@nams1570 nams1570 commented Jan 12, 2026

We update the sdk dependencies (the ones present in package-template.json) to the latest versions. Since several packages have major version bumps, this results in a variety of breaking changes that have been handled here. Incidentally, when possible, we update similar dependencies across the codebase.
We decide to defer the tailwind update to another PR owing to its scale. The rest of the updates and changes have been catalogued below:

  1. Bumping oauth4webapi to 3.8.3: this was a major version change. While there were no compatibility issues in the sdk, there were several breaking changes in stack-shared. Namely:
    a. The removal of isOauth2Error. We used this to check if the results of our oauth4webapi api invocations had issues. The functions were changed to explicitly throw either ResponseBodyErrors or AuthorizationResponseErrors, so the code was reworked to account for that with no loss in error handling.
    b. Dropping of support for http broadly: oauth4webapi now only accepts https. This is desired, but I add a carve-out for our test environments only.
    c. refreshTokenGrantRequest and authorizationCodeGrantRequest now require clientAuthentication to be passed explicitly to them.
    d. Changes in how we handle our MultiFactorAuthenticationRequired error: This is an error that we created and is passed to the oauth4webapi API if there are MFA issues. Since the processAuthorizationCodeResponse now explicitly throws a ResponseBodyError, we access the error cause from the body of the error instead.
  2. Bumping color to 5.0.4: this was a major version bump. Simple type checking change, I checked the API for the correct interface.
  3. Bumping simplewebauthn to 13.2.2: two major version bumps, but no incompatibilities surprisingly
  4. Bumping cookie to 1.1.1: this was a major version bump.
    a. Changing parse to parseCookie. In the most recent version, parse is still maintained as an alias for parseCookie for backwards compatibility, but I thought it would be best to change it over now. No change in functionality.
    b. Typing is now strongly enforced. A cookie can be string | undefined, and the Cookies are now Record<string, string | undefined>. We already have code to handle if a cookie is returned as undefined/ null, so the changes here were more to ensure type compatibility rather than big changes in functionality.
  5. Bumping rimraf to 6.1.2: No breaking changes, mostly just bug fixes.
  6. Bumping jose to 6.1.3: This is another major version bump. We update it across the codebase to ensure compatibility. We use this for importing and processing jwk tokens. There are a few big changes in the version bump, but the only one that applies to us is that importJwk now yields a CryptoKey instead of a KeyObject in Node.js. However, this doesn't appear to break our code. We use importJwk in stack-auth/packages/stack-shared/src/utils/jwt.tsx.
  7. Bumping hookform/resolvers to 5.2.2 (two major version jumps), and consequently bumping react-hook-form to 7.70.0: We already use the patterns that hookform/resolvers' latest versions seem to be enforcing. The only other breaking change is that it requires version 7.55.0+ of react-hook-form. Though we should pay attention to any interactions with zod and hookform/resolvers, some people have reported compatibility issues if they aren't using the latest compatible versions of both.
  8. Bumping yup to 1.7.1: this was a minor version change, but we had incompatibility issues with this change. Versions 1.4.1 and 1.7.1 cannot exist in the same codebase due to incompatibility, so we bumped it up across the codebase, including in peer dependencies.
  9. Some minor version changes for some packages, but these were mostly bug fixes.
  10. Edited to add: Bumping freestyle to 0.1.6, and reworking the freestyle mock server. In 0.1.6, freestyle changed their API in two ways:
    a. We're now supposed to hit their execute/v2/... endpoint and
    b. They've flattened the config argument to serverless.runs.create.
    These changes are minor, but are important. As part of a general suite of dependency bumps, this was judged to fit here.

We have linked the changelogs for the packages on each line.

Summary by CodeRabbit

  • Chores

    • Updated many dependency versions across the project for improved security, compatibility, and tooling.
  • Bug Fixes

    • Hardened OAuth/token flows with stronger client auth, clearer error mapping (including MFA), and explicit handling for insecure test endpoints.
    • Improved cookie parsing and session token handling for more reliable sign-in/out behavior.
  • Other

    • Minor backend and sandbox execution payload adjustments and expanded mock endpoint acceptance (no user-facing API changes).

@nams1570 nams1570 marked this pull request as ready for review January 12, 2026 19:33
Copilot AI review requested due to automatic review settings January 12, 2026 19:33
@coderabbitai coderabbitai bot commented Jan 12, 2026
Walkthrough

Centralized OAuth token endpoint/authentication and hardened OAuth error handling (including MFA mapping and test-only insecure HTTP allowance); migrated cookie handling from plain maps to typed cookie.Cookies with structured refresh-cookie logic; wide dependency bumps across many package manifests and minor UI/type and freestyle payload shape tweaks.

Changes

Cohort / File(s) Summary
Dependency updates
apps/backend/package.json, apps/dashboard/package.json, docs/package.json, packages/js/package.json, packages/react/package.json, packages/stack-shared/package.json, packages/stack-ui/package.json, packages/stack/package.json, packages/template/package.json, packages/template/package-template.json
Bumped numerous dependencies across manifests (notable: jose^6.1.3, yup^1.7.1, oauth4webapi^3.8.3, plus other tooling/runtime packages).
OAuth token-exchange & error handling
packages/stack-shared/src/interface/client-interface.ts
Centralizes tokenEndpoint, uses ClientSecretPost client auth, propagates allowInsecureRequests for test/HTTP endpoints, wraps OAuth calls in try/catch, maps oauth errors to KnownErrors/StackAssertionError, surfaces MFA as MultiFactorAuthenticationRequired.
Cookie handling type refactor
packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
Replaces Record<string,string> with typed cookie.Cookies; updates parsing (parseCookie), structured refresh-cookie parsing, extraction priority (legacy vs structured by updatedAt), token retrieval, browser/server cookie helpers, and cookie update/queueing to new types/formats.
UI typing tweak
packages/template/src/components/oauth-button.tsx
Import/type changed to ColorInstance; changeColor parameter narrowed from Color → ColorInstance.
Freestyle payload shape change
apps/backend/src/lib/js-execution.tsx
Removed nested config wrapper; pass nodeModules at top-level as nodeModules: options.nodeModules ?? {} in Freestyle API payload.
Mock endpoint acceptance
docker/dependencies/freestyle-mock/Dockerfile
Expanded accepted POST endpoints to /execute/v1/script and /execute/v2/script; centralized endpoint validation variable.

Sequence Diagram(s)

sequenceDiagram
    participant Browser as Client (Browser)
    participant App as Stack Client Interface
    participant AuthZ as Authorization Server
    participant TokenEP as Token Endpoint

    Browser->>App: start OAuth flow / callback / refresh
    App->>App: compute tokenEndpoint & allowInsecure (based on env)
    App->>AuthZ: validate/process authorization response
    AuthZ-->>App: authorization response or error

    alt Authorization success
        App->>TokenEP: exchange code or refresh (ClientSecretPost + allowInsecure)
        TokenEP-->>App: access_token / refresh_token or error
        App->>App: process token response (try/catch)
        App-->>Browser: return tokens/session
    else ResponseBodyError with MFA
        App->>App: map to KnownErrors.MultiFactorAuthenticationRequired
        App-->>Browser: propagate MFA error
    else Other ResponseBodyError
        App->>App: wrap as StackAssertionError (with context)
        App-->>Browser: propagate error
    else Unexpected Error
        App->>App: wrap/throw StackAssertionError
        App-->>Browser: error response
    end

Suggested reviewers

  • N2D4
  • Developing-Gamer


Copilot AI left a comment
Pull request overview

This PR updates SDK dependencies to their latest versions, handling multiple major version bumps and their associated breaking changes. The updates include oauth4webapi (v2→v3), cookie (v0.6→v1.1), color (v4→v5), simplewebauthn (v11→v13), jose (v5→v6), hookform/resolvers (v3→v5), react-hook-form (v7.51→v7.70), rimraf (v5→v6), and yup (v1.4→v1.7).

Changes:

  • Updated 9 major SDK dependencies with breaking changes, including oauth4webapi, cookie, color, simplewebauthn, jose, hookform/resolvers, and rimraf
  • Refactored OAuth error handling to use explicit try-catch blocks for ResponseBodyError and AuthorizationResponseError instead of the removed isOauth2Error function
  • Added explicit client authentication parameters and HTTP carve-out for test environments to accommodate oauth4webapi v3 requirements
  • Updated cookie library usage from parse to parseCookie and adjusted type signatures to handle string | undefined values
  • Modified color library usage to import ColorInstance type for proper type checking

Reviewed changes

Copilot reviewed 13 out of 14 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
pnpm-lock.yaml Updates all dependency versions and their transitive dependencies
packages/template/package.json Updates SDK dependencies in template package
packages/template/package-template.json Updates SDK dependencies in package template
packages/stack/package.json Updates SDK dependencies in stack package
packages/stack-ui/package.json Updates yup peer dependency version
packages/stack-shared/package.json Updates jose and oauth4webapi dependencies and yup peer dependency
packages/react/package.json Updates SDK dependencies in react package
packages/js/package.json Updates SDK dependencies in js package
docs/package.json Updates jose dependency version
apps/dashboard/package.json Updates jose and yup dependencies
apps/backend/package.json Updates jose and yup dependencies
packages/stack-shared/src/interface/client-interface.ts Implements oauth4webapi v3 breaking changes including explicit client authentication, HTTP allowance for test environments, and new error handling patterns
packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts Updates cookie handling to use parseCookie instead of parse and adjusts type signatures to cookie.Cookies
packages/template/src/components/oauth-button.tsx Imports ColorInstance type for proper color library type checking
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/template/package-template.json (1)

142-143: Remove @types/cookie—cookie v1.1.1 includes bundled TypeScript definitions.

The cookie package v1.1.1 ships with its own TypeScript definitions (dist/index.d.ts), making the separate @types/cookie dependency redundant. Remove this dependency to avoid potential type conflicts and reduce maintenance overhead.

🤖 Fix all issues with AI agents
In @packages/js/package.json:
- Around line 56-57: Remove the redundant devDependency entries for @types/color
and @types/cookie from package.json (they correspond to the outdated
@types/color and @types/cookie entries in devDependencies), since [email protected]
and [email protected] bundle their own index.d.ts files; update package.json by
deleting those @types/* lines, run npm/yarn install to refresh lockfile, and run
TypeScript build/type-check to confirm the bundled types cover your usages and
fix any missing typings accordingly.

In @packages/stack-shared/src/interface/client-interface.ts:
- Around line 1066-1074: The catch block handling oauth.ResponseBodyError uses
unsafe (e.cause as any) accesses; update the oauth.ResponseBodyError branch in
the try/catch to defensively verify e.cause and e.cause.details exist before
reading .code or .details.attempt_code (use optional chaining and nullish
coalescing or explicit checks), and if missing throw a StackAssertionError with
the original error as cause; when code ===
"MULTI_FACTOR_AUTHENTICATION_REQUIRED" extract attempt_code safely
(e.cause?.details?.attempt_code ?? throw a StackAssertionError) and pass it to
KnownErrors.MultiFactorAuthenticationRequired, otherwise rethrow a
StackAssertionError("Outer OAuth error during authorization code response", {
cause: e.cause }).
🧹 Nitpick comments (1)
packages/stack-shared/src/interface/client-interface.ts (1)

200-213: Consider using consistent error cause property naming.

Lines 210 and 212 use { e } for the error context, while lines 1072 and 1074 use { cause: e }. Using { cause: e } consistently would align with JavaScript's standard error chaining pattern and the pattern used in callOAuthCallback.

♻️ Suggested fix for consistent error chaining
     } catch (e){
       if (e instanceof oauth.ResponseBodyError) {
-        throw new StackAssertionError("ResponseBodyError when processing refresh token response", { e });
+        throw new StackAssertionError("ResponseBodyError when processing refresh token response", { cause: e });
       }
-      throw new StackAssertionError("Unexpected error when processing refresh token response", { e });
+      throw new StackAssertionError("Unexpected error when processing refresh token response", { cause: e });
     }
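Review bot: the `{ cause: e }` form in the two suggested lines is preferable for a second reason beyond naming consistency: the final `throw` in this hunk is a catch-all that re-throws every non-ResponseBodyError as a StackAssertionError, so without `cause` the original error type and stack are lost to callers and logs. Minor style point on the unchanged context line: `catch (e){` is missing the space before the brace.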
Reviewing files that changed from the base of the PR and between 20f435f and 05023a5.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (13)
  • apps/backend/package.json
  • apps/dashboard/package.json
  • docs/package.json
  • packages/js/package.json
  • packages/react/package.json
  • packages/stack-shared/package.json
  • packages/stack-shared/src/interface/client-interface.ts
  • packages/stack-ui/package.json
  • packages/stack/package.json
  • packages/template/package-template.json
  • packages/template/package.json
  • packages/template/src/components/oauth-button.tsx
  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
🧰 Additional context used
📓 Path-based instructions (5)
**/*.{tsx,ts,jsx,js}

📄 CodeRabbit inference engine (AGENTS.md)

For blocking alerts and errors, never use toast; instead, use alerts as toasts are easily missed by the user

Files:

  • packages/template/src/components/oauth-button.tsx
  • packages/stack-shared/src/interface/client-interface.ts
  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
**/*.{tsx,css}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{tsx,css}: Keep hover/click animations snappy and fast; don't delay actions with pre-transitions (e.g., no fade-in on button hover) as it makes UI feel sluggish; instead apply transitions after the action like smooth fade-out when hover ends
When creating hover transitions, avoid hover-enter transitions and use only hover-exit transitions (e.g., transition-colors hover:transition-none)

Files:

  • packages/template/src/components/oauth-button.tsx
**/*.{tsx,ts}

📄 CodeRabbit inference engine (AGENTS.md)

NEVER use Next.js dynamic functions if avoidable; prefer using client components instead to keep pages static (e.g., use usePathname instead of await params)

Files:

  • packages/template/src/components/oauth-button.tsx
  • packages/stack-shared/src/interface/client-interface.ts
  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx,js,jsx}: NEVER try-catch-all, NEVER void a promise, and NEVER use .catch(console.error) or similar; use loading indicators instead; if asynchronous handling is necessary, use runAsynchronously or runAsynchronouslyWithAlert instead
Use ES6 maps instead of records wherever possible

Files:

  • packages/template/src/components/oauth-button.tsx
  • packages/stack-shared/src/interface/client-interface.ts
  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Code defensively; prefer ?? throwErr(...) over non-null assertions with good error messages explicitly stating violated assumptions
Avoid the any type; when necessary, leave a comment explaining why it's used, why the type system fails, and how errors would be caught at compile-, test-, or runtime

Files:

  • packages/template/src/components/oauth-button.tsx
  • packages/stack-shared/src/interface/client-interface.ts
  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
🧠 Learnings (6)
📚 Learning: 2026-01-08T20:30:36.983Z
Learnt from: nams1570
Repo: stack-auth/stack-auth PR: 1091
File: apps/backend/src/lib/email-rendering.tsx:49-54
Timestamp: 2026-01-08T20:30:36.983Z
Learning: In apps/backend/src/lib/email-rendering.tsx, the nodeModules constant intentionally pins React and react-dom to version 19.1.1 (rather than matching the project's React version) because pinning provides more reliability for email rendering in the sandbox environment.

Applied to files:

  • apps/backend/package.json
  • packages/template/package.json
  • packages/stack-shared/package.json
  • packages/react/package.json
  • packages/stack-ui/package.json
  • packages/stack/package.json
  • packages/template/package-template.json
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to {packages/stack,packages/js}/**/*.{ts,tsx,js,jsx} : NEVER UPDATE packages/stack OR packages/js; instead, update packages/template as those packages are copies of it

Applied to files:

  • packages/template/package.json
  • packages/js/package.json
  • packages/stack-shared/package.json
  • packages/stack-ui/package.json
  • packages/stack/package.json
  • packages/template/package-template.json
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: The project uses Vitest for testing and pnpm with workspaces as the package manager for monorepo management

Applied to files:

  • packages/js/package.json
📚 Learning: 2025-12-03T07:19:44.433Z
Learnt from: madster456
Repo: stack-auth/stack-auth PR: 1040
File: packages/stack-shared/src/interface/crud/oauth-providers.ts:62-87
Timestamp: 2025-12-03T07:19:44.433Z
Learning: In packages/stack-shared/src/interface/crud/oauth-providers.ts and similar CRUD files, the tag "Oauth" (not "OAuth") is the correct capitalization format as it's used by the documentation generation system and follows OpenAPI conventions.

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to **/e2e/**/*.{test,spec}.{ts,tsx,js,jsx} : ALWAYS add new E2E tests when changing the API or SDK interface; err on the side of creating too many tests due to the critical nature of the authentication industry

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to **/config/schema.ts,**/config/**/*.{ts,tsx} : Whenever making backwards-incompatible changes to the config schema, update the migration functions in `packages/stack-shared/src/config/schema.ts`

Applied to files:

  • packages/stack-shared/package.json
  • packages/stack-ui/package.json
  • packages/stack/package.json
🧬 Code graph analysis (1)
packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts (2)
packages/template/src/lib/stack-app/apps/implementations/common.ts (1)
  • TokenObject (148-151)
packages/stack-shared/src/utils/env.tsx (1)
  • isBrowserLike (4-6)
🪛 Biome (2.1.2)
packages/template/package-template.json

[error] 90-90: The key // was already declared.

This is where a duplicated key was declared again (reported for six further occurrences).

If a key is defined multiple times, only the last definition takes effect. Previous definitions are ignored.

(lint/suspicious/noDuplicateObjectKeys)

🔇 Additional comments (21)
packages/stack-ui/package.json (1)

31-31: LGTM!

The yup peer dependency bump to ^1.7.1 is consistent with the broader repository-wide update and maintains the optional peer dependency configuration.

docs/package.json (1)

43-43: LGTM!

Patch version bump for jose aligns with the repository-wide update to ^6.1.3.

packages/template/src/components/oauth-button.tsx (2)

4-4: LGTM!

The import correctly brings in both the Color constructor and the ColorInstance type, aligning with color v5's updated type exports.


12-16: Type annotation correctly updated for color v5.

The parameter type change from Color to ColorInstance properly reflects the color library's v5 breaking change where instance types are now exported as ColorInstance. The function logic remains unchanged.

apps/dashboard/package.json (2)

101-101: LGTM!

The yup minor version bump to ^1.7.1 is consistent with the repository-wide update.


79-79: jose v6 upgrade is compatible with dashboard code.

The dashboard package.json correctly bumps jose from ^5.2.2 to ^6.1.3. The dashboard code uses only the stable SignJWT API (in apps/dashboard/src/app/(main)/integrations/featurebase/sso/page.tsx), which remains unchanged in v6. No code updates are needed for this upgrade.

packages/template/package-template.json (3)

88-89: Major version bumps for form and WebAuthn dependencies are compatible with current usage.

  • @hookform/resolvers v3→v5: yupResolver API unchanged; react-hook-form v7.70.0 satisfies requirement (≥ 7.55.0) ✓
  • @simplewebauthn/browser v11→v13: Core APIs (startRegistration, startAuthentication) verified as stable ✓
  • oauth4webapi v2→v3: PKCE functions (calculatePKCECodeChallenge, generateRandomCodeVerifier, generateRandomState) confirmed compatible ✓
  • jose v5→v6: decodeJwt, decodeProtectedHeader APIs unchanged ✓

No breaking changes detected in current codebase usage patterns.


104-104: Major version bump for oauth4webapi (v2 → v3).

This is a significant breaking change with multiple API updates. Confirmed changes include:

  • isOauth2Error removed (errors now thrown as ResponseBodyError/AuthorizationResponseError)
  • Additional breaking changes: jweDecrypt removed from Client interface, EdDSA behavior changes (Ed448 no longer supported), client assertion audience format change, and signature validation API renamed (validateJwtIntrospectionSignature → validateApplicationLevelSignature)

Ensure all OAuth flows have been updated with try/catch handling for the new error types, and review any code using the removed/renamed APIs. Verify HTTPS configuration for test environments if applicable.


98-100: Dependency migration verified.

  • cookie v1: parse → parseCookie migration confirmed; no deprecated API usage found.
  • color v5: Type exports correctly imported and used in oauth-button.tsx (ColorInstance, color methods).
  • jose v6: importJWK correctly returns CryptoKey and is properly passed to .sign() in jwt.tsx.

All breaking changes have been successfully addressed.

packages/stack-shared/package.json (1)

39-39: Dependency version bumps look consistent with the PR objectives.

The major version updates to jose (5→6), oauth4webapi (2→3), and yup (1.4→1.7) align with the described breaking change handling in the related code files.

Also applies to: 66-67

packages/react/package.json (1)

60-79: Dependency updates align with the PR scope.

The major version bumps are consistent across the repository. Since this file is auto-generated from the template (as noted in line 2), these changes should mirror the updates in packages/template/package.json.

packages/template/package.json (1)

65-85: Template dependency updates are consistent.

As the source template for other packages, these version bumps will propagate correctly to packages/stack, packages/js, and packages/react.

packages/stack/package.json (1)

60-80: Auto-generated file correctly mirrors the template.

The dependency versions match packages/template/package.json exactly, which is the expected behavior for this auto-generated file. Based on learnings, updates should be made to packages/template and this file should be regenerated.

packages/stack-shared/src/interface/client-interface.ts (2)

157-178: OAuth token refresh handling updated correctly for oauth4webapi 3.x.

The refactoring introduces:

  • Explicit tokenEndpoint constant
  • ClientSecretPost for client authentication (required by oauth4webapi 3.x)
  • Environment-aware allowInsecure flag for test environments

1042-1052: Authorization response validation error handling looks correct.

The try/catch properly distinguishes between AuthorizationResponseError and other unexpected errors, wrapping both in StackAssertionError with appropriate context.

packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts (3)

541-545: Cookie parsing updated correctly for cookie package 1.x.

The migration from cookie.parse to cookie.parseCookie is correctly implemented. The return type cookie.Cookies (which is Record<string, string | undefined>) properly reflects that cookie values may be undefined.


455-506: Cookie value handling properly accounts for undefined values.

The updated methods correctly handle the string | undefined type from cookie.Cookies:

  • _parseStructuredRefreshCookie accepts string | undefined and returns early if falsy
  • _extractRefreshTokenFromCookieMap uses truthy checks before accessing values
  • Nullish coalescing (??) is used where appropriate

556-588: Remaining cookie-related changes are consistent.

The helper methods and request header parsing all correctly use the updated cookie.Cookies type and parseCookie function.

Also applies to: 777-778

apps/backend/package.json (1)

85-85: Backend dependency updates are properly handled.

The jose upgrade to 6.x involves a breaking change where importJWK now returns CryptoKey instead of KeyObject. The code at line 45 of packages/stack-shared/src/utils/jwt.tsx correctly uses this return value with SignJWT(...).sign(), which accepts the CryptoKey type. The yup upgrade to 1.7.1 is a minor version bump with no breaking changes.

packages/js/package.json (2)

52-65: Major dependency bumps look appropriately coordinated.

The version bumps align with the PR objectives and the breaking changes appear to be handled in the corresponding code changes across the repository. Based on the retrieved learnings, since packages/js is auto-generated from packages/template, ensure packages/template/package.json is the source of these changes.


63-63: rimraf version mismatch between dependencies and devDependencies.

rimraf is listed in both dependencies (line 63: ^6.1.2) and devDependencies (line 82: ^5.0.5). This creates ambiguity about which version will be used and could lead to inconsistent behavior between build-time and runtime scripts.

Consider aligning both to ^6.1.2 or removing it from dependencies if it's only used for build scripts.

Also applies to: 82-82

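The defensive MFA error mapping that the CodeRabbit agent prompt above asks for (check that `cause` and `cause.details` exist before reading `code` or `attempt_code`, otherwise wrap the original error as `cause`), and the `e.cause`-based access described in item 1d of the PR description, as an added example that is not code from the stack-auth repository. The three error classes are minimal stand-ins whose shapes are assumed (oauth4webapi's ResponseBodyError carrying the parsed error body in `cause`, the project's StackAssertionError and KnownErrors.MultiFactorAuthenticationRequired); `findResponseBodyError` goes one step beyond the page by walking the `cause` chain so a ResponseBodyError re-thrown inside a wrapper error is still recognised.

```typescript
// Added example (not code from the stack-auth repository). Shapes of the three
// error classes are assumptions standing in for oauth4webapi's ResponseBodyError
// and the project's StackAssertionError / MultiFactorAuthenticationRequired.

type JsonValue = string | number | boolean | null | JsonValue[] | { [k: string]: JsonValue | undefined };
type JsonBody = Record<string, JsonValue | undefined>;

// Stand-in for oauth4webapi's ResponseBodyError: `cause` holds the parsed JSON
// error body returned by the token endpoint (assumed shape).
class ResponseBodyError extends Error {
  readonly cause: JsonBody;
  readonly status: number;
  constructor(message: string, body: JsonBody, status = 400) {
    super(message);
    this.name = "ResponseBodyError";
    this.cause = body;
    this.status = status;
  }
}

// Stand-in for the project's StackAssertionError: the original error is kept
// reachable through the standard `cause` property instead of a bare `{ e }`.
class StackAssertionError extends Error {
  cause: unknown;
  constructor(message: string, options?: { cause?: unknown }) {
    super(message);
    this.name = "StackAssertionError";
    this.cause = options?.cause;
  }
}

// Stand-in for KnownErrors.MultiFactorAuthenticationRequired.
class MultiFactorAuthenticationRequired extends Error {
  constructor(readonly attemptCode: string) {
    super("Multi-factor authentication required");
    this.name = "MultiFactorAuthenticationRequired";
  }
}

const MFA_CODE = "MULTI_FACTOR_AUTHENTICATION_REQUIRED";

// Walks the `cause` chain (depth-limited against malformed cycles) so that a
// ResponseBodyError re-thrown inside a wrapper error is still found. This is
// the generalisation of the plain `instanceof` check, not project behaviour.
function findResponseBodyError(e: unknown, maxDepth = 5): ResponseBodyError | undefined {
  let current: unknown = e;
  for (let depth = 0; depth < maxDepth && current instanceof Error; depth++) {
    if (current instanceof ResponseBodyError) return current;
    current = (current as { cause?: unknown }).cause;
  }
  return undefined;
}

// Maps an error caught while processing an authorization-code response to the
// error that should be surfaced. It returns rather than throws so callers can
// `throw mapAuthorizationCodeError(e)` and tests can inspect the result.
function mapAuthorizationCodeError(e: unknown): Error {
  const rbe = findResponseBodyError(e);
  if (rbe === undefined) {
    return new StackAssertionError("Unexpected error when processing authorization code response", { cause: e });
  }
  const body = rbe.cause;
  const code = typeof body.code === "string" ? body.code : undefined;
  if (code !== MFA_CODE) {
    return new StackAssertionError("Outer OAuth error during authorization code response", { cause: rbe });
  }
  // MFA path: the attempt code is expected at body.details.attempt_code. A
  // missing or non-string value is a violated assumption, not a success.
  const details = body.details;
  const attemptCode =
    details !== null && typeof details === "object" && !Array.isArray(details)
      ? details.attempt_code
      : undefined;
  if (typeof attemptCode !== "string" || attemptCode.length === 0) {
    return new StackAssertionError("MFA required but attempt_code missing from error body", { cause: rbe });
  }
  return new MultiFactorAuthenticationRequired(attemptCode);
}

// Constructed sample token-endpoint error bodies (not real server output).
const mfaBody: JsonBody = { error: "invalid_grant", code: MFA_CODE, details: { attempt_code: "attempt-123" } };
const brokenMfaBody: JsonBody = { error: "invalid_grant", code: MFA_CODE };
const otherBody: JsonBody = { error: "invalid_grant", code: "REFRESH_TOKEN_ERROR" };
```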

@greptile-apps greptile-apps bot commented Jan 12, 2026

Greptile Summary

This PR updates SDK dependencies to their latest versions, handling multiple major version bumps. The main changes include:

Key Dependency Updates

  1. oauth4webapi (v2 → v3.8.3): Significant API changes including removal of isOAuth2Error in favor of explicit error throwing via ResponseBodyError and AuthorizationResponseError
  2. cookie (v0.6 → v1.1.1): API rename from parse to parseCookie with stronger typing (Record<string, string | undefined>)
  3. color (v4 → v5.0.4): Type interface changes requiring explicit ColorInstance import
  4. jose (v5 → v6.1.3): importJWK now returns CryptoKey instead of KeyObject (no breaking changes in usage)
  5. @hookform/resolvers (v3 → v5.2.2) and react-hook-form (v7.51 → v7.70.0): Version compatibility updates
  6. simplewebauthn (v11 → v13.2.2): Two major version jumps with no breaking changes
  7. yup (v1.4.0 → v1.7.1): Updated across codebase for compatibility

Code Changes

oauth4webapi v3 Migration:

  • Removed isOAuth2Error checks, now using try-catch with instanceof checks
  • Added explicit clientAuthentication parameter to refreshTokenGrantRequest and authorizationCodeGrantRequest
  • Added HTTP allowance for test environments only via allowInsecureRequests flag
  • Changed MFA error extraction from direct property access to e.cause access in ResponseBodyError

cookie v1 Migration:

  • Updated all cookie.parse() calls to cookie.parseCookie()
  • Changed type signatures from Record<string, string> to cookie.Cookies (which allows string | undefined)
  • Existing null/undefined handling code already in place, so type changes are safe

color v5 Migration:

  • Added ColorInstance type import for function parameter typing

Critical Issue Found

⚠️ Bug in error handling: The AuthorizationResponseError catch block in callOAuthCallback (lines 1042-1051) will never execute because validateAuthResponse is wrapped in _networkRetryException, which wraps thrown errors in a generic network error. The instanceof check will always fail. This needs to be fixed by either checking e.cause or removing the retry wrapper for this specific call.

Testing Considerations

  • The HTTP allowance for test environments is correctly scoped to getNodeEnvironment() === 'test' and only for http:// URLs
  • MFA error handling has been updated but should be tested to ensure e.cause contains the expected structure
  • Cookie type changes are backward compatible since existing code already handles undefined values

Confidence Score: 3/5

  • This PR has one critical bug in OAuth error handling that could cause authorization errors to be mishandled
  • Score of 3 reflects a critical logic bug in the OAuth authorization flow where the AuthorizationResponseError catch block will never execute due to error wrapping in _networkRetryException. While most dependency updates are handled correctly (cookie, color, jose, simplewebauthn), this OAuth error handling bug could cause authorization failures to be incorrectly reported as network errors. The bug is in a critical authentication path but has a clear fix
  • packages/stack-shared/src/interface/client-interface.ts requires immediate attention to fix the AuthorizationResponseError handling bug on lines 1042-1051

Important Files Changed

File Analysis

Filename Score Overview
packages/stack-shared/src/interface/client-interface.ts 3/5 Updated OAuth4webapi usage to v3 with new error handling; contains a bug where AuthorizationResponseError catch block will never execute due to error wrapping in _networkRetryException
packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts 5/5 Updated cookie package usage from parse to parseCookie and updated type annotations to use cookie.Cookies type (Record<string, string
packages/template/src/components/oauth-button.tsx 5/5 Updated Color import to include ColorInstance type for function parameter typing; correctly adapted to color v5 API
packages/template/package-template.json 5/5 Updated multiple SDK dependencies to latest versions including oauth4webapi v3, cookie v1, color v5, jose v6, hookform/resolvers v5, and others; all major version bumps handled in code
packages/stack-shared/package.json 5/5 Updated oauth4webapi to v3, jose to v6, and yup to v1.7.1; dependency version bumps are consistent with template packages

Sequence Diagram

sequenceDiagram
    participant ClientCode
    participant oauth4webapi
    participant RetryLogic
    
    Note over ClientCode,oauth4webapi: OAuth Flow Changes in v3

    ClientCode->>RetryLogic: Wrap validateAuthResponse call
    RetryLogic->>oauth4webapi: validateAuthResponse()
    
    alt Validation Fails
        oauth4webapi-->>RetryLogic: Throws AuthorizationResponseError
        RetryLogic->>RetryLogic: Attempts 5 retries
        RetryLogic-->>ClientCode: Wrapped in generic Error
        Note over ClientCode: BUG: Cannot catch specific error type
    else Validation Succeeds
        oauth4webapi-->>RetryLogic: Returns URLSearchParams
        RetryLogic-->>ClientCode: URLSearchParams
    end
    
    ClientCode->>oauth4webapi: authorizationCodeGrantRequest()
    oauth4webapi->>oauth4webapi: Makes HTTP request
    
    ClientCode->>oauth4webapi: processAuthorizationCodeResponse()
    
    alt Processing Fails
        oauth4webapi-->>ClientCode: Throws ResponseBodyError
        ClientCode->>ClientCode: Checks instanceof ResponseBodyError
        Note over ClientCode: Works correctly (not wrapped)
    else Processing Succeeds
        oauth4webapi-->>ClientCode: Returns result object
    end

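The error-wrapping problem Greptile raises above (an `instanceof oauth.AuthorizationResponseError` check that cannot match once a retry helper has re-thrown a generic error), together with the `(e.cause as any)` reads the CodeRabbit comments in this thread discuss, in runnable form. This is an added example, not code from the PR and not oauth4webapi's classes: the error classes are local stand-ins that model only the `cause` property, the two retry helpers and `classifyOAuthFailure` are illustrative names of mine, the `TypeError` predicate for network failures is an assumption about how fetch reports them, and the MFA body shape is built from the field names quoted in the thread.

```typescript
// Minimal base giving the stand-ins a reliable instanceof and a `cause` slot.
class CausedError extends Error {
  declare cause: unknown;
  constructor(message: string, cause: unknown) {
    super(message);
    this.name = new.target.name;
    this.cause = cause;
    Object.setPrototypeOf(this, new.target.prototype);
  }
}
// Stand-ins for the oauth4webapi v3 classes named in this thread (NOT the library's):
// `cause` is the parsed JSON error body, resp. the callback URL's query parameters.
class ResponseBodyError extends CausedError {}
class AuthorizationResponseError extends CausedError {
  declare cause: URLSearchParams;
  constructor(message: string, cause: URLSearchParams) { super(message, cause); }
}
// Generic error a retry helper throws once its attempts are exhausted.
class RetryExhaustedError extends CausedError {}

// Wrapper in the shape the review describes: every failure is retried and the last
// one is re-thrown inside a generic error, so `instanceof` on what the caller
// catches never matches the library's classes.
async function retryWrappingAll<T>(fn: () => Promise<T>, attempts = 3): Promise<T> {
  let last: unknown;
  for (let i = 0; i < attempts; i++) {
    try { return await fn(); } catch (e) { last = e; }
  }
  throw new RetryExhaustedError("request failed after retries", last);
}

// Corrected wrapper: only transport failures are retried, protocol errors pass
// through untouched. fetch() reports transport failures as a TypeError in browsers
// and in Node, which is the predicate assumed here.
async function retryNetworkOnly<T>(fn: () => Promise<T>, attempts = 3): Promise<T> {
  let last: unknown;
  for (let i = 0; i < attempts; i++) {
    try { return await fn(); } catch (e) {
      if (!(e instanceof TypeError)) throw e; // not a network error: final, do not mask it
      last = e;
    }
  }
  throw new RetryExhaustedError("request failed after retries", last);
}

type OAuthFailure =
  | { kind: "mfa_required"; attemptCode: string }
  | { kind: "token_error"; code: string }
  | { kind: "authorization_error"; error: string }
  | { kind: "unknown" };

// Typed guard replacing the `(e.cause as any)` reads quoted in the review. The field
// names are the ones quoted there; the surrounding body shape is an assumption.
function isMfaRequiredBody(
  body: unknown,
): body is { code: "MULTI_FACTOR_AUTHENTICATION_REQUIRED"; details: { attempt_code: string } } {
  if (typeof body !== "object" || body === null) return false;
  const b = body as { code?: unknown; details?: { attempt_code?: unknown } | null };
  return b.code === "MULTI_FACTOR_AUTHENTICATION_REQUIRED" && typeof b.details?.attempt_code === "string";
}

// Classifies a caught value. It walks the `cause` chain so an error a retry helper
// wrapped is still recognised; the depth limit guards against cyclic causes.
function classifyOAuthFailure(e: unknown, depth = 0): OAuthFailure {
  if (e instanceof AuthorizationResponseError) {
    return { kind: "authorization_error", error: e.cause.get("error") ?? "unknown" };
  }
  if (e instanceof ResponseBodyError) {
    if (isMfaRequiredBody(e.cause)) {
      return { kind: "mfa_required", attemptCode: e.cause.details.attempt_code };
    }
    const code = (e.cause as { code?: unknown } | null)?.code;
    return { kind: "token_error", code: typeof code === "string" ? code : "unknown" };
  }
  if (typeof e === "object" && e !== null && "cause" in e && depth < 8) {
    return classifyOAuthFailure((e as { cause: unknown }).cause, depth + 1);
  }
  return { kind: "unknown" };
}

// Constructed stand-in for oauth.validateAuthResponse on a callback URL carrying
// ?error=access_denied: a protocol error, not a network one.
async function failingValidate(): Promise<URLSearchParams> {
  throw new AuthorizationResponseError("error in authorization response",
    new URLSearchParams("error=access_denied&state=xyz"));
}

async function demo() {
  let wrapped: unknown;
  try { await retryWrappingAll(failingValidate); } catch (e) { wrapped = e; }
  let passedThrough: unknown;
  try { await retryNetworkOnly(failingValidate); } catch (e) { passedThrough = e; }
  return {
    topLevelMatches: wrapped instanceof AuthorizationResponseError,            // false: the flagged bug
    viaCause: classifyOAuthFailure(wrapped),                                   // found by walking `cause`
    passedThroughMatches: passedThrough instanceof AuthorizationResponseError, // true with the fix
  };
}
```

Walking `cause` lets a caller recover the library error even through a wrapper, but the cleaner fix is the second wrapper: an authorization or token error is a final answer from the server, and retrying it only delays the user and buries the real reason under a network error.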

@greptile-apps greptile-apps bot left a comment


1 file reviewed, 1 comment


@cmux-agent

cmux-agent bot commented Jan 12, 2026


Preview Screenshots


Preview screenshots are being captured...

Workspace and dev browser links will appear here once the preview environment is ready.


Generated by cmux preview system


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @packages/stack-shared/src/interface/client-interface.ts:
- Around line 1042-1050: The catch block for oauth.validateAuthResponse uses
object shorthand { e } instead of proper error chaining; update both throw sites
that create new StackAssertionError (the one for
oauth.AuthorizationResponseError and the fallback) to pass the original error as
{ cause: e } so the thrown StackAssertionError correctly chains the underlying
error (consistent with the other usage around validateAuthResponse).
- Around line 200-213: The catch block is wrapping errors in plain objects ({ e
}) which breaks error chaining; update both throw new StackAssertionError(...)
calls in the refresh token flow to pass the original error as the cause (use {
cause: e }) so the error chain is preserved—specifically, modify the branches
that throw new StackAssertionError("ResponseBodyError when processing refresh
token response", { e }) and new StackAssertionError("Unexpected error when
processing refresh token response", { e }) to use { cause: e } and leave the
messages intact; no other logic changes required (see
oauth.processRefreshTokenResponse, AccessToken.createIfValid, throwErr, and
StackAssertionError in this block).
🧹 Nitpick comments (1)
packages/stack-shared/src/interface/client-interface.ts (1)

1061-1073: Add comments explaining the any casts.

Per coding guidelines, avoid any type or leave a comment explaining why it's used. Lines 1066-1067 use (e.cause as any) to access custom properties from the OAuth error response. Consider adding a brief comment explaining the expected structure comes from the backend's custom error format.

💡 Suggested improvement
     try {
       result = await oauth.processAuthorizationCodeResponse(as, client, response);
     } catch (e) {
       if (e instanceof oauth.ResponseBodyError) {
+        // The backend returns custom error codes in the OAuth error response body.
+        // e.cause contains the parsed JSON with `code` and optional `details`.
         if ((e.cause as any).code === "MULTI_FACTOR_AUTHENTICATION_REQUIRED") {
           throw new KnownErrors.MultiFactorAuthenticationRequired((e.cause as any).details.attempt_code);
         }
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 05023a5 and 1f26cb7.

📒 Files selected for processing (1)
  • packages/stack-shared/src/interface/client-interface.ts
🧰 Additional context used
📓 Path-based instructions (4)
**/*.{tsx,ts,jsx,js}

📄 CodeRabbit inference engine (AGENTS.md)

For blocking alerts and errors, never use toast; instead, use alerts as toasts are easily missed by the user

Files:

  • packages/stack-shared/src/interface/client-interface.ts
**/*.{tsx,ts}

📄 CodeRabbit inference engine (AGENTS.md)

NEVER use Next.js dynamic functions if avoidable; prefer using client components instead to keep pages static (e.g., use usePathname instead of await params)

Files:

  • packages/stack-shared/src/interface/client-interface.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx,js,jsx}: NEVER try-catch-all, NEVER void a promise, and NEVER use .catch(console.error) or similar; use loading indicators instead; if asynchronous handling is necessary, use runAsynchronously or runAsynchronouslyWithAlert instead
Use ES6 maps instead of records wherever possible

Files:

  • packages/stack-shared/src/interface/client-interface.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Code defensively; prefer ?? throwErr(...) over non-null assertions with good error messages explicitly stating violated assumptions
Avoid the any type; when necessary, leave a comment explaining why it's used, why the type system fails, and how errors would be caught at compile-, test-, or runtime

Files:

  • packages/stack-shared/src/interface/client-interface.ts
🧠 Learnings (5)
📚 Learning: 2025-12-03T07:19:44.433Z
Learnt from: madster456
Repo: stack-auth/stack-auth PR: 1040
File: packages/stack-shared/src/interface/crud/oauth-providers.ts:62-87
Timestamp: 2025-12-03T07:19:44.433Z
Learning: In packages/stack-shared/src/interface/crud/oauth-providers.ts and similar CRUD files, the tag "Oauth" (not "OAuth") is the correct capitalization format as it's used by the documentation generation system and follows OpenAPI conventions.

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2025-10-11T04:13:19.308Z
Learnt from: N2D4
Repo: stack-auth/stack-auth PR: 943
File: examples/convex/app/action/page.tsx:23-28
Timestamp: 2025-10-11T04:13:19.308Z
Learning: In the stack-auth codebase, use `runAsynchronouslyWithAlert` from `stackframe/stack-shared/dist/utils/promises` for async button click handlers and form submissions instead of manual try/catch blocks. This utility automatically handles errors and shows alerts to users.

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to **/*.{ts,tsx} : Code defensively; prefer `?? throwErr(...)` over non-null assertions with good error messages explicitly stating violated assumptions

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to **/*.{ts,tsx} : Avoid the `any` type; when necessary, leave a comment explaining why it's used, why the type system fails, and how errors would be caught at compile-, test-, or runtime

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : NEVER try-catch-all, NEVER void a promise, and NEVER use .catch(console.error) or similar; use loading indicators instead; if asynchronous handling is necessary, use `runAsynchronously` or `runAsynchronouslyWithAlert` instead

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: Vercel Agent Review
  • GitHub Check: lint_and_build (latest)
  • GitHub Check: docker
  • GitHub Check: restart-dev-and-test
  • GitHub Check: all-good
  • GitHub Check: build (22.x)
  • GitHub Check: E2E Tests (Node 22.x, Freestyle mock)
  • GitHub Check: build (22.x)
  • GitHub Check: setup-tests-with-custom-base-port
  • GitHub Check: setup-tests
  • GitHub Check: E2E Tests (Node 22.x, Freestyle prod)
  • GitHub Check: restart-dev-and-test-with-custom-base-port
  • GitHub Check: check_prisma_migrations (22.x)
🔇 Additional comments (2)
packages/stack-shared/src/interface/client-interface.ts (2)

8-8: LGTM!

The import of getNodeEnvironment is appropriate for the new environment-aware insecure HTTP handling.


157-178: LGTM!

The changes correctly adapt to oauth4webapi v3.x requirements:

  • ClientSecretPost for explicit client authentication
  • allowInsecureRequests scoped safely to test environment + HTTP endpoints

@cmux-agent

cmux-agent bot commented Jan 12, 2026


Preview Screenshots


Preview screenshots are being captured...

Workspace and dev browser links will appear here once the preview environment is ready.


Generated by cmux preview system


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @packages/stack-shared/src/interface/client-interface.ts:
- Around line 199-212: The try-catch is too broad and re-wraps intentionally
thrown errors; limit the try to only await oauth.processRefreshTokenResponse(as,
client, response) and let post-response validation run outside it: call and
await oauth.processRefreshTokenResponse inside a try that only catches
oauth.ResponseBodyError, assign its return to result, then after the try
validate result.access_token and call
AccessToken.createIfValid(result.access_token) (or throwErr/StackAssertionError)
so intentionally thrown errors from the validation (StackAssertionError or
throwErr) are not caught and re-wrapped.
🧹 Nitpick comments (2)
packages/stack-shared/src/interface/client-interface.ts (2)

1064-1067: Add comment explaining any cast usage.

Per coding guidelines, any usage should include a comment explaining why it's necessary. The e.cause type from ResponseBodyError doesn't expose the custom Stack Auth error shape.

♻️ Suggested comment
       if (e instanceof oauth.ResponseBodyError) {
+        // `e.cause` is typed as unknown by oauth4webapi, but Stack Auth's token endpoint returns
+        // structured error objects with `code` and `details` fields that we need to access
         if ((e.cause as any).code === "MULTI_FACTOR_AUTHENTICATION_REQUIRED") {
           throw new KnownErrors.MultiFactorAuthenticationRequired((e.cause as any).details.attempt_code);
         }

Based on coding guidelines: "Avoid the any type; when necessary, leave a comment explaining why it's used".


1060-1072: Consider defensive null check before accessing e.cause properties.

If e.cause is unexpectedly null or doesn't have the expected shape, accessing (e.cause as any).code could throw. Consider adding a guard.

♻️ Suggested defensive check
     } catch (e) {
       if (e instanceof oauth.ResponseBodyError) {
-        if ((e.cause as any).code === "MULTI_FACTOR_AUTHENTICATION_REQUIRED") {
-          throw new KnownErrors.MultiFactorAuthenticationRequired((e.cause as any).details.attempt_code);
+        const cause = e.cause as { code?: string; details?: { attempt_code?: string } } | null;
+        if (cause?.code === "MULTI_FACTOR_AUTHENTICATION_REQUIRED") {
+          throw new KnownErrors.MultiFactorAuthenticationRequired(
+            cause.details?.attempt_code ?? throwErr("MFA required but attempt_code missing", { cause })
+          );
         }

Based on coding guidelines: "Code defensively; prefer ?? throwErr(...) over non-null assertions".

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1f26cb7 and 8eed602.

📒 Files selected for processing (1)
  • packages/stack-shared/src/interface/client-interface.ts
🧰 Additional context used
📓 Path-based instructions (4)
**/*.{tsx,ts,jsx,js}

📄 CodeRabbit inference engine (AGENTS.md)

For blocking alerts and errors, never use toast; instead, use alerts as toasts are easily missed by the user

Files:

  • packages/stack-shared/src/interface/client-interface.ts
**/*.{tsx,ts}

📄 CodeRabbit inference engine (AGENTS.md)

NEVER use Next.js dynamic functions if avoidable; prefer using client components instead to keep pages static (e.g., use usePathname instead of await params)

Files:

  • packages/stack-shared/src/interface/client-interface.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx,js,jsx}: NEVER try-catch-all, NEVER void a promise, and NEVER use .catch(console.error) or similar; use loading indicators instead; if asynchronous handling is necessary, use runAsynchronously or runAsynchronouslyWithAlert instead
Use ES6 maps instead of records wherever possible

Files:

  • packages/stack-shared/src/interface/client-interface.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Code defensively; prefer ?? throwErr(...) over non-null assertions with good error messages explicitly stating violated assumptions
Avoid the any type; when necessary, leave a comment explaining why it's used, why the type system fails, and how errors would be caught at compile-, test-, or runtime

Files:

  • packages/stack-shared/src/interface/client-interface.ts
🧠 Learnings (5)
📚 Learning: 2025-12-03T07:19:44.433Z
Learnt from: madster456
Repo: stack-auth/stack-auth PR: 1040
File: packages/stack-shared/src/interface/crud/oauth-providers.ts:62-87
Timestamp: 2025-12-03T07:19:44.433Z
Learning: In packages/stack-shared/src/interface/crud/oauth-providers.ts and similar CRUD files, the tag "Oauth" (not "OAuth") is the correct capitalization format as it's used by the documentation generation system and follows OpenAPI conventions.

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2025-10-11T04:13:19.308Z
Learnt from: N2D4
Repo: stack-auth/stack-auth PR: 943
File: examples/convex/app/action/page.tsx:23-28
Timestamp: 2025-10-11T04:13:19.308Z
Learning: In the stack-auth codebase, use `runAsynchronouslyWithAlert` from `stackframe/stack-shared/dist/utils/promises` for async button click handlers and form submissions instead of manual try/catch blocks. This utility automatically handles errors and shows alerts to users.

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to **/*.{ts,tsx} : Code defensively; prefer `?? throwErr(...)` over non-null assertions with good error messages explicitly stating violated assumptions

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to **/*.{ts,tsx} : Avoid the `any` type; when necessary, leave a comment explaining why it's used, why the type system fails, and how errors would be caught at compile-, test-, or runtime

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : NEVER try-catch-all, NEVER void a promise, and NEVER use .catch(console.error) or similar; use loading indicators instead; if asynchronous handling is necessary, use `runAsynchronously` or `runAsynchronouslyWithAlert` instead

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: Vercel Agent Review
  • GitHub Check: check_prisma_migrations (22.x)
  • GitHub Check: docker
  • GitHub Check: setup-tests
  • GitHub Check: build (22.x)
  • GitHub Check: setup-tests-with-custom-base-port
  • GitHub Check: E2E Tests (Node 22.x, Freestyle mock)
  • GitHub Check: restart-dev-and-test
  • GitHub Check: E2E Tests (Node 22.x, Freestyle prod)
  • GitHub Check: lint_and_build (latest)
  • GitHub Check: all-good
  • GitHub Check: build (22.x)
  • GitHub Check: restart-dev-and-test-with-custom-base-port
🔇 Additional comments (3)
packages/stack-shared/src/interface/client-interface.ts (3)

8-8: LGTM!

Import correctly added for the new environment detection functionality.


157-177: LGTM!

The OAuth client authentication and insecure request handling correctly addresses the oauth4webapi 3.x breaking changes. The test-environment exception for HTTP is appropriately scoped.


1037-1057: LGTM!

The client authentication and insecure request handling correctly implements the oauth4webapi 3.x changes. The try-catch around validateAuthResponse is appropriately scoped.

@cmux-agent

cmux-agent bot commented Jan 12, 2026


Preview Screenshots


Screenshot capture was skipped.

No UI changes detected - screenshots skipped


Generated by cmux preview system
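The cookie v1 change discussed throughout this thread (values typed `string | undefined`, callers checking presence before use, and the `?? throwErr(...)` guideline the reviews quote) as a self-contained example. This is added code, not the cookie package and not Stack Auth's client-app-impl: `parseCookieHeader`, `requireCookie`, `readJsonCookie` and `throwErr` are illustrative names of mine, the parsing rules are the ones stated in the comments, and the cookie names used in the test header are constructed.

```typescript
// Cookie map in the shape cookie v1's parseCookie returns: a name that is absent
// reads as undefined, so every caller has to handle absence explicitly.
type Cookies = Record<string, string | undefined>;

function safeDecode(value: string): string {
  if (!value.includes("%")) return value;
  try {
    return decodeURIComponent(value);
  } catch {
    return value; // malformed percent-encoding: keep the raw value rather than throw
  }
}

// Parses a Cookie request header. Added illustration, not the cookie package:
// split on ';', trim, strip one pair of surrounding quotes, first occurrence of a
// name wins, percent-decode. Entries are collected in a Map and materialised with
// Object.fromEntries so that a cookie literally named __proto__ becomes an own
// property of the result instead of rewriting its prototype.
function parseCookieHeader(header: string): Cookies {
  const entries = new Map<string, string>();
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // not a name=value pair
    const name = part.slice(0, eq).trim();
    if (name === "" || entries.has(name)) continue;
    let value = part.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1);
    entries.set(name, safeDecode(value));
  }
  return Object.fromEntries(entries);
}

function throwErr(message: string): never {
  throw new Error(message);
}

// `?? throwErr(...)` in the style of the repo guideline quoted in this thread: a
// missing required cookie becomes an error naming the violated assumption.
function requireCookie(cookies: Cookies, name: string): string {
  return cookies[name] ?? throwErr(`expected cookie "${name}" to be present, but it is missing`);
}

// Optional structured cookie: absent or empty reads as null (the falsy check the
// review mentions covers both), and a value that is not valid JSON is treated as
// absent so a corrupted cookie forces re-authentication instead of crashing.
function readJsonCookie(cookies: Cookies, name: string): unknown {
  const raw = cookies[name];
  if (!raw) return null;
  try {
    return JSON.parse(raw);
  } catch {
    return null;
  }
}
```

With `noUncheckedIndexedAccess` the `string | undefined` value type is what the compiler already assumes for any index into a record; cookie v1 just makes that explicit in the declared type, which is why the existing null and undefined handling in the PR needed no change.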


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
packages/stack-shared/src/interface/client-interface.ts (1)

1062-1074: MFA error handling uses untyped access to error cause.

The (e.cause as any).code and (e.cause as any).details.attempt_code casts bypass type safety. Per coding guidelines, any usage should include a comment explaining why it's necessary and how errors would be caught.

Consider adding a type guard or documenting the expected structure:

💡 Suggested improvement for type safety
     try {
       result = await oauth.processAuthorizationCodeResponse(as, client, response);
     } catch (e) {
       if (e instanceof oauth.ResponseBodyError) {
-        if ((e.cause as any).code === "MULTI_FACTOR_AUTHENTICATION_REQUIRED") {
-          throw new KnownErrors.MultiFactorAuthenticationRequired((e.cause as any).details.attempt_code);
+        // oauth4webapi ResponseBodyError.cause contains the parsed JSON error body
+        // Type assertion needed because oauth4webapi doesn't export the error body type
+        const errorBody = e.cause as { code?: string; details?: { attempt_code?: string } };
+        if (errorBody.code === "MULTI_FACTOR_AUTHENTICATION_REQUIRED") {
+          throw new KnownErrors.MultiFactorAuthenticationRequired(errorBody.details?.attempt_code ?? throwErr("MFA attempt_code missing from error response"));
         }
         // TODO Handle OAuth 2.0 response body error
         throw new StackAssertionError("Outer OAuth error during authorization code response", { cause: e.cause });
       }
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8eed602 and 9bce4d8.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (13)
  • apps/backend/package.json
  • apps/dashboard/package.json
  • docs/package.json
  • packages/js/package.json
  • packages/react/package.json
  • packages/stack-shared/package.json
  • packages/stack-shared/src/interface/client-interface.ts
  • packages/stack-ui/package.json
  • packages/stack/package.json
  • packages/template/package-template.json
  • packages/template/package.json
  • packages/template/src/components/oauth-button.tsx
  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
🚧 Files skipped from review as they are similar to previous changes (9)
  • apps/dashboard/package.json
  • packages/react/package.json
  • apps/backend/package.json
  • docs/package.json
  • packages/js/package.json
  • packages/template/src/components/oauth-button.tsx
  • packages/stack/package.json
  • packages/template/package.json
  • packages/stack-shared/package.json
🧰 Additional context used
📓 Path-based instructions (4)
**/*.{tsx,ts,jsx,js}

📄 CodeRabbit inference engine (AGENTS.md)

For blocking alerts and errors, never use toast; instead, use alerts as toasts are easily missed by the user

Files:

  • packages/stack-shared/src/interface/client-interface.ts
  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
**/*.{tsx,ts}

📄 CodeRabbit inference engine (AGENTS.md)

NEVER use Next.js dynamic functions if avoidable; prefer using client components instead to keep pages static (e.g., use usePathname instead of await params)

Files:

  • packages/stack-shared/src/interface/client-interface.ts
  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx,js,jsx}: NEVER try-catch-all, NEVER void a promise, and NEVER use .catch(console.error) or similar; use loading indicators instead; if asynchronous handling is necessary, use runAsynchronously or runAsynchronouslyWithAlert instead
Use ES6 maps instead of records wherever possible

Files:

  • packages/stack-shared/src/interface/client-interface.ts
  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Code defensively; prefer ?? throwErr(...) over non-null assertions with good error messages explicitly stating violated assumptions
Avoid the any type; when necessary, leave a comment explaining why it's used, why the type system fails, and how errors would be caught at compile-, test-, or runtime

Files:

  • packages/stack-shared/src/interface/client-interface.ts
  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
🧠 Learnings (8)
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to {packages/stack,packages/js}/**/*.{ts,tsx,js,jsx} : NEVER UPDATE packages/stack OR packages/js; instead, update packages/template as those packages are copies of it

Applied to files:

  • packages/template/package-template.json
  • packages/stack-ui/package.json
📚 Learning: 2026-01-08T20:30:36.983Z
Learnt from: nams1570
Repo: stack-auth/stack-auth PR: 1091
File: apps/backend/src/lib/email-rendering.tsx:49-54
Timestamp: 2026-01-08T20:30:36.983Z
Learning: In apps/backend/src/lib/email-rendering.tsx, the nodeModules constant intentionally pins React and react-dom to version 19.1.1 (rather than matching the project's React version) because pinning provides more reliability for email rendering in the sandbox environment.

Applied to files:

  • packages/template/package-template.json
  • packages/stack-ui/package.json
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to **/config/schema.ts,**/config/**/*.{ts,tsx} : Whenever making backwards-incompatible changes to the config schema, update the migration functions in `packages/stack-shared/src/config/schema.ts`

Applied to files:

  • packages/stack-ui/package.json
  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
📚 Learning: 2025-12-03T07:19:44.433Z
Learnt from: madster456
Repo: stack-auth/stack-auth PR: 1040
File: packages/stack-shared/src/interface/crud/oauth-providers.ts:62-87
Timestamp: 2025-12-03T07:19:44.433Z
Learning: In packages/stack-shared/src/interface/crud/oauth-providers.ts and similar CRUD files, the tag "Oauth" (not "OAuth") is the correct capitalization format as it's used by the documentation generation system and follows OpenAPI conventions.

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2025-10-11T04:13:19.308Z
Learnt from: N2D4
Repo: stack-auth/stack-auth PR: 943
File: examples/convex/app/action/page.tsx:23-28
Timestamp: 2025-10-11T04:13:19.308Z
Learning: In the stack-auth codebase, use `runAsynchronouslyWithAlert` from `stackframe/stack-shared/dist/utils/promises` for async button click handlers and form submissions instead of manual try/catch blocks. This utility automatically handles errors and shows alerts to users.

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to **/*.{ts,tsx} : Code defensively; prefer `?? throwErr(...)` over non-null assertions with good error messages explicitly stating violated assumptions

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to **/*.{ts,tsx} : Avoid the `any` type; when necessary, leave a comment explaining why it's used, why the type system fails, and how errors would be caught at compile-, test-, or runtime

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : NEVER try-catch-all, NEVER void a promise, and NEVER use .catch(console.error) or similar; use loading indicators instead; if asynchronous handling is necessary, use `runAsynchronously` or `runAsynchronouslyWithAlert` instead

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
🪛 Biome (2.1.2)
packages/template/package-template.json

[error] 90-90: The key // was already declared.

This where a duplicated key was declared again.

This where a duplicated key was declared again.

This where a duplicated key was declared again.

This where a duplicated key was declared again.

This where a duplicated key was declared again.

This where a duplicated key was declared again.

If a key is defined multiple times, only the last definition takes effect. Previous definitions are ignored.

(lint/suspicious/noDuplicateObjectKeys)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: Vercel Agent Review
  • GitHub Check: setup-tests
  • GitHub Check: all-good
  • GitHub Check: check_prisma_migrations (22.x)
  • GitHub Check: build (22.x)
  • GitHub Check: E2E Tests (Node 22.x, Freestyle prod)
  • GitHub Check: E2E Tests (Node 22.x, Freestyle mock)
  • GitHub Check: setup-tests-with-custom-base-port
  • GitHub Check: docker
  • GitHub Check: restart-dev-and-test-with-custom-base-port
  • GitHub Check: lint_and_build (latest)
  • GitHub Check: build (22.x)
  • GitHub Check: restart-dev-and-test
🔇 Additional comments (10)
packages/stack-ui/package.json (1)

31-31: Peer dependency version bump looks good.

The yup peer dependency update to ^1.7.1 aligns with the coordinated version bump across the monorepo to resolve incompatibility issues with yup 1.4.x.

packages/template/package-template.json (1)

88-115: Dependency version bumps are correctly coordinated.

The major version bumps for oauth4webapi (^3.8.3), cookie (^1.1.1), jose (^6.1.3), and color (^5.0.3) align with the PR objectives. The @hookform/resolvers bump to ^5.2.2 correctly pairs with react-hook-form ^7.70.0 (which satisfies the >=7.55.0 requirement).

Note: The static analysis warning about duplicate "//" keys is a false positive—these are intentional markers for the platform-conditional build system.

packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts (4)

455-476: Cookie parsing migration looks correct.

The parameter type change from string | null to string | undefined aligns with the cookie library v1.x type change where cookie.Cookies values are string | undefined. The falsy check on line 456 correctly handles both undefined and empty string cases.


477-506: Type migration for cookie extraction is well-implemented.

The switch to cookie.Cookies type is consistent with the updated cookie library. The access pattern cookies[name] correctly handles the string | undefined values, and the structured cookie parsing flow properly validates presence before use.


541-546: Cookie API migration completed correctly.

The switch from cookie.parse to cookie.parseCookie correctly adapts to the cookie v1.x breaking change. The return type cookie.Cookies is properly typed.


777-780: Consistent cookie parsing in request token store.

The migration to cookie.parseCookie is consistently applied here for parsing the cookie header from incoming requests.

packages/stack-shared/src/interface/client-interface.ts (4)

157-177: OAuth token refresh adapted for oauth4webapi 3.x.

The changes correctly address oauth4webapi 3.x breaking changes:

  • ClientSecretPost for explicit client authentication (now required)
  • allowInsecureRequests option for test environment HTTP endpoints
  • Token endpoint URL centralized

199-214: Error handling for token refresh response is appropriate.

The try/catch correctly handles the oauth4webapi 3.x change where processRefreshTokenResponse throws errors instead of returning error objects. Wrapping in StackAssertionError is appropriate since these represent unexpected failures in the token refresh flow.


1043-1051: Authorization response validation adapted correctly.

The try/catch for validateAuthResponse properly handles the oauth4webapi 3.x change from returning error objects to throwing AuthorizationResponseError. The error wrapping with context is appropriate.


1039-1041: Test environment insecure HTTP handling is appropriate.

The allowInsecure flag correctly gates HTTP-only requests to test environments, preventing accidental insecure requests in production while supporting localhost testing.

@cmux-agent

cmux-agent bot commented Jan 12, 2026

Preview Screenshots

Open Diff Heatmap

Preview screenshots are being captured...

Workspace and dev browser links will appear here once the preview environment is ready.


Generated by cmux preview system


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
packages/stack-ui/package.json (1)

84-84: Update react-hook-form to 7.70.0 for consistency with other packages.

Most packages in this monorepo have been updated to ^7.70.0 (packages/stack, packages/react, packages/template), but this file and apps/dashboard remain at ^7.53.1. This inconsistency should be resolved to align with the PR objectives.

packages/template/package-template.json (1)

143-143: Remove @types/cookie — it is deprecated and no longer needed.

The [email protected] package provides its own built-in TypeScript types. The @types/cookie stub package is deprecated and unnecessary; keeping it alongside the native types may cause conflicts. Remove this dependency and rely on cookie's native type definitions instead.

🧹 Nitpick comments (1)
packages/stack-shared/src/interface/client-interface.ts (1)

1062-1074: Consider adding a comment explaining the any casts for MFA error extraction.

The (e.cause as any).code and (e.cause as any).details.attempt_code casts access custom error properties from the oauth4webapi ResponseBodyError.cause. While necessary for handling the server's custom MFA error response, adding a brief comment would clarify why any is used here.

📝 Suggested comment
     try {
       result = await oauth.processAuthorizationCodeResponse(as, client, response);
     } catch (e) {
       if (e instanceof oauth.ResponseBodyError) {
+        // ResponseBodyError.cause contains the parsed error body from the server.
+        // We use `any` to access custom Stack Auth error properties (code, details).
         if ((e.cause as any).code === "MULTI_FACTOR_AUTHENTICATION_REQUIRED") {
           throw new KnownErrors.MultiFactorAuthenticationRequired((e.cause as any).details.attempt_code);
         }
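Review bot: the two added comment lines explain why `any` is used but not how a malformed body would be caught, which the quoted guideline also asks for; if `e.cause.details` is absent, `(e.cause as any).details.attempt_code` throws a TypeError inside the catch block rather than falling through to the generic error path. A narrowing check in place of the cast, e.g. `typeof e.cause === "object" && e.cause !== null && "code" in e.cause`, followed by the same check on `details`, would remove the `any` and make the malformed case land in the existing unexpected-error handling.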
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9bce4d8 and 5b2d985.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (13)
  • apps/backend/package.json
  • apps/dashboard/package.json
  • docs/package.json
  • packages/js/package.json
  • packages/react/package.json
  • packages/stack-shared/package.json
  • packages/stack-shared/src/interface/client-interface.ts
  • packages/stack-ui/package.json
  • packages/stack/package.json
  • packages/template/package-template.json
  • packages/template/package.json
  • packages/template/src/components/oauth-button.tsx
  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
🚧 Files skipped from review as they are similar to previous changes (6)
  • apps/dashboard/package.json
  • packages/stack-shared/package.json
  • packages/js/package.json
  • packages/template/src/components/oauth-button.tsx
  • packages/stack/package.json
  • packages/react/package.json
🧰 Additional context used
📓 Path-based instructions (4)
**/*.{tsx,ts,jsx,js}

📄 CodeRabbit inference engine (AGENTS.md)

For blocking alerts and errors, never use toast; instead, use alerts as toasts are easily missed by the user

Files:

  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
  • packages/stack-shared/src/interface/client-interface.ts
**/*.{tsx,ts}

📄 CodeRabbit inference engine (AGENTS.md)

NEVER use Next.js dynamic functions if avoidable; prefer using client components instead to keep pages static (e.g., use usePathname instead of await params)

Files:

  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
  • packages/stack-shared/src/interface/client-interface.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx,js,jsx}: NEVER try-catch-all, NEVER void a promise, and NEVER use .catch(console.error) or similar; use loading indicators instead; if asynchronous handling is necessary, use runAsynchronously or runAsynchronouslyWithAlert instead
Use ES6 maps instead of records wherever possible

Files:

  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
  • packages/stack-shared/src/interface/client-interface.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Code defensively; prefer ?? throwErr(...) over non-null assertions with good error messages explicitly stating violated assumptions
Avoid the any type; when necessary, leave a comment explaining why it's used, why the type system fails, and how errors would be caught at compile-, test-, or runtime

Files:

  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
  • packages/stack-shared/src/interface/client-interface.ts
🧠 Learnings (8)
📚 Learning: 2026-01-08T20:30:36.983Z
Learnt from: nams1570
Repo: stack-auth/stack-auth PR: 1091
File: apps/backend/src/lib/email-rendering.tsx:49-54
Timestamp: 2026-01-08T20:30:36.983Z
Learning: In apps/backend/src/lib/email-rendering.tsx, the nodeModules constant intentionally pins React and react-dom to version 19.1.1 (rather than matching the project's React version) because pinning provides more reliability for email rendering in the sandbox environment.

Applied to files:

  • apps/backend/package.json
  • packages/template/package.json
  • packages/stack-ui/package.json
  • packages/template/package-template.json
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to {packages/stack,packages/js}/**/*.{ts,tsx,js,jsx} : NEVER UPDATE packages/stack OR packages/js; instead, update packages/template as those packages are copies of it

Applied to files:

  • packages/template/package.json
  • packages/stack-ui/package.json
  • packages/template/package-template.json
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to **/config/schema.ts,**/config/**/*.{ts,tsx} : Whenever making backwards-incompatible changes to the config schema, update the migration functions in `packages/stack-shared/src/config/schema.ts`

Applied to files:

  • packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
  • packages/stack-ui/package.json
📚 Learning: 2025-12-03T07:19:44.433Z
Learnt from: madster456
Repo: stack-auth/stack-auth PR: 1040
File: packages/stack-shared/src/interface/crud/oauth-providers.ts:62-87
Timestamp: 2025-12-03T07:19:44.433Z
Learning: In packages/stack-shared/src/interface/crud/oauth-providers.ts and similar CRUD files, the tag "Oauth" (not "OAuth") is the correct capitalization format as it's used by the documentation generation system and follows OpenAPI conventions.

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2025-10-11T04:13:19.308Z
Learnt from: N2D4
Repo: stack-auth/stack-auth PR: 943
File: examples/convex/app/action/page.tsx:23-28
Timestamp: 2025-10-11T04:13:19.308Z
Learning: In the stack-auth codebase, use `runAsynchronouslyWithAlert` from `stackframe/stack-shared/dist/utils/promises` for async button click handlers and form submissions instead of manual try/catch blocks. This utility automatically handles errors and shows alerts to users.

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to **/*.{ts,tsx} : Code defensively; prefer `?? throwErr(...)` over non-null assertions with good error messages explicitly stating violated assumptions

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to **/*.{ts,tsx} : Avoid the `any` type; when necessary, leave a comment explaining why it's used, why the type system fails, and how errors would be caught at compile-, test-, or runtime

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
📚 Learning: 2026-01-07T00:55:19.871Z
Learnt from: CR
Repo: stack-auth/stack-auth PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-07T00:55:19.871Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : NEVER try-catch-all, NEVER void a promise, and NEVER use .catch(console.error) or similar; use loading indicators instead; if asynchronous handling is necessary, use `runAsynchronously` or `runAsynchronouslyWithAlert` instead

Applied to files:

  • packages/stack-shared/src/interface/client-interface.ts
🧬 Code graph analysis (1)
packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts (2)
packages/template/src/lib/stack-app/apps/implementations/common.ts (1)
  • TokenObject (148-151)
packages/stack-shared/src/utils/env.tsx (1)
  • isBrowserLike (4-6)
🪛 Biome (2.1.2)
packages/template/package-template.json

[error] 90-90: The key // was already declared.

This where a duplicated key was declared again.

This where a duplicated key was declared again.

This where a duplicated key was declared again.

This where a duplicated key was declared again.

This where a duplicated key was declared again.

This where a duplicated key was declared again.

If a key is defined multiple times, only the last definition takes effect. Previous definitions are ignored.

(lint/suspicious/noDuplicateObjectKeys)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: all-good
  • GitHub Check: E2E Tests (Node 22.x, Freestyle prod)
  • GitHub Check: E2E Tests (Node 22.x, Freestyle mock)
  • GitHub Check: Vercel Agent Review
  • GitHub Check: build (22.x)
  • GitHub Check: setup-tests
  • GitHub Check: build (22.x)
  • GitHub Check: setup-tests-with-custom-base-port
  • GitHub Check: restart-dev-and-test-with-custom-base-port
  • GitHub Check: restart-dev-and-test
  • GitHub Check: docker
  • GitHub Check: check_prisma_migrations (22.x)
  • GitHub Check: lint_and_build (latest)
🔇 Additional comments (13)
packages/stack-ui/package.json (1)

31-31: LGTM on yup peer dependency bump.

The update from ^1.4.0 to ^1.7.1 aligns with the workspace-wide yup version bump mentioned in the PR objectives.

packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts (4)

455-476: LGTM - Parameter type aligned with cookie.Cookies value type.

The change from string | null to string | undefined correctly aligns with the cookie.Cookies type from cookie 1.1.1, which defines values as string | undefined.


477-506: LGTM - Type signature updated for cookie library migration.

The parameter type change to cookie.Cookies is consistent with the library upgrade. The implementation correctly handles the string | undefined values.


541-546: LGTM - Migrated to cookie.parseCookie API.

Correctly uses the new parseCookie function from cookie 1.1.1 (replacing the deprecated parse). Return type properly reflects the library's Cookies type.


556-570: LGTM - Consistent cookie type migrations across helper methods.

All cookie-handling methods properly updated to use cookie.Cookies type and cookie.parseCookie API, maintaining consistency throughout the file.

Also applies to: 571-588, 777-778

packages/stack-shared/src/interface/client-interface.ts (4)

157-177: LGTM - oauth4webapi 3.x migration with explicit client authentication.

The changes correctly implement the breaking changes from oauth4webapi 3.x:

  • Uses ClientSecretPost for explicit client authentication (required in v3)
  • Properly handles allowInsecureRequests for test environments with HTTP endpoints
  • Token endpoint is now explicitly defined

199-214: LGTM - Error handling updated for oauth4webapi 3.x throwing behavior.

The try/catch properly handles the new error-throwing behavior where processRefreshTokenResponse now throws ResponseBodyError instead of returning an error object. Wrapping in StackAssertionError maintains the existing error handling pattern.


1043-1051: LGTM - Authorization response validation updated for oauth4webapi 3.x.

The try/catch correctly handles AuthorizationResponseError which is now thrown instead of being returned as an error result.


1039-1041: LGTM - Secure allowInsecure guard for test environments.

The allowInsecure check appropriately restricts HTTP usage to test environments only, maintaining security in production while allowing localhost testing.

docs/package.json (1)

43-43: LGTM!

Patch bump for jose aligns with the workspace-wide upgrade to ^6.1.3.

apps/backend/package.json (1)

85-85: LGTM!

Major bump to jose@^6.1.3 and yup@^1.7.1 aligns with the workspace-wide SDK upgrade. Per PR objectives, the jose v6 breaking changes (e.g., importJwk returning CryptoKey) are handled in related code updates.

Also applies to: 103-103

packages/template/package-template.json (1)

88-115: LGTM on dependency bumps.

All major version updates align with workspace-wide SDK upgrades. Per PR objectives, breaking changes for oauth4webapi (error handling), cookie (API changes), color (type usage), and jose (CryptoKey returns) are handled in related code updates.

packages/template/package.json (1)

65-85: LGTM!

Auto-generated file correctly reflects the dependency bumps from package-template.json. The same @types/cookie version alignment concern flagged in the template applies here as well.
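As an added example (not code from the stack-auth repository or from this PR), here is the MFA error extraction discussed in the nitpick above written with a runtime type guard instead of `(e.cause as any)` casts. `ResponseBodyErrorLike`, `isMfaRequiredBody`, `classifyTokenError` and the sample bodies are constructed stand-ins; only `code` and `details.attempt_code` come from the review comment, and any other field of the server's error body is an assumption not modelled here.

```typescript
// Added example, not code from the stack-auth repository: a typed alternative
// to `(e.cause as any).code` for pulling the MFA attempt code out of an OAuth
// error body.

// Stand-in for oauth4webapi's ResponseBodyError (constructed so the example
// runs without the library): in v3 the parsed JSON error body returned by the
// token endpoint is exposed on `cause`.
class ResponseBodyErrorLike {
  readonly name = "ResponseBodyError";
  constructor(readonly message: string, readonly cause: unknown) {}
}

// Error body shape this example assumes the server sends for an MFA challenge.
// `code` and `details.attempt_code` come from the review comment; any further
// fields are unknown here and deliberately not modelled.
interface MfaRequiredBody {
  code: "MULTI_FACTOR_AUTHENTICATION_REQUIRED";
  details: { attempt_code: string };
}

// Runtime check that narrows an unknown body to MfaRequiredBody. A body that
// carries the code but a malformed `details` is rejected rather than accessed
// blindly, so it cannot produce a TypeError inside the catch block.
function isMfaRequiredBody(body: unknown): body is MfaRequiredBody {
  if (typeof body !== "object" || body === null) return false;
  const b = body as Record<string, unknown>;
  if (b.code !== "MULTI_FACTOR_AUTHENTICATION_REQUIRED") return false;
  const details = b.details;
  if (typeof details !== "object" || details === null) return false;
  return typeof (details as Record<string, unknown>).attempt_code === "string";
}

type TokenOutcome =
  | { kind: "mfa_required"; attemptCode: string }
  | { kind: "unexpected_error"; message: string };

// Classify whatever was thrown by the token-response processing step. Only a
// well-formed MFA body becomes the expected outcome; everything else is
// surfaced as an unexpected error for the caller to wrap or report.
function classifyTokenError(e: unknown): TokenOutcome {
  if (e instanceof ResponseBodyErrorLike && isMfaRequiredBody(e.cause)) {
    return { kind: "mfa_required", attemptCode: e.cause.details.attempt_code };
  }
  const message =
    e instanceof ResponseBodyErrorLike || e instanceof Error ? e.message : String(e);
  return { kind: "unexpected_error", message };
}

// Constructed sample bodies for illustration (not real server responses).
const SAMPLE_MFA_BODY = {
  code: "MULTI_FACTOR_AUTHENTICATION_REQUIRED",
  details: { attempt_code: "attempt-code-placeholder" },
};
const SAMPLE_MALFORMED_BODY = {
  code: "MULTI_FACTOR_AUTHENTICATION_REQUIRED",
  details: {},
};
```

In the catch block described in the review, `classifyTokenError(e)` would replace the two casts: the `mfa_required` branch is where the `MultiFactorAuthenticationRequired` error is raised, and the `unexpected_error` branch is where the existing `StackAssertionError` wrapping belongs, so a server body that changes shape is reported instead of crashing the handler.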

@nams1570 nams1570 requested a review from N2D4 January 14, 2026 19:32
Several breaking changes here.
isOAuth2Error has been removed.
Now process funcs return ResponseBodyErrors.
And validateAuth func returns AuthorizationResponseErrors.
From their docs, looks like our error info will appear in the .cause of the ResponseBodyError.
We also perform a try-catch pattern to keep the new code in line with how the old code checked for errors, and to be more explicit.
The package now rejects requests to non-HTTPS endpoints by default,
but we add a carve-out for tests.
Minor breaking change with switching to ColorInstance for typing.
Types for cookie.parse changed to return Record<string, string | undefined> instead of Record<string, string>.
Also, cookie enforces types more strictly
I used the exported type directly.
parse is now an alias for parseCookie maintained just for backwards compatibility.
I changed it to parseCookie to future proof it.
jose changes: importJWK now returns a cryptoKey object. We have a use of it in jwt.tsx.

Rimraf has no major changes from v5 to v6, so it should be a clean update
hookform/resolvers requires v7.55.0+ of react-hook-form.
We jump two major versions with resolvers.
We had to update yup across the codebase due to an incompatibility issue.
Because 5->6 changes return types of importJwk along with a few other significant changes,
we want to avoid future incompatibility issues across the monorepo by bumping the versions everywhere.
There's no need to do a network retry for a synchronous func like validateAuthResponse.
token_endpoint_auth_method with the recent bump to oauth4webapi is now optional. At worst it can conflict with the client authentication.
freestyle mock server now supports new endpoint.
v0.1.6 of freestyle switched the endpoint to v2/execute.
Also, they flattened the config in runs.create
@nams1570 nams1570 merged commit 091d3f2 into dev Jan 17, 2026
24 checks passed
@nams1570 nams1570 deleted the bump-sdk-packages branch January 17, 2026 00:02
3 participants