remove accessToken from being sent to client components#206
__tests__/authkit-provider.spec.tsx
| @@ -220,7 +220,6 @@ describe('useAuth', () => { | |||
| entitlements: ['feature1'], | |||
| impersonator: { email: 'admin@example.com' }, | |||
| oauthTokens: { access_token: 'token123' }, | |||
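Review bot: the header says one line leaves this mock (7 to 6 lines) but the kept context still carries `oauthTokens: { access_token: 'token123' }`, so the fixture keeps a token-shaped value even after `accessToken` is dropped. Since this suite is what pins down what reaches client components, consider asserting on the object the provider actually hands to `useAuth` rather than only trimming the fixture: check that it has neither an `accessToken` nor an `oauthTokens` key, so a later change that forwards either field fails here instead of passing because the fixture never contained it.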
We should probably remove these oauthTokens too for good measure (maybe someone else on the team thinks differently?).
It looks like that's only referenced in that test and isn't actually passed to the client. We're only sending UserInfo | NoUserInfo from these actions.
authkit-nextjs/src/interfaces.ts
Lines 26 to 45 in 700f29d
I went ahead and removed oauthTokens here from the mock return.
oh i see, we pass the oauthTokens to an onSuccess callback but otherwise don't store them at all 👍
Hi there! How does this affect the

@statico
Breaking change

This removes `accessToken` from being accessible in client components. The following is no longer allowed.

This pull request focuses on removing the `accessToken` from the client-side code to enhance security and simplify the auth object. The most important changes include sanitizing the auth object, updating actions to use the sanitized auth object, and modifying components to remove references to `accessToken`.

Security Improvements:

* Added a `sanitize` function to remove the `accessToken` from the auth object before it is used on the client side. (src/actions.ts)
* Updated `getAuthAction` and `refreshAuthAction` to use the `sanitize` function. (src/actions.ts) [1] [2]

Component Updates:

* Removed `accessToken` from the `AuthContextType` type definition. (src/components/authkit-provider.tsx)
* Removed the `accessToken` state and related code from the `AuthKitProvider` component. (src/components/authkit-provider.tsx) [1] [2] [3] [4] [5]

Test Adjustments:

* Removed `accessToken` from test mock data in the `useAuth` test suite. (__tests__/authkit-provider.spec.tsx)