Turnstile integration for fraud protection #1239
Merged
mantrakp04 merged 96 commits into dev from … on Mar 20, 2026
Conversation
…ng. Introduced new functions for calculating derived country codes and risk scores, updated API request handling to support optional risk scores, and improved validation for user input in the dashboard. Updated tests to cover new functionality and ensure proper handling of country codes and risk scores in user creation and updates.
…entralized `countryCodeSchema` for validation and normalization, updated relevant components and APIs to utilize this schema, and replaced ad-hoc country code handling with a new `CountryCodeSelect` component. Enhanced tests to ensure proper validation of country codes in various contexts, including sign-up rules and user dialogs.
…o, removing email-based inference. Update related functions and tests to reflect this change, ensuring proper handling of null values. Preserve existing country codes during anonymous user upgrades when geo is unavailable.
…ountryCodeSet` for improved consistency across the application. Update relevant imports and functions to utilize the new set, ensuring proper handling of country codes in user sign-up and validation processes.
… country code inference. Update related API and tests to accommodate the new email parameter, ensuring accurate country code derivation from both request geo and email tags. Maintain existing functionality for handling null values.
…d country code handling. Introduced new validation logic for `restricted_by_admin` fields and updated risk score schema. Enhanced consistency and maintainability of user-related data structures.
…e user schema to include risk scores. Enhanced tests to validate new fields and ensure proper handling of country codes and risk scores across various endpoints.
…. Enhanced test coverage for user data structures to ensure proper handling of new attributes across various scenarios.
…res fields. Improved test coverage for user data structures, ensuring proper handling of new attributes across various scenarios.
…structures. Adjusted status codes and error messages for team membership actions, and removed unnecessary fields from user responses. Enhanced test coverage for user data structures, ensuring proper handling of new attributes across various scenarios.
…ded tests to verify behavior of 'in_list' and 'equals' operations for country codes. Updated user dialog and country code select components to handle null values and improve validation logic. Refactored condition builder to ensure proper handling of single values and arrays for country code conditions.
…ttributes and country code. Updated conditions for setting `restricted_by_admin` and added `country_code` to the user response structure. Enhanced test snapshots to reflect these changes, ensuring accurate representation of user data.
…. Introduced new risk score calculations based on disposable email patterns, enhancing fraud detection capabilities. Updated tests to validate the new heuristics and their integration into the sign-up process.
STACK_RISK_BOT_DISPOSABLE_EMAIL_WEIGHT and STACK_RISK_FTA_DISPOSABLE_EMAIL_WEIGHT (both default to 100). Clamp final score to 0-100 instead of requiring sum=100. Made-with: Cursor
…istics. Added new fields to the ProjectUser model for tracking sign-up IP and email normalization. Updated environment configurations for Emailable API keys and adjusted risk score calculations to incorporate new heuristics. Enhanced tests for email validation and sign-up processes to ensure accurate handling of new attributes.
…ilities. Updated vitest.shared.ts to include new aliases for React and stack-shared utilities, and improved test pool options. Modified tsconfig.json files in backend and dashboard to support new path mappings for stack-shared utilities. Refactored imports across various files to align with updated paths, ensuring consistency and improved maintainability.
- Updated the test for syncing users in the external DB to include timeoutMs and intervalMs parameters, improving test reliability and performance.
- Adjusted the description for clarity on the test's purpose and execution timing.
Author (Collaborator): @greptile-ai review and re-score
nams1570 approved these changes, Mar 19, 2026
- Updated the OAuth authorization route to support a union response schema, allowing for both JSON and text responses with appropriate status codes.
- Improved the OTP sign-in code route by incorporating request context serialization for new users, ensuring accurate tracking of sign-up details.
- Refactored the verification code handler to deserialize stored sign-up request context, enhancing user experience during sign-in.
- Added new utility functions for serializing and deserializing sign-up request context, improving data handling across authentication flows.
- Enhanced tests to validate the new request context handling in OTP sign-in scenarios.
Author (Collaborator): @greptile-ai full review and rescore
- Updated the OTP sign-in verification code handler to make `turnstile_result` optional, ensuring backward compatibility with existing stored codes.
- Enhanced the sign-up context schema fields to be optional, allowing for more flexible data handling during user sign-up.
- Introduced a new function to deserialize stored turnstile assessments, improving the handling of verification results.
- Adjusted related tests to validate the new optional fields and ensure proper deserialization behavior.
Author (Collaborator): @greptile-ai review and rescore
…ents
- Introduced a new environment variable `STACK_ALLOW_SIGN_UP_ON_VISIBLE_BOT_CHALLENGE_FAILURE` to control sign-up behavior during visible bot challenge failures.
- Enhanced the Turnstile verification logic to allow sign-ups to proceed when the visible challenge is unavailable, based on the new environment variable.
- Updated the user sign-up handling to enforce the new policy, ensuring that sign-ups are blocked by default after a visible challenge failure unless explicitly allowed.
- Added tests to validate the new sign-up policy and the handling of bot challenge unavailability in various scenarios.
- Refactored related components to support the new logic and ensure consistent behavior across the application.
Author (Collaborator): @greptile-ai review
- Added handling for `BotChallengeFailed` errors in the shared client interface, ensuring that both `BotChallengeRequired` and `BotChallengeFailed` are caught during authentication flows.
- Updated the `StackClientInterface` methods to return appropriate `Result` errors for magic link requests, credential sign-ups, and OAuth authorizations when encountering bot challenge failures.
- Introduced utility functions to streamline bot challenge error processing and improve code readability.
- Enhanced tests to validate the new error handling behavior across various authentication scenarios.
- Updated the OpenAPI parsing logic to accommodate multiple response schemas for route handlers, enhancing flexibility in API response definitions.
- Introduced a new `responseVariants` structure to encapsulate response descriptions, types, and status codes, improving the clarity and organization of response handling.
- Removed deprecated functions related to response description retrieval and merging, streamlining the codebase.
- Enhanced type definitions for better type safety and clarity in the parsing process.
Author (Collaborator): @greptile-ai review and rescore
- Introduced a new `unavailable` flag in the `BotChallengeInput` type to explicitly indicate when bot challenge infrastructure is unavailable.
- Updated the `getBotChallengeRequestFields` function to handle the new `unavailable` flag, ensuring it cannot be combined with a token or phase.
- Refactored the `_toInterfaceBotChallengeInput` method to accommodate the new flag for magic link requests and other authentication flows.
- Enhanced tests to validate the handling of bot challenge unavailability across various scenarios, ensuring robust error handling and user experience.
Author (Collaborator): @greptile-ai review and rescore
- Added a new environment variable `STACK_DISABLE_BOT_CHALLENGE` to allow disabling the Turnstile bot challenge during local development.
- Updated the Turnstile verification logic to skip bot challenge assessments when the new variable is set to true.
- Enhanced the OAuth callback handling to accommodate the disabled bot challenge scenario, ensuring smooth user sign-up flow.
- Added tests to validate the behavior when the bot challenge is disabled, improving overall test coverage for authentication flows.
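The sign-up gate (the `unavailable` flag, `STACK_DISABLE_BOT_CHALLENGE`, `STACK_ALLOW_SIGN_UP_ON_VISIBLE_BOT_CHALLENGE_FAILURE`) and the weight-based risk score clamped to 0-100 that the commits above describe, as an added TypeScript model that is not Stack Auth's own code; the function names, the `Assessment` shape, parsing env values as the string `"true"`, and the injected `verify` callback standing in for the Turnstile siteverify call are assumptions.

```typescript
// Added example, not the project's code: a runnable model of the policy the commits describe.
export type BotChallengeInput = { unavailable?: boolean; token?: string; phase?: "visible" | "invisible" };
export type BotChallengeEnv = {
  STACK_DISABLE_BOT_CHALLENGE?: string;
  STACK_ALLOW_SIGN_UP_ON_VISIBLE_BOT_CHALLENGE_FAILURE?: string;
};
export type Assessment =
  | { outcome: "verified" | "skipped" | "allowed_unavailable" }
  | { outcome: "blocked"; reason: "BotChallengeRequired" | "BotChallengeFailed" };

// `unavailable` is mutually exclusive with a token or phase; reject the contradiction early.
export function getBotChallengeRequestFields(input: BotChallengeInput) {
  if (input.unavailable && (input.token !== undefined || input.phase !== undefined)) {
    throw new Error("`unavailable` cannot be combined with a token or phase");
  }
  return { token: input.token ?? null, phase: input.phase ?? null, unavailable: input.unavailable === true };
}

const envTrue = (v: string | undefined): boolean => v === "true"; // assumption: "true" enables a flag

// verify: token verifier supplied by the caller (offline stand-in for the siteverify request).
export function assessSignUp(
  input: BotChallengeInput, env: BotChallengeEnv, verify: (token: string) => boolean,
): Assessment {
  if (envTrue(env.STACK_DISABLE_BOT_CHALLENGE)) return { outcome: "skipped" }; // local development only
  const fields = getBotChallengeRequestFields(input);
  if (fields.unavailable) {
    // Default is to block when the visible challenge could not run; opt-in allows the sign-up.
    return envTrue(env.STACK_ALLOW_SIGN_UP_ON_VISIBLE_BOT_CHALLENGE_FAILURE)
      ? { outcome: "allowed_unavailable" }
      : { outcome: "blocked", reason: "BotChallengeFailed" };
  }
  if (fields.token === null) return { outcome: "blocked", reason: "BotChallengeRequired" };
  return verify(fields.token) ? { outcome: "verified" } : { outcome: "blocked", reason: "BotChallengeFailed" };
}

// Risk score: each triggered heuristic adds its configured weight; the sum is clamped to 0-100
// rather than requiring the weights to total 100 (weights default to 100 in the commit above).
export function riskScore(hits: Record<string, boolean>, weights: Record<string, number>): number {
  let total = 0;
  for (const [name, hit] of Object.entries(hits)) if (hit) total += weights[name] ?? 100;
  return Math.min(100, Math.max(0, Math.round(total)));
}
```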
Enhances sign-up process with Turnstile integration for fraud protection. Builds on top of fraud-protection-temp-emails.
Made with Cursor