feat(auth0-fastify): dynamic application base URL support#81
feat(auth0-fastify): dynamic application base URL support#81frederikprijck wants to merge 12 commits into
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (4)
🚧 Files skipped from review as they are similar to previous changes (4)
📝 WalkthroughWalkthroughAdds ChangesDynamic appBaseUrl Support in Auth0 Fastify Plugin
Example Application: Dynamic Base URL with Allow-List
Sequence Diagram(s)sequenceDiagram
participant Client
participant FastifyRoute
participant resolveOr500
participant resolveAppBaseUrl
participant Auth0
Client->>FastifyRoute: GET /auth/login
FastifyRoute->>resolveOr500: resolve(appBaseUrlConfig, request)
resolveOr500->>resolveAppBaseUrl: resolveAppBaseUrl(config, request)
alt static mode
resolveAppBaseUrl-->>resolveOr500: configured URL
else dynamic mode
resolveAppBaseUrl->>resolveAppBaseUrl: infer from request.protocol + request.host
resolveAppBaseUrl-->>resolveOr500: inferred URL
else allowlist mode
resolveAppBaseUrl->>resolveAppBaseUrl: infer origin, check against Set
alt origin matched
resolveAppBaseUrl-->>resolveOr500: inferred URL
else origin not matched
resolveAppBaseUrl-->>resolveOr500: throws InvalidConfigurationError
resolveOr500-->>Client: HTTP 500
end
end
resolveOr500-->>FastifyRoute: resolved appBaseUrl
FastifyRoute->>Auth0: redirect with redirect_uri built from appBaseUrl
Auth0-->>Client: auth redirect response
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~28 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (1)
examples/example-fastify-web-dynamic/src/index.spec.ts (1)
18-23: ⚡ Quick winRestore mutated environment variables in teardown for test isolation.
This suite mutates global
process.envand leaves values behind, which can make later tests order-dependent.Also applies to: 48-51
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@examples/example-fastify-web-dynamic/src/index.spec.ts` around lines 18 - 23, The test file is mutating process.env variables without restoring them after tests complete, causing test isolation issues. Save the original values of AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET, AUTH0_SESSION_SECRET, and APP_BASE_URL before setting them in the test setup, then restore these original values in an afterEach or afterAll hook. Apply this same cleanup pattern to all locations where environment variables are mutated (including the section mentioned at lines 48-51).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/examples.yml:
- Around line 24-26: In the Checkout code step that uses actions/checkout, add a
with parameter to set persist-credentials to false. This prevents the GitHub
token from being persisted in the local git config, reducing credential exposure
risk in the workflow. Add the persist-credentials configuration as a new line
under the uses declaration of the checkout action.
In `@examples/example-fastify-web-dynamic/src/index.ts`:
- Around line 27-33: The fastify.register call for fastifyView has a relative
path root: './views' that depends on the process working directory, which can
cause template rendering failures if the app starts from a different directory.
Fix this by replacing the relative path with an absolute path using the path
module and __dirname, similar to the pattern already used in `@fastify/static` on
the same file. Change the root property in the fastifyView registration options
to use path.join(__dirname, 'views') instead of the relative path string.
In `@examples/example-fastify-web-dynamic/views/layout.ejs`:
- Around line 44-46: The logout link in the navigation uses unescaped EJS output
syntax (<%- ... %>) when rendering the user name from locals.user.name. Change
the unescaped output tag <%- to the escaped output tag <%= on the line
containing the logout link to ensure the user name is HTML-escaped, following
defense-in-depth security practices. This applies to both instances where
locals.user.name is displayed in the parentheses of the logout text.
---
Nitpick comments:
In `@examples/example-fastify-web-dynamic/src/index.spec.ts`:
- Around line 18-23: The test file is mutating process.env variables without
restoring them after tests complete, causing test isolation issues. Save the
original values of AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET,
AUTH0_SESSION_SECRET, and APP_BASE_URL before setting them in the test setup,
then restore these original values in an afterEach or afterAll hook. Apply this
same cleanup pattern to all locations where environment variables are mutated
(including the section mentioned at lines 48-51).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 14ed1c08-1b03-44cc-8642-dcbde7601bfb
⛔ Files ignored due to path filters (1)
examples/example-fastify-web-dynamic/public/img/auth0.pngis excluded by!**/*.png
📒 Files selected for processing (11)
.github/workflows/examples.ymlexamples/example-fastify-web-dynamic/.env.exampleexamples/example-fastify-web-dynamic/README.mdexamples/example-fastify-web-dynamic/package.jsonexamples/example-fastify-web-dynamic/src/index.spec.tsexamples/example-fastify-web-dynamic/src/index.tsexamples/example-fastify-web-dynamic/tsconfig.jsonexamples/example-fastify-web-dynamic/views/index.ejsexamples/example-fastify-web-dynamic/views/layout.ejsexamples/example-fastify-web-dynamic/views/private.ejsexamples/example-fastify-web-dynamic/views/public.ejs
✅ Files skipped from review due to trivial changes (3)
- examples/example-fastify-web-dynamic/views/public.ejs
- examples/example-fastify-web-dynamic/views/private.ejs
- examples/example-fastify-web-dynamic/README.md
- examples.yml: set persist-credentials: false on checkout - index.ts: use absolute @fastify/view root (cwd-independent) - layout.ejs: HTML-escape user.name output (<%= instead of <%-) - index.spec.ts: restore mutated process.env in teardown
Summary
Makes dynamic
appBaseUrla standalone capability in@auth0/auth0-fastify, now accepting three forms:string[]) — base URL is inferred per request and must match one of the listed origins, otherwise the request is rejected with HTTP 500.Key changes:
domain, not only aDomainResolver. The two-arm options union collapses into a single shape (appBaseUrl?: string | string[]).x-forwarded-*header reads with Fastify'srequest.host/request.protocol, which honor the host app'strustProxysetting. Trust is delegated to the app's Fastify config (the idiomatic equivalent of Express'strust proxy).secure: true; an explicitsecure: falsewhileNODE_ENV === 'production'throwsInvalidConfigurationError.InvalidConfigurationError(exported) for invalid config and resolution failures.src/app-base-url.tsmodule.Behavior change for proxied deployments
Inference now requires
Fastify({ trustProxy: true })forx-forwarded-*headers to be honored (previously they were always trusted). Documented inEXAMPLES.md. A static stringdomainwith noappBaseUrlis now legal (previously threw).Test Plan
npm run test -w @auth0/auth0-fastify— 60 tests pass (17 unit + 43 integration)npm run build -w @auth0/auth0-fastify— clean (incl. DTS)npm run lint -w @auth0/auth0-fastify— cleannpm run build/npm run test— green, noauth0-fastify-apiregressionsSummary by CodeRabbit
Summary by CodeRabbit
appBaseUrlas a static URL or an allow-list of origins, with per-request dynamic inference when omitted.securebehavior accordingly.appBaseUrl/cookie configuration is invalid or insecure for the current environment.