[Docs] Block direct sign-in flow initiation from browser SPAs #3455
Malith-19 wants to merge 1 commit into
Browser SPAs cannot initiate a sign-in flow directly via POST /flow/execute; they must use the redirect-based authorization_code + PKCE flow. Document this in the SDK overview pages and the react-vanilla sample.

- Add callouts to the javascript, browser, react and vue SDK overview docs.
- Add a notice to the react-vanilla sample steering browser SPAs to the redirect-based react-sdk-sample.

The SDK code change lives in thunder-id/javascript-sdks (the SDKs were moved out of this repo in thunder-id#3456).

Refs thunder-id#3217
Refs thunder-id#3219
| > `POST /flow/execute` directly from the browser (the "app-native" pattern). Browser single-page | ||
| > applications are **not supported** for direct sign-in initiation and must sign in using the | ||
| > redirect-based OAuth2 `authorization_code` + PKCE flow — see the | ||
| > [`react-sdk-sample`](../react-sdk-sample) for the recommended approach. This sample is kept only |
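Review bot: the callout says direct sign-in initiation is "not supported" and points to `react-sdk-sample`, but it never states what a SPA that still calls `POST /flow/execute` will observe; the PR description says the SDK now throws at runtime, so say that here (e.g. "the SDK throws at runtime") so a developer who hits the error can trace it back to this note.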
Not related to this PR, but related to your effort... IMO we shouldn't provide a sample for a non-recommended implementation. Instead we should give a Next.js sample maybe.
Purpose

Document that browser SPAs must use the redirect-based sign-in flow and cannot initiate a sign-in flow directly via `POST /flow/execute`.

This is the documentation companion to the SDK change. The JavaScript SDKs were moved out of this monorepo into thunder-id/javascript-sdks (#3456), so the actual SDK code change (the runtime block + JSDoc + README + tests) now lives there: thunder-id/javascript-sdks#3. This PR carries only the docs-site and sample changes that remain in this repo.

Approach

- `:::warning` callouts added to the javascript, browser, react and vue SDK overview pages: browser SPAs must sign in via the redirect-based OAuth2 `authorization_code` + PKCE flow (`<SignInButton />` / `signIn()`); initiating a sign-in flow directly in the browser is not supported and throws at runtime.
- `react-vanilla-sample` steering browser SPAs to the redirect-based `react-sdk-sample`.
- `/authorize` initiates authentication only, so registration and recovery have no redirect-based equivalent and remain documented as-is.

Related Issues

Related PRs

Checklist

- `breaking change` label added.

Security checks

Note

[WIP] — paired with thunder-id/javascript-sdks#3; for testing and fine-tuning before review.