Commit 2cc83ee
harden(account): packaged builds ignore development Clerk config (#851)
* harden(account): ignore development Clerk config in packaged builds
A developer project that sets CLERK_ISSUER/CLERK_JWKS_URL/
CLERK_OAUTH_CLIENT_ID (or ADE_ACCOUNT_DIRECTORY_URL) to ADE's
development Clerk instance leaked into the packaged production app's
brain, which then authenticated against dev Clerk and got a 401
"invalid token" from the production account directory.
Packaged builds now set ADE_RUNTIME_PACKAGED=1 (bootstrap.ts via the
existing source-checkout check; desktop main.ts via app.isPackaged).
When set, the account resolvers discard any Clerk override that
resolves to a development instance (*.clerk.accounts.dev, incl.
trailing-dot aliases) or the development account directory — atomically
snapping issuer, JWKS, client, and directory back to the built-in
production defaults (never a hybrid) and logging one warning. The
machine publisher's directory override is guarded the same way.
Source-checkout/dev builds are unchanged; ADE_ALLOW_DEVELOPMENT_CLERK=1
is a deliberate escape hatch. Non-development custom issuer overrides
are still honored.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* harden(account): fix packaged detection + close directory guard gaps
Independent review findings:
- Packaged detection keyed off the module filename (bootstrap.cjs), but
bootstrap is bundled into main.cjs/cli.cjs, so dev builds running built
bundles misidentified as packaged and would auth against production
Clerk. Extract isSourceCheckoutRuntimeModule to runtimePackaging.ts and
make it directory-based (matches an apps/{ade-cli,desktop}/{src,dist}/
path segment) — packaged resources have no such segment.
- Route accountMachineDirectoryService's raw ADE_ACCOUNT_DIRECTORY_URL env
fallback through the dev-directory guard (was a latent bypass).
- Match the development account directory by host, so a dev-host URL with
an extra path/subdomain is also caught.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* harden(account): also reject the development OAuth client id
The packaged-build enforcement discarded dev issuers and dev JWKS hosts
but not the development OAuth client id, so a custom issuer paired with
DEVELOPMENT_ADE_CLERK_OAUTH_CLIENT_ID survived. Treat the dev client id
as an independent development-instance marker in both enforcement
functions, replacing the whole tuple with production defaults. Tests
cover a dev client id behind a custom issuer/JWKS for OAuth and
attestation.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* harden(account): derive sign-in availability from the hardened resolver
isLoginConfigured() read the raw CLERK_* values, so in a packaged build a
stale partial development secret (issuer or client id only) reported
configured=false and disabled the Account-page sign-in — even though the
hardened resolver would fall back to production and log in fine. Derive
it from the same resolveAccountOAuthConfig() the login flow uses (which
applies the packaged development-Clerk-ignore policy), and drop the now
dead readProjectSecret helper.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* harden(account): reject stored development sessions in packaged builds
The config resolvers were hardened, but a stored account.session.v1
created against dev Clerk bypassed them: getAccessToken() returned the
stored dev access token directly and refreshed against the stored dev
oauthConfig, so a packaged build with a pre-existing dev session kept
hitting the production directory with a dev token (401) until manual
sign-out.
In packaged mode (and equally for ADE_ACCOUNT_TOKEN credentials), reject
any session whose stored oauthConfig issuer/client is a development
instance or whose access-token `iss` claim is a dev host, before token
return, refresh, userinfo, or directory use. A persisted dev session is
compare-and-deleted from the shared credential store (only when the
stored value still matches what we read) so status flips to signed-out
without erasing a newer peer-written session, and the user re-signs-in
against production. ADE_ALLOW_DEVELOPMENT_CLERK=1 still keeps dev working;
source checkouts are unchanged. Swept the whole account surface
(getAccessToken, refresh, status, userinfo, env-token, publisher,
directory) for equivalent bypasses.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* harden(account): make dev-session invalidation race-safe and signed-out
Two review findings on the stored-session rejection:
- The updateSync-less fallback in invalidateStoredSessionIfCurrent did a
non-atomic getSync-then-deleteSync, which could delete a production
credential a peer wrote between the two calls. Drop the non-atomic
delete: use atomic compare-and-delete when available, otherwise leave
the value in place and reject the development session on every read.
- A rejected development ADE_ACCOUNT_TOKEN reported source: "env-token"
with signedIn: false, so downstream treated it as an active env
credential and blocked production re-auth. Report a fully signed-out
status (source: null) instead.
Adds coverage for a store without atomic compare-and-delete (rejected,
not clobbered).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* harden(account): unblock re-auth and honor the post-invalidation retry
Two final review findings on the packaged dev-Clerk policy:
- startLogin()/startDeviceLogin()/createToken() blocked whenever a raw
ADE_ACCOUNT_TOKEN was present, so after a rejected development token
correctly reported signed-out, Sign In threw "already providing"
instead of starting production login. Route every login-gating path
through readAcceptedEnvCredential(), which treats a rejected
development credential as absent, so production login proceeds.
- readSession() returned null right after invalidating a development
session, ignoring the promised retry: when the atomic compare-and-delete
saw a peer had already replaced it with a production session, that
record stayed but the read still reported signed-out. Re-read once and
return the peer-written production session in the same call; only a
still-rejectable or absent session yields signed-out. Retry at most once.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>1 parent 3dbab90 commit 2cc83ee
19 files changed
Lines changed: 1377 additions & 95 deletions
File tree
- apps
- ade-cli/src
- services/account
- desktop/src
- main
- services/account
- docs
- features/sync-and-multi-device
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
3 | 3 | | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
4 | 23 | | |
5 | 24 | | |
6 | 25 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
| 7 | + | |
7 | 8 | | |
8 | 9 | | |
9 | 10 | | |
| |||
307 | 308 | | |
308 | 309 | | |
309 | 310 | | |
310 | | - | |
311 | | - | |
312 | | - | |
313 | | - | |
314 | 311 | | |
315 | 312 | | |
316 | 313 | | |
| 314 | + | |
| 315 | + | |
| 316 | + | |
| 317 | + | |
| 318 | + | |
| 319 | + | |
| 320 | + | |
317 | 321 | | |
318 | 322 | | |
319 | 323 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
35 | 35 | | |
36 | 36 | | |
37 | 37 | | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
38 | 42 | | |
39 | 43 | | |
40 | 44 | | |
| |||
344 | 348 | | |
345 | 349 | | |
346 | 350 | | |
| 351 | + | |
| 352 | + | |
| 353 | + | |
| 354 | + | |
| 355 | + | |
| 356 | + | |
| 357 | + | |
| 358 | + | |
| 359 | + | |
| 360 | + | |
| 361 | + | |
| 362 | + | |
| 363 | + | |
| 364 | + | |
| 365 | + | |
| 366 | + | |
| 367 | + | |
| 368 | + | |
| 369 | + | |
| 370 | + | |
| 371 | + | |
| 372 | + | |
| 373 | + | |
| 374 | + | |
| 375 | + | |
| 376 | + | |
| 377 | + | |
| 378 | + | |
| 379 | + | |
| 380 | + | |
| 381 | + | |
| 382 | + | |
| 383 | + | |
| 384 | + | |
| 385 | + | |
347 | 386 | | |
348 | 387 | | |
349 | 388 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
102 | 102 | | |
103 | 103 | | |
104 | 104 | | |
| 105 | + | |
105 | 106 | | |
106 | 107 | | |
107 | 108 | | |
| |||
18213 | 18214 | | |
18214 | 18215 | | |
18215 | 18216 | | |
18216 | | - | |
| 18217 | + | |
| 18218 | + | |
| 18219 | + | |
| 18220 | + | |
| 18221 | + | |
| 18222 | + | |
| 18223 | + | |
18217 | 18224 | | |
18218 | 18225 | | |
18219 | 18226 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
0 commit comments