stacklok / toolhive-cloud-ui / 22901022240
Build:
DEFAULT BRANCH: main
Ran 10 Mar 2026 11:49AM UTC
Jobs 1
Files 60
Run time 1min
10 Mar 2026 11:48AM UTC coverage: 72.982% (+1.2%) from 71.805%

Build 22901022240 · push · github · web-flow
fix(auth): handle OIDC refresh token rotation in cookie mode (#409)

* fix(auth): handle OIDC refresh token rotation in cookie mode

Better Auth stores OIDC tokens in the `account_data` JWE cookie. When
Okta rotates the refresh token (R1 → R2) on each use, the rotated R2
must be saved back to the browser cookie. However, Next.js forbids
`cookies().set()` in Server Components, causing R2 to be discarded and
the next refresh to fail with `invalid_grant`.

Fix:
- Add `isTokenNearExpiry()` utility that decodes the `account_data` JWE
  to check `accessTokenExpiresAt` with a 30-second preemptive margin
- Add `/api/auth/token-refresh` Route Handler that calls
  `getAccessToken({ asResponse: true })` and forwards the resulting
  Set-Cookie headers (including R2) directly onto the HTTP redirect
  response — Route Handlers can write cookies, Server Components cannot
- In `getAuthenticatedClient()`, redirect to the Route Handler when the
  token is near expiry instead of calling `getAccessToken()` directly
- Add `proxy.ts` (Next.js 16 convention) to inject `x-url` header so
  the Route Handler knows which page to redirect back to after refresh
- Sign out before sign in to clear stale `account_data` cookies
- Remove debug utilities (`TokenDebugTracker`, `debug-actions.ts`)
- Remove security issue: OIDC tokens were being logged on every signin

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(auth): reduce isTokenNearExpiry margin to 10s to avoid redirect loop

The previous 30s margin exceeded the dev OIDC provider's 15s access token
TTL, causing an infinite redirect loop to /api/auth/token-refresh.

10s is safely above Better Auth's internal 5s refresh threshold while
remaining below the minimum token TTL in any environment.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(auth): address Copilot review comments on token refresh

- Fix open redirect in token-refresh route: replace startsWith("/") check
  with URL parsing + same-ori... (continued)

222 of 311 branches covered (71.38%)

Branch coverage included in aggregate %.

33 of 36 new or added lines in 4 files covered. (91.67%)

402 of 544 relevant lines covered (73.9%)

13.39 hits per line

New Missed Lines in Diff

Lines  Coverage  ∆      File
1      22.22     0.0%   src/lib/auth/auth.ts
2      62.22     5.97%  src/lib/api-client.ts
Jobs

ID  Job ID         Ran                      Files  Coverage
1   22901022240.1  10 Mar 2026 11:49AM UTC  60     72.98
GitHub Action Run
  • Github Actions Build #22901022240
  • f62d7c6e on github
  • Prev Build on main (#22900396677)
  • Next Build on main (#22901046413)
© 2026 Coveralls, Inc