security: session, token & widget identity hardening (7 fixes)#42
Merged
5ab22ba to e6c8c1b
Pull request overview
This PR batches several security-oriented changes across widget identity, Segment webhook verification, and auth logging/account-linking behavior.
Changes:
- Simplifies the unverified widget-session issuance guard in `/api/widget/identify`.
- Requires and verifies an HMAC signature for all inbound Segment `identify` webhooks, and adds tests for the signature enforcement.
- Redacts magic-link request URL tokens in auth logs, and adjusts auth provider account-linking trust configuration.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| apps/web/src/routes/api/widget/identify.ts | Simplifies the unverified identify/session issuance predicate and related call sites. |
| apps/web/src/lib/server/integrations/segment/user-sync.ts | Enforces mandatory shared-secret + HMAC signature verification for inbound Segment identify webhooks. |
| apps/web/src/lib/server/integrations/segment/tests/user-sync.test.ts | Adds coverage for missing secret, missing signature, and valid signature cases. |
| apps/web/src/lib/server/auth/index.ts | Adds magic-link query redaction helper and updates magic-link request/response logging + trusted account-linking providers construction. |
| apps/web/src/lib/server/auth/tests/magic-link-security.test.ts | Updates expectations to assert request-token redaction behavior in auth logging. |
Comments suppressed due to low confidence (2)
apps/web/src/lib/server/auth/index.ts:714
- The magic-link handler is now logging the `Location` response header. Magic-link redirects commonly include the one-time token and/or sensitive redirect parameters in the URL, so logging `location` reintroduces a credential/PII leak into server logs (the previous code explicitly avoided this).
```ts
const location = response.headers.get('location')
console.log(
  `[auth] magic-link response: status=${response.status}, location=${location ?? 'none'}`
)
```
apps/web/src/lib/server/auth/index.ts:269
- Same as above: adding every built-in social provider to `accountLinking.trustedProviders` implicitly trusts them for automatic email-based linking. This should be restricted to an explicit allowlist of providers whose email verification semantics you trust.
```ts
    }
  }
  socialProviders[provider.id] = providerConfig
  trustedProviders.push(provider.id)
}
```
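As an added illustration, not code from this PR, here is a redaction helper for the `Location` value the suppressed comment flags, and the log line the handler could emit instead of the raw header. The query parameter names (`token`, `callbackURL`, `redirect`) and the placeholder base URL are assumptions, since the PR does not show which parameters the magic link carries.

```typescript
// Added illustration, not code from this PR. The query keys below are an
// assumption: the PR does not show which parameters the magic link carries.
const SENSITIVE_QUERY_KEYS = new Set(["token", "callbackURL", "redirect"]);
const RELATIVE_BASE = "http://placeholder.invalid"; // assumed, only used for parsing

// Replace sensitive query values with a fixed marker and drop any fragment,
// so the returned string is safe to write to server logs.
function redactMagicLinkUrl(raw: string | null | undefined): string {
  if (!raw) return "none";
  let url: URL;
  try {
    // A Location header may be a relative path; give it a base so it parses.
    url = new URL(raw, RELATIVE_BASE);
  } catch (_e) {
    // Unparseable values are never echoed back verbatim.
    return "[unparseable]";
  }
  for (const key of Array.from(url.searchParams.keys())) {
    if (SENSITIVE_QUERY_KEYS.has(key)) url.searchParams.set(key, "REDACTED");
  }
  url.hash = ""; // fragments can carry tokens too
  const out = url.toString();
  // Strip the placeholder base again if the input was relative.
  return out.startsWith(RELATIVE_BASE) ? out.slice(RELATIVE_BASE.length) : out;
}

// The log line the handler can emit instead of the raw header value.
function formatMagicLinkResponseLog(status: number, location: string | null): string {
  return `[auth] magic-link response: status=${status}, location=${redactMagicLinkUrl(location)}`;
}
```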
Comment on lines 251 to 255
| ...(creds.tokenUrl && { tokenUrl: creds.tokenUrl }), | ||
| scopes: scopeStr.split(/\s+/).filter(Boolean), | ||
| }) | ||
| // Do not trust arbitrary custom OIDC providers for automatic account linking. | ||
| // Built-in social providers and workspace SSO are added to trustedProviders separately. | ||
| trustedProviders.push(provider.id) | ||
| } else { |
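Review bot: the two comment lines immediately before `trustedProviders.push(provider.id)` say custom OIDC providers must not be trusted for automatic account linking, yet the push on the following line adds exactly that provider to `trustedProviders`. Either remove the push from this branch or move it to the branch that handles built-in social providers and workspace SSO, and add a test asserting a custom OIDC provider id is absent from the trusted list.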
Batches 7 Codex security fixes: widget session minting, magic link logging, unsigned Segment webhook, invitation magic links, widget bearer token, and two unverified widget identify fixes.