Skip to content

stack-cli: support self-hosted URLs and tighten CLI auth polling #1419

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mantrakp04 wants to merge 3 commits into
base: dev
Choose a base branch
from
+37 −24
Open

stack-cli: support self-hosted URLs and tighten CLI auth polling #1419

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e0025b2
stack-cli: support self-hosted URLs and tighten CLI auth polling
mantrakp04 May 6, 2026
f9aa931
Merge branch 'dev' into cli/self-host-urls-and-poll-hardening
mantrakp04 May 6, 2026
38a64ff
Update max expiration time for CLI auth polling from 15 minutes to 24…
mantrakp04 May 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 31 additions & 20 deletions apps/backend/src/app/api/latest/auth/cli/poll/route.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,16 @@
import { getPrismaClientForTenancy } from "@/prisma-client";
import { Prisma } from "@/generated/prisma/client";
import { getPrismaClientForTenancy, getPrismaSchemaForTenancy, sqlQuoteIdent } from "@/prisma-client";
import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
import { KnownErrors } from "@stackframe/stack-shared";
import { adaptSchema, clientOrHigherAuthTypeSchema, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";

type CliAuthAttemptRow = {
id: string,
refreshToken: string | null,
expiresAt: Date,
usedAt: Date | null,
};

// Helper function to create response
const createResponse = (status: 'waiting' | 'success' | 'expired' | 'used', refreshToken?: string) => ({
statusCode: status === 'success' ? 201 : 200,
Expand Down Expand Up @@ -38,18 +46,24 @@ export const POST = createSmartRouteHandler({
}),
async handler({ auth: { tenancy }, body: { polling_code } }) {
const prisma = await getPrismaClientForTenancy(tenancy);
const schema = await getPrismaSchemaForTenancy(tenancy);

// Find the CLI auth attempt
const cliAuth = await prisma.cliAuthAttempt.findFirst({
where: {
tenancyId: tenancy.id,
pollingCode: polling_code,
},
});
const cliAuthRows = await prisma.$queryRaw<CliAuthAttemptRow[]>(Prisma.sql`
SELECT
"id",
"refreshToken",
"expiresAt",
"usedAt"
FROM ${sqlQuoteIdent(schema)}."CliAuthAttempt"
WHERE "tenancyId" = ${tenancy.id}::UUID
AND "pollingCode" = ${polling_code}
LIMIT 1
`);

if (!cliAuth) {
if (cliAuthRows.length === 0) {
throw new KnownErrors.InvalidPollingCodeError();
}
const cliAuth = cliAuthRows[0];

if (cliAuth.expiresAt < new Date()) {
return createResponse('expired');
Expand All @@ -64,17 +78,14 @@ export const POST = createSmartRouteHandler({
}

// Mark as used
await prisma.cliAuthAttempt.update({
where: {
tenancyId_id: {
tenancyId: tenancy.id,
id: cliAuth.id,
},
},
data: {
usedAt: new Date(),
},
});
await prisma.$executeRaw(Prisma.sql`
UPDATE ${sqlQuoteIdent(schema)}."CliAuthAttempt"
SET
"usedAt" = NOW(),
"updatedAt" = NOW()
Comment on lines +81 to +85
WHERE "tenancyId" = ${tenancy.id}::UUID
AND "id" = ${cliAuth.id}::UUID
`);
Comment on lines 51 to +88
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot May 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 security TOCTOU race: refresh token can be returned twice

The SELECT and UPDATE are separate round-trips with no row-level lock or transaction guard. A second polling request that arrives between the $queryRaw (line 51) and the $executeRaw (line 81) will read the same row (usedAt = null, refreshToken set) and also receive a 201 with the same token. An attacker who obtains the polling_code before the legitimate client completes the handshake can race that window to claim the refresh token.

The pre-existing Prisma findFirstupdate had the same gap. Since this PR explicitly migrates to raw SQL, the atomic fix is straightforward: replace the two-step pattern with a single UPDATE ... WHERE "usedAt" IS NULL RETURNING "refreshToken" so the mark-as-used and the token retrieval are one atomic operation.

Prompt To Fix With AI 
This is a comment left during a code review.
Path: apps/backend/src/app/api/latest/auth/cli/poll/route.tsx
Line: 51-88

Comment:
**TOCTOU race: refresh token can be returned twice**

The SELECT and UPDATE are separate round-trips with no row-level lock or transaction guard. A second polling request that arrives between the `$queryRaw` (line 51) and the `$executeRaw` (line 81) will read the same row (`usedAt = null`, `refreshToken` set) and also receive a 201 with the same token. An attacker who obtains the `polling_code` before the legitimate client completes the handshake can race that window to claim the refresh token.

The pre-existing Prisma `findFirst``update` had the same gap. Since this PR explicitly migrates to raw SQL, the atomic fix is straightforward: replace the two-step pattern with a single `UPDATE ... WHERE "usedAt" IS NULL RETURNING "refreshToken"` so the mark-as-used and the token retrieval are one atomic operation.

How can I resolve this? If you propose a fix, please make it concise.

Fix in Claude Code Fix in Cursor Fix in Codex


return createResponse('success', cliAuth.refreshToken);
},
Expand Down
3 changes: 1 addition & 2 deletions apps/backend/src/app/api/latest/auth/cli/route.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ export const POST = createSmartRouteHandler({
tenancy: adaptSchema.defined(),
}).defined(),
body: yupObject({
expires_in_millis: yupNumber().max(1000 * 60 * 60 * 24).default(1000 * 60 * 120), // Default: 2 hours, max: 24 hours
expires_in_millis: yupNumber().max(1000 * 60 * 60 * 24).default(1000 * 60 * 2), // Default: 2 minutes, max: 24 hours
Copy link
Copy Markdown
Collaborator

@BilalG1 BilalG1 May 6, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 min might be too short, apparently 10 or 15 min is common

anon_refresh_token: yupString().optional(),
}).default({}),
}),
Expand All @@ -42,7 +42,6 @@ export const POST = createSmartRouteHandler({
let anonRefreshToken: string | null = null;

if (anon_refresh_token) {
// ProjectUserRefreshToken lives in the global DB (see tokens.tsx and oauth/model.tsx).
const refreshTokenRows = await globalPrismaClient.$queryRaw<RefreshTokenRow[]>(Prisma.sql`
SELECT "tenancyId", "projectUserId", "expiresAt"
FROM "ProjectUserRefreshToken"
Expand Down
3 changes: 3 additions & 0 deletions docker/server/.env.example
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@

NEXT_PUBLIC_STACK_API_URL=http://localhost:8102
NEXT_PUBLIC_STACK_DASHBOARD_URL=http://localhost:8101
STACK_API_URL=http://localhost:8102
STACK_DASHBOARD_URL=http://localhost:8101
STACK_CLI_PUBLISHABLE_CLIENT_KEY=
Comment on lines +5 to +7
Copy link
Copy Markdown
Collaborator

@BilalG1 BilalG1 May 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

don't think we need these, self-hosters would pass in these when running cli instead


STACK_DATABASE_CONNECTION_STRING=postgres://postgres:password@host.docker.internal:8128/stackframe

Expand Down
4 changes: 2 additions & 2 deletions packages/stack-cli/src/lib/auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
import { readConfigValue } from "./config.js";
import { AuthError } from "./errors.js";

export const DEFAULT_API_URL = "https://api.stack-auth.com";
export const DEFAULT_DASHBOARD_URL = "https://app.stack-auth.com";
export const DEFAULT_API_URL = process.env.STACK_API_URL ?? "https://api.stack-auth.com";
export const DEFAULT_DASHBOARD_URL = process.env.STACK_DASHBOARD_URL ?? "https://app.stack-auth.com";
Comment on lines +4 to +5
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot May 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 The DEFAULT_API_URL / DEFAULT_DASHBOARD_URL constants now embed the env-var lookup themselves. resolveApiUrl() already checks process.env.STACK_API_URL as its first step, so the env-var inside DEFAULT_API_URL is unreachable via that fallback chain — the constant only ever contributes the hardcoded cloud URL. Using a plain literal for the exported default avoids the misleading double-lookup and keeps the single source of truth inside the resolve* functions.

Suggested change
export const DEFAULT_API_URL = process.env.STACK_API_URL ?? "https://api.stack-auth.com";
export const DEFAULT_DASHBOARD_URL = process.env.STACK_DASHBOARD_URL ?? "https://app.stack-auth.com";
export const DEFAULT_API_URL = "https://api.stack-auth.com";
export const DEFAULT_DASHBOARD_URL = "https://app.stack-auth.com";
Prompt To Fix With AI 
This is a comment left during a code review.
Path: packages/stack-cli/src/lib/auth.ts
Line: 4-5

Comment:
The `DEFAULT_API_URL` / `DEFAULT_DASHBOARD_URL` constants now embed the env-var lookup themselves. `resolveApiUrl()` already checks `process.env.STACK_API_URL` as its first step, so the env-var inside `DEFAULT_API_URL` is unreachable via that fallback chain — the constant only ever contributes the hardcoded cloud URL. Using a plain literal for the exported default avoids the misleading double-lookup and keeps the single source of truth inside the `resolve*` functions.

```suggestion
export const DEFAULT_API_URL = "https://api.stack-auth.com";
export const DEFAULT_DASHBOARD_URL = "https://app.stack-auth.com";
```

How can I resolve this? If you propose a fix, please make it concise.

Fix in Claude Code Fix in Cursor Fix in Codex

export const DEFAULT_PUBLISHABLE_CLIENT_KEY = process.env.STACK_CLI_PUBLISHABLE_CLIENT_KEY ?? "pck_9bbqvqsbh0gdb6smk11d71qg4ktc4rz8ya7cc69yndm7g";

type Flags = {
Expand Down
Loading