Skip to content

feat(auth0): switch from cosmiconfig to configliere (#362)#363

Open
a-kriya wants to merge 3 commits into
thefrontside:mainfrom
a-kriya:config
Open

feat(auth0): switch from cosmiconfig to configliere (#362)#363
a-kriya wants to merge 3 commits into
thefrontside:mainfrom
a-kriya:config

Conversation

@a-kriya

@a-kriya a-kriya commented Apr 11, 2026

Copy link
Copy Markdown
Contributor

Motivation

Migrates from cosmiconfig to in-house configliere for parsing configuration options.

Adds a protocol config option to allow users to choose serving over http or https.

Summary by CodeRabbit

  • New Features

    • Auth0 simulator now supports CLI-driven configuration with --help and explicit start command.
    • Configuration via CLI flags, JSON files, environment variables (UPPER_SNAKE_CASE), or programmatic options.
  • Documentation

    • Expanded Auth0 simulator README with detailed configuration guidance and field references.
  • Chores

    • Updated Auth0 library dependency to version 9.32.0.

@pkg-pr-new

pkg-pr-new Bot commented Apr 11, 2026

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/@simulacrum/auth0-simulator@363
npm i https://pkg.pr.new/@simulacrum/foundation-simulator@363
npm i https://pkg.pr.new/@simulacrum/github-api-simulator@363
npm i https://pkg.pr.new/@simulacrum/server@363

commit: 35e0d00

@frontsidejack

frontsidejack commented Apr 11, 2026

Copy link
Copy Markdown
Member

Package Changes Through 646b85b

No changes.

Add a change file through the GitHub UI by following this link.


Read about change files or the docs at github.com/jbolda/covector

@a-kriya

a-kriya commented Apr 11, 2026

Copy link
Copy Markdown
Contributor Author

@jbolda Will you be able to help test this, and make improvements. I can't login with the default user due to SSL errors even when setting PROTOCOL=http.

@jbolda

jbolda commented Apr 12, 2026

Copy link
Copy Markdown
Member

Hmm, how are you testing it out? If it uses the auth0 libs, those tend to throw errors if they aren't pointing at https. Is that the error you are getting? That is why we had the instructions to use mkcert on first run. I might expect the tests to pass at least without setting up that cert.

@a-kriya

a-kriya commented Apr 13, 2026

Copy link
Copy Markdown
Contributor Author

I was running the start script, which executes ./example/index.mts. Then going to the /login route and entering the default user credentials. Auth0 webAuth was hitting https://localhost because the domain passed to it did not specify protocol (domain: new URL(serviceURL(req)).host). I'll ignore that for now.

For the unit tests, I modified them in a separate commit to pass protocol: 'http' option, so they now all pass without depending on system state.

image

@a-kriya a-kriya marked this pull request as ready for review April 13, 2026 04:07
@jbolda

jbolda commented Apr 14, 2026

Copy link
Copy Markdown
Member

As a bit of a separate question, do you have some requirements that prevent you from installing a local dev-only cert? I was considering automating that process more, a few libs can help some with it, but it the ramifications of trying to do it automatically were unclear.

@a-kriya

a-kriya commented Apr 14, 2026

Copy link
Copy Markdown
Contributor Author

Not really, mkcert is a dependency that hasn't been maintained for a few years. While I realize it might just be "complete" and doesn't require further work, I was just a bit wary of installing it and wanted to first figure out if the test suite can pass without it. And it did, so if it provides the same confidence it seems like an improvement because of a simpler setup.

Regardless, if you want to drop the third commit of this PR, please feel free.

debug: boolean,
): Record<Routes, RequestHandler> => {
let { audience, scope, clientID, rulesDirectory } = options;
let { audience, scope, clientId, rulesDirectory } = options;

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think clientID was explicitly used as that aligns with Auth0 docs. Could we confirm that and maybe link it to their docs for future reference?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The WebAuth instantiation in views/login.ts still specifies clientID, but using it as our config option was creating --client-i-d and CLIENT_I_D as the parameters.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ahhh I see. @cowboyd do we have a good way to deal with this?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we are going to have to put in an override API into configliere for this use case. I will do my best to whip that up here. I suspect that we are going to run into issues otherwise in getting it to work with auth0 libs if we don't follow their semantics.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alright. Although I do think that this project should be able to use any naming format within itself, and only the interface layer with Auth0 needs to worry about using parameters that Auth0 accepts.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't inherently disagree. We want the incoming config to match whatever official auth0 accepts though. Also some of those variables are leaky into like the JWT if I recall.

I did get the PR going though, so we can update that soon here.
thefrontside/configliere#19

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah right, makes sense.

Comment thread packages/auth0/src/views/login.ts
Comment thread packages/auth0/src/config/get-config.ts Outdated
Comment on lines +32 to +38
const envs = [{ name: "env", value: process.env as Record<string, string> }];
const values = [{ name: "options", value: options }];
const result = auth0Program.parse({ args, envs, values });

if (!result.ok) throw result.error;

return result.value.config;

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like you have some good progress here. We will need to parse with a file as well. The inject is the new part of the API to help in handling it. This example that uses the newer inject which we will need to load a config file. After we have our parser, the return of that is effectively an object. That object is what we can pass directly to the auth0 simulator.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need some help here. Would you mind taking this further in the direction that we want to go to?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure I can toss a commit here in a little bit.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok I pushed a commit. I think this is a good direction. We will still want to check the APIs to make sure we understand any breaking changes.

Comment thread packages/auth0/src/index.ts Outdated

export const simulation: Auth0Simulator = (args = {}) => {
const config = getConfig(args.options);
const config = getConfig(args.options, args.args);

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The slight adjustment here is that we don't do the config handling here. args.options should just be passed all of the data that we get from config. We won't parse in this function as that should be complete by the time we call this function. I don't think it will create a breaking change as before and after we only have an object. This distinction though means we can do more advanced parsing and pass in the result here.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How would start.cjs look? Would index.ts export getConfig which start.cjs will call and pass to simulation()?

@jbolda jbolda Apr 17, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep! Or at least the config parser. getConfig() could probably be removed as you would want to handle commands and then call simulation only in some cases (instead of the early return that you have).

Comment thread packages/auth0/test/ci-smoke.test.ts
Comment thread packages/auth0/test/openid-handlers.test.ts Outdated
Comment thread packages/foundation/src/store/index.ts Outdated
@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Replaces cosmiconfig with configliere for Auth0 simulator configuration loading. Introduces a configFields map and ConfigFieldDef type as the single source of truth for the Zod schema. Adds auth0Program CLI with a start command, normalizeConfig for domain/port reconciliation, and rewrites the bin/start.mjs entrypoint. Renames clientId to clientID in handlers and expands README documentation.

Changes

Auth0 configliere migration and CLI

Layer / File(s) Summary
Config field definitions and schema refactor
packages/auth0/src/types.ts, packages/auth0/package.json
Adds ConfigFieldDef interface and configFields map; rebuilds configurationSchema derived from configFields, removing cookie-related fields. Swaps cosmiconfig for configliere@^0.4.0.
Config parser, normalizer, and auth0Program CLI
packages/auth0/src/config/get-config.ts
Builds auth0ConfigParser and auth0Program (with start command) from configFields. Adds normalizeConfig for domain/port conflict resolution, readJsonConfig, parseAuth0Config, and delegates getConfig to the new parser pipeline.
Simulator args, conditional server options, and re-exports
packages/auth0/src/index.ts
Adds optional config field to Auth0Simulator args; simulation prefers args.config over getConfig(args.options); removes hardcoded port/protocol defaults; re-exports new config utilities.
clientIdclientID rename in handlers
packages/auth0/src/handlers/auth0-handlers.ts
Renames responseClientId to responseClientID in /login, /usernamepassword/login, and /oauth/token handlers; adds explicit string type annotations.
CLI bin entrypoint and example startup
packages/auth0/bin/start.mjs, packages/auth0/example/index.mts
Rewrites bin/start.mjs to parse CLI via auth0Program, dispatch on command, load optional JSON config, resolve hostname from server.address(), and handle errors with non-zero exit. Updates example to use promise-based listen with the same hostname logic.
Config parsing tests
packages/auth0/test/config.test.ts
New Vitest suite covering --port parsing, JSON config file loading via -c, help text output, domain derivation from port, and domain/port conflict errors.
README rewrite, SDK bump, clientID doc fix
packages/auth0/README.md, packages/auth0/src/views/login.ts
Rewrites Configuration section to document configliere, CLI flags, JSON config files, environment variables, programmatic options, and an options reference table. Updates clientIdclientID in example JSON. Bumps auth0.js CDN from 9.19.0 to 9.32.0.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 Hopped away from cosmiconfig's maze,
Now configliere sets the auth stage ablaze!
A start command flags the port just right,
normalizeConfig keeps domain and port tight.
clientID is spelled correctly at last —
This rabbit types fast! 🐾

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: migrating the Auth0 configuration system from cosmiconfig to configliere, which is the primary objective of this PR.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/auth0/src/handlers/auth0-handlers.ts (1)

130-134: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Assertion checks the wrong client ID variable in failed-login flow.

Line 133 asserts clientID, but this branch uses responseClientID = query.client_id ?? clientID. The assert should validate responseClientID to match the actual value sent to loginView.

💡 Proposed fix
-        assert(!!clientID, `no clientID assigned`);
+        assert(!!responseClientID, `no clientID assigned`);
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/auth0/src/handlers/auth0-handlers.ts` around lines 130 - 134, The
assertion at line 133 checks the wrong variable in the failed-login flow. The
code assigns `responseClientID` as either `query.client_id` or `clientID`, and
this `responseClientID` value is what gets sent to `loginView`. However, the
assert statement validates `clientID` instead of `responseClientID`. Update the
assertion to check `responseClientID` instead of `clientID` to ensure the actual
value being used downstream is properly assigned.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/auth0/bin/start.mjs`:
- Around line 53-59: The startup URL construction in the console.log statement
hardcodes the protocol as https:// instead of using the configured protocol
parameter, and does not handle IPv6 address formatting (which requires brackets
around the address in URLs). Modify the URL string construction to use the
protocol variable that should be available from the command-line arguments or
configuration, and add logic to check if the host is an IPv6 address (contains
colons) and wrap it in brackets before inserting it into the URL template.

In `@packages/auth0/example/index.mts`:
- Around line 15-21: The startup message in the console.log statement hardcodes
"https://" in the URL regardless of the actual protocol configuration of the
simulator, and IPv6 addresses like "::" need to be wrapped in brackets to form
valid URLs. Modify the console.log message to use the correct protocol that
matches the simulator's actual configuration (likely HTTP for a local simulator)
and ensure IPv6 addresses are wrapped in brackets when constructing the URL
string for host.

In `@packages/auth0/README.md`:
- Line 31: The README.md file at line 31 contains an instance of "github issue"
that should be capitalized as "GitHub issue" to follow proper product naming
conventions. Locate the text "please create a github issue to start a
conversation about" and capitalize the "g" in "github" to "GitHub" to match the
official product name.
- Around line 39-41: The README documentation contains an inconsistency between
the HTTPS requirement stated in lines 39-41 and the Quick Start protocol example
on line 48. Update the default startup URL example on line 48 from using HTTP to
HTTPS protocol (change http://localhost:4400 to https://localhost:4400) to align
with both the Auth0 client HTTPS requirement documented in lines 39-41 and the
default config sample shown in lines 56-57, ensuring consistent messaging
throughout the documentation.

In `@packages/auth0/src/types.ts`:
- Around line 28-32: The validation message for the clientID field is misleading
because it says "must be 32 characters long" but the schema uses .max(32) which
only enforces a maximum length, not an exact length. Either change the
validation to use .length(32) to enforce exactly 32 characters (which appears to
match the 32-character default value), or update the error message to say "must
be at most 32 characters long" to accurately reflect the maximum length
constraint. Choose based on whether exact or maximum length validation is
actually required for the clientID field.

---

Outside diff comments:
In `@packages/auth0/src/handlers/auth0-handlers.ts`:
- Around line 130-134: The assertion at line 133 checks the wrong variable in
the failed-login flow. The code assigns `responseClientID` as either
`query.client_id` or `clientID`, and this `responseClientID` value is what gets
sent to `loginView`. However, the assert statement validates `clientID` instead
of `responseClientID`. Update the assertion to check `responseClientID` instead
of `clientID` to ensure the actual value being used downstream is properly
assigned.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 79b2a5b4-8b0c-49d4-b0f9-96ab85c87183

📥 Commits

Reviewing files that changed from the base of the PR and between 1d85e34 and 646b85b.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (10)
  • packages/auth0/README.md
  • packages/auth0/bin/start.mjs
  • packages/auth0/example/index.mts
  • packages/auth0/package.json
  • packages/auth0/src/config/get-config.ts
  • packages/auth0/src/handlers/auth0-handlers.ts
  • packages/auth0/src/index.ts
  • packages/auth0/src/types.ts
  • packages/auth0/src/views/login.ts
  • packages/auth0/test/config.test.ts

Comment on lines +53 to +59
const host =
typeof info === "object" && info?.address && !["::", "0.0.0.0"].includes(info.address)
? info.address
: "localhost";
console.log(
`Auth0 simulation server started at https://${host}:${port}\n` +
`Visit the root route to view all available routes.\n\n` +

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use the configured protocol in the startup URL (and normalize IPv6 host formatting).

Line 58 hardcodes https://, so --protocol http still prints an HTTPS URL. Also, IPv6 addresses like ::1 should be bracketed before composing a URL.

💡 Proposed fix
-      const host =
-        typeof info === "object" && info?.address && !["::", "0.0.0.0"].includes(info.address)
-          ? info.address
-          : "localhost";
+      const protocol = result.value.protocol ?? "https";
+      const rawHost =
+        typeof info === "object" && info?.address && !["::", "0.0.0.0"].includes(info.address)
+          ? info.address
+          : "localhost";
+      const host = rawHost.includes(":") ? `[${rawHost}]` : rawHost;
       console.log(
-        `Auth0 simulation server started at https://${host}:${port}\n` +
+        `Auth0 simulation server started at ${protocol}://${host}:${port}\n` +
           `Visit the root route to view all available routes.\n\n` +
           `Point your configuration at this simulation server and use the default user below.\n` +
           `Email: ${defaultUser.email}\nPassword: ${defaultUser.password}\n` +
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const host =
typeof info === "object" && info?.address && !["::", "0.0.0.0"].includes(info.address)
? info.address
: "localhost";
console.log(
`Auth0 simulation server started at https://${host}:${port}\n` +
`Visit the root route to view all available routes.\n\n` +
const protocol = result.value.protocol ?? "https";
const rawHost =
typeof info === "object" && info?.address && !["::", "0.0.0.0"].includes(info.address)
? info.address
: "localhost";
const host = rawHost.includes(":") ? `[${rawHost}]` : rawHost;
console.log(
`Auth0 simulation server started at ${protocol}://${host}:${port}\n` +
`Visit the root route to view all available routes.\n\n` +
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/auth0/bin/start.mjs` around lines 53 - 59, The startup URL
construction in the console.log statement hardcodes the protocol as https://
instead of using the configured protocol parameter, and does not handle IPv6
address formatting (which requires brackets around the address in URLs). Modify
the URL string construction to use the protocol variable that should be
available from the command-line arguments or configuration, and add logic to
check if the host is an IPv6 address (contains colons) and wrap it in brackets
before inserting it into the URL template.

Comment on lines +15 to +21
const host =
typeof info === "object" && info?.address && !["::", "0.0.0.0"].includes(info.address)
? info.address
: "localhost";
console.log(
`auth0 simulation server started at https://localhost:4400\nusername: default@example.com\npassword: 12345\n`,
),
);
`Auth0 simulation server started at https://${host}:${port}\n` +
`username: default@example.com\n` +

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Startup message should not hardcode HTTPS in the example output.

Line 20 always prints https://... even when the simulator is configured for HTTP, and raw IPv6 hosts should be bracketed for a valid URL string.

💡 Proposed fix
 app.listen().then(({ server, port }) => {
   const info = server.address();
-  const host =
+  const protocol = "https"; // or derive from configured protocol if exposed in this example
+  const rawHost =
     typeof info === "object" && info?.address && !["::", "0.0.0.0"].includes(info.address)
       ? info.address
       : "localhost";
+  const host = rawHost.includes(":") ? `[${rawHost}]` : rawHost;
   console.log(
-    `Auth0 simulation server started at https://${host}:${port}\n` +
+    `Auth0 simulation server started at ${protocol}://${host}:${port}\n` +
       `username: default@example.com\n` +
       `password: 12345\n`,
   );
 });
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const host =
typeof info === "object" && info?.address && !["::", "0.0.0.0"].includes(info.address)
? info.address
: "localhost";
console.log(
`auth0 simulation server started at https://localhost:4400\nusername: default@example.com\npassword: 12345\n`,
),
);
`Auth0 simulation server started at https://${host}:${port}\n` +
`username: default@example.com\n` +
const protocol = "https"; // or derive from configured protocol if exposed in this example
const rawHost =
typeof info === "object" && info?.address && !["::", "0.0.0.0"].includes(info.address)
? info.address
: "localhost";
const host = rawHost.includes(":") ? `[${rawHost}]` : rawHost;
console.log(
`Auth0 simulation server started at ${protocol}://${host}:${port}\n` +
`username: default@example.com\n` +
`password: 12345\n`,
);
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/auth0/example/index.mts` around lines 15 - 21, The startup message
in the console.log statement hardcodes "https://" in the URL regardless of the
actual protocol configuration of the simulator, and IPv6 addresses like "::"
need to be wrapped in brackets to form valid URLs. Modify the console.log
message to use the correct protocol that matches the simulator's actual
configuration (likely HTTP for a local simulator) and ensure IPv6 addresses are
wrapped in brackets when constructing the URL string for host.

Comment thread packages/auth0/README.md
flow](https://developer.okta.com/docs/concepts/oauth-openid/).

If this does not meet your needs then please create a github issue to start a conversation about adding new OpenID flows.
If this does not meet your needs then please create a github issue to start a conversation about

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Capitalize “GitHub” in user-facing docs.

Line 31 should use GitHub issue for correct product naming.

🧰 Tools
🪛 LanguageTool

[uncategorized] ~31-~31: The official name of this software platform is spelled with a capital “H”.
Context: ...ot meet your needs then please create a github issue to start a conversation about add...

(GITHUB)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/auth0/README.md` at line 31, The README.md file at line 31 contains
an instance of "github issue" that should be capitalized as "GitHub issue" to
follow proper product naming conventions. Locate the text "please create a
github issue to start a conversation about" and capitalize the "g" in "github"
to "GitHub" to match the official product name.

Source: Linters/SAST tools

Comment thread packages/auth0/README.md
Comment on lines +39 to +41
> The Auth0 clients expect the server to be served as `https`, and will throw an error if it is
> served as `http`. Currently, we rely on a certificate available in the home directory. On first
> run, you will see instructions on how to set up this certificate through `mkcert`.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Quick Start protocol example is inconsistent with the surrounding HTTPS guidance.

Line 48 says the default startup URL is http://localhost:4400, while Lines 39-41 and the default config sample (Lines 56-57) point to HTTPS. Please align these to a single default behavior to avoid setup confusion.

Also applies to: 48-48, 56-57

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/auth0/README.md` around lines 39 - 41, The README documentation
contains an inconsistency between the HTTPS requirement stated in lines 39-41
and the Quick Start protocol example on line 48. Update the default startup URL
example on line 48 from using HTTP to HTTPS protocol (change
http://localhost:4400 to https://localhost:4400) to align with both the Auth0
client HTTPS requirement documented in lines 39-41 and the default config sample
shown in lines 56-57, ensuring consistent messaging throughout the
documentation.

Comment on lines +28 to +32
clientID: {
schema: z.optional(z.string().max(32, "must be 32 characters long")),
description: "auth0 client ID",
default: "00000000000000000000000000000000" as const,
},

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Misleading validation message for clientID.

The validation message says "must be 32 characters long" but max(32) enforces a maximum length, not an exact length. If exact length is required, use .length(32). If up to 32 is correct, update the message.

Suggested fix

If max length is intended:

  clientID: {
-   schema: z.optional(z.string().max(32, "must be 32 characters long")),
+   schema: z.optional(z.string().max(32, "must be at most 32 characters")),
    description: "auth0 client ID",
    default: "00000000000000000000000000000000" as const,
  },

Or if exact length is intended:

  clientID: {
-   schema: z.optional(z.string().max(32, "must be 32 characters long")),
+   schema: z.optional(z.string().length(32, "must be exactly 32 characters")),
    description: "auth0 client ID",
    default: "00000000000000000000000000000000" as const,
  },
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
clientID: {
schema: z.optional(z.string().max(32, "must be 32 characters long")),
description: "auth0 client ID",
default: "00000000000000000000000000000000" as const,
},
clientID: {
schema: z.optional(z.string().length(32, "must be exactly 32 characters")),
description: "auth0 client ID",
default: "00000000000000000000000000000000" as const,
},
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/auth0/src/types.ts` around lines 28 - 32, The validation message for
the clientID field is misleading because it says "must be 32 characters long"
but the schema uses .max(32) which only enforces a maximum length, not an exact
length. Either change the validation to use .length(32) to enforce exactly 32
characters (which appears to match the 32-character default value), or update
the error message to say "must be at most 32 characters long" to accurately
reflect the maximum length constraint. Choose based on whether exact or maximum
length validation is actually required for the clientID field.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants