Security Release for Redwood Apps Using Clerk

Note

You can skip this notice if you're not using Clerk as an auth provider.

We've made a security improvement to the getCurrentUser function in the api-side Clerk auth template (PR here: #7668). Existing projects using Clerk as an auth provider should run the codemod or make the changes manually.

In detail, with Clerk, you can set privateMetadata on a user. (Note that you have to set data on this property via the Clerk API for there to be data there.) The template getCurrentUser was returning this data to the frontend by default, making it available to your frontend code when a user was logged in.

Clerk users should run this codemod:

npx @redwoodjs/codemods@canary update-clerk-get-current-user

Or make the changes manually:

 // api/src/lib/auth.ts

 export const getCurrentUser = async (
   decoded,
   /* eslint-disable-next-line @typescript-eslint/no-unused-vars */
   { token, type },
   /* eslint-disable-next-line @typescript-eslint/no-unused-vars */
   { event, context }
 ) => {
   if (!decoded) {
     logger.warn('Missing decoded user')
     return null
   }

   const { roles } = parseJWT({ decoded })

+  const { privateMetadata, ...userWithoutPrivateMetadata } = decoded

   if (roles) {
-    return { ...decoded, roles }
+    return { ...userWithoutPrivateMetadata, roles }
   }

-  return { ...decoded }
+  return { ...userWithoutPrivateMetadata }
 }

Changelog

Features

7482/validators exclude include caseinsensitive #7573 by @taivo

Fixed

fix(clerk): Remove privateMetadata property from getCurrentUser #7668 by @anagstef
Fix yarn rw exec to set nonzero exit code on error #7660 by @rcrogers
Get rid of red squiggles in new lambda functions #7640 by @Tobbe
Forms: Export EmptyAsValue #7656 by @Tobbe

Docs

Update CORS docs to reflect Redwood 4 changes #7627 by @schybo
fix(docs): typo in GraphQL docs #7634 by @BlackHawkSigma
Fix the world's most minor typo (txs -> tsx) #7658 by @CarlQLange
Update useRequireAuth docs to v4 auth #7646 by @Tobbe
Update directives.md #7670 by @alirezaRaisSattari

Chore

chore(deps): bump @sideway/formula from 3.0.0 to 3.0.1 in /docs #7593 by @dependabot
chore(CI): CI telemetry checking #7623 by @Josh-Walker-GM

Core dependencies

fix(deps): update prisma monorepo to v4.10.1 #7601
fix(deps): update dependency fastify to v4.13.0 #7604

Dependencies

Click to see all upgraded dependencies

fix(deps): update dependency @clerk/clerk-sdk-node to v4.7.1 #7589
chore(deps): update dependency supertokens-auth-react to v0.31.0 #7588
chore(deps): update dependency @clerk/clerk-react to v4.11.1 #7585
chore(deps): update dependency @replayio/playwright to v0.3.19 #7590
fix(deps): update prisma monorepo to v4.10.0 #7591
chore(deps): update dependency supertokens-node to v13 #7595
fix(deps): update typescript-eslint monorepo to v5.51.0 #7592
fix(deps): update prisma monorepo to v4.10.1 #7601
fix(deps): update dependency pino to v8.10.0 #7599
chore(deps): update dependency esbuild to v0.17.7 #7603
fix(deps): update dependency fastify to v4.13.0 #7604
fix(deps): update dependency @whatwg-node/fetch to v0.7.1 #7600
fix(deps): update dependency @whatwg-node/fetch to v0.8.1 #7609
fix(deps): update dependency @fastify/static to v6.9.0 #7610
fix(deps): update dependency react-player to v2.11.2 #7594
chore(deps): update dependency @replayio/playwright to v0.3.20 #7613
chore(deps): update dependency esbuild to v0.17.8 #7626
fix(deps): update dependency systeminformation to v5.17.9 #7622
fix(deps): update dependency eslint to v8.34.0 #7615
chore(deps): update dependency @clerk/types to v3.27.0 #7614
chore(deps): update dependency supertokens-node to v13.0.2 #7629
chore(deps): update dependency @types/vscode to v1.75.1 #7630
chore(deps): update dependency supertokens-auth-react to v0.31.1 #7628
chore(deps): update dependency @replayio/playwright to v0.3.21 #7643
chore(deps): update dependency @clerk/clerk-react to v4.11.3 #7642
fix(deps): update dependency @clerk/clerk-sdk-node to v4.7.3 #7645
chore(deps): update dependency lerna to v6.5.1 #7631
chore(deps): update dependency esbuild to v0.17.10 #7662
fix(deps): update dependency yargs to v17.7.1 #7667
fix(deps): update dependency @fastify/url-data to v5.3.1 #7665
fix(deps): update dependency vite to v4.1.3 #7664
fix(deps): update dependency @clerk/clerk-sdk-node to v4.7.4 #7663
fix(deps): update dependency core-js to v3.28.0 #7666
fix(deps): update dependency vscode-languageserver-types to v3.17.3 #7636

@redwoodjs/core 4.2.0 v4.2.0 on Node.js NPM