Thanks to visit codestin.com
Credit goes to github.com

Skip to content

feat: simplify PAR parameter handling by removing redundant filtering #2298

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Sep 16, 2025
Merged

feat: simplify PAR parameter handling by removing redundant filtering #2298

merged 7 commits into from
Sep 16, 2025

Conversation

tusharpandey13
Copy link
Contributor

@tusharpandey13 tusharpandey13 commented Sep 2, 2025
edited
Loading

Removes PAR parameter blocklist logic and leverages PAR's inherent security model for cleaner, more maintainable code. All parameters are now forwarded to PAR's encrypted request body when enabled.

  • All new/changed/fixed functionality is covered by tests (or N/A)
  • I have added documentation for all new/changed functionality (or N/A)

📋 Changes

The original handleLogin method used a filter that blocked all custom authorization parameters and increased complexity. PAR already secures parameters by moving them from URLs to encrypted request bodies, making client-side filtering redundant.

  • Changed src/server/auth-client.ts: Simplified parameter handling in handleLogin method

  • Changed src/server/auth-client.test.ts: Updated test expectations to match new forwarding behavior

🎯 Testing

Automated:
All 305 existing tests pass with updated expectations for PAR parameter forwarding behavior.

Manual:

  1. Enable PAR in Auth0 tenant configuration
  2. Navigate to /auth/login?screen_hint=signup&custom_param=value
  3. Verify parameters appear in PAR request body (not authorization URL)
  4. Verify redirect_uri cannot be overridden via query parameters
  5. Test with PAR disabled - parameters should appear in authorization URL

@tusharpandey13
bugfix: allow screen_hint parameter with PAR enabled
376f6f5 
- Implement selective parameter forwarding for PAR requests
- Add SAFE_PAR_PARAMETERS whitelist for UI/UX parameters
- Maintain security by blocking authorization parameters
- Add comprehensive test coverage for PAR parameter handling
- Fixes screen_hint signup flow when PAR is enabled

This change resolves the issue where screen_hint=signup parameter
was being blocked when Pushed Authorization Requests (PAR) was
enabled, preventing users from being directed to the signup screen.

The fix implements a security-conscious approach by whitelisting
only safe UI parameters while continuing to block potentially
dangerous authorization parameters, maintaining PAR's security
benefits while restoring essential UX functionality.
@tusharpandey13 tusharpandey13 requested a review from a team as a code owner September 2, 2025 09:48
@codecov-commenter
Copy link

codecov-commenter commented Sep 2, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.37%. Comparing base (c63a855) to head (32c36b0).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2298      +/-   ##
==========================================
- Coverage   85.37%   85.37%   -0.01%     
==========================================
  Files          26       26              
  Lines        2619     2618       -1     
  Branches      482      480       -2     
==========================================
- Hits         2236     2235       -1     
  Misses        377      377              
  Partials        6        6

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@tusharpandey13 tusharpandey13 changed the title bugfix: allow screen_hint parameter with PAR enabled improvement: simplify PAR parameter handling by removing redundant filtering Sep 2, 2025
@tusharpandey13 tusharpandey13 changed the title improvement: simplify PAR parameter handling by removing redundant filtering feat: simplify PAR parameter handling by removing redundant filtering Sep 2, 2025
@tusharpandey13 tusharpandey13 marked this pull request as draft September 3, 2025 06:15
@tusharpandey13 tusharpandey13 marked this pull request as ready for review September 8, 2025 07:16
@tusharpandey13 tusharpandey13 marked this pull request as draft September 8, 2025 07:30
@tusharpandey13 tusharpandey13 marked this pull request as ready for review September 10, 2025 11:48
nandan-bhat
nandan-bhat reviewed Sep 10, 2025
View reviewed changes
@tusharpandey13 tusharpandey13 merged commit 2154cce into main Sep 16, 2025
12 checks passed
@tusharpandey13 tusharpandey13 deleted the bugfix/screen-hint-par branch September 16, 2025 06:18
@tusharpandey13 tusharpandey13 mentioned this pull request Sep 16, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nandan-bhat nandan-bhat nandan-bhat approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tusharpandey13 @codecov-commenter @nandan-bhat