fix: Validate auth callback state #12802

Merged
anthonyshew merged 1 commit into main from shew/turbo-5521-5516-auth-state
May 14, 2026

@anthonyshew anthonyshew commented May 14, 2026

Contributor
  • Adds CSRF state generation and validation to self-hosted login and SSO callback flows.
  • Rejects missing or mismatched callback state before accepting returned tokens.
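
The check this description outlines, as an added example that is not code from this pull request or from Turborepo: a client issues a random `state` with the login request and refuses the callback unless exactly one matching `state` comes back, before it reads the token. The parameter names `redirect_uri`, `state` and `token`, the exception name and all URLs are assumptions constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class CallbackRejected(Exception):
    """Raised when a login callback must not be trusted (hypothetical name)."""


def new_state() -> str:
    # 32 bytes from the OS CSPRNG, URL-safe encoded; one fresh value per login attempt.
    return secrets.token_urlsafe(32)


def build_login_url(login_base: str, redirect_uri: str, state: str) -> str:
    # The client keeps `state` in memory and sends a copy along with the login request.
    query = urlencode({"redirect_uri": redirect_uri, "state": state})
    return f"{login_base}?{query}"


def accept_callback(callback_url: str, expected_state: str) -> str:
    """Return the token only if the callback echoes the state issued for this attempt."""
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)

    # Validate state first: absent, empty or repeated values are all rejected.
    returned = params.get("state", [])
    if len(returned) != 1 or not returned[0]:
        raise CallbackRejected("missing or ambiguous state")
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(returned[0].encode(), expected_state.encode()):
        raise CallbackRejected("state mismatch")

    # Only now is the token looked at.
    tokens = params.get("token", [])
    if len(tokens) != 1 or not tokens[0]:
        raise CallbackRejected("missing or ambiguous token")
    return tokens[0]


if __name__ == "__main__":
    # Constructed sample values; no network access is needed.
    state = new_state()
    print(build_login_url("https://login.example.test/start", "http://127.0.0.1:8080/cb", state))
    print(accept_callback(f"http://127.0.0.1:8080/cb?token=tok_constructed&state={state}", state))
```
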

@anthonyshew anthonyshew requested a review from a team as a code owner May 14, 2026 17:59
@anthonyshew anthonyshew requested review from tknickman and removed request for a team May 14, 2026 17:59
vercel Bot commented May 14, 2026

Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| examples-basic-web | Ready | Preview, Comment, Open in v0 | May 14, 2026 6:07pm |
| examples-designsystem-docs | Ready | Preview, Comment, Open in v0 | May 14, 2026 6:07pm |
| examples-gatsby-web | Ready | Preview, Comment, Open in v0 | May 14, 2026 6:07pm |
| examples-kitchensink-blog | Ready | Preview, Comment, Open in v0 | May 14, 2026 6:07pm |
| examples-nonmonorepo | Ready | Preview, Comment, Open in v0 | May 14, 2026 6:07pm |
| examples-svelte-web | Ready | Preview, Comment, Open in v0 | May 14, 2026 6:07pm |
| examples-tailwind-web | Ready | Preview, Comment, Open in v0 | May 14, 2026 6:07pm |
| examples-vite-web | Ready | Preview, Comment, Open in v0 | May 14, 2026 6:07pm |
| turbo-site | Ready | Preview, Comment, Open in v0 | May 14, 2026 6:07pm |

@anthonyshew anthonyshew force-pushed the shew/turbo-5521-5516-auth-state branch from 16d443d to d211dfc Compare May 14, 2026 18:06
@anthonyshew anthonyshew force-pushed the shew/turbo-5473-vscode-safe-task-run branch from b3ef80f to 7a9f95d Compare May 14, 2026 18:06
@anthonyshew anthonyshew changed the base branch from shew/turbo-5473-vscode-safe-task-run to main May 14, 2026 18:06
@anthonyshew anthonyshew enabled auto-merge (squash) May 14, 2026 18:20
@anthonyshew anthonyshew merged commit 84f4508 into main May 14, 2026
58 of 67 checks passed
@anthonyshew anthonyshew deleted the shew/turbo-5521-5516-auth-state branch May 14, 2026 18:22
anthonyshew added a commit that referenced this pull request May 14, 2026
## Summary

- Recreates the release PR that the failed v2.9.13 workflow never
opened.
- Advances `version.txt` to `2.9.14-canary.0` so the next release does
not retry `2.9.13`.
- Keeps package and Turborepo skill metadata aligned with the attempted
`2.9.13` release state.

## Context

The v2.9.13 release failed during npm publishing after a partial native
package publish. This PR only moves repository state forward; it does
not create a `v2.9.13` tag or complete the npm publish.

## Changes Since v2.9.12

- release(turborepo): 2.9.12 (#12774) (`c1f923a`)
- fix: Restore docs mobile menu (#12782) (`859c629`)
- ci: Use `pull_request` for PR title linting (#12787) (`4cf9fab`)
- ci: Scope GitHub Actions caches by branch (#12788) (`5fcb960`)
- test: Validate lockfiles without dependency downloads (#12789)
(`71f8c90`)
- Removed unneeded import form hash creation script in docs (#12799)
(`1779ad7`)
- fix: Validate auth callback state (#12802) (`84f4508`)
- fix: Harden VS Code extension command execution (#12800) (`91c90cb`)
- fix: Avoid project-local Yarn during detection (#12801) (`e8e629d`)
anthonyshew pushed a commit that referenced this pull request May 15, 2026
## Release v2.9.14

> [!CAUTION]
> Versioned docs aliasing FAILED. [View
logs](https://github.com/vercel/turborepo/actions/runs/25882155729)

### Changes

- release(turborepo): 2.9.12 (#12774) (`c1f923a`)
- fix: Restore docs mobile menu (#12782) (`859c629`)
- ci: Use `pull_request` for PR title linting (#12787) (`4cf9fab`)
- ci: Scope GitHub Actions caches by branch (#12788) (`5fcb960`)
- test: Validate lockfiles without dependency downloads (#12789)
(`71f8c90`)
- Removed unneeded import form hash creation script in docs (#12799)
(`1779ad7`)
- fix: Validate auth callback state (#12802) (`84f4508`)
- fix: Harden VS Code extension command execution (#12800) (`91c90cb`)
- fix: Avoid project-local Yarn during detection (#12801) (`e8e629d`)
- chore: Release 2.9.13 (#12803) (`fb8c9ae`)

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>