npm @redwoodjs/core 4.2.0
v4.2.0

20 months ago

Security Release for Redwood Apps Using Clerk

Note

You can skip this notice if you're not using Clerk as an auth provider.

We've made a security improvement to the getCurrentUser function in the api-side Clerk auth template (PR here: #7668). Existing projects that use Clerk as their auth provider should run the codemod below or make the same change manually; the template only ships at project creation, so an upgrade of @redwoodjs/core alone does not patch your api/src/lib/auth.ts.

In detail: Clerk lets you store privateMetadata on a user. This property is meant to be readable only from your backend (and it only has content if you have set it yourself via the Clerk API). The template's getCurrentUser spread the entire decoded Clerk user into the object it returned, so whatever you had stored in privateMetadata was serialized to the web side and readable by frontend code (and therefore by the logged-in user themselves) whenever that user was signed in. If you never set privateMetadata, nothing was exposed, but you should still apply the fix.

Clerk users should run this codemod:

npx @redwoodjs/codemods@canary update-clerk-get-current-user

Or make the changes manually:

 // api/src/lib/auth.ts

 export const getCurrentUser = async (
   decoded,
   /* eslint-disable-next-line @typescript-eslint/no-unused-vars */
   { token, type },
   /* eslint-disable-next-line @typescript-eslint/no-unused-vars */
   { event, context }
 ) => {
   if (!decoded) {
     logger.warn('Missing decoded user')
     return null
   }

   const { roles } = parseJWT({ decoded })

+  const { privateMetadata, ...userWithoutPrivateMetadata } = decoded

   if (roles) {
-    return { ...decoded, roles }
+    return { ...userWithoutPrivateMetadata, roles }
   }

-  return { ...decoded }
+  return { ...userWithoutPrivateMetadata }
 }
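Review bot: the fix at `+  const { privateMetadata, ...userWithoutPrivateMetadata } = decoded` is a deny-list: it removes one named field and still spreads every other property of the decoded Clerk user to the web side, so any other server-only field that is present now or that a future SDK version adds to the user object would be forwarded exactly as privateMetadata was. Consider building the returned object from an explicit allow-list of the fields the web side actually needs (for example `id`, `publicMetadata` and `roles`) instead of `{ ...userWithoutPrivateMetadata, roles }`. Separately, `privateMetadata` is now bound but never read; the template already disables `@typescript-eslint/no-unused-vars` for the unused parameters above, and this destructured name will be flagged the same way unless `ignoreRestSiblings` is enabled in the project's ESLint config, so either add the same `eslint-disable-next-line` comment above that line or enable that option.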

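As an added example (this is not Redwood's template or Clerk's SDK code), the same fix written as an allow-list, together with a recursive check you can run in api-side tests to prove that nothing named privateMetadata reaches the web side. The shape of the decoded user and the sample values (`id`, `publicMetadata`, `emailAddresses`, the metadata contents) are constructed for the example; `roles` is passed in by the caller because how it is derived (the page uses parseJWT) is not part of what is shown here.

```typescript
// Added example; not Redwood's template or Clerk's SDK code.
// The decoded-user shape is an assumption modelled on the page: a Clerk user
// object carrying publicMetadata and privateMetadata, plus whatever else the
// SDK returns (represented by the index signature).
type DecodedClerkUser = {
  id: string
  publicMetadata?: Record<string, unknown>
  privateMetadata?: Record<string, unknown>
  [extra: string]: unknown
}

// What the web side is allowed to see. Adding a field here is a deliberate,
// reviewable decision; nothing reaches the browser by accident.
export type CurrentUser = {
  id: string
  publicMetadata: Record<string, unknown>
  roles: string[]
}

// Recursively look for a property name anywhere in a JSON-like value, so the
// check also catches privateMetadata nested inside some other forwarded field.
export function containsKey(value: unknown, key: string): boolean {
  if (Array.isArray(value)) return value.some((item) => containsKey(item, key))
  if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      if (k === key || containsKey(v, key)) return true
    }
  }
  return false
}

// Allow-list version of getCurrentUser's return value. `roles` is supplied by
// the caller (the page derives it with parseJWT); that derivation is not shown.
export function toCurrentUser(
  decoded: DecodedClerkUser | null | undefined,
  roles: string[] = []
): CurrentUser | null {
  if (!decoded) return null
  // Pick named fields; never spread `decoded`, so privateMetadata and any
  // field a future SDK version adds stay on the api side.
  const user: CurrentUser = {
    id: decoded.id,
    publicMetadata: decoded.publicMetadata ?? {},
    roles,
  }
  // Defence in depth: fail closed rather than serialise server-only data.
  if (containsKey(user, 'privateMetadata')) {
    throw new Error('refusing to expose privateMetadata to the web side')
  }
  return user
}

// The pre-fix behaviour from the page, kept only so a test can show the leak:
// spreading the whole decoded object forwards privateMetadata unchanged.
export function toCurrentUserUnsafe(decoded: DecodedClerkUser, roles: string[] = []) {
  return { ...decoded, roles }
}

// Constructed sample input (not real Clerk data).
export const sampleDecoded: DecodedClerkUser = {
  id: 'user_example',
  publicMetadata: { plan: 'team' },
  privateMetadata: { stripeCustomerId: 'cus_example', supportNotes: 'escalate' },
  emailAddresses: [{ emailAddress: 'a@example.com' }],
}
```

In an api-side test, `containsKey(toCurrentUser(sampleDecoded), 'privateMetadata')` should be false while the same check on `toCurrentUserUnsafe(sampleDecoded)` is true; keeping that assertion in the suite means a later change that reintroduces a spread of the decoded user fails CI instead of shipping.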
Changelog

Features

  • 7482/validators exclude include caseinsensitive #7573 by @taivo

Fixed

  • fix(clerk): Remove privateMetadata property from getCurrentUser #7668 by @anagstef
  • Fix yarn rw exec to set nonzero exit code on error #7660 by @rcrogers
  • Get rid of red squiggles in new lambda functions #7640 by @Tobbe
  • Forms: Export EmptyAsValue #7656 by @Tobbe

Docs

Chore

Core dependencies

  • fix(deps): update prisma monorepo to v4.10.1 #7601
  • fix(deps): update dependency fastify to v4.13.0 #7604

Dependencies

  • fix(deps): update dependency @clerk/clerk-sdk-node to v4.7.1 #7589
  • chore(deps): update dependency supertokens-auth-react to v0.31.0 #7588
  • chore(deps): update dependency @clerk/clerk-react to v4.11.1 #7585
  • chore(deps): update dependency @replayio/playwright to v0.3.19 #7590
  • fix(deps): update prisma monorepo to v4.10.0 #7591
  • chore(deps): update dependency supertokens-node to v13 #7595
  • fix(deps): update typescript-eslint monorepo to v5.51.0 #7592
  • fix(deps): update prisma monorepo to v4.10.1 #7601
  • fix(deps): update dependency pino to v8.10.0 #7599
  • chore(deps): update dependency esbuild to v0.17.7 #7603
  • fix(deps): update dependency fastify to v4.13.0 #7604
  • fix(deps): update dependency @whatwg-node/fetch to v0.7.1 #7600
  • fix(deps): update dependency @whatwg-node/fetch to v0.8.1 #7609
  • fix(deps): update dependency @fastify/static to v6.9.0 #7610
  • fix(deps): update dependency react-player to v2.11.2 #7594
  • chore(deps): update dependency @replayio/playwright to v0.3.20 #7613
  • chore(deps): update dependency esbuild to v0.17.8 #7626
  • fix(deps): update dependency systeminformation to v5.17.9 #7622
  • fix(deps): update dependency eslint to v8.34.0 #7615
  • chore(deps): update dependency @clerk/types to v3.27.0 #7614
  • chore(deps): update dependency supertokens-node to v13.0.2 #7629
  • chore(deps): update dependency @types/vscode to v1.75.1 #7630
  • chore(deps): update dependency supertokens-auth-react to v0.31.1 #7628
  • chore(deps): update dependency @replayio/playwright to v0.3.21 #7643
  • chore(deps): update dependency @clerk/clerk-react to v4.11.3 #7642
  • fix(deps): update dependency @clerk/clerk-sdk-node to v4.7.3 #7645
  • chore(deps): update dependency lerna to v6.5.1 #7631
  • chore(deps): update dependency esbuild to v0.17.10 #7662
  • fix(deps): update dependency yargs to v17.7.1 #7667
  • fix(deps): update dependency @fastify/url-data to v5.3.1 #7665
  • fix(deps): update dependency vite to v4.1.3 #7664
  • fix(deps): update dependency @clerk/clerk-sdk-node to v4.7.4 #7663
  • fix(deps): update dependency core-js to v3.28.0 #7666
  • fix(deps): update dependency vscode-languageserver-types to v3.17.3 #7636
