fix: Don't store JWT token in an SSR environment #9848

Merged
merged 3 commits into from
Jan 17, 2025

Conversation

@devcshort devcshort commented Oct 28, 2024

What - This change makes it so that the JWT doesn't get stored on the Medusa client when in an SSR environment.

Why - Currently, when the Medusa client is used in an SSR environment, the last logged-in user's JWT gets stored on the Medusa client. This causes customer information to be leaked when it shouldn't be.

How - To keep things DRY, I added a typeof check to the jwt-token-manager that checks if the window is undefined. If it's undefined, I simply return, as I don't believe any further action is needed.

This fixes the issue referenced here #6889
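The leak the description above refers to, and the guard it adds, as an added example. This is illustrative code written for this page, not Medusa's jwt-token-manager or any other project code; the names LeakyTokenManager, SafeTokenManager, MemoryStorage, STORAGE_KEY, simulateSsrRequests and withFakeWindow, and the placeholder token value, are assumptions of the example. The "before" manager keeps the token on a shared instance, which under SSR means one Node process holds the last customer's JWT for every later request; the "after" manager no-ops whenever `typeof window === "undefined"`.

```javascript
// Added example (not Medusa's own jwt-token-manager): a minimal JWT token
// manager showing the SSR leak described in the PR and the window check that
// stops it. All names and the placeholder token are this example's assumptions.

const STORAGE_KEY = "auth_token"; // assumed storage key name

// The SSR check the PR description relies on: a browser defines a global
// `window`; a Node/SSR process does not.
function isServer() {
  return typeof window === "undefined";
}

// Before: the token lives on the shared client instance. Under SSR a single
// Node process renders pages for every visitor, so whoever logged in last
// leaves their JWT on the client for the next request to read.
class LeakyTokenManager {
  constructor() {
    this.token = null;
  }
  setJwt(token) {
    this.token = token;
  }
  getJwt() {
    return this.token;
  }
  removeJwt() {
    this.token = null;
  }
}

// In-memory stand-in for window.localStorage so the example runs under Node.
class MemoryStorage {
  constructor() {
    this.map = new Map();
  }
  getItem(key) {
    return this.map.has(key) ? this.map.get(key) : null;
  }
  setItem(key, value) {
    this.map.set(key, String(value));
  }
  removeItem(key) {
    this.map.delete(key);
  }
}

// After: on the server every operation is a no-op, so no JWT is retained on a
// shared instance; in the browser the token is persisted per origin as before.
class SafeTokenManager {
  constructor(storage) {
    this.storage = storage; // in a browser this would be window.localStorage
  }
  setJwt(token) {
    if (isServer()) return; // SSR: never store
    this.storage.setItem(STORAGE_KEY, token);
  }
  getJwt() {
    if (isServer()) return null; // SSR: nothing to hand out
    return this.storage.getItem(STORAGE_KEY);
  }
  removeJwt() {
    if (isServer()) return;
    this.storage.removeItem(STORAGE_KEY);
  }
}

// Two consecutive requests hitting one shared manager: Alice authenticates in
// the first, an anonymous visitor only reads in the second. Returns what each
// request observed. The token string is a constructed placeholder, not a JWT.
function simulateSsrRequests(manager) {
  manager.setJwt("eyJ.alice.sig");
  const aliceSees = manager.getJwt();
  const nextVisitorSees = manager.getJwt();
  return { aliceSees, nextVisitorSees };
}

// Run fn with a fake global `window` so the browser branch can be exercised
// from Node; the global is restored afterwards.
function withFakeWindow(fn) {
  const had = Object.prototype.hasOwnProperty.call(globalThis, "window");
  const prev = globalThis.window;
  globalThis.window = {};
  try {
    return fn();
  } finally {
    if (had) globalThis.window = prev;
    else delete globalThis.window;
  }
}

console.log("leaky:", simulateSsrRequests(new LeakyTokenManager()));
// leaky: { aliceSees: 'eyJ.alice.sig', nextVisitorSees: 'eyJ.alice.sig' }
console.log("safe:", simulateSsrRequests(new SafeTokenManager(new MemoryStorage())));
// safe: { aliceSees: null, nextVisitorSees: null }
```

Two caveats worth keeping in mind with this kind of guard. First, it only stops the token from being retained; server-rendered code that needs an authenticated call still has to carry the customer's token with the request itself rather than read it from a client shared across requests. Second, `typeof window === "undefined"` is a heuristic for "not a browser": test environments that install a DOM shim such as jsdom define `window`, so there the manager behaves as if it were in a browser.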

@devcshort devcshort requested a review from a team as a code owner October 28, 2024 21:11
changeset-bot bot commented Oct 28, 2024

⚠️ No Changeset found

Latest commit: eb74321

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


vercel bot commented Oct 28, 2024

@devcshort is attempting to deploy a commit to the medusajs Team on Vercel.

A member of the Team first needs to authorize it.

@u11d-bartlomiej-galezowski

@sradevski @olivermrbl @shahednasser can we ask for your review? This fix is really urgent for us.

@thetutlage
Contributor

Looks fine to me. I will let @olivermrbl and @sradevski look into it once, especially the failing CI tests.

@devcshort
Author

@olivermrbl @sradevski any updates on this? This is a fairly urgent request for us and is a prerequisite before we can go to production. Thanks!

Contributor

@olivermrbl olivermrbl left a comment

LGTM, thanks!

vercel bot commented Dec 9, 2024

1 skipped deployment: medusa-docs, status Ignored, updated Dec 9, 2024 8:55am (UTC)

@u11d-bartlomiej-galezowski

Can we expect the fix in v1.20.11?


This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the Stale label Jan 11, 2025
@devcshort
Author

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

Not stale

@olivermrbl olivermrbl merged commit ee5af4d into medusajs:v1.x Jan 17, 2025
18 of 26 checks passed
@devcshort
Author

@olivermrbl @kasperkristensen what is your release cycle like? Curious when we can expect this change for the v1 Medusajs client to be released. Thanks!

@SalahAdDin

@olivermrbl @kasperkristensen, what is your release cycle like? I'm curious when we can expect this change for the v1 Medusajs client to be released. Thanks!

Being a security issue, they may release it to version 1 too.

@olivermrbl
Contributor

@devcshort, there is no release cycle for v1, since PRs are very rarely merged. We tend to do it shortly after this happens, so I expect to cut a new version later today.

@devcshort
Author

@olivermrbl sounds great, thank you for the update!

6 participants