Skip to content

Release v2.10.0 #945

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
gyaneshgouraw-okta merged 2 commits into from
Dec 4, 2025
Merged

Release v2.10.0 #945

gyaneshgouraw-okta merged 2 commits into from
Dec 4, 2025

Conversation

@gyaneshgouraw-okta
Copy link
Contributor

@gyaneshgouraw-okta gyaneshgouraw-okta commented Dec 4, 2025

Added

@gyaneshgouraw-okta gyaneshgouraw-okta requested a review from a team as a code owner December 4, 2025 21:43
@arpit-jn
Copy link
Contributor

arpit-jn commented Dec 4, 2025

@claude

@github-actions
Copy link

github-actions bot commented Dec 4, 2025
edited
Loading

Claude finished @arpit-jn's task —— View job

Review Complete

I've reviewed this release PR which adds custom token exchange support (RFC 8693) to auth0-react. Here are my findings:

Critical Issues Found

1. Race Condition and Error Handling Bug - src/auth0-provider.tsx:282-304

The exchangeToken implementation has a critical flaw in its error handling:

try {
  tokenResponse = await client.exchangeToken(options);
} catch (error) {
  throw tokenError(error);
} finally {
  // This ALWAYS executes, even on error!
  dispatch({
    type: 'GET_ACCESS_TOKEN_COMPLETE',
    user: await client.getUser(),
  });
}

Problems:

  • The finally block executes even when token exchange fails, causing state updates with potentially stale/incorrect user data
  • client.getUser() in the finally block has no error handling and can throw an unhandled promise rejection
  • On token exchange failure, the app still dispatches GET_ACCESS_TOKEN_COMPLETE, updating isAuthenticated based on existing user state rather than the failed operation
  • This creates an inconsistent state where the token exchange failed but the user appears authenticated

Impact: High - This can mask authentication failures and leave the application in an inconsistent security state.

2. Security: Missing Input Validation - src/auth0-provider.tsx:282-304

The exchangeToken function accepts CustomTokenExchangeOptions without any validation before passing to the underlying client:

Missing validations:

  • No validation that subject_token is non-empty or properly formatted
  • No validation that subject_token_type follows the required URI format
  • No length limits on input parameters (DoS risk)
  • No sanitization of scope values

Security Risk: While the underlying Auth0 SDK may handle some validation, the React wrapper should validate inputs at the API boundary to:

  1. Provide better error messages to developers
  2. Prevent unnecessary network requests with invalid data
  3. Enforce security best practices at the framework level

3. Documentation Security Gap - EXAMPLES.md

The example code and documentation has a critical security warning that needs more prominence:

const handleExchange = async (externalToken) => {
  const tokenResponse = await exchangeToken({
    subject_token: externalToken,
    subject_token_type: 'urn:your-company:legacy-system-token',

Issue: The documentation mentions token validation in a note at the bottom, but doesn't emphasize that:

  • The external token MUST be cryptographically validated in Auth0 Actions before acceptance
  • Using weak or no validation can lead to authentication bypass
  • The subject_token_type URI MUST be under your organization's control to prevent token type confusion attacks

Recommendation: Add a prominent security warning at the top of the example explaining the validation requirements.

Code Quality Issues

4. Inconsistent Error Handling Pattern

Comparing exchangeToken to handleRedirectCallback (lines 306-319), both use identical finally block patterns with await client.getUser(). This suggests a systemic issue:

  • Both functions can fail to update state correctly if getUser() fails
  • Both have the same race condition vulnerability
  • The pattern is repeated, indicating it needs a refactor

Recommendation: Extract error handling to a shared helper function and only update state on success.

5. Missing JSDoc Parameter Documentation

While exchangeToken has good high-level documentation, it lacks detailed parameter documentation:

exchangeToken: (
  options: CustomTokenExchangeOptions
) => Promise<TokenEndpointResponse>;

The JSDoc should document:

  • Required vs optional fields in CustomTokenExchangeOptions
  • Format requirements for subject_token_type
  • What happens with audience and scope defaults
  • Error types that can be thrown

Performance Considerations

6. Unnecessary getUser() Call After Token Exchange

The implementation calls client.getUser() after every token exchange:

dispatch({
  type: 'GET_ACCESS_TOKEN_COMPLETE',
  user: await client.getUser(),
});

Issues:

  • Token exchange doesn't always modify user state - it's primarily for getting tokens
  • This adds an extra network round-trip on every token exchange
  • The reducer checks if (state.user === action.user) but only for reference equality, not deep equality

Impact: Unnecessary network overhead, especially for high-frequency token exchanges.

Testing Gaps

7. Missing Edge Case Tests

The test suite covers happy path and basic error handling, but misses:

  • What happens if getUser() fails in the finally block?
  • Race condition scenarios (concurrent exchangeToken calls)
  • Token exchange with malformed subject_token_type URIs
  • Empty or null subject_token values
  • Network timeout scenarios

Security Best Practices

8. Token Logging Risk

The example code includes:

console.log('Access Token:', tokenResponse.access_token);
console.log('ID Token:', tokenResponse.id_token);

Risk: This encourages developers to log sensitive tokens, which can lead to:

  • Tokens appearing in browser console logs
  • Tokens being included in error reporting tools
  • Tokens persisting in log aggregation systems

Recommendation: Remove token logging from examples or add a prominent warning.

Overall Assessment

❌ This pull request has critical issues that should be addressed. The error handling bug in the token exchange flow can cause authentication state inconsistencies and potential security issues.

Primary Concerns:

  1. Critical bug: The finally block pattern causes state updates even on errors
  2. Security: Missing input validation and documentation gaps around token validation requirements
  3. Reliability: Unhandled promise rejections possible in error paths

Recommended Actions:

  1. Fix the error handling to only update state on success
  2. Add error handling for client.getUser() calls
  3. Add input validation for token exchange parameters
  4. Enhance security warnings in documentation
  5. Add edge case tests for error scenarios

@gyaneshgouraw-okta
Copy link
Contributor Author

gyaneshgouraw-okta commented Dec 4, 2025
edited
Loading

Concerns raised by Claude review seem to be already addressed in the original PR description, so some of the comments may not fully apply in this context. Refer original PR and related discussion - #928

@gyaneshgouraw-okta gyaneshgouraw-okta merged commit f0b9fb0 into main Dec 4, 2025
12 checks passed
@gyaneshgouraw-okta gyaneshgouraw-okta deleted the release/v2.10.0 branch December 4, 2025 22:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arpit-jn arpit-jn arpit-jn approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@gyaneshgouraw-okta @arpit-jn @frederikprijck