feat(client): add allowCustomSchemes flag and desktop runtime detection #10949
iamnotmega wants to merge 3 commits into appwrite:main from
Conversation
Adds isDesktopRuntime() helper and client.setAllowCustomSchemes(true) config option to allow safe usage of custom URI schemes (tauri://, electron://) in OAuth callback flows. Does not change default behavior for web projects.
📝 Walkthrough
This pull request introduces desktop runtime detection and a new configuration option to the SDK client. Specifically, it adds a new exported utility function
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes
Actionable comments posted: 0
🧹 Nitpick comments (3)
public/sdk-project/client.ts (3)
92-102: Don't rely on UA sniffing for "security gating"; prefer feature detection where possible.
`navigator.userAgent.includes(...)` is increasingly unreliable (UA reduction/overrides) and is easy to spoof; keep `isDesktopRuntime()` as a convenience signal, but ensure other code doesn't use it alone to decide whether to allow unsafe callback schemes. Consider simplifying to primarily feature-detect (`window.__TAURI__`, `window.process?.versions?.electron`) and treat UA as best-effort only.
104-111: Good default: `allowCustomSchemes: false` keeps web behavior unchanged.
Optional: consider introducing an explicit `ClientConfig` type (or `readonly` + setters) to avoid ad-hoc config mutation and keep the public surface consistent as config grows.
194-206: Setter looks correct; consider aligning docs/guardrails with intended usage.
Since this flag affects URL scheme validation elsewhere, it may be worth documenting (here or in public docs) that enabling it should be paired with strict callback allowlisting and not auto-enabled purely via `isDesktopRuntime()`.
📒 Files selected for processing (1): public/sdk-project/client.ts (3 hunks)
🔇 Additional comments (1)
public/sdk-project/client.ts (1)
179-180: No functional change (whitespace-only).
Security Scan Results for PR
Docker Image Scan Results
Source Code Scan Results: 🎉 No vulnerabilities found!
LGTM
Hi @Meldiron! This PR is a recreation of the logic from #10892 with the necessary metadata/links fixed. It has already been approved by @ooye-sanket (the original author). May you please take a look at it? It is currently a big issue for many applications, including mine.
yeah but we need a maintainer with write access to merge it
Thanks for the clarification. @iamnotmega
Is someone reviewing this PR already?
Original fix made by @ooye-sanket (PR #10892)
What does this PR do?
This PR adds proper support for OAuth flows inside desktop runtimes such as Tauri and Electron, which rely on custom URI schemes (e.g., tauri://, electron://) instead of traditional http/https URLs.
Key additions include:
This ensures secure, opt-in support for desktop apps without compromising web redirect security.
Test Plan
Web (Browser)
Tauri/Electron
Runtime Detection
Regression
Related PRs and Issues
Checklist
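The following is an added example and not code from this PR or the appwrite SDK. It sketches the two pieces the description names, an `isDesktopRuntime()` helper and an opt-in `allowCustomSchemes` flag, together with the guardrail the review comments ask for: the flag alone never admits a custom scheme, the callback must also match an explicit allowlist, and runtime detection prefers feature detection over the user-agent string. The `RuntimeGlobals`/`ClientConfig` types, the `allowedCallbacks` field and the function bodies are this example's own assumptions.

```typescript
// Added example (not the appwrite SDK's code). Names mirror the PR's concepts;
// types, the allowedCallbacks field and all bodies are assumptions of this example.

interface RuntimeGlobals {
  // Assumed shape of what Tauri and Electron expose on the global object.
  __TAURI__?: unknown;
  process?: { versions?: { electron?: string } };
  navigator?: { userAgent?: string };
}

interface ClientConfig {
  allowCustomSchemes: boolean; // default false: web behaviour is unchanged
  allowedCallbacks: string[];  // hypothetical: "scheme://host" entries the app registers
}

function createClientConfig(): ClientConfig {
  return { allowCustomSchemes: false, allowedCallbacks: [] };
}

// Counterpart of the PR's client.setAllowCustomSchemes(true); returns a new
// config instead of mutating, in the spirit of the review's typed-config remark.
function setAllowCustomSchemes(cfg: ClientConfig, value: boolean): ClientConfig {
  return { ...cfg, allowCustomSchemes: value };
}

// Feature detection first; the user-agent string is only a best-effort fallback
// because it can be reduced, overridden or spoofed.
function isDesktopRuntime(g: RuntimeGlobals): boolean {
  if (g.__TAURI__ !== undefined) return true;
  if (typeof g.process?.versions?.electron === "string") return true;
  const ua = g.navigator?.userAgent ?? "";
  return /\b(Tauri|Electron)\b/i.test(ua);
}

const WEB_SCHEMES = new Set(["http:", "https:"]);

// Normalised "scheme://host" of a callback URL, or null if it does not parse.
function callbackOrigin(raw: string): string | null {
  try {
    const u = new URL(raw);
    return `${u.protocol}//${u.host.toLowerCase()}`;
  } catch {
    return null;
  }
}

// Decides whether an OAuth callback URL may be used under the given config.
// http/https keep today's behaviour; any other scheme needs both the opt-in flag
// and an exact allowlist match, so isDesktopRuntime() alone never unlocks it.
function isAllowedCallbackUrl(raw: string, cfg: ClientConfig): boolean {
  const origin = callbackOrigin(raw);
  if (origin === null) return false;
  const scheme = origin.slice(0, origin.indexOf("//"));
  if (WEB_SCHEMES.has(scheme)) return true;
  if (!cfg.allowCustomSchemes) return false;
  return cfg.allowedCallbacks.some((entry) => entry.toLowerCase() === origin);
}
```

With the default config a `tauri://` callback is rejected exactly as on the web today; a desktop app has to call the setter and register its callback origin, so a spoofed user-agent or a forged custom-scheme URL does not widen what the client accepts.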