Conversation
Browsers block third-party cookies from touchgrass-api.fly.dev when the page is served from touchgrass-mobile.vercel.app. Enable better-auth's bearer plugin server-side so Authorization: Bearer tokens are accepted, and persist the session token in localStorage on web. Native flow (SecureStore via @better-auth/expo) is unchanged.
feat: qa env setup
Adds a GitHub Action that runs flyctl deploy --remote-only against touchgrass-api-qa whenever qa is updated and the change touches API sources, Dockerfile, fly.toml, or lockfiles. Requires FLY_API_TOKEN repo secret (create with: fly tokens create deploy).
Mirrors the QA workflow but targets touchgrass-api-prod via fly.prod.toml on push to main. Uses a separate FLY_API_TOKEN_PROD secret so the QA and prod deploy tokens can be scoped/rotated independently.
- eas.json: point preview at touchgrass-api-qa.fly.dev and production at touchgrass-api-prod.fly.dev (were still hitting the old Render URL) - Remove the Render keep-warm GitHub Action — Fly uses suspend with ~1-3s resume, so the workaround is no longer needed - Drop 'credentials: include' on web fetches — third-party cookies are blocked and bearer tokens now carry the session
- Require signed bearer tokens (bearer({ requireSignature: true })) so a
leaked raw session id alone is not a usable credential — only the
HMAC-signed value emitted via the set-auth-token response header
works.
- Web client now picks up the signed token from the set-auth-token
response header in the onSuccess hook and drops the signIn/signUp
wrappers that read the raw token from the response body. Keeps the
session id out of bodies that may be logged.
- authedFetch on web also clears the stored token on 401, so revoked
sessions don't leave a stale token in localStorage extending the XSS
exfil window.
- Split CORS origins from better-auth trustedOrigins: cors() now only
receives http(s):// entries, app-scheme values (touchgrass://, exp://)
remain only on the better-auth side where they're meaningful.
fix: deploy actions and security issues
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Reduces the chance an XSS bug can execute in the web client — the primary mitigation against localStorage bearer-token exfiltration on the cross-site setup, where HttpOnly cookies are not an option. - vercel.json: add Content-Security-Policy-Report-Only plus X-Content-Type-Options, X-Frame-Options, Referrer-Policy and a Permissions-Policy disabling camera/microphone/geolocation/ interest-cohort. CSP is report-only on first deploy because Expo Router's static export may emit inline hydration scripts that violate script-src 'self'; flip the header name to Content-Security-Policy after verifying no console violations. - Bump version to 1.2.4.
fix: add browser security headers and CSP
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.