Upgrade @objectstack to v2.0.4, add plugin-auth for server-side authentication #434
…ide auth - Upgrade all @objectstack packages from ^2.0.1 to ^2.0.4 across 13 package.json files - Add @objectstack/plugin-auth ^2.0.3 to CRM example for server-side authentication - Update CRM server.ts to integrate AuthPlugin into the ObjectKernel - Update OBJECTSTACK_CLIENT_EVALUATION.md with latest versions and plugin-auth documentation Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>
@copilot fix all build and test
Pull request overview
Updates the monorepo to newer @objectstack/* versions and wires @objectstack/plugin-auth into the CRM example to demonstrate server-side authentication, along with corresponding documentation updates.
Changes:
- Bump @objectstack/* dependencies from ^2.0.1 to ^2.0.4 across the workspace and refresh pnpm-lock.yaml.
- Add @objectstack/plugin-auth@^2.0.3 and register AuthPlugin in examples/crm/server.ts.
- Update OBJECTSTACK_CLIENT_EVALUATION.md to reflect the new versions and document server-side auth setup.
Reviewed changes
Copilot reviewed 15 out of 16 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pnpm-lock.yaml | Lockfile refresh for @objectstack/* upgrades + new plugin-auth transitive deps |
| package.json | Root devDependency bumps to @objectstack/*@^2.0.4 + hono server plugin bump |
| packages/core/package.json | Bump @objectstack/spec to ^2.0.4 |
| packages/react/package.json | Bump @objectstack/spec to ^2.0.4 |
| packages/types/package.json | Bump @objectstack/spec to ^2.0.4 |
| packages/data-objectstack/package.json | Bump @objectstack/client to ^2.0.4 |
| packages/plugin-gantt/package.json | Bump @objectstack/spec to ^2.0.4 |
| packages/plugin-map/package.json | Bump @objectstack/spec to ^2.0.4 |
| packages/plugin-timeline/package.json | Bump @objectstack/spec to ^2.0.4 |
| apps/console/package.json | Bump console’s @objectstack/* dependencies to ^2.0.4 |
| examples/todo/package.json | Bump todo example deps to @objectstack/*@^2.0.4 |
| examples/msw-todo/package.json | Bump msw-todo example deps to @objectstack/*@^2.0.4 |
| examples/kitchen-sink/package.json | Bump kitchen-sink example deps to @objectstack/*@^2.0.4 |
| examples/crm/package.json | Bump CRM example deps to @objectstack/*@^2.0.4 and add @objectstack/plugin-auth |
| examples/crm/server.ts | Register AuthPlugin in the CRM server kernel plugin chain |
| OBJECTSTACK_CLIENT_EVALUATION.md | Update version headers and add server-side auth documentation/diagram |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| // Provides /api/v1/auth/* endpoints (sign-in, sign-up, session, OAuth, 2FA, etc.) | ||
| await kernel.use(new AuthPlugin({ | ||
| secret: process.env.AUTH_SECRET || 'dev-secret', |
The server-side setup example uses secret: process.env.AUTH_SECRET || 'dev-secret'. Similar to the CRM server code, a hard-coded fallback secret is unsafe and can be copied into production accidentally. Prefer failing fast when AUTH_SECRET is missing (or gating any fallback behind an explicit dev-only check) and mention required env vars in the example text.
| // Provides /api/v1/auth/* endpoints (sign-in, sign-up, session, OAuth, 2FA, etc.) | |
| await kernel.use(new AuthPlugin({ | |
| secret: process.env.AUTH_SECRET || 'dev-secret', | |
| // Requires AUTH_SECRET to be set in the environment for signing tokens. | |
| // Provides /api/v1/auth/* endpoints (sign-in, sign-up, session, OAuth, 2FA, etc.) | |
| const authSecret = process.env.AUTH_SECRET; | |
| if (!authSecret) { | |
| throw new Error('AUTH_SECRET environment variable must be set for @objectstack/plugin-auth'); | |
| } | |
| await kernel.use(new AuthPlugin({ | |
| secret: authSecret, |
| @@ -3917,6 +3945,10 @@ packages: | |||
| resolution: {integrity: sha512-jCs9ldd7NwzpgXDIf6P3+NrHh9/sD6CQdxHyjQI+h/6rDNo88ypBxxz45UDuZHz9r3tNz7N/VInSVoVdtXEI4A==} | |||
| engines: {node: ^14.21.3 || >=16} | |||
|
|
|||
| '@noble/hashes@2.0.1': | |||
| resolution: {integrity: sha512-XlOlEbQcE9fmuXxrVTXCTlG2nlRXa9Rj3rr5Ue/+tX+nmkgbX720YHh0VR3hBF9xDvwnb8D2shVGOwNx+ulArw==} | |||
| engines: {node: '>= 20.19.0'} | |||
|
|
|||
The lockfile now pulls in @noble/ciphers@2.1.1 and @noble/hashes@2.0.1 which both declare engines.node: >= 20.19.0. The repo root package.json currently allows Node >=20, so installs on Node 20.0–20.18 will violate dependency engine constraints. Consider tightening the repo engine requirement to >=20.19.0 (and aligning CI/dev docs), or pinning transitive deps to versions that support the currently-declared Node range.
| // NOTE: In production, always set AUTH_SECRET env var. The fallback is for local development only. | ||
| const authPlugin = new AuthPlugin({ | ||
| secret: process.env.AUTH_SECRET || 'objectui-dev-secret', | ||
| baseUrl: 'http://localhost:3000', | ||
| }); |
Avoid using a hard-coded default secret for authentication (even in an example). This makes it easy to accidentally run the server with a known secret. Prefer requiring AUTH_SECRET (fail fast) unless NODE_ENV === 'development', or generating a random dev secret at startup and logging a warning. Also consider sourcing baseUrl from an env var (or deriving it from the configured port) so the example works behind proxies / non-localhost environments.
| return ( | ||
| <AuthProvider authUrl="/api/auth"> | ||
| <AuthProvider authUrl="/api/v1/auth"> |
This document switches the AuthProvider URL to /api/v1/auth, but the rest of the repo (e.g., @object-ui/auth docs/tests and apps/console) consistently uses /api/auth. Unless the server-side AuthPlugin is explicitly mounted at /api/v1/auth, this is likely to mislead readers. Either keep /api/auth here or add a short note explaining the exact route prefix used by @objectstack/plugin-auth and how to configure it to match.
| <AuthProvider authUrl="/api/v1/auth"> | |
| <AuthProvider authUrl="/api/auth"> |
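Review bot: this suggestion points the client back at /api/auth, but the server-side snippet reviewed above carries the comment "Provides /api/v1/auth/* endpoints", so the two halves of this PR currently disagree on the route prefix. Before applying either change, confirm the actual mount prefix of @objectstack/plugin-auth (or the option that configures it) and make the AuthProvider authUrl, the CRM server registration and the documentation state the same path; otherwise sign-in and session requests from the CRM client will be sent to a path the server does not serve.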
…@2.0.4 @objectstack/core@2.0.4 statically imports Node.js crypto module for plugin hashing. The code has a browser fallback, so we mark crypto as external in both the console and msw-todo Vite configs to fix browser bundle builds. Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>
Fixed in 771fd19. The