Conversation
Wire the dashboard to Ory through Auth.js while preserving Supabase mode behind the auth provider switch.
PR Summary (Cursor Bugbot, reviewed commit b20766d): High Risk. Overview sections: API contract (OpenAPI); UX & middleware (sign-in/up/forgot-password pages redirect to hosted Ory); Local Hydra (optional); Deps/config.
| loginChallenge: challenge, | ||
| }) | ||
|
|
||
| const { redirect_to } = await hydra.acceptOAuth2LoginRequest({ |
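Review bot: the acceptOAuth2LoginRequest call at the bottom of this hunk is reached for any login_challenge with no check that the route is running in the local/dev configuration the commit message limits it to; gate it on ORY_HYDRA_ADMIN_URL and ORY_LOCAL_LOGIN_SUBJECT both being set (and a non-production build) and answer 404 otherwise, and reject an empty or non-string challenge before the Hydra admin API is called.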
🔒 Agentic Security Review
Severity: HIGH
The login provider route accepts any login_challenge and unconditionally authenticates it as a fixed ORY_LOCAL_LOGIN_SUBJECT, but there is no runtime enforcement that this path can only run in local/dev mode.
If this route is ever wired outside an isolated dev setup, an attacker can start an OAuth flow and receive tokens as that fixed subject, resulting in authentication bypass/account impersonation.
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Reviewed by Cursor Bugbot for commit 95f62c7.
| className="text-fg underline underline-offset-[3px]" | ||
| > | ||
| Continue if you are not redirected automatically | ||
| </button> |
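Review bot: the visible markup gives this button a className but no type attribute, so inside a form it defaults to a submit button; set type="button" explicitly, and since the styling is hand-rolled Tailwind, prefer the shared Button primitive from @/ui/primitives/button so focus ring and disabled handling are not re-implemented here.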
Raw button element instead of Button primitive
Low Severity
A new raw <button> element with manual Tailwind styling (text-fg underline underline-offset-[3px]) is used instead of the Button component from @/ui/primitives/button. This is new feature code that violates the rule requiring use of the Button primitive for consistent focus rings, disabled states, and accessibility.
Triggered by learned rule: Use Button primitive instead of raw button elements
| name: keyof OryTokenClaims | ||
| ): string | null { | ||
| return readStringClaim(claims, name) | ||
| } |
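Review bot: readRequiredStringClaim declares its return type as "string | null" and simply returns readStringClaim(claims, name), so the "required" in its name is not enforced; either narrow the signature to "): string {", keep the lookup in a local and throw when it is null (for example: const value = readStringClaim(claims, name); if (value === null) throw new Error(`missing required claim: ${name}`); return value), or drop the wrapper and call readStringClaim directly at the call site.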
readRequiredStringClaim is identical to readStringClaim
Low Severity
readRequiredStringClaim is a wrapper that does nothing beyond calling readStringClaim — it returns string | null without enforcing any "required" semantics. The name is misleading: callers reading the code at line 29 (readRequiredStringClaim(accessClaims, 'sub')) would expect it to throw or assert on missing claims, but it silently returns null just like the non-required variant.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 95f62c79a9
| const isOry = isOryAuthEnabled() | ||
| const headers: Record<string, string> = isOry | ||
| ? { Authorization: `Bearer ${token}` } |
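Review bot: deciding the header shape from isOryAuthEnabled() inside this shared helper ties it to process.env.AUTH_PROVIDER, a server-only read; pass the provider in as a parameter (or read it from a NEXT_PUBLIC_-prefixed variable that is inlined into the client bundle) so browser callers take the same branch as the server, and add a test asserting the Bearer branch is selected when AUTH_PROVIDER=ory.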
Avoid server-only env checks in shared auth header helper
authHeaders now switches behavior via isOryAuthEnabled(), which reads process.env.AUTH_PROVIDER, but this helper is also consumed by client-side code paths introduced in this commit (for example terminal/inspect browser SDK calls). In Next.js, non-NEXT_PUBLIC_ env vars are not available in browser bundles, so client code will not reliably select the Ory branch and can keep emitting Supabase-style headers; in AUTH_PROVIDER=ory deployments that causes sandbox API calls from the browser to be unauthorized.
Wire the dashboard as Hydra's login provider so the OIDC flow can complete end-to-end against a self-hosted Hydra (e.g. ../infra devenv) without requiring a separate IdP UI.
- src/app/oauth/login: auto-accept login challenges as ORY_LOCAL_LOGIN_SUBJECT.
- src/app/oauth/consent: defensive auto-accept (never hit while the seeded client has skip_consent=true; kept for misconfiguration safety).
- src/app/oauth/logout: auto-accept logout challenges.
- src/core/server/auth/ory/hydra-admin.ts: OAuth2Api client that targets ORY_HYDRA_ADMIN_URL (self-hosted, no PAT) or ORY_SDK_URL (Ory Network, PAT).
- src/lib/env.ts: new optional ORY_HYDRA_ADMIN_URL and ORY_LOCAL_LOGIN_SUBJECT.
- package.json: pin 'next dev' to :3001 so it doesn't collide with the infra api on :3000 and matches the seeded client's redirect_uri.
Modeled on ory/hydra-login-consent-node. Intended for local/dev only; production deployments delegate login to Ory Network / Kratos.