authorization_code grant) is tracked separately under thunder-id/thunderid#3216.
Approach
executeEmbeddedSignInFlow throws a ThunderIDRuntimeError when a new sign-in flow is initiated (applicationId + flowType) in a browser context. @thunderid/browser, @thunderid/react, and @thunderid/vue all reach this function through the core, so a single guard covers every browser SPA SDK.
window/document). Server-side / confidential-client usage runs in Node, so it may still initiate the flow. The hosted Gate UI is also unaffected — it only continues a redirect-initiated flow via executionId, never initiates.
/authorize handler initiates authentication only, so registration and recovery have no redirect-based equivalent and are left unchanged.
<SignIn> and vue SignIn components, plus a note in the JavaScript SDK README.
Related Issues
Related PRs
thunderid repo): [Docs] Block direct sign-in flow initiation from browser SPAs thunderid#3455
Checklist
breaking change label added.
🔧 Summary of Breaking Changes
Browser SPAs can no longer initiate a sign-in flow directly via executeEmbeddedSignInFlow (the embedded <SignIn /> component or useThunderID().signIn({ applicationId }) used standalone). Doing so now throws a ThunderIDRuntimeError.
💥 Impact
Browser SPA apps that drove sign-in with the app-native (embedded) flow. Server-side clients and the hosted sign-in (Gate) continuation path are not affected. The SDKs have not been released, so no published consumers are impacted.
🔄 Migration Guide
Configure the application for the authorization_code grant with a registered redirect_uri, and sign in via the redirect-based flow — for example @thunderid/browser's signIn() or @thunderid/react's <SignInButton />. See Register an application.
Security checks
Note
[WIP] — opened for testing and fine-tuning before review.
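The guard described under Approach, as an added JavaScript illustration that is not part of this PR or the @thunderid SDKs: the error class, the function name, the request shape and the injectable global object are assumptions made for the example, and the sample request values are constructed. It distinguishes a request that initiates a flow (applicationId + flowType) from one that only continues a redirect-initiated flow (executionId), and refuses the former when window and document are present.

```javascript
// Added illustration, not the SDK's own code. ThunderIDRuntimeError,
// executeEmbeddedSignInFlow and the request/env shapes are assumed names.

class ThunderIDRuntimeError extends Error {
  constructor(message) {
    super(message);
    this.name = "ThunderIDRuntimeError";
  }
}

// Browser detection via window/document. The global object is injectable
// so a browser tab and a Node process can both be exercised offline.
function isBrowserContext(g = globalThis) {
  return typeof g.window !== "undefined" && typeof g.document !== "undefined";
}

// applicationId + flowType *initiates* a flow with a public identifier the
// server cannot authenticate; executionId only *continues* a flow that the
// redirect-based /authorize path already started.
function executeEmbeddedSignInFlow(request, g = globalThis) {
  const initiates = Boolean(request.applicationId && request.flowType);
  if (initiates && isBrowserContext(g)) {
    throw new ThunderIDRuntimeError(
      "Browser SPAs cannot initiate a sign-in flow directly; use the " +
        "redirect-based authorization_code + PKCE flow instead."
    );
  }
  if (!initiates && !request.executionId) {
    throw new ThunderIDRuntimeError(
      "Either executionId or applicationId + flowType is required."
    );
  }
  // Constructed stand-in for the POST /flow/execute call.
  return {
    endpoint: "POST /flow/execute",
    mode: initiates ? "initiate" : "continue",
    body: request,
  };
}

// Constructed global objects standing in for a browser tab and a Node process.
const BROWSER_GLOBAL = { window: {}, document: {} };
const NODE_GLOBAL = {};
```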