fix: Preserve Legacy Vercel Auth Compatibility#12627
Open
anthonyshew wants to merge 9 commits intomainfrom
…Grant (RFC 8628)

Replace the axum-based localhost HTTP server login flow with the OAuth 2.0 Device Authorization Grant (RFC 8628). The user now visits a URL and enters a code in the browser instead of relying on a localhost redirect.

- Add device_flow module implementing RFC 8628 (discover, device auth, token polling, introspection)
- Remove login_server.rs, axum/axum-server/async-trait/anyhow dependencies
- Remove TURBO_SSO_LOGIN_CALLBACK_PORT env var and sso_login_callback_port config
- SSO flow still uses a one-shot TcpListener for redirect, now with spawn_blocking, bounded reads, timeouts, and CSRF state validation
- Write OAuth tokens to both Vercel CLI auth.json and turbo config.json
- Custom Debug impl on TokenSet to redact secrets
- Validate OIDC discovery endpoint origins against issuer domain
- Derive OIDC issuer from login_url to support self-hosted deployments
- Display user_code during device flow per RFC 8628 §3.3 MUST requirement
- Loop listener.accept in login/SSO redirects to handle browser preflight and favicon requests instead of consuming the single-shot listener
- Deduplicate is_vercel into auth/mod.rs
- Add subdomain validation test proving ends_with check is correct
- Add CSPRNG note on rand::random() usage for CSRF state generation
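The origin check the commit message describes (discovered OIDC endpoints validated against the issuer domain, with a "." boundary so a bare ends_with cannot be satisfied by a lookalike host), as an added Rust example that is not turborepo's own code; the hostnames are constructed and origin_parts is a minimal stand-in for a real URL parser.

```rust
/// Returns true when `host` is `issuer_host` itself or a proper subdomain of it.
/// A bare `ends_with` would accept "evil-login.example.com" for
/// "login.example.com"; demanding a '.' right before the suffix closes that hole.
fn host_matches_issuer(host: &str, issuer_host: &str) -> bool {
    let host = host.to_ascii_lowercase();
    let issuer = issuer_host.to_ascii_lowercase();
    host == issuer || host.ends_with(&format!(".{}", issuer))
}

/// Minimal (scheme, host) extraction for an absolute URL, used instead of a
/// URL crate so the example runs stand-alone. Userinfo is rejected outright so
/// "https://login.example.com@attacker.example/" cannot pass as the issuer host.
fn origin_parts(url: &str) -> Option<(&str, &str)> {
    let (scheme, rest) = url.split_once("://")?;
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    if authority.is_empty() || authority.contains('@') {
        return None;
    }
    let host = authority.split(':').next()?; // drop an explicit port
    Some((scheme, host))
}

/// Accepts a discovered endpoint only if it is HTTPS and its host belongs to
/// the issuer's domain; anything else is treated as a tampered discovery document.
fn endpoint_allowed(endpoint: &str, issuer: &str) -> bool {
    match (origin_parts(endpoint), origin_parts(issuer)) {
        (Some((scheme, host)), Some((_, issuer_host))) => {
            scheme == "https" && host_matches_issuer(host, issuer_host)
        }
        _ => false,
    }
}

fn main() {
    // Constructed sample values; in the real flow the issuer is derived from login_url.
    let issuer = "https://login.example.com";
    for ep in [
        "https://api.login.example.com/oauth/device",
        "https://evil-login.example.com/oauth/token",
        "http://login.example.com/oauth/token",
        "https://login.example.com.attacker.example/token",
    ] {
        println!("{}: {}", ep, endpoint_allowed(ep, issuer));
    }
}
```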
Summary
vca_access tokens to the legacy turborepo/config.json slot that older Turbo releases still validate via /v5/user/tokens/current. turborepo/auth.json instead, and teach auth lookup plus logout to prefer and clear that file while still falling back to shared Vercel auth and legacy config tokens.

How to Test
Upgrade and downgrade between affected versions and you'll get breakages against Vercel APIs. Those will now be resolved with this PR.