Conversation
…ed builtFrontEnd var in deployFrontEnd()
…d against null distributionList.Items (line 671);
…ss hanging operations with timeout;
This commit adds comprehensive Auth0 authentication support to the basic site template, enabling OAuth2/OIDC authentication for Pushkin users. The implementation is backward-compatible and only activates when useAuth is enabled in pushkin.yaml.
Key Changes:
- Added Auth0 authentication components (Login, Logout, Profile)
- Added AuthSync component to synchronize Auth0 state with Redux
- Enhanced Redux infrastructure to handle both Auth0 and session-based auth
- Updated Header component with conditional auth buttons and 'My account' link
- Added conditional Auth0Provider wrapper in index.js
- Created config.js to expose authDomain and authClientID from pushkin.yaml
- Added @auth0/auth0-react dependency to package.json
- Added /profile route to App.js
Features:
- Dual authentication modes: Auth0 (when configured) and session-based (fallback)
- Conditional rendering based on useAuth config setting
- Seamless integration with existing Redux state management
- User profile management via Auth0 dashboard
- Automatic token refresh and localStorage caching
Configuration:
Sites can enable Auth0 by setting in pushkin.yaml:
addons:
  useAuth: true
  authDomain: your-domain.auth0.com
  authClientID: your-client-id
All changes are backward-compatible. Sites without Auth0 configuration will continue using session-based authentication.
- Header's useEffect now skips dispatching getUser() when Auth0 is enabled
- Auth0 users are managed by AuthSync component via SET_AUTH0_USER action
- This prevents session-based user IDs from replacing Auth0 user IDs in Redux
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
🦋 Changeset detected. Latest commit: 95e6442. The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages.
- Add heartbeat: 30 configuration to amqp.connect() in pushkin-worker
- Upgrade RabbitMQ from 3.6 to 3.12 in docker-compose template
- Add RABBITMQ_HEARTBEAT environment variable
This fixes the "Heartbeat timeout" error that was preventing experiment workers from completing database operations. The 30-second heartbeat interval ensures the connection stays alive during long-running tasks.
…ections
- Fix "Cannot read properties of undefined" error by checking if worker service exists
- Use 'test_db' and 'test_transaction_db' Docker service names instead of localhost
- Use internal port 5432 instead of host-mapped port for TRANS_PORT
- Fixes ECONNREFUSED errors when workers try to connect to databases
This ensures workers can communicate with databases via Docker networking.
session_id persistence in users database
…TaskCreator()
Problem: When processing multiple workers (e.g., ew_test_worker, ew_test_2_worker):
1. First iteration created a reference to the template object
2. Modified the Docker image property (which mutated the shared template)
3. Second iteration reused the same mutated template object
4. Result: All workers ended up with the last processed worker's Docker image
This caused deployment failures where:
- ew_test_worker service used ew_test_2_worker:latest image (wrong!)
- Workers consumed from incorrect RabbitMQ queues
- Experiments failed to respond to API requests
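The shared-template aliasing bug described in the commit above, reproduced beside its fix, as an added example that is not pushkin-cli's own code; the service object shape is a constructed stand-in for a docker-compose service entry.

```javascript
// Constructed template standing in for the docker-compose service entry
// that the worker loop customises per worker.
const workerTemplate = {
  image: 'PLACEHOLDER',                 // replaced per worker
  environment: { QUEUE: 'PLACEHOLDER' }, // replaced per worker
  depends_on: ['message-queue'],
};

// Buggy version: `service` is a reference to the shared template, so every
// iteration mutates the same object and all services end up identical,
// carrying the last worker's image and queue.
function buildServicesBuggy(workerNames, template) {
  const services = {};
  for (const name of workerNames) {
    const service = template;
    service.image = `${name}:latest`;
    service.environment.QUEUE = `${name}_queue`;
    services[name] = service;
  }
  return services;
}

// Fixed version: deep-copy the template for each worker so edits are isolated.
// A shallow spread ({ ...template }) would not be enough, because the nested
// `environment` object would still be shared between workers.
function buildServices(workerNames, template) {
  const services = {};
  for (const name of workerNames) {
    const service = structuredClone(template);
    service.image = `${name}:latest`;
    service.environment.QUEUE = `${name}_queue`;
    services[name] = service;
  }
  return services;
}

// Count how many distinct images a generated service set references; a
// healthy deployment has one per worker.
function distinctImages(services) {
  return new Set(Object.values(services).map((s) => s.image)).size;
}
```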
| user: process.env.DB_USER, | ||
| password: process.env.DB_PASS, | ||
| database: process.env.DB_DB, | ||
| ssl: process.env.DB_HOST && process.env.DB_HOST.includes('rds.amazonaws.com') ? { rejectUnauthorized: false } : false |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High
Copilot Autofix
AI 4 months ago
To fix this error, we should parse the database host to extract the top-level domain and compare it exactly (or dot-suffix match) to 'rds.amazonaws.com', rather than using substring matching. This prevents hosts like 'evil.rds.amazonaws.com.evil.com' or 'rds.amazonaws.com.evil.com' from matching, and only applies the special SSL option for true RDS hosts.
The best way is to use the standard Node.js url library (or new URL(...)) to parse the host if it is a URL, or simply match the string if it's just a hostname. If you can't be sure whether it's a hostname or a full URL, you can handle both cases.
In this file (templates/sites/basic/src/pushkin/api/src/users_controller.js), update line 12 to safely parse the host with Node.js standard tools, compare it using a .endsWith('.rds.amazonaws.com') or exact match or suffix match (so 'foo.rds.amazonaws.com' is permitted but 'foo.rds.amazonaws.com.evil.com' is not), and update the conditional accordingly.
No extra dependencies are needed; use the built-in URL class.
| @@ -9,7 +9,21 @@ | ||
| user: process.env.DB_USER, | ||
| password: process.env.DB_PASS, | ||
| database: process.env.DB_DB, | ||
| ssl: process.env.DB_HOST && process.env.DB_HOST.includes('rds.amazonaws.com') ? { rejectUnauthorized: false } : false | ||
| ssl: (() => { | ||
| const dbHost = process.env.DB_HOST; | ||
| let hostname = dbHost; | ||
| try { | ||
| // If dbHost looks like a URL, extract the host. | ||
| if (dbHost && (dbHost.startsWith('postgres://') || dbHost.startsWith('pgsql://') || dbHost.startsWith('http://') || dbHost.startsWith('https://'))) { | ||
| hostname = (new URL(dbHost)).hostname; | ||
| } | ||
| // Suffix match for rds.amazonaws.com (e.g., foo.rds.amazonaws.com, but NOT evil.com/foo.rds.amazonaws.com) | ||
| if (hostname && (hostname === 'rds.amazonaws.com' || hostname.endsWith('.rds.amazonaws.com'))) { | ||
| return { rejectUnauthorized: false }; | ||
| } | ||
| } catch (e) {} | ||
| return false; | ||
| })() | ||
| }; | ||
|
|
||
| const db = knex({ |
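Review bot: the suffix match in the new `ssl` IIFE does close the substring hole, but the value returned for RDS hosts is still `{ rejectUnauthorized: false }`, which disables certificate verification on exactly the connections the check is meant to protect; the sanitization now only decides which hosts get an unverified TLS session. Suggest returning `{ rejectUnauthorized: true, ca: <RDS CA bundle> }` for RDS hosts instead, and confirming that `return false` (no TLS at all) is the intended behaviour for every other host. Two smaller points in the same hunk: `catch (e) {}` silently turns a malformed `DB_HOST` into a plaintext connection, so it should at least log the parse failure; and `hostname.endsWith('.rds.amazonaws.com')` is case-sensitive while DNS names are not, so lowercase `hostname` before comparing.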
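The host check that the CodeQL alert and the autofix above are about, as an added example that is neither the PR's code nor the Copilot suggestion: it parses `DB_HOST` into a hostname before doing an exact or dot-suffix match, and keeps certificate verification on for RDS hosts by supplying a CA bundle (the `rdsCaPem` parameter and the handling of bare host or host:port values are assumptions).

```javascript
const RDS_SUFFIX = '.rds.amazonaws.com';

// Extract the bare, lower-cased hostname from DB_HOST, which may be a bare
// hostname, "host:port", or a postgres:// style URL. Returns null when the
// value cannot be parsed, so callers fail closed instead of guessing.
function extractHostname(dbHost) {
  if (!dbHost) return null;
  // Bare "host" / "host:port" values get a scheme so the WHATWG URL parser
  // treats them as an authority rather than a path.
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(dbHost) ? dbHost : `postgresql://${dbHost}`;
  try {
    // Non-special schemes are not lower-cased by the parser, so do it here.
    return new URL(candidate).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// The check CodeQL flagged: a substring test accepts any value that merely
// contains the string, such as "rds.amazonaws.com.evil.com".
function isRdsHostSubstring(dbHost) {
  return Boolean(dbHost && dbHost.includes('rds.amazonaws.com'));
}

// Hardened check: exact match or dot-suffix match on the parsed hostname only,
// so path, userinfo and port components cannot influence the decision.
function isRdsHost(dbHost) {
  const hostname = extractHostname(dbHost);
  if (!hostname) return false;
  return hostname === RDS_SUFFIX.slice(1) || hostname.endsWith(RDS_SUFFIX);
}

// Build the node-postgres `ssl` option. Verification stays enabled; the RDS CA
// bundle (assumed to be read from disk by the deployer) is what lets a genuine
// RDS certificate validate. Non-RDS hosts keep the template's `false`.
function sslOptionFor(dbHost, rdsCaPem) {
  if (!isRdsHost(dbHost)) return false;
  return { rejectUnauthorized: true, ca: rdsCaPem };
}
```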
Summary
Adds Auth0 authentication as an optional feature for Pushkin sites. When enabled in pushkin.yaml, sites get:
Changes
- @auth0/auth0-react SDK
- pushkin.yaml)
- google-oauth2|123...) flow through React → Redux → Experiments → API
- templates/sites/basic/src/pushkin/front-end/
Configuration
In pushkin.yaml:
Testing
Next Steps
- Test on fresh Pushkin site to verify full database flow
- Test on gww-site deployment
- Test on AWS production deployment
🤖 Generated with Claude Code
Co-Authored-By: Claude noreply@anthropic.com