JWT authentication and authorization #473
Conversation
|
New and updated dependencies detected. Learn more about Socket for GitHub ↗︎
|
|
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎ To accept the risk, merge this PR and you will not be notified again.
Next stepsWhat is new author?A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package. Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. What is unstable ownership?A new collaborator has begun publishing package versions. Package stability and security risk may be elevated. Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. What is environment variable access?Package accesses environment variables, which may be a sign of credential stuffing or data theft. Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. What's wrong with minified code?This package contains minified code. This may be harmless in some cases where minified code is included in packaged libraries, however packages on npm should not minify code. In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm. Take a deeper look at the dependencyTake a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev. Remove the packageIf you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency. Mark a package as acceptable riskTo ignore an alert, reply with a comment starting with
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
thyming
force-pushed
the
jwt-auth
branch
3 times, most recently
from
ceb7372 to
282fa22
Compare
|
@all-contributors add @lucalas on maintenance |
|
I've put up a pull request to add @lucalas! 🎉 |
thyming
force-pushed
the
jwt-auth
branch
3 times, most recently
from
e54931d to
4a33366
Compare
|
Would this work using |
|
does this have any hope of being merged or should i close it? |
This would be so cool. I didn't see this thing: https://turbo.build/repo/docs/reference/login @matteovivona I think we can finally support the 100% login experience. |
|
@all-contributors add @thyming on code |
|
@thyming already contributed before to code |
@thyming Thank you for this excellent contribution. I completely missed out on your PR. |
|
🎉 This PR is included in version 2.3.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
In this PR:
This PR adds authentication via JWTs that are issued by an OIDC server, such as Auth0 or similar.
It also optionally allows scopes in the token to describe read-only access to the cache and reject writes when appropriate scopes are not present on the user's token.
Issues reference:
Checklist:
pnpm lintlocally prior to submission?pnpm buildof your changes locally?pnpm testof your changes locally?