fix(server-auth-actions): accept member-expression auth calls like auth0.getSession() (#239) #264
Closed
NisargIO wants to merge 2 commits into
…uth0.getSession()` (#239)

`containsAuthCheck` only recognised auth calls with a bare `Identifier` callee (`auth()`, `getSession()`, …), so every `auth0.getSession()`, `supabase.auth.getSession()`, `clerkClient.getUser()` was missed and the whole server action got flagged. One reporter hit 139 false positives — essentially every server action in the repo.

Route every CallExpression through the existing `getCalleeName` utility, which already resolves both Identifier and MemberExpression callees to a single name. `walkAst` already descends into `AwaitExpression` / `ChainExpression` children, so `await auth0.getSession()` and `auth0?.getSession()` fall out for free with no extra branching.

Closes #239. Supersedes PR #240.

Co-authored-by: Cursor <cursoragent@cursor.com>
🔴 React Review — 0/100 (unchanged) · No new issues. Reviewed by react-review for commit 5bff156.
71ecf0a to bd9778a
Closing in favor of reopened #261 (same diff, same branch).
3b9af6a to 5bff156
Summary

Re-opens #261, which GitHub auto-closed after a force-push during rebase. Stacked on top of #263.

`server-auth-actions` only recognised auth calls when the callee was a bare `Identifier` — `auth()`, `getSession()`, `getUser()`, etc. Every member-expression flavour (`auth0.getSession()`, `supabase.auth.getSession()`, `clerkClient.getUser(userId)`, `request.auth()`) slipped through and the whole server action got flagged as missing an auth check. One reporter in #239 hit 139 false positives — essentially every server action in the repo.

Route every `CallExpression` through the existing `getCalleeName` utility, which already resolves both `Identifier` and `MemberExpression` callees to a single name. `walkAst` already descends into `AwaitExpression` / `ChainExpression` children, so awaited (`await auth0.getSession()`) and optional-chained (`auth0?.getSession()`) variants fall out for free with no extra branching.

This is more elegant than #240 (which adds a second `else if` branch duplicating the identifier check) and reuses code we already have.

Now accepted as an auth check

- `await auth0.getSession()` — the verbatim repro
- `auth0.getSession()` (non-awaited)
- `await supabase.auth.getSession()` (chained member expression)
- `await clerkClient.getUser(userId)`
- `await auth0?.getSession()` (optional chaining)
- `await auth()` / `await getSession()` (the original Identifier forms — still works)

Still flagged

`.something()` member methods.

Test plan

- `packages/react-doctor/tests/regressions/server-auth-actions-member-call.test.ts` with 6 false-negative cases and 3 true-positive cases.
- `nr typecheck`, `nr lint`, `nr test` (918/918), `nr format:check` all pass.
- `server-auth-actions` regressions in `packages/react-doctor/tests/run-oxlint/nextjs.test.ts` still pass.

Closes #239. Supersedes #240.
Made with Cursor
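
A minimal sketch of the matching approach the description outlines, added here as an example and not react-doctor's own code: the bodies of `getCalleeName`, `walkAst` and `containsAuthCheck`, the `AUTH_NAMES` set and the hand-built ESTree nodes are all assumptions. It also shows that matching on the resolved name alone accepts the same method name on any object.

```javascript
// Added example; ESTree node shapes are built by hand (constructed input).
// AUTH_NAMES holds only names the PR text mentions; the rule's real list is not on this page.
const AUTH_NAMES = new Set(["auth", "getSession", "getUser"]);

// Resolve a callee to one name: `auth` -> "auth", `a.b.getSession` -> "getSession".
function getCalleeName(callee) {
  if (!callee) return null;
  if (callee.type === "Identifier") return callee.name;
  if (callee.type === "MemberExpression" && !callee.computed &&
      callee.property.type === "Identifier") return callee.property.name;
  return null; // computed access such as obj[key]() is not resolved
}

// Depth-first walk over every child node, so await / optional-chain wrappers need no special case.
function walkAst(node, visit) {
  if (!node || typeof node.type !== "string") return;
  visit(node);
  for (const value of Object.values(node)) {
    for (const child of Array.isArray(value) ? value : [value]) {
      if (child && typeof child === "object") walkAst(child, visit);
    }
  }
}

function containsAuthCheck(body) {
  let found = false;
  walkAst(body, (node) => {
    if (node.type === "CallExpression" && AUTH_NAMES.has(getCalleeName(node.callee))) found = true;
  });
  return found;
}

// Helpers for building constructed AST nodes.
const id = (name) => ({ type: "Identifier", name });
const member = (object, prop, optional = false) =>
  ({ type: "MemberExpression", object, property: id(prop), computed: false, optional });
const call = (callee, args = []) => ({ type: "CallExpression", callee, arguments: args, optional: false });
const awaited = (argument) => ({ type: "AwaitExpression", argument });
const chain = (expression) => ({ type: "ChainExpression", expression });

const samples = {
  "await auth0.getSession()": awaited(call(member(id("auth0"), "getSession"))),
  "await supabase.auth.getSession()": awaited(call(member(member(id("supabase"), "auth"), "getSession"))),
  "await auth0?.getSession()": awaited(chain(call(member(id("auth0"), "getSession", true)))),
  "await auth()": awaited(call(id("auth"))),
  "await db.something()": awaited(call(member(id("db"), "something"))), // no auth name: stays flagged
  "await cache.getSession()": awaited(call(member(id("cache"), "getSession"))), // name-only match: accepted
};
for (const [src, ast] of Object.entries(samples)) console.log(containsAuthCheck(ast) ? "auth check" : "FLAGGED   ", src);
```

Because only the final property name is compared, the presence of a matching call says nothing about whether its result is checked before the action does its work.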