Ma/dbconnections

[markusahlstrand]

Migrate dbconnections and added a new email service to use the emailProfders

Summary by CodeRabbit

Release Notes

• New Features

  • Introduced new email sending functionalities, including sendEmail, sendResetPassword, and sendValidateEmailAddress.
  • Added routes for user signup and password change in the API.
  • Implemented a new method for validating password strength.
  • Enhanced routing capabilities with the addition of database connection handling.
  • Added a new constant for session expiration time.

• Updates

  • Updated several package versions, including authhero to 0.26.0 and @authhero/kysely-adapter to 0.25.3.
  • Enhanced token creation process with improved error handling for reserved claims.
  • Incremented version numbers for multiple packages, including @authhero/demo to 0.5.4 and @authhero/adapter-interfaces to 0.33.0.
  • Updated changelogs across multiple packages to reflect recent changes and version updates.

• Bug Fixes

  • Improved error handling for user signup and password change scenarios.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
authhero-react-admin	❌ Failed (Inspect)			Dec 16, 2024 9:12am

[coderabbitai]

Warning

There were issues while running some tools. Please review the errors and either fix the tool’s configuration or disable the tool if it’s a critical failure.

🔧 eslint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

packages/authhero/src/emails/index.ts

Oops! Something went wrong! :(

ESLint: 9.5.0

file:///eslint.config.mjs?mtime=1734340370156:6
import { configs, rules as reactRules } from "eslint-plugin-react";
^^^^^^^
SyntaxError: Named export 'configs' not found. The requested module 'eslint-plugin-react' is a CommonJS module, which may not support all module.exports as named exports.
CommonJS modules can always be imported via the default export, for example using:

import pkg from 'eslint-plugin-react';
const { configs, rules: reactRules } = pkg;

at ModuleJob._instantiate (node:internal/modules/esm/module_job:171:21)
at async ModuleJob.run (node:internal/modules/esm/module_job:254:5)
at async onImport.tracePromise.__proto__ (node:internal/modules/esm/loader:483:26)
at async loadFlatConfigFile (/node_modules/.pnpm/[email protected]/node_modules/eslint/lib/eslint/eslint.js:316:21)
at async calculateConfigArray (/node_modules/.pnpm/[email protected]/node_modules/eslint/lib/eslint/eslint.js:396:28)
at async ESLint.lintFiles (/node_modules/.pnpm/[email protected]/node_modules/eslint/lib/eslint/eslint.js:815:25)
at async Object.execute (/node_modules/.pnpm/[email protected]/node_modules/eslint/lib/cli.js:500:23)
at async main (/node_modules/.pnpm/[email protected]/node_modules/eslint/bin/eslint.js:153:22)

Walkthrough

This pull request modifies several components within the AuthHero package, primarily focusing on the build process, email services, and authentication flows. Key changes include updating the pre-commit command, adding email handling functions, introducing new API routes for user signup and password changes, and updating type definitions to accommodate these enhancements. Additionally, version increments reflect updates across multiple packages, ensuring alignment with the latest dependencies and functionalities.

Changes

File	Change Summary
.husky/pre-commit	Replaced pnpm kysely authhero with pnpm authhero build
apps/demo/CHANGELOG.md	Updated changelog for version 0.5.4, noting dependency updates
apps/demo/package.json	Incremented version from 0.5.3 to 0.5.4, updated dependencies
packages/adapter-interfaces/CHANGELOG.md	Updated changelog for version 0.33.0, detailing minor changes
packages/adapter-interfaces/package.json	Incremented version from 0.32.0 to 0.33.0
packages/adapter-interfaces/src/types/Client.ts	Changed email_service type to optional string
packages/adapter-interfaces/src/types/Domain.ts	Changed email_service type to optional string
packages/authhero/CHANGELOG.md	Updated changelog for version 0.26.0, noting new features
packages/authhero/package.json	Incremented version from 0.25.0 to 0.26.0, added new dependency
packages/authhero/src/auth-app.ts	Added new route for database connection handling
packages/authhero/src/authentication-flows/common.ts	Enhanced createAuthTokens function with reserved claims logic
packages/authhero/src/constants.ts	Added UNIVERSAL_AUTH_SESSION_EXPIRES_IN_SECONDS constant
packages/authhero/src/emails/index.ts	Introduced functions for sending emails
packages/authhero/src/routes/auth-api/dbconnections.ts	Added /signup and /change_password routes
packages/authhero/src/routes/auth-api/index.ts	Exported database connection routes
packages/authhero/src/types/Bindings.ts	Made hooks optional and added emailProviders property
packages/authhero/src/types/EmailService.ts	Introduced new types for email service functionality
packages/authhero/src/types/Hooks.ts	Added idToken property for custom claims
packages/authhero/src/utils/client-info.ts	Added getClientInfo function
packages/authhero/src/utils/password.ts	Added validatePasswordStrength function
packages/authhero/test/helpers/mock-email-service.ts	Introduced MockEmailService class for testing
packages/authhero/test/helpers/test-server.ts	Integrated MockEmailService into test server
packages/authhero/test/routes/auth-api/dbconnections.spec.ts	Added tests for /signup and /change_password functionalities
packages/drizzle/CHANGELOG.md	Updated changelog for version updates
packages/drizzle/package.json	Incremented version from 0.1.68 to 0.1.70
packages/kysely/CHANGELOG.md	Updated changelog for version updates
packages/kysely/package.json	Incremented version from 0.25.1 to 0.25.3

Sequence Diagram

sequenceDiagram
    participant Client
    participant AuthServer
    participant EmailService
    participant Database

    Client->>AuthServer: Request Signup
    AuthServer->>Database: Check Client Existence
    AuthServer->>Database: Validate User Doesn't Exist
    AuthServer->>Database: Create User
    AuthServer->>EmailService: Send Validation Email
    EmailService-->>Client: Validation Link
    AuthServer-->>Client: Signup Confirmation

Loading

Possibly related PRs

• Ma/email providers #4: The changes in this PR involve updates to dependencies, specifically the authhero package, which is relevant as the main PR also modifies the authhero command in the .husky/pre-commit file.
• add ip to logins table #5: This PR adds an IP address field to the logins table, which is related to the changes in the main PR as both involve updates to the authhero package and its functionality.
• Token endpoint #6: This PR modifies the .husky/pre-commit file to change the command sequence, which is directly related to the changes made in the main PR that also modifies the same file.
• add silent auth for the code flow #7: This PR introduces silent authentication for the code flow, which is relevant as it enhances the authentication capabilities, similar to the changes in the main PR that focus on the build process for authhero.
• Update demo #8: The updates in this PR include enhancements to the demo functionality, which may relate to the overall improvements in the authhero package as seen in the main PR.
• migrate auth routes #10: This PR focuses on migrating authentication routes, which could be related to the changes in the main PR that involve the authhero package and its routing capabilities.
• Ma/token hook #11: This PR introduces a token hook, which is relevant as it enhances the token management capabilities within the authhero package, similar to the focus of the main PR.
• update hook signature #12: This PR updates the hook signature, which is relevant as it reflects ongoing improvements in the authhero package, aligning with the changes made in the main PR.

Poem

🐰 Hop, hop, hooray! A new release is here today,
Email services dancing with flair,
Routes and tokens beyond compare!
AuthHero's magic spreads its wings,
Bringing joy to authentication things! 🔐✨

Tip

CodeRabbit's docstrings feature is now available as part of our Early Access Program! Simply use the command @coderabbitai generate docstrings to have CodeRabbit automatically generate docstrings for your pull request.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 17

🧹 Nitpick comments (21)

packages/adapter-interfaces/CHANGELOG.md (1)

7-8: Consider adding more details to the changelog entries.

While the entries capture the main changes, they could be more descriptive to help users understand:

• Which database connections were migrated
• What email provider setup was implemented
• Any configuration requirements for SendGrid and Postmark

Example format:

- add sendgrid and postmark mail services
- migrate dbconnections and setup email providers
+ Added support for SendGrid and Postmark email service providers
+ Migrated database connections to improve <benefit>
+ Implemented email provider setup with configuration support for <features>

packages/drizzle/CHANGELOG.md (2)

7-8: Remove duplicate "Updated dependencies" line

The phrase "Updated dependencies" appears twice consecutively, which seems redundant.

### Patch Changes

- Updated dependencies
- Updated dependencies
  - @authhero/[email protected]
+### Patch Changes
+
+- Updated dependencies
+  - @authhero/[email protected]

🧰 Tools

🪛 LanguageTool

[grammar] ~7-~7: This phrase is duplicated. You should probably use “Updated dependencies” only once.
Context: ...rizzle ## 0.1.70 ### Patch Changes - Updated dependencies - Updated dependencies - @authhero/[email protected]...

(PHRASE_REPETITION)

---

3-16: Consider adding more context about database migration changes

Given that this PR involves database connections migration, it would be helpful to add more descriptive information about these changes in the latest version entry (0.1.70). This helps users understand the impact and purpose of the update.

Consider adding details about:

• Database migration changes
• Any breaking changes or required actions
• Impact on existing implementations

🧰 Tools

🪛 LanguageTool

[grammar] ~7-~7: This phrase is duplicated. You should probably use “Updated dependencies” only once.
Context: ...rizzle ## 0.1.70 ### Patch Changes - Updated dependencies - Updated dependencies - @authhero/[email protected]...

(PHRASE_REPETITION)

packages/authhero/src/types/Hooks.ts (1)

15-17: Consider using a more specific type than any

The implementation looks good and maintains consistency with the existing accessToken structure. However, consider using a more specific type than any for the value parameter to improve type safety.

-    setCustomClaim: (claim: string, value: any) => void;
+    setCustomClaim: (claim: string, value: string | number | boolean | object) => void;

packages/adapter-interfaces/src/types/Client.ts (1)

Line range hint 14-18: Consider documenting the relationship between domains and connections

Given this PR involves database connection migration, it would be helpful to document how email services in domains interact with the connections array, especially for new email providers.

apps/demo/CHANGELOG.md (1)

7-8: Remove duplicate "Updated dependencies" line

The "Updated dependencies" line appears twice unnecessarily.

### Patch Changes

-  - Updated dependencies
-  - Updated dependencies
+  - Updated dependencies
   - [email protected]
   - @authhero/[email protected]

🧰 Tools

🪛 LanguageTool

[grammar] ~7-~7: This phrase is duplicated. You should probably use “Updated dependencies” only once.
Context: ...ro/demo ## 0.5.4 ### Patch Changes - Updated dependencies - Updated dependencies - [email protected] - @authhero/kysel...

(PHRASE_REPETITION)

packages/authhero/src/routes/auth-api/dbconnections.ts (1)

69-73: Provide detailed password strength feedback

The current implementation throws a generic error message when the password doesn't meet the requirements. To enhance user experience, consider providing specific feedback on password strength criteria.

Apply this change to include detailed validation messages:

if (!validatePasswordStrength(password)) {
-  throw new HTTPException(400, {
-    message: "Password does not meet the requirements",
-  });
+  const validationMessage = validatePasswordStrength(password);
+  throw new HTTPException(400, {
+    message: `Password validation failed: ${validationMessage}`,
+  });
}

Ensure that validatePasswordStrength returns meaningful messages describing why the password is weak.

packages/authhero/src/constants.ts (1)

3-3: Consider making the session expiration configurable

Hardcoding the session expiration time may reduce flexibility. Consider allowing UNIVERSAL_AUTH_SESSION_EXPIRES_IN_SECONDS to be configurable via environment variables or client settings.

Example change:

-export const UNIVERSAL_AUTH_SESSION_EXPIRES_IN_SECONDS = 24 * 60 * 60; // 1 day
+export const UNIVERSAL_AUTH_SESSION_EXPIRES_IN_SECONDS = parseInt(process.env.SESSION_EXPIRES_IN_SECONDS) || 24 * 60 * 60; // 1 day

Ensure to document the new environment variable and provide a default value.

packages/authhero/test/helpers/mock-email-service.ts (1)

6-13: Enhance thread safety for the mock email service

If tests are run in parallel, sentEmails could be accessed concurrently, leading to race conditions. Consider ensuring thread safety or isolating test instances.

If not running tests in parallel, you may disregard this comment.

packages/authhero/src/utils/client-info.ts (1)

3-14: Enhance documentation and use constants for magic numbers.

The current documentation could be more descriptive, and the magic numbers should be constants for better maintainability.

+const MAX_LENGTHS = {
+  AUTH0_CLIENT: 255,
+  IP: 45,
+  USER_AGENT: 512,
+} as const;
+
 /**
  * Return information about the request
+ * @param req - The Hono request object
+ * @returns {Object} Client information
+ *   @returns {string|undefined} auth0Client - The auth0 client identifier (max 255 chars)
+ *   @returns {string|undefined} ip - The client IP address (max 45 chars)
+ *   @returns {string|undefined} useragent - The client user agent (max 512 chars)
  */
 export function getClientInfo(req: HonoRequest) {
   return {
-    auth0Client: req.query("auth0Client")?.slice(0, 255),
-    ip: req.header("x-real-ip")?.slice(0, 45),
-    useragent: req.header("user-agent")?.slice(0, 512),
+    auth0Client: req.query("auth0Client")?.slice(0, MAX_LENGTHS.AUTH0_CLIENT),
+    ip: req.header("x-real-ip")?.slice(0, MAX_LENGTHS.IP),
+    useragent: req.header("user-agent")?.slice(0, MAX_LENGTHS.USER_AGENT),
   };
 }

packages/authhero/src/utils/password.ts (2)

4-4: Track temporary implementation with issue.

The TODO comment indicates this is a temporary implementation.

Would you like me to create a GitHub issue to track the implementation of comprehensive password validation using the validator library?

---

6-19: Consider removing commented code.

The commented validation configuration provides good insight but should be moved to documentation or tests instead of remaining as commented code.

packages/authhero/src/emails/index.ts (1)

6-30: Consider adding retry mechanism for email sending.

The email sending functionality should include a retry mechanism to handle temporary failures from the email service.

Consider implementing an exponential backoff retry strategy or using a reliable email queue system.

packages/authhero/test/helpers/test-server.ts (1)

84-84: Optimize method binding for MockEmailService.

Consider binding the methods at service instantiation rather than at usage points to improve code clarity and prevent potential binding issues.

-  const mockEmailService = new MockEmailService();
+  const mockEmailService = new MockEmailService().bindMethods();

   // ... later in the code ...
-    getSentEmails: mockEmailService.getSentEmails.bind(mockEmailService),
+    getSentEmails: mockEmailService.getSentEmails,

Also applies to: 114-114

packages/authhero/test/routes/auth-api/dbconnections.spec.ts (3)

8-97: Consider adding email validation test cases

While the current test suite covers essential scenarios, consider adding test cases for:

• Invalid email format
• Empty email/password
• Special characters in email

---

99-164: Consider enhancing error message specificity

The current error message "Invalid sign up" could be more specific to help users understand the exact issue.

Consider updating the error message to: "User with this email already exists"

---

167-236: Enhance password change test coverage

Consider adding test cases for:

• Invalid email address
• Non-existent user
• Email content verification

packages/authhero/CHANGELOG.md (1)

12-14: Remove duplicate "Updated dependencies" line

The "Updated dependencies" line is duplicated unnecessarily.

- Updated dependencies
- Updated dependencies
+ Updated dependencies

🧰 Tools

🪛 LanguageTool

[grammar] ~12-~12: This phrase is duplicated. You should probably use “Updated dependencies” only once.
Context: ...p email providers ### Patch Changes - Updated dependencies - Updated dependencies - @authhero/[email protected]...

(PHRASE_REPETITION)

packages/authhero/src/emails/templates/password-reset.ts (3)

230-234: Enhance password reset link security

The password reset link should:

1. Include a secure, time-limited token
2. Be single-use only
3. Include rate limiting on the endpoint

Consider implementing these security measures in the backend:

interface PasswordResetToken {
  userId: string;
  expiresAt: Date;
  used: boolean;
}

// Example implementation (pseudo-code)
function generatePasswordResetUrl(userId: string): string {
  const token = generateSecureToken();
  const expiresAt = new Date(Date.now() + 3600000); // 1 hour expiry
  
  storeToken({
    userId,
    token,
    expiresAt,
    used: false
  });
  
  return `${baseUrl}/reset-password?token=${token}`;
}

---

167-252: Improve email template accessibility

The main content section could be enhanced for better accessibility:

1. Add ARIA labels for interactive elements
2. Ensure sufficient color contrast for text
3. Add alt text for decorative images

-<td align="center" bgcolor="{{buttonColor}}" role="presentation"
+<td align="center" bgcolor="{{buttonColor}}" role="button" aria-label="{{resetPasswordEmailReset}}"

-<img alt="" width="14" height="14"
+<img alt="Support icon" width="14" height="14"

---

12-164: Optimize CSS for email clients

The CSS includes comprehensive styles for email client compatibility. Consider:

1. Using inline styles for better email client support
2. Adding support for dark mode
3. Testing with email testing services

Add dark mode support:

+@media (prefers-color-scheme: dark) {
+  body {
+    background-color: #1a1a1a !important;
+  }
+  .text-style {
+    color: #e0e0e0 !important;
+  }
+}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0c61fdf and 2242489.

📒 Files selected for processing (28)

• .husky/pre-commit (1 hunks)
• apps/demo/CHANGELOG.md (1 hunks)
• apps/demo/package.json (1 hunks)
• packages/adapter-interfaces/CHANGELOG.md (1 hunks)
• packages/adapter-interfaces/package.json (1 hunks)
• packages/adapter-interfaces/src/types/Client.ts (1 hunks)
• packages/adapter-interfaces/src/types/Domain.ts (1 hunks)
• packages/authhero/CHANGELOG.md (1 hunks)
• packages/authhero/package.json (1 hunks)
• packages/authhero/src/auth-app.ts (2 hunks)
• packages/authhero/src/authentication-flows/common.ts (5 hunks)
• packages/authhero/src/constants.ts (1 hunks)
• packages/authhero/src/emails/index.ts (1 hunks)
• packages/authhero/src/emails/templates/password-reset.ts (1 hunks)
• packages/authhero/src/routes/auth-api/dbconnections.ts (1 hunks)
• packages/authhero/src/routes/auth-api/index.ts (1 hunks)
• packages/authhero/src/types/Bindings.ts (2 hunks)
• packages/authhero/src/types/EmailService.ts (1 hunks)
• packages/authhero/src/types/Hooks.ts (1 hunks)
• packages/authhero/src/utils/client-info.ts (1 hunks)
• packages/authhero/src/utils/password.ts (1 hunks)
• packages/authhero/test/helpers/mock-email-service.ts (1 hunks)
• packages/authhero/test/helpers/test-server.ts (3 hunks)
• packages/authhero/test/routes/auth-api/dbconnections.spec.ts (1 hunks)
• packages/drizzle/CHANGELOG.md (1 hunks)
• packages/drizzle/package.json (1 hunks)
• packages/kysely/CHANGELOG.md (1 hunks)
• packages/kysely/package.json (1 hunks)

✅ Files skipped from review due to trivial changes (6)

• packages/authhero/src/routes/auth-api/index.ts
• packages/adapter-interfaces/package.json
• packages/authhero/package.json
• packages/drizzle/package.json
• packages/kysely/package.json
• apps/demo/package.json

🧰 Additional context used

🪛 Biome (1.9.4)

packages/authhero/src/types/EmailService.ts

[error] 8-8: Don't use '{}' as a type.

Prefer explicitly define the object shape. '{}' means "any non-nullable value".

(lint/complexity/noBannedTypes)

🪛 LanguageTool

packages/authhero/CHANGELOG.md

[grammar] ~12-~12: This phrase is duplicated. You should probably use “Updated dependencies” only once.
Context: ...p email providers ### Patch Changes - Updated dependencies - Updated dependencies - @authhero/[email protected]...

(PHRASE_REPETITION)

apps/demo/CHANGELOG.md

[grammar] ~7-~7: This phrase is duplicated. You should probably use “Updated dependencies” only once.
Context: ...ro/demo ## 0.5.4 ### Patch Changes - Updated dependencies - Updated dependencies - [email protected] - @authhero/kysel...

(PHRASE_REPETITION)

packages/drizzle/CHANGELOG.md

[grammar] ~7-~7: This phrase is duplicated. You should probably use “Updated dependencies” only once.
Context: ...rizzle ## 0.1.70 ### Patch Changes - Updated dependencies - Updated dependencies - @authhero/[email protected]...

(PHRASE_REPETITION)

packages/kysely/CHANGELOG.md

[grammar] ~7-~7: This phrase is duplicated. You should probably use “Updated dependencies” only once.
Context: ...dapter ## 0.25.3 ### Patch Changes - Updated dependencies - Updated dependencies - @authhero/[email protected]...

(PHRASE_REPETITION)

🔇 Additional comments (17)

packages/adapter-interfaces/CHANGELOG.md (2)

3-4: LGTM! Version bump follows semantic versioning.

The version increment to 0.33.0 correctly reflects the addition of new features as minor changes.

---

14-14: LGTM! Patch changes are properly documented.

The patch change entry follows the conventional format.

packages/authhero/src/types/Hooks.ts (1)

15-17: Verify implementations using this type

Let's ensure all implementations of OnExecuteCredentialsExchangeAPI are updated to handle the new idToken property.

✅ Verification successful

Let me gather more context about the test implementation to better understand how the API is being used.

---

Let me check if there are any other files that might be using this API, particularly focusing on the actual implementation rather than just the test file.

---

Let me check the implementation in the authentication-flows to see how the API is being used in the actual code.

---

No updates needed - implementation already handles the idToken property

Looking at the implementation in authentication-flows/common.ts, the code already properly implements the idToken.setCustomClaim functionality. The hook implementation correctly provides both accessToken and idToken APIs to the callback, and the idToken claims are properly set when an ID token is being generated (when OpenID scope is present and user exists). The test case can be enhanced to cover ID token scenarios, but the implementation is correct.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for implementations of OnExecuteCredentialsExchangeAPI
# Description: Look for files that might need updates to handle the new idToken property

# Find potential implementations
rg -l "OnExecuteCredentialsExchangeAPI" --type ts

# Look for existing usage of accessToken.setCustomClaim to find patterns that might need idToken.setCustomClaim
rg "accessToken\.setCustomClaim" --type ts -A 5

Length of output: 620

---

Script:

#!/bin/bash
# Get the full test file content to understand the implementation context
cat packages/authhero/test/hooks/credentials-exchange.spec.ts

# Also search for any interface implementations or type usage
ast-grep --pattern 'implements OnExecuteCredentialsExchangeAPI'

Length of output: 1590

---

Script:

#!/bin/bash
# Search for any files containing onExecuteCredentialsExchange
rg "onExecuteCredentialsExchange" --type ts -A 5

# Also check for any other test or implementation files
fd "credentials-exchange" --type f --extension ts

Length of output: 1765

---

Script:

#!/bin/bash
# Get the content of the common.ts file to see the implementation
cat packages/authhero/src/authentication-flows/common.ts

# Also check the type definition file to understand the full API surface
cat packages/authhero/src/types/Hooks.ts

Length of output: 4378

packages/kysely/CHANGELOG.md (4)

3-10: LGTM: Latest version entry follows the standard format.

The version 0.25.3 entry maintains the expected changesets structure with proper versioning and dependency updates.

🧰 Tools

🪛 LanguageTool

[grammar] ~7-~7: This phrase is duplicated. You should probably use “Updated dependencies” only once.
Context: ...dapter ## 0.25.3 ### Patch Changes - Updated dependencies - Updated dependencies - @authhero/[email protected]...

(PHRASE_REPETITION)

---

11-17: Version 0.25.2 aligns with build system updates.

The changes appropriately document the build package updates and corresponding interface version bump.

---

Line range hint 1-400: Historical changes support the PR objectives.

The changelog shows relevant historical changes that align with the PR objectives:

• Version 0.22.0 added email providers
• Multiple versions include database-related changes
• Connection and authentication flow updates are documented

This history provides good context for the current changes related to database connections migration and email service implementation.

🧰 Tools

🪛 LanguageTool

[grammar] ~7-~7: This phrase is duplicated. You should probably use “Updated dependencies” only once.
Context: ...dapter ## 0.25.3 ### Patch Changes - Updated dependencies - Updated dependencies - @authhero/[email protected]...

(PHRASE_REPETITION)

---

1-1: Verify the version bumps align with semantic versioning.

The recent changes show only patch version increments (0.25.1 -> 0.25.2 -> 0.25.3) despite introducing potential breaking changes in the adapter interfaces (0.32.0 -> 0.32.1 -> 0.33.0).

Also applies to: 3-24

✅ Verification successful

Let me generate additional scripts to check the actual changes in the adapter interfaces and the kysely adapter versions.

This will help us verify:

1. The version progression of the kysely adapter
2. The actual changes in adapter interfaces to determine if they were breaking changes

---

Let me try a different approach to check the version history and changes.

---

Let me check the actual changes in the adapter interfaces by looking at recent commits.

---

Based on the gathered information, I can now provide the final response:

Version bumps are correctly aligned with semantic versioning

The version changes in the kysely adapter (0.25.1 -> 0.25.2 -> 0.25.3) are patch updates, which is appropriate as they don't introduce breaking changes. The adapter-interfaces updates (0.32.0 -> 0.32.1 -> 0.33.0) follow semantic versioning correctly:

• 0.32.1 was a patch for build package updates
• 0.33.0 was a minor version bump for adding new features (sendgrid/postmark mail services)

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if version bumps align with semantic versioning by analyzing the dependency changes

# Check the version changes in adapter-interfaces
rg -A 1 "@authhero/adapter-interfaces@" | sort -V

Length of output: 18806

---

Script:

#!/bin/bash
# Check the version history of kysely adapter
rg "## \[" packages/kysely/CHANGELOG.md

# Check the actual changes in adapter interfaces between 0.32.0 and 0.33.0
git diff v0.32.0..v0.33.0 -- packages/adapter-interfaces/

Length of output: 140

---

Script:

#!/bin/bash
# Check the version history of kysely adapter from the changelog
rg "^## " packages/kysely/CHANGELOG.md

# List all tags to see the correct tag format
git tag -l

# Check the content of adapter interfaces package.json for version info
cat packages/adapter-interfaces/package.json

Length of output: 2013

---

Script:

#!/bin/bash
# Check recent commits affecting adapter-interfaces
git log --oneline -p -- packages/adapter-interfaces/ | head -n 100

# Check the changelog of adapter-interfaces
cat packages/adapter-interfaces/CHANGELOG.md

Length of output: 5432

packages/adapter-interfaces/src/types/Domain.ts (1)

9-9: Consider maintaining type safety with a broader enum instead of string

Changing from a strict enum to an open string type reduces type safety and runtime validation. While this change enables supporting more email service providers, consider maintaining type safety by:

1. Using an expanded enum that includes all supported providers
2. Adding runtime validation for supported values
3. Documenting valid values in comments/docs

Let's check for email service provider references in the codebase:

packages/adapter-interfaces/src/types/Client.ts (1)

11-11: Ensure consistent validation between Domain and Client schemas

The change to string().optional() matches Domain.ts, but consider:

1. Extracting a shared email service type/schema to ensure consistency
2. Adding migration notes for existing clients using "mailgun" or "mailchannels"
3. Updating API documentation to reflect the expanded provider support

Let's check for existing clients and validation:

.husky/pre-commit (1)

3-3: Verify the new authhero build command

The command change from pnpm kysely authhero to pnpm authhero build appears to align with the database connection migration objectives. However, let's verify that the new command is properly configured.

✅ Verification successful

The pnpm authhero build command is properly configured

The command change is valid and properly configured in the workspace. The root package.json has an authhero script that filters to the authhero package ("authhero": "pnpm --filter authhero"), and the authhero package itself has a properly defined build script that handles TypeScript compilation, Vite build, and type generation.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the authhero build command configuration

# Check if the build script is defined in package.json
jq '.scripts | select(.build != null) // empty' package.json

# Check for any references to the old command
rg "kysely authhero" -g '!.git'

Length of output: 96

---

Script:

#!/bin/bash
# Let's check package.json content directly and look for authhero related scripts
cat package.json

# Also search for any authhero related commands or configurations
rg "authhero" -g '!.git'

# Check if there's a separate package for authhero
fd "package.json" -x cat {} | grep -A 5 -B 5 "authhero"

Length of output: 51610

---

Script:

#!/bin/bash
# Let's check the package.json in the authhero package for build script
cat packages/authhero/package.json

# Also check if there are any build-related scripts in the workspace
rg "\"build\":" -g "package.json"

Length of output: 1824

apps/demo/CHANGELOG.md (1)

9-10: Verify version compatibility

Let's ensure that the updated versions of authhero and @authhero/kysely-adapter are compatible with each other and that they include the necessary changes for database connection migration.

✅ Verification successful

Let me gather more information about the specific versions and their compatibility.

---

Let me try one more verification to check for any breaking changes or compatibility issues in the recent commits.

---

Version update appears safe to proceed

Based on the verification results:

• Both packages are part of the same ecosystem and were updated together
• The changes are related to exposing migration scripts and adding tests
• No breaking changes or incompatibilities are reported in the changelogs
• The demo app explicitly defines these exact versions as dependencies
• No conflicting peer dependency requirements exist between the packages

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check version compatibility and changes

# Check for breaking changes in the dependencies
gh api graphql -f query='
{
  repository(owner: "markusahlstrand", name: "authhero") {
    release(tagName: "v0.26.0") {
      description
    }
  }
}'

# Look for migration-related changes
rg -i "migration|database connection" --type md

Length of output: 887

---

Script:

#!/bin/bash
# Check package.json files for dependency relationships and version constraints
fd package.json --type f --exec cat {} \; | jq -c 'select(.dependencies != null) | {name: .name, deps: .dependencies | with_entries(select(.key | contains("authhero")))}' 

# Check changelogs for both packages around these versions
rg -A 5 "## \[0\.26\.0\]|## \[0\.25\.3\]" packages/authhero/CHANGELOG.md packages/kysely/CHANGELOG.md

Length of output: 772

---

Script:

#!/bin/bash
# Check recent commits in both packages for breaking changes
rg -i "breaking|incompatible|migration" packages/*/CHANGELOG.md -A 3

# Check if there are any peer dependency requirements
fd package.json --type f --exec cat {} \; | jq -c 'select(.peerDependencies != null) | {name: .name, peers: .peerDependencies | with_entries(select(.key | contains("authhero")))}'

Length of output: 1972

packages/authhero/src/auth-app.ts (1)

11-11: LGTM! Verify route registration order.

The integration of dbConnectionRoutes is clean and follows the existing patterns. The route is properly registered under /dbconnections.

Let's verify the route registration order and potential conflicts:

Also applies to: 30-31

✅ Verification successful

Route registration order is correct and no conflicts found

The /dbconnections route is registered after /oauth/token with no overlapping paths, maintaining a clean routing structure. The registration order follows a logical pattern and there are no potential conflicts that could cause routing issues.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for potential route conflicts and validate registration order
# Look for other route definitions that might conflict with /dbconnections

rg -A 2 "route\(['\"]\/dbconnections" 
rg -A 2 "route\(['\"]\/oauth" 

Length of output: 275

---

Script:

#!/bin/bash
# Let's fix the regex and search for route registrations
rg "route.*(/dbconnections|/oauth)" -A 2

Length of output: 295

packages/authhero/src/authentication-flows/common.ts (4)

16-16: LGTM: Well-defined security measure for JWT claims

The RESERVED_CLAIMS constant correctly includes all standard JWT claims, preventing accidental overwriting of critical token fields.

---

77-91: LGTM: Robust custom claim handling

The implementation properly validates custom claims against reserved claims for both access and ID tokens, with appropriate error handling.

---

105-122: LGTM: Secure JWT creation implementation with proper key management

The JWT creation logic follows security best practices with RS256 algorithm and proper key ID handling.

✅ Verification successful

LGTM: JWT implementation is secure with proper key rotation support

The implementation follows security best practices:

• Uses RS256 algorithm with proper key management
• Implements key rotation through kid in headers
• Has proper key revocation tracking (revoked_at)
• Uses the oslo/jwt library for JWT creation
• Sets reasonable expiration time (1 day)
• Validates and filters out revoked keys before signing

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for key rotation implementation
rg -A 5 "revoked_at"
ast-grep --pattern 'function createJWT'

Length of output: 3140

---

Script:

#!/bin/bash
# Let's check the createJWT implementation and its usage
ast-grep --pattern 'createJWT($$$)'
rg -A 10 "createJWT" 

Length of output: 5663

---

46-64: LGTM: OpenID Connect compliant ID token implementation

The ID token payload correctly includes all standard OpenID Connect claims and is properly conditioned on the 'openid' scope presence.

✅ Verification successful

Let me gather more information about the OpenID Connect implementation to verify the compliance.

---

Let me check the userinfo endpoint and token implementation to complete the OpenID Connect compliance verification.

---

ID token implementation verified and compliant with OpenID Connect

The implementation is correctly following OpenID Connect specifications with:

• Proper ID token payload construction with standard claims
• OpenID configuration and JWKS endpoints available
• Correct scope-based conditional ID token issuance
• Token endpoint supporting ID token responses
• Userinfo endpoint present for additional claims
• Test coverage demonstrating OpenID flow handling

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify OpenID Connect endpoints and configurations
rg -A 5 "/.well-known/openid-configuration" 
rg -A 5 "/.well-known/jwks.json"

Length of output: 1535

---

Script:

#!/bin/bash
# Check the OpenID configuration endpoint implementation
ast-grep --pattern 'export async function openidConfiguration($$$) {
  $$$
}'

# Check JWKS endpoint implementation
ast-grep --pattern 'export async function jwks($$$) {
  $$$
}'

# Check for additional OpenID related configurations
rg -l "openid" --type ts

Length of output: 699

---

Script:

#!/bin/bash
# Check userinfo endpoint implementation
ast-grep --pattern 'export async function userinfo($$$) {
  $$$
}'

# Check token endpoint for id_token handling
rg -A 10 "id_token" packages/authhero/src/routes/auth-api/token.ts

# Check OpenID scopes handling
rg "scope.*openid" --type ts

Length of output: 1315

packages/authhero/src/emails/templates/password-reset.ts (1)

62-64: Security: Review external resource dependency

The template loads fonts from assets.sesamy.dev. Ensure:

1. The domain is properly secured with HTTPS (currently using HTTPS, good!)
2. Consider adding a Content Security Policy (CSP) header
3. Add fallback fonts in case the external resource is unavailable

✅ Verification successful

Let me check the email template for fallback fonts and CSP headers.

---

Security review completed - External font resource properly configured

The verification shows:

1. ✅ HTTPS is properly configured with CloudFront CDN and S3 encryption
2. ✅ Fallback fonts are properly defined: font-family: KHTeka, Helvetica, sans-serif
3. ℹ️ CSP headers for email templates are typically handled by email clients, not the sending application, so this is not a concern in this context

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the security headers of the external font resource
curl -I https://assets.sesamy.dev/static/fonts/khteka.css

Length of output: 980

---

Script:

#!/bin/bash
# Check email template for font-family declarations and CSP headers
rg -A 3 "font-family" packages/authhero/src/emails/templates/password-reset.ts

# Check if CSP headers are defined anywhere in the codebase
rg -i "content-security-policy" 

Length of output: 2724

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

packages/authhero/src/routes/auth-api/dbconnections.ts (1)

78-88: Add rate limiting for signup attempts

The signup endpoint should implement rate limiting to prevent brute force attacks and abuse.

Consider implementing rate limiting based on IP address and/or email domain. I can help implement this if you'd like.

packages/authhero/test/routes/auth-api/dbconnections.spec.ts (3)

8-72: Add tests for email validation edge cases

Consider adding tests for:

• Emails with special characters
• International domain names
• Maximum length emails

---

17-34: Reduce test setup duplication

The email provider setup code is duplicated across multiple tests. Consider extracting it into a helper function.

Example implementation:

async function setupEmailProvider(managementClient: any, token: string) {
  await managementClient.email.providers.$post(
    {
      header: { "tenant-id": "tenantId" },
      json: {
        name: "mock-email",
        credentials: { api_key: "apiKey" },
      },
    },
    {
      headers: { authorization: `Bearer ${token}` },
    },
  );
}

Also applies to: 108-125, 178-195, 248-265

---

167-289: Enhance password reset test coverage

Consider adding tests for:

• Session expiration scenarios
• Validation of email content and reset links
• Multiple reset attempts
• Rate limiting (once implemented)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2242489 and 5db636b.

📒 Files selected for processing (2)

• packages/authhero/src/routes/auth-api/dbconnections.ts (1 hunks)
• packages/authhero/test/routes/auth-api/dbconnections.spec.ts (1 hunks)

🧰 Additional context used

📓 Learnings (1)

packages/authhero/src/routes/auth-api/dbconnections.ts (1)

Learnt from: markusahlstrand
PR: markusahlstrand/authhero#13
File: packages/authhero/src/routes/auth-api/dbconnections.ts:33-33
Timestamp: 2024-12-16T07:28:50.646Z
Learning: The Zod email validation with `z.string().email()` doesn't handle special characters, so we should use `z.string()` for email fields instead.

🔇 Additional comments (2)

packages/authhero/src/routes/auth-api/dbconnections.ts (2)

107-111: ⚠️ Potential issue

Use asynchronous password hashing

The synchronous bcryptjs.hashSync can block the event loop under load. Consider using the asynchronous version instead.

Apply this change:

-        password: bcryptjs.hashSync(password, 10),
+        password: await bcryptjs.hash(password, 10),

Likely invalid or redundant comment.

---

85-88: ⚠️ Potential issue

Use constant-time comparison for user existence check

The current implementation might be vulnerable to timing attacks. Consider using a constant-time comparison when checking for existing users.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

packages/authhero/test/helpers/test-server.ts (1)

88-90: Consider adding more test scenarios

While the basic mock email provider is set up correctly, consider adding providers for different test scenarios.

 emailProviders: {
   "mock-email": mockEmailService.sendEmail.bind(mockEmailService),
+  "mock-email-error": () => Promise.reject(new Error("Simulated email error")),
+  "mock-email-timeout": async (...args) => {
+    await new Promise(resolve => setTimeout(resolve, 5000));
+    return mockEmailService.sendEmail.bind(mockEmailService)(...args);
+  }
 },

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5db636b and 4430ec4.

📒 Files selected for processing (4)

• packages/authhero/src/emails/index.ts (1 hunks)
• packages/authhero/src/routes/auth-api/dbconnections.ts (1 hunks)
• packages/authhero/src/types/Bindings.ts (2 hunks)
• packages/authhero/test/helpers/test-server.ts (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• packages/authhero/src/types/Bindings.ts
• packages/authhero/src/routes/auth-api/dbconnections.ts
• packages/authhero/src/emails/index.ts

🔇 Additional comments (3)

packages/authhero/test/helpers/test-server.ts (3)

13-13: LGTM: Clean import statement

The import follows TypeScript conventions and is properly placed with related imports.

---

114-114: Verify test coverage using getSentEmails

The method exposure looks good. Let's verify its usage in tests.

✅ Verification successful

getSentEmails is properly used in test assertions

The method is correctly used in multiple test cases within dbconnections.spec.ts to verify email sending behavior:

• Used to verify single email sent during signup
• Used to verify multiple emails sent during password reset flow
• Used to verify no emails sent in certain scenarios

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check usage of getSentEmails in tests
rg -A 2 "getSentEmails" --type ts

Length of output: 2368

---

84-84: Verify MockEmailService implementation

The service instantiation looks good, but let's verify the implementation of MockEmailService.

✅ Verification successful

MockEmailService implementation is complete and correct

The implementation contains all expected methods with proper functionality:

• sendEmail: Stores email params and returns empty object
• getSentEmails: Returns stored emails for verification
• Uses sentEmails array to track email history

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check MockEmailService implementation for required methods
ast-grep --pattern 'class MockEmailService {
  $$$
  sendEmail($$$) {
    $$$
  }
  getSentEmails($$$) {
    $$$
  }
  $$$
}'

Length of output: 1016

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

packages/authhero/src/utils/password.ts (1)

3-15: Strong implementation with room for minor improvements.

The implementation combines zxcvbn's entropy-based scoring with explicit complexity rules, which is a robust approach. However, consider these enhancements:

1. Add input validation for null/undefined
2. Consider extracting magic numbers/regex patterns as named constants
3. Add JSDoc documentation describing the validation rules

Here's a suggested improvement:

+/**
+ * Validates password strength using zxcvbn scoring and complexity rules.
+ * Requirements:
+ * - zxcvbn score >= 3
+ * - Minimum 8 characters
+ * - At least one lowercase letter
+ * - At least one uppercase letter
+ * - At least one number
+ * - At least one special character
+ * @param password The password to validate
+ * @returns boolean indicating if password meets strength requirements
+ * @throws {Error} If password is null or undefined
+ */
+const MIN_LENGTH = 8;
+const MIN_ZXCVBN_SCORE = 3;
+const PATTERNS = {
+  LOWERCASE: /[a-z]/,
+  UPPERCASE: /[A-Z]/,
+  NUMBER: /[0-9]/,
+  SPECIAL: /[^A-Za-z0-9]/
+} as const;
+
 export default function validatePasswordStrength(password: string) {
+  if (!password) throw new Error('Password is required');
+
   // Check overall strength with zxcvbn
-  if (zxcvbn(password).score < 3) return false;
+  if (zxcvbn(password).score < MIN_ZXCVBN_SCORE) return false;

   // Additional complexity rules.
   return (
-    password.length >= 8 && // Minimum length
-    /[a-z]/.test(password) && // At least one lowercase letter
-    /[A-Z]/.test(password) && // At least one uppercase letter
-    /[0-9]/.test(password) && // At least one number
-    /[^A-Za-z0-9]/.test(password) // At least one special character
+    password.length >= MIN_LENGTH &&
+    PATTERNS.LOWERCASE.test(password) &&
+    PATTERNS.UPPERCASE.test(password) &&
+    PATTERNS.NUMBER.test(password) &&
+    PATTERNS.SPECIAL.test(password)
   );
 }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4430ec4 and d2bc076.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• packages/authhero/package.json (2 hunks)
• packages/authhero/src/utils/password.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/authhero/package.json

🔇 Additional comments (1)

packages/authhero/src/utils/password.ts (1)

1-1: Consider using a more actively maintained password strength library.

The zxcvbn package hasn't been updated since 2017. Consider using @zxcvbn-ts/core which is actively maintained and provides the same functionality with TypeScript support.

Let's verify the package status and alternatives:

[coderabbitai]

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d2bc076 and f1fa745.

📒 Files selected for processing (1)

• packages/authhero/src/emails/index.ts (1 hunks)

🔇 Additional comments (4)

packages/authhero/src/emails/index.ts (4)

1-5: LGTM! Imports and type declarations are clean.

All necessary imports are present and properly typed.

---

19-22: Fix typo and error message in email service validation.

Two issues in this code segment:

1. Typo in environment property access: emailProviders
2. Incorrect error message for email service not found

---

45-45: URL encode parameters in reset password link.

The state and code parameters should be properly encoded to handle special characters.

---

59-59: Add validation token to email verification URL.

The email validation URL needs proper parameters for secure verification.