Skip to content

qa -> main#15

Merged
rlyhan merged 13 commits into
mainfrom
qa
May 27, 2026
Merged

qa -> main#15
rlyhan merged 13 commits into
mainfrom
qa

Conversation

@rlyhan

@rlyhan rlyhan commented May 27, 2026

Copy link
Copy Markdown
Owner

No description provided.

rlyhan added 11 commits May 26, 2026 18:19
Browsers block third-party cookies from touchgrass-api.fly.dev when the
page is served from touchgrass-mobile.vercel.app. Enable better-auth's
bearer plugin server-side so Authorization: Bearer tokens are accepted,
and persist the session token in localStorage on web. Native flow
(SecureStore via @better-auth/expo) is unchanged.
Adds a GitHub Action that runs flyctl deploy --remote-only against
touchgrass-api-qa whenever qa is updated and the change touches API
sources, Dockerfile, fly.toml, or lockfiles. Requires FLY_API_TOKEN
repo secret (create with: fly tokens create deploy).
Mirrors the QA workflow but targets touchgrass-api-prod via
fly.prod.toml on push to main. Uses a separate FLY_API_TOKEN_PROD
secret so the QA and prod deploy tokens can be scoped/rotated
independently.
- eas.json: point preview at touchgrass-api-qa.fly.dev and production
  at touchgrass-api-prod.fly.dev (were still hitting the old Render URL)
- Remove the Render keep-warm GitHub Action — Fly uses suspend with
  ~1-3s resume, so the workaround is no longer needed
- Drop 'credentials: include' on web fetches — third-party cookies are
  blocked and bearer tokens now carry the session
- Require signed bearer tokens (bearer({ requireSignature: true })) so a
  leaked raw session id alone is not a usable credential — only the
  HMAC-signed value emitted via the set-auth-token response header
  works.
- Web client now picks up the signed token from the set-auth-token
  response header in the onSuccess hook and drops the signIn/signUp
  wrappers that read the raw token from the response body. Keeps the
  session id out of bodies that may be logged.
- authedFetch on web also clears the stored token on 401, so revoked
  sessions don't leave a stale token in localStorage extending the XSS
  exfil window.
- Split CORS origins from better-auth trustedOrigins: cors() now only
  receives http(s):// entries, app-scheme values (touchgrass://, exp://)
  remain only on the better-auth side where they're meaningful.
fix: deploy actions and security issues
@vercel

vercel Bot commented May 27, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
touchgrass-mobile Ready Ready Preview, Comment May 27, 2026 5:46am
touchgrass-mobile-qa Ready Ready Preview, Comment May 27, 2026 5:46am

rlyhan added 2 commits May 27, 2026 17:33
Reduces the chance an XSS bug can execute in the web client — the
primary mitigation against localStorage bearer-token exfiltration on
the cross-site setup, where HttpOnly cookies are not an option.

- vercel.json: add Content-Security-Policy-Report-Only plus
  X-Content-Type-Options, X-Frame-Options, Referrer-Policy and a
  Permissions-Policy disabling camera/microphone/geolocation/
  interest-cohort. CSP is report-only on first deploy because Expo
  Router's static export may emit inline hydration scripts that
  violate script-src 'self'; flip the header name to
  Content-Security-Policy after verifying no console violations.
- Bump version to 1.2.4.
fix: add browser security headers and CSP
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant