Security Release for Redwood Apps Using Clerk
Note: You can skip this notice if you're not using Clerk as an auth provider.
We've made a security improvement to the `getCurrentUser` function in the api-side Clerk auth template (PR #7668). Existing projects using Clerk as an auth provider should run the codemod or make the changes manually.
In detail: with Clerk, you can set `privateMetadata` on a user. (Note that this property only holds data if you set it via the Clerk API.) The template `getCurrentUser` returned this data to the frontend by default, making it available to your frontend code whenever a user was logged in.
Clerk users should run this codemod:

```shell
npx @redwoodjs/codemods@canary update-clerk-get-current-user
```

Or make the changes manually:
```diff
// api/src/lib/auth.ts
export const getCurrentUser = async (
decoded,
/* eslint-disable-next-line @typescript-eslint/no-unused-vars */
{ token, type },
/* eslint-disable-next-line @typescript-eslint/no-unused-vars */
{ event, context }
) => {
if (!decoded) {
logger.warn('Missing decoded user')
return null
}
const { roles } = parseJWT({ decoded })
+ const { privateMetadata, ...userWithoutPrivateMetadata } = decoded
if (roles) {
- return { ...decoded, roles }
+ return { ...userWithoutPrivateMetadata, roles }
}
- return { ...decoded }
+ return { ...userWithoutPrivateMetadata }
}
```
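Review bot: the added `const { privateMetadata, ...userWithoutPrivateMetadata } = decoded` leaves `privateMetadata` unused, so the `@typescript-eslint/no-unused-vars` rule that the template already silences for `{ token, type }` and `{ event, context }` will flag this line too; add the same `/* eslint-disable-next-line @typescript-eslint/no-unused-vars */` above it so the template lints cleanly. Also worth stating in the PR description: this is a deny-list of one field, so any other sensitive claim present on `decoded` still reaches the frontend through both `return` paths; projects that add fields to the token should revisit whether an allow-list of the fields the web side actually needs is the safer default.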
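To make the leak and the fix checkable offline, here is an added example that is not Redwood's or Clerk's code: a stand-in for the template's `getCurrentUser` in its pre-fix and post-fix forms, run over a constructed decoded Clerk user, plus a regression check that serialises the result the way the GraphQL layer would and looks for the `privateMetadata` key. `parseJWT` from `@redwoodjs/api` is replaced by a small `rolesFrom` helper, and the `DecodedClerkUser` type and `sampleDecoded` value are assumptions made up for the example.

```typescript
// Added example, not the Redwood template or Clerk SDK code.
// Assumed shape of `decoded` after Clerk token verification.
type DecodedClerkUser = {
  id: string
  email?: string
  roles?: string[]
  publicMetadata?: Record<string, unknown>
  privateMetadata?: Record<string, unknown>
}

// Constructed sample user. privateMetadata is data that should stay api-side.
export const sampleDecoded: DecodedClerkUser = {
  id: 'user_constructed_123',
  email: 'alice@example.com',
  roles: ['admin'],
  publicMetadata: { plan: 'pro' },
  privateMetadata: { stripeCustomerId: 'cus_constructed', internalNotes: 'flagged' },
}

// Stand-in for parseJWT({ decoded }).roles (assumption, not @redwoodjs/api).
const rolesFrom = (decoded: DecodedClerkUser) => decoded.roles

// Pre-fix behaviour: spreads the whole decoded object, privateMetadata included.
export const getCurrentUserBefore = (decoded: DecodedClerkUser | null) => {
  if (!decoded) return null
  const roles = rolesFrom(decoded)
  if (roles) return { ...decoded, roles }
  return { ...decoded }
}

// Post-fix behaviour: privateMetadata is pulled out before either spread.
export const getCurrentUserAfter = (decoded: DecodedClerkUser | null) => {
  if (!decoded) return null
  const roles = rolesFrom(decoded)
  // eslint-disable-next-line @typescript-eslint/no-unused-vars
  const { privateMetadata, ...userWithoutPrivateMetadata } = decoded
  if (roles) return { ...userWithoutPrivateMetadata, roles }
  return { ...userWithoutPrivateMetadata }
}

// Regression check: serialise as the API response would be and search the JSON,
// so the key is caught wherever it ends up in the object.
export const leaksPrivateMetadata = (currentUser: unknown): boolean => {
  const json = JSON.stringify(currentUser ?? null)
  return json.includes('"privateMetadata"')
}
```

Drop `leaksPrivateMetadata` into an api-side test that calls your real `getCurrentUser` with a decoded user carrying `privateMetadata`; it fails on the old template and passes on the patched one, so the leak cannot silently return the next time `auth.ts` is regenerated or hand-edited.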
Changelog
Features
Fixed
- fix(clerk): Remove privateMetadata property from getCurrentUser #7668 by @anagstef
- Fix `yarn rw exec` to set nonzero exit code on error #7660 by @rcrogers
- Get rid of red squiggles in new lambda functions #7640 by @Tobbe
- Forms: Export EmptyAsValue #7656 by @Tobbe
Docs
- Update CORS docs to reflect Redwood 4 changes #7627 by @schybo
- fix(docs): typo in GraphQL docs #7634 by @BlackHawkSigma
- Fix the world's most minor typo (txs -> tsx) #7658 by @CarlQLange
- Update useRequireAuth docs to v4 auth #7646 by @Tobbe
- Update directives.md #7670 by @alirezaRaisSattari
Chore
- chore(deps): bump @sideway/formula from 3.0.0 to 3.0.1 in /docs #7593 by @dependabot
- chore(CI): CI telemetry checking #7623 by @Josh-Walker-GM
Core dependencies
- fix(deps): update prisma monorepo to v4.10.1 #7601
- fix(deps): update dependency fastify to v4.13.0 #7604
Dependencies
- fix(deps): update dependency @clerk/clerk-sdk-node to v4.7.1 #7589
- chore(deps): update dependency supertokens-auth-react to v0.31.0 #7588
- chore(deps): update dependency @clerk/clerk-react to v4.11.1 #7585
- chore(deps): update dependency @replayio/playwright to v0.3.19 #7590
- fix(deps): update prisma monorepo to v4.10.0 #7591
- chore(deps): update dependency supertokens-node to v13 #7595
- fix(deps): update typescript-eslint monorepo to v5.51.0 #7592
- fix(deps): update prisma monorepo to v4.10.1 #7601
- fix(deps): update dependency pino to v8.10.0 #7599
- chore(deps): update dependency esbuild to v0.17.7 #7603
- fix(deps): update dependency fastify to v4.13.0 #7604
- fix(deps): update dependency @whatwg-node/fetch to v0.7.1 #7600
- fix(deps): update dependency @whatwg-node/fetch to v0.8.1 #7609
- fix(deps): update dependency @fastify/static to v6.9.0 #7610
- fix(deps): update dependency react-player to v2.11.2 #7594
- chore(deps): update dependency @replayio/playwright to v0.3.20 #7613
- chore(deps): update dependency esbuild to v0.17.8 #7626
- fix(deps): update dependency systeminformation to v5.17.9 #7622
- fix(deps): update dependency eslint to v8.34.0 #7615
- chore(deps): update dependency @clerk/types to v3.27.0 #7614
- chore(deps): update dependency supertokens-node to v13.0.2 #7629
- chore(deps): update dependency @types/vscode to v1.75.1 #7630
- chore(deps): update dependency supertokens-auth-react to v0.31.1 #7628
- chore(deps): update dependency @replayio/playwright to v0.3.21 #7643
- chore(deps): update dependency @clerk/clerk-react to v4.11.3 #7642
- fix(deps): update dependency @clerk/clerk-sdk-node to v4.7.3 #7645
- chore(deps): update dependency lerna to v6.5.1 #7631
- chore(deps): update dependency esbuild to v0.17.10 #7662
- fix(deps): update dependency yargs to v17.7.1 #7667
- fix(deps): update dependency @fastify/url-data to v5.3.1 #7665
- fix(deps): update dependency vite to v4.1.3 #7664
- fix(deps): update dependency @clerk/clerk-sdk-node to v4.7.4 #7663
- fix(deps): update dependency core-js to v3.28.0 #7666
- fix(deps): update dependency vscode-languageserver-types to v3.17.3 #7636