Merge branch 'fraud-protection' into fraud-protection-country-code

Author: mantrakp04

.github/workflows/docker-emulator-test.yaml

@@ -0,0 +1,179 @@
+name: Runs E2E API Tests (Local Emulator)
+
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' }}
+
+jobs:
+  build:
+    name: E2E Tests (Local Emulator, Node ${{ matrix.node-version }})
+    runs-on: ubicloud-standard-8
+    env:
+      NODE_ENV: test
+      NEXT_PUBLIC_STACK_IS_LOCAL_EMULATOR: "true"
+      STACK_ENABLE_HARDCODED_PASSKEY_CHALLENGE_FOR_TESTING: yes
+      STACK_DATABASE_CONNECTION_STRING: "postgres://postgres:PASSWORD-PLACEHOLDER--uqfEC1hmmv@localhost:8128/stackframe"
+      STACK_EXTERNAL_DB_SYNC_MAX_DURATION_MS: "20000"
+      STACK_EXTERNAL_DB_SYNC_DIRECT: "false"
+
+    strategy:
+      matrix:
+        node-version: [22.x]
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ matrix.node-version }}
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      # Even just starting the Docker Compose as a daemon is slow because we have to download and build the images
+      # so, we run it in the background
+      - name: Start Docker Compose in background
+        uses: JarvusInnovations/background-action@v1.0.7
+        with:
+          run: docker compose -f docker/dependencies/docker.compose.yaml up --pull always -d &
+          # we don't need to wait on anything, just need to start the daemon
+          wait-on: /dev/null
+          tail: true
+          wait-for: 3s
+          log-output-if: true
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Create .env.test.local file for apps/backend
+        run: cp apps/backend/.env.development apps/backend/.env.test.local
+
+      - name: Create .env.test.local file for apps/dashboard
+        run: cp apps/dashboard/.env.development apps/dashboard/.env.test.local
+
+      - name: Create .env.test.local file for apps/e2e
+        run: cp apps/e2e/.env.development apps/e2e/.env.test.local
+
+      - name: Create .env.test.local file for docs
+        run: cp docs/.env.development docs/.env.test.local
+
+      - name: Create .env.test.local file for examples/cjs-test
+        run: cp examples/cjs-test/.env.development examples/cjs-test/.env.test.local
+
+      - name: Create .env.test.local file for examples/demo
+        run: cp examples/demo/.env.development examples/demo/.env.test.local
+
+      - name: Create .env.test.local file for examples/docs-examples
+        run: cp examples/docs-examples/.env.development examples/docs-examples/.env.test.local
+
+      - name: Create .env.test.local file for examples/e-commerce
+        run: cp examples/e-commerce/.env.development examples/e-commerce/.env.test.local
+
+      - name: Create .env.test.local file for examples/middleware
+        run: cp examples/middleware/.env.development examples/middleware/.env.test.local
+
+      - name: Create .env.test.local file for examples/supabase
+        run: cp examples/supabase/.env.development examples/supabase/.env.test.local
+
+      - name: Create .env.test.local file for examples/convex
+        run: cp examples/convex/.env.development examples/convex/.env.test.local
+
+      - name: Build
+        run: pnpm build
+
+      - name: Wait on Postgres
+        run: pnpm run wait-until-postgres-is-ready:pg_isready
+
+      - name: Wait on Inbucket
+        run: pnpx wait-on tcp:localhost:8129
+
+      - name: Wait on Svix
+        run: pnpx wait-on tcp:localhost:8113
+
+      - name: Wait on QStash
+        run: pnpx wait-on tcp:localhost:8125
+
+      - name: Wait on ClickHouse
+        run: pnpx wait-on http://localhost:8136/ping
+
+      - name: Initialize database
+        run: pnpm run db:init
+
+      - name: Start stack-backend in background
+        uses: JarvusInnovations/background-action@v1.0.7
+        with:
+          run: pnpm run start:backend --log-order=stream &
+          wait-on: |
+            http://localhost:8102
+          tail: true
+          wait-for: 30s
+          log-output-if: true
+
+      - name: Start stack-dashboard in background
+        uses: JarvusInnovations/background-action@v1.0.7
+        with:
+          run: pnpm run start:dashboard --log-order=stream &
+          wait-on: |
+            http://localhost:8101
+          tail: true
+          wait-for: 30s
+          log-output-if: true
+
+      - name: Start mock-oauth-server in background
+        uses: JarvusInnovations/background-action@v1.0.7
+        with:
+          run: pnpm run start:mock-oauth-server --log-order=stream &
+          wait-on: |
+            http://localhost:8102
+          tail: true
+          wait-for: 30s
+          log-output-if: true
+
+      - name: Start run-email-queue in background
+        uses: JarvusInnovations/background-action@v1.0.7
+        with:
+          run: pnpm -C apps/backend run run-email-queue --log-order=stream &
+          wait-on: |
+            http://localhost:8102
+          tail: true
+          wait-for: 30s
+          log-output-if: true
+
+      - name: Start run-cron-jobs in background
+        uses: JarvusInnovations/background-action@v1.0.7
+        with:
+          run: pnpm -C apps/backend run run-cron-jobs:test --log-order=stream &
+          wait-on: |
+            http://localhost:8102
+          tail: true
+          wait-for: 30s
+          log-output-if: true
+
+      - name: Wait 10 seconds
+        run: sleep 10
+
+      - name: Run tests
+        run: pnpm test run
+
+      - name: Run tests again (attempt 1)
+        if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev'
+        run: pnpm test run
+
+      - name: Run tests again (attempt 2)
+        if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev'
+        run: pnpm test run
+
+      - name: Verify data integrity
+        run: pnpm run verify-data-integrity --no-bail
+
+      - name: Print Docker Compose logs
+        if: always()
+        run: docker compose -f docker/dependencies/docker.compose.yaml logs

.github/workflows/e2e-api-tests-local-emulator.yaml

@@ -13,6 +13,8 @@ debug.log
 
 
 .vercel
+.output
+.nitro
 
 # https://stackoverflow.com/questions/76510164/can-i-safely-delete-vite-config-ts-timestamp-files
 vite.config.ts.timestamp-*

.gitignore

@@ -1,6 +1,7 @@
 # Basic
 NEXT_PUBLIC_STACK_API_URL=# the base URL of Stack's backend/API. For local development, this is `http://localhost:8102`; for the managed service, this is `https://api.stack-auth.com`.
 NEXT_PUBLIC_STACK_DASHBOARD_URL=# the URL of Stack's dashboard. For local development, this is `http://localhost:8101`; for the managed service, this is `https://app.stack-auth.com`.
+NEXT_PUBLIC_STACK_IS_LOCAL_EMULATOR=# set to true to enable local emulator-only behaviors (internal local emulator endpoints, read-only environment config overrides, and local emulator auth UX)
 STACK_SECRET_SERVER_KEY=# a random, unguessable secret key generated by `pnpm generate-keys`
 
 

apps/backend/.env

@@ -1,5 +1,6 @@
 NEXT_PUBLIC_STACK_API_URL=http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}02
 NEXT_PUBLIC_STACK_DASHBOARD_URL=http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}01
+NEXT_PUBLIC_STACK_IS_LOCAL_EMULATOR=false
 STACK_SERVER_SECRET=23-wuNpik0gIW4mruTz25rbIvhuuvZFrLOLtL7J4tyo
 
 STACK_CHANGELOG_URL=https://raw.githubusercontent.com/stack-auth/stack-auth/refs/heads/dev/CHANGELOG.md

apps/backend/.env.development

@@ -90,6 +90,7 @@
     "dotenv": "^16.4.5",
     "dotenv-cli": "^7.3.0",
     "freestyle-sandboxes": "^0.1.6",
+    "jiti": "^2.6.1",
     "jose": "^6.1.3",
     "json-diff": "^1.0.6",
     "next": "16.1.5",

apps/backend/package.json

@@ -0,0 +1,17 @@
+CREATE TABLE "LocalEmulatorProject" (
+  "absoluteFilePath" TEXT NOT NULL,
+  "projectId" TEXT NOT NULL,
+  "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  "updatedAt" TIMESTAMP(3) NOT NULL,
+
+  CONSTRAINT "LocalEmulatorProject_pkey" PRIMARY KEY ("absoluteFilePath")
+);
+
+CREATE UNIQUE INDEX "LocalEmulatorProject_projectId_key" ON "LocalEmulatorProject"("projectId");
+
+ALTER TABLE "LocalEmulatorProject"
+ADD CONSTRAINT "LocalEmulatorProject_projectId_fkey"
+FOREIGN KEY ("projectId")
+REFERENCES "Project"("id")
+ON DELETE CASCADE
+ON UPDATE CASCADE;

apps/backend/prisma/migrations/20260226100000_add_local_emulator_project_mapping/migration.sql

@@ -0,0 +1,30 @@
+import { randomUUID } from "crypto";
+import type { Sql } from "postgres";
+import { expect } from "vitest";
+
+export const preMigration = async (sql: Sql) => {
+  const projectId = `test-${randomUUID()}`;
+  await sql`
+    INSERT INTO "Project" ("id", "createdAt", "updatedAt", "displayName", "description", "isProductionMode")
+    VALUES (${projectId}, NOW(), NOW(), 'Cascade Test Project', '', false)
+  `;
+  return { projectId };
+};
+
+export const postMigration = async (sql: Sql, ctx: Awaited<ReturnType<typeof preMigration>>) => {
+  const absoluteFilePath = `/tmp/${randomUUID()}/stack.config.ts`;
+
+  await sql`
+    INSERT INTO "LocalEmulatorProject" ("absoluteFilePath", "projectId", "createdAt", "updatedAt")
+    VALUES (${absoluteFilePath}, ${ctx.projectId}, NOW(), NOW())
+  `;
+
+  await sql`DELETE FROM "Project" WHERE "id" = ${ctx.projectId}`;
+
+  const rows = await sql`
+    SELECT "absoluteFilePath"
+    FROM "LocalEmulatorProject"
+    WHERE "absoluteFilePath" = ${absoluteFilePath}
+  `;
+  expect(rows).toHaveLength(0);
+};

apps/backend/prisma/migrations/20260226100000_add_local_emulator_project_mapping/tests/cascades-on-project-delete.ts

@@ -0,0 +1,44 @@
+import { randomUUID } from "crypto";
+import type { Sql } from "postgres";
+import { expect } from "vitest";
+
+export const preMigration = async (sql: Sql) => {
+  const projectId1 = `test-${randomUUID()}`;
+  const projectId2 = `test-${randomUUID()}`;
+
+  await sql`
+    INSERT INTO "Project" ("id", "createdAt", "updatedAt", "displayName", "description", "isProductionMode")
+    VALUES (${projectId1}, NOW(), NOW(), 'Local Emulator Project 1', '', false)
+  `;
+  await sql`
+    INSERT INTO "Project" ("id", "createdAt", "updatedAt", "displayName", "description", "isProductionMode")
+    VALUES (${projectId2}, NOW(), NOW(), 'Local Emulator Project 2', '', false)
+  `;
+
+  return { projectId1, projectId2 };
+};
+
+export const postMigration = async (sql: Sql, ctx: Awaited<ReturnType<typeof preMigration>>) => {
+  const path1 = `/tmp/${randomUUID()}/stack.config.ts`;
+  const path2 = `/tmp/${randomUUID()}/stack.config.ts`;
+
+  await sql`
+    INSERT INTO "LocalEmulatorProject" ("absoluteFilePath", "projectId", "createdAt", "updatedAt")
+    VALUES (${path1}, ${ctx.projectId1}, NOW(), NOW())
+  `;
+
+  await expect(sql`
+    INSERT INTO "LocalEmulatorProject" ("absoluteFilePath", "projectId", "createdAt", "updatedAt")
+    VALUES (${path1}, ${ctx.projectId2}, NOW(), NOW())
+  `).rejects.toThrow(/LocalEmulatorProject_pkey/);
+
+  await expect(sql`
+    INSERT INTO "LocalEmulatorProject" ("absoluteFilePath", "projectId", "createdAt", "updatedAt")
+    VALUES (${path2}, ${ctx.projectId1}, NOW(), NOW())
+  `).rejects.toThrow(/LocalEmulatorProject_projectId_key/);
+
+  await sql`
+    INSERT INTO "LocalEmulatorProject" ("absoluteFilePath", "projectId", "createdAt", "updatedAt")
+    VALUES (${path2}, ${ctx.projectId2}, NOW(), NOW())
+  `;
+};

apps/backend/prisma/migrations/20260226100000_add_local_emulator_project_mapping/tests/persists-and-enforces-uniqueness.ts

@@ -41,10 +41,21 @@ model Project {
   tenancies                  Tenancy[]
   branchConfigOverrides      BranchConfigOverride[]
   environmentConfigOverrides EnvironmentConfigOverride[]
+  localEmulatorProject       LocalEmulatorProject?
 
   @@index([ownerTeamId], map: "Project_ownerTeamId_idx")
 }
 
+model LocalEmulatorProject {
+  absoluteFilePath String @id
+  projectId        String @unique
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  project Project @relation(fields: [projectId], references: [id], onDelete: Cascade)
+}
+
 model Tenancy {
   id String @id @default(uuid()) @db.Uuid