From e9b98de4d51baad0195a89db72d6d765fbbea76a Mon Sep 17 00:00:00 2001 From: Jeff Dyke Date: Wed, 5 Nov 2025 10:27:24 -0500 Subject: [PATCH 1/6] initial commit for brining back csrf headers --- src/app-fp.ts | 8 +++++++- src/config.ts | 21 ++++++++------------- src/fp/services/redis.ts | 7 ++++--- src/routes/device.ts | 15 ++++++++++++--- src/routes/logout-fp.ts | 12 +++++++++--- src/setup/index.ts | 3 ++- 6 files changed, 42 insertions(+), 24 deletions(-) diff --git a/src/app-fp.ts b/src/app-fp.ts index a16689b..2e2a50d 100644 --- a/src/app-fp.ts +++ b/src/app-fp.ts @@ -23,6 +23,7 @@ import { createLoginRouter } from './routes/login-fp.js' import { createLogoutRouter } from './routes/logout-fp.js' import { createTokenRouter } from './routes/passthrough-auth-fp.js' import { OAuth2ApiLayer } from './setup/hydra.js' +import { doubleCsrfProtection } from './setup/index.js' import proxyMiddleware from './setup/proxy.js' import { ErrorPage } from './views/index.js' import type { NextFunction, Response, Request } from 'express' @@ -93,7 +94,11 @@ app.use( app.use('/oauth2/auth', proxyMiddleware) app.use(bodyParser.json()) app.use(bodyParser.urlencoded({ extended: false })) -app.use(cookieParser(process.env.SECRETS_SYSTEM ?? 'G6KaOf8aJsLagw566he8yxOTTO3tInKD')) +app.use(cookieParser(appConfig.security.cookieSecret)) + +// CSRF Protection - Must come after session and body parser +// Protects POST routes in OAuth2 flows (login, consent, logout, device) +app.use(doubleCsrfProtection) app.use(favicon(path.join(__dirname, '..', 'public', 'favicon.ico'))) app.use(express.static(path.join(dirname(import.meta.url), 'public'))) 
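Review bot: `app.use(doubleCsrfProtection)` in src/app-fp.ts is mounted globally, so every state-changing request that reaches Express after this line is checked, not only the login, consent, logout and device forms the comment names. The hunk's context imports `createTokenRouter`; if that router, or any other endpoint called by OAuth2 clients rather than browsers, is mounted below this line, its requests carry no CSRF cookie or header and would be rejected. Mounting the middleware per browser-facing router, e.g. `app.use('/login', doubleCsrfProtection, createLoginRouter(serviceLayer))`, keeps the scope explicit. The comment says the middleware must follow the session middleware, which is not visible in this hunk, so that ordering should be confirmed. The literal cookie-parser fallback removed here stays in the repository history and should be treated as disclosed and rotated wherever it was deployed.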
@@ -106,6 +111,7 @@ app.use(addUniqueToken) // Functional routes with Effect Layer injection // All templates use @kitajs/html for type-safe, functional rendering +// CSRF tokens are generated per-request and passed to templates app.use('/login', createLoginRouter(serviceLayer)) app.use('/logout', createLogoutRouter(serviceLayer, logoutConfig)) app.use('/consent', createConsentRouter(serviceLayer, consentConfig)) diff --git a/src/config.ts b/src/config.ts index 16dbb70..17c6080 100644 --- a/src/config.ts +++ b/src/config.ts @@ -4,11 +4,7 @@ */ import connectPgSimple from 'connect-pg-simple' import session from 'express-session' -import { - loadAppConfigSync, - getHydraAdminUrl, - getHydraInternalUrl -} from './fp/config.js' +import { loadAppConfigSync, getHydraAdminUrl, getHydraInternalUrl } from './fp/config.js' /** * Load configuration from environment @@ -53,15 +49,14 @@ export const pgConfig = { export const DCR_MASTER_CLIENT_ID = appConfig.dcrMasterClientId /** - * Static CSRF token (for development) + * CSRF token generation + * + * Re-exported from setup/index.ts for convenience. + * Uses csrf-csrf's double-submit cookie pattern. + * + * @deprecated Import directly from './setup/index.js' instead */ -export const STATIC_CSRF = 'YOU-ARE-USING-THE-STATIC-CSRF' - -/** - * Generate CSRF token - * Currently returns static token, should be replaced with proper CSRF generation - */ -export const generateCsrfToken = (_req: any, _res: any) => STATIC_CSRF +export { generateCsrfToken, doubleCsrfProtection } from './setup/index.js' /** * PostgreSQL session store diff --git a/src/fp/services/redis.ts b/src/fp/services/redis.ts index ec18cd8..d17eccf 100644 --- a/src/fp/services/redis.ts +++ b/src/fp/services/redis.ts 
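Review bot: The new `export { generateCsrfToken, doubleCsrfProtection } from './setup/index.js'` in src/config.ts is introduced already marked `@deprecated`, and the two callers touched by this patch (device.ts and logout-fp.ts) import from `../setup/index.js` directly, so the re-export looks unnecessary. It also makes config.ts depend on setup/index.ts. If setup/index.ts reads `appConfig` from config.ts, which is not visible here, that creates an import cycle in which one side can see an uninitialised binding at load time. Dropping the re-export avoids both problems; any remaining importer of `STATIC_CSRF` will then fail at compile time, which is the desired signal.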
@@ -3,16 +3,17 @@ * All Redis operations return Effect */ import { Effect, pipe, Context, Layer } from 'effect' +import type { Schema } from 'effect' import { RedisConnectionError, RedisKeyNotFound, RedisParseError, RedisWriteError, RedisDeleteError, - type RedisError, - SchemaValidationError} from '../errors.js' + type SchemaValidationError, + type RedisError +} from '../errors.js' import { validateSchema } from '../validation.js' -import type { Schema} from 'effect'; import type { Redis } from 'ioredis' /** diff --git a/src/routes/device.ts b/src/routes/device.ts index a05d10c..a60713a 100644 --- a/src/routes/device.ts +++ b/src/routes/device.ts @@ -1,9 +1,15 @@ +/** + * OAuth2 Device Authorization Flow (RFC 8628) + * + * Handles device code verification with CSRF protection. + */ import url from 'url' import { Effect, pipe } from 'effect' import express from 'express' import { OAuth2ApiService } from '../api/oauth2.js' import { appConfig } from '../config.js' import { type AppError } from '../fp/errors.js' +import { generateCsrfToken } from '../setup/index.js' import { DeviceVerify, DeviceSuccess } from '../views/index.js' import type { Layer } from 'effect' @@ -34,13 +40,16 @@ router.get('/verify', (req, res, next) => { return } + // Generate CSRF token for the device verification form + const csrfToken = generateCsrfToken(req, res) + res.send( DeviceVerify({ action: '/device/verify', - csrfToken: '', - envXsrfToken: appConfig.xsrfHeaderName, + csrfToken, + envXsrfToken: appConfig.security.xsrfHeaderName, challenge, - userCode: String(query.user_code), + userCode: String(query.user_code || ''), }) ) }) diff --git a/src/routes/logout-fp.ts b/src/routes/logout-fp.ts index fbff5e1..955d61f 100644 --- a/src/routes/logout-fp.ts +++ b/src/routes/logout-fp.ts 
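Review bot: In the `/verify` GET handler of src/routes/device.ts, `String(query.user_code || '')` stringifies whatever shape the parsed query has, so a repeated `user_code` parameter becomes a comma-joined string that is rendered into the form. Narrow it explicitly with `const userCode = typeof query.user_code === 'string' ? query.user_code : ''`, and confirm that `DeviceVerify` escapes the value, since it arrives in a link the user was handed. The handler starts outside the hunk and the matching POST handler is not shown, so whether the submitted token is validated only by the global middleware cannot be seen here.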
@@ -1,11 +1,14 @@ /** * Functional logout route using Effect + * + * Handles OAuth2 RP-initiated logout flow with CSRF protection. */ import { Effect, pipe } from 'effect' import express from 'express' -import { generateCsrfToken } from '../config.js' +import { appConfig } from '../config.js' import { type AppError } from '../fp/errors.js' import { getLogoutInfo, acceptLogout, rejectLogout } from '../fp/services/logout.js' +import { generateCsrfToken } from '../setup/index.js' import { Logout } from '../views/index.js' import type { HydraService } from '../fp/services/hydra.js' import type { Logger } from '../fp/services/token.js' @@ -64,10 +67,13 @@ const createLogoutGetHandler = ( const { status, message } = mapErrorToHttp(result.left) res.status(status).send(message) } else { + // Generate CSRF token for the logout form + const csrfToken = generateCsrfToken(req, res) + res.send( Logout({ - csrfToken: generateCsrfToken(req, res), - envXsrfToken: config.hostName, + csrfToken, + envXsrfToken: appConfig.security.xsrfHeaderName, challenge: result.right.challenge, action: `${config.hostName}/logout`, }) diff --git a/src/setup/index.ts b/src/setup/index.ts index e75d72f..f09d413 100644 --- a/src/setup/index.ts +++ b/src/setup/index.ts @@ -73,7 +73,8 @@ function base64URLEncode(buffer: Buffer): string { .replace(/\//g, "_") .replace(/=/g, "") } -export {generateCsrfToken, RedisPKCE, validatePKCE, RedisRefreshToken, GoogleTokenResponse, base64URLEncode} +export { doubleCsrfProtection, generateCsrfToken, validatePKCE, base64URLEncode } +export type { RedisPKCE, RedisRefreshToken, GoogleTokenResponse } // const configureCSRF = (app: express.Application) => { // app.use(doubleCsrfProtection); From caddd3b07883eb9755dfa621b437080e0d1b517a Mon Sep 17 00:00:00 2001 From: Jeff Dyke Date: Wed, 5 Nov 2025 11:51:31 -0500 Subject: [PATCH 2/6] set proper grants --- build/oauth2-client-meta.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
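Review bot: The logout GET handler in src/routes/logout-fp.ts now reads `appConfig.security.xsrfHeaderName` from the module-level config, while the rest of the handler uses the injected `config` (`config.hostName`). That bypasses the configuration passed to `createLogoutRouter(serviceLayer, logoutConfig)`. Carrying the header name on the logout config (a new `xsrfHeaderName` field) and writing `envXsrfToken: config.xsrfHeaderName` would keep the route testable without the global. A comment on the new `const csrfToken = generateCsrfToken(req, res)` line would also help, e.g. `// also sets the CSRF cookie on res; must run before res.send`, assuming csrf-csrf's usual behaviour. The handler body begins and ends outside the hunk.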
diff --git a/build/oauth2-client-meta.sh b/build/oauth2-client-meta.sh index acc9e84..eb5e3fa 100644 --- a/build/oauth2-client-meta.sh +++ b/build/oauth2-client-meta.sh @@ -58,7 +58,7 @@ authClient() { --response-type "code,id_token" \ --format json \ --token-endpoint-auth-method none \ - --scope "openid,offline" \ + --scope "openid,email,profile,offline_access" \ --redirect-uri "${CALLBACK_HOST}/callback" \ --format json ) From 90cdc18128d1ee276f32824335de5ee5d50e1235 Mon Sep 17 00:00:00 2001 From: Jeff Dyke Date: Wed, 5 Nov 2025 12:27:38 -0500 Subject: [PATCH 3/6] add nginx configuration to read me and a help file --- README.md | 7 +-- build/support_files/nginx/hydra.conf | 73 ++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+), 3 deletions(-) create mode 100644 build/support_files/nginx/hydra.conf diff --git a/README.md b/README.md index 2cda8d5..ab414b9 100644 --- a/README.md +++ b/README.md @@ -29,9 +29,10 @@ Simply change into the root of the repository: ## Installing Docker Environment -- sudo docker compose up -d --build +- TODO -Nginx and HAProxy configs to be provided +### Nginx Configuration +[Virtual Host configuration](build/support_files/nginx/hydra.conf), for Nginx. -### Nginx Configuration +- A single variable `private_ip` is required to speak to the upstream docker containers diff --git a/build/support_files/nginx/hydra.conf b/build/support_files/nginx/hydra.conf new file mode 100644 index 0000000..d43528e --- /dev/null +++ b/build/support_files/nginx/hydra.conf 
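Review bot: The client created in `authClient()` is public (`--token-endpoint-auth-method none`), and the new `--scope` list adds `offline_access`, so it can now obtain refresh tokens without any client authentication. That is only safe when PKCE is required for this client. In Hydra this is the `oauth2.pkce.enforced_for_public_clients` setting, which is not visible in this patch and should be confirmed. A comment above the `--scope` line, such as `# public client: refresh tokens rely on PKCE being enforced`, would record the dependency. The function body starts and ends outside the hunk.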
@@ -0,0 +1,73 @@ +# Ory Hydra and HydraAdmin +upstream public_api { + server {{private_ip}}:4444; +} +upstream admin_api { + server {{private_ip}}:4445; +} +# Example of further upstreams when the client is authorized +upstream mcp_proxy { + server {{private_ip}}:8080; +} +upstream mcp_inspector { + server {{private_ip}}:6274; +} +# End MCP Servers +# The port is only known by HAProxy in a current configuration, change to your needs. +server { + listen 8888; + server_name auth.staging.domain.tld; + add_header 'Access-Control-Allow-Credentials' 'true'; + + location ~ ^/(admin|clients|keys|health|metrics|version|oauth2/auth/requests|oauth2/introspect|oauth2/flush)/? { + + proxy_pass http://admin_api; + proxy_redirect off; + proxy_set_header Cookie $http_cookie; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + proxy_set_header X-CSRF-TOKEN $http_x_csrf_token; + proxy_set_header X-XSRF-TOKEN $http_x_xsrf_token; + } + location = /.well-known/oauth-authorization-server { + proxy_pass http://public_api/.well-known/openid-configuration; + } + location = /.well-known/oauth-protected-resource { + proxy_pass http://public_api/.well-known/openid-configuration; + } + # oauth2/auth and oauth2/token are both managed by hydra-headless-ts + # the former is proxied to hydra, the latter is all in the application + location ~ ^/(.well-known|oauth2/sessions|oauth2/revoke|oauth2/fallbacks/consent|oauth2/fallbacks/error|userinfo)/? 
{ + add_header 'Access-Control-Allow-Credentials' 'true'; + add_header 'Access-Control-Allow-Origin' "$http_origin" always; # Allow all origins + add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; + add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always; + add_header 'Vary' 'Origin'; + + proxy_pass http://public_api; + proxy_set_header Cookie $http_cookie; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + proxy_set_header X-CSRF-TOKEN $http_x_csrf_token; + proxy_set_header X-XSRF-TOKEN $http_x_xsrf_token; + } + + location / { + add_header 'Access-Control-Allow-Credentials' 'true'; + add_header 'Access-Control-Allow-Origin' "$http_origin" always; # Allow all origins + add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; + add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always; + add_header 'Vary' 'Origin'; + try_files $uri $uri/ @hydra-headless-ts; + } + location @hydra-headless-ts { + proxy_pass http://{{private_ip}}:3000; + } + +} From 59a9d54ef878dc0c28a3c8486887c3517cff8813 Mon Sep 17 00:00:00 2001 From: Jeff Dyke Date: Wed, 5 Nov 2025 12:33:58 -0500 Subject: [PATCH 4/6] add generic domain.tld value everywhere --- build/hydra_pillar.yml | 6 ++--- build/oauth2-client-meta.sh | 8 +++--- src/env/staging.env | 8 +++--- src/fp/config.test.ts | 52 ++++++++++++++++++------------------- 4 files changed, 37 insertions(+), 37 deletions(-) 
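Review bot: The first `location` block forwards `/admin`, `/clients`, `/keys`, `/oauth2/introspect`, `/oauth2/flush` and the other admin paths to `admin_api` from the same `server` that answers for the public host name, with no `allow`/`deny` or authentication. Anything that can reach port 8888 can therefore reach the Hydra admin API unless HAProxy filters it; restrict that block to a management network or move it to a separate internal listener. The two CORS locations also echo `$http_origin` into `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, which lets any origin read credentialed responses. An allow-list `map` fixes that, and `Vary: Origin` needs `always` so it is also sent on error responses. Because this file is offered as a template to copy, both defaults are worth tightening here.

```nginx
# constructed example: list only the origins that should call Hydra with credentials
map $http_origin $cors_origin {
    default "";
    "https://app.domain.tld" $http_origin;
}

# … unchanged: upstream blocks, server / listen / server_name …

location ~ ^/(admin|clients|keys|health|metrics|version|oauth2/auth/requests|oauth2/introspect|oauth2/flush)/? {
    allow 192.0.2.0/24;   # placeholder (documentation range): your management network
    deny all;
    # … unchanged: proxy_pass and proxy_set_header lines …
}

# in both CORS locations, replacing the "$http_origin" and Vary lines
add_header 'Access-Control-Allow-Origin' $cors_origin always;
add_header 'Vary' 'Origin' always;
```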
diff --git a/build/hydra_pillar.yml b/build/hydra_pillar.yml index a81b629..f22c739 100644 --- a/build/hydra_pillar.yml +++ b/build/hydra_pillar.yml @@ -1,6 +1,6 @@ base: &defaults - base_url: "http://dev.bondlink.org:3000" - admin_local: "http://dev.bondlink.org:4445" + base_url: "http://dev.domain.tld:3000" + admin_local: "http://dev.domain.tld:4445" is_dev: true secrets_system: "G6KaOf8aJsLagw566he8yxOTTO3tInKD" secrets_cookie: "G6KaOf8aJsLagw566he8yxBLOTTO3tIn" @@ -9,5 +9,5 @@ base: &defaults pg_dsn: "DSN=postgres://hydra:my-super-secret-password@postgres:5432/hydra?sslmode=disable" staging: <<: *defaults - base_url: "https://auth.staging.bondlink.org" + base_url: "https://auth.staging.domain.tld" admin_local: "http://10.1.1.230:4445" diff --git a/build/oauth2-client-meta.sh b/build/oauth2-client-meta.sh index eb5e3fa..5de6f03 100644 --- a/build/oauth2-client-meta.sh +++ b/build/oauth2-client-meta.sh @@ -2,7 +2,7 @@ set -e OPERATION=$1 shift -COOKIE_DOMAIN="bondlink.org" +COOKIE_DOMAIN="domain.tld" HOST_IP= ISSUER= ISSUER_ADMIN= @@ -25,10 +25,10 @@ if [ "$(uname)" = "Darwin" ]; then ISSUER_ADMIN="http://${HOST_IP}:4445" CALLBACK_HOST="http://${SERVER_NAME}:3000" elif [[ "$(hostname)" == "staging"* ]]; then - SERVER_NAME="auth.staging.bondlink.org" + SERVER_NAME="auth.staging.${COOKIE_DOMAIN}" HOST_IP=$(hostname -I | cut -d ' ' -f1) ISSUER_ADMIN="http://${HOST_IP}:4445" - CALLBACK_HOST="https://auth.staging.bondlink.org" + CALLBACK_HOST="https://auth.staging.${COOKIE_DOMAIN}" ISSUER="https://${SERVER_NAME}" fi @@ -144,7 +144,7 @@ URLS_LOGIN=${CALLBACK_HOST}/login BASE_URL=${CALLBACK_HOST} REDIRECT_URL=${CALLBACK_HOST}/callback NODE_ENV=development -SERVE_COOKIES_DOMAIN=bondlink.org +SERVE_COOKIES_DOMAIN=domain.tld SERVE_PUBLIC_CORS_ENABLED=false SERVE_ADMIN_CORS_ENABLED=false SERVE_PUBLIC_CORS_ALLOWED_ORIGINS="*" diff --git a/src/env/staging.env b/src/env/staging.env index 0eeeadb..ea54a80 100644 --- a/src/env/staging.env +++ b/src/env/staging.env 
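Review bot: The context lines of build/hydra_pillar.yml show that `secrets_system`, `secrets_cookie` and the password inside `pg_dsn` remain committed in clear text while only the domain is replaced with `domain.tld`. `secrets_system` is the same string that patch 1 removed as the cookie-parser fallback in src/app-fp.ts. Those values should be considered disclosed: rotate them and have the pillar reference an encrypted or externally supplied value, e.g. `secrets_system: "<set-from-secret-store>"`. The internal address `10.1.1.230` is likewise left in `admin_local` here and in src/env/staging.env and src/fp/config.test.ts, which works against the purpose of this commit.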
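Review bot: In the last hunk of build/oauth2-client-meta.sh, `SERVE_COOKIES_DOMAIN=domain.tld` repeats the literal, while the earlier hunk switches the staging host names to `${COOKIE_DOMAIN}`. The cookie domain now has two sources that can drift apart. If this block is expanded by the shell, as the neighbouring `${CALLBACK_HOST}` lines suggest, use `SERVE_COOKIES_DOMAIN=${COOKIE_DOMAIN}`. The surrounding block starts and ends outside the hunk.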
@@ -1,10 +1,10 @@ APP_ENV=staging -BASE_URL=https://auth.staging.bondlink.org -PUBLIC_DOMAIN=auth.staging.bondlink.org +BASE_URL=https://auth.staging.domain.tld +PUBLIC_DOMAIN=auth.staging.domain.tld PRIVATE_HOST=10.1.1.230 # Hydra -HYDRA_PUBLIC_URL=https://auth.staging.bondlink.org +HYDRA_PUBLIC_URL=https://auth.staging.domain.tld HYDRA_ADMIN_HOST=10.1.1.230 HYDRA_ADMIN_PORT=4445 @@ -19,4 +19,4 @@ POSTGRES_HOST=10.1.1.230 # Google OAuth GOOGLE_CLIENT_ID=your-staging-client-id GOOGLE_CLIENT_SECRET=your-staging-secret -GOOGLE_REDIRECT_URI=https://auth.staging.bondlink.org/callback +GOOGLE_REDIRECT_URI=https://auth.staging.domain.tld/callback diff --git a/src/fp/config.test.ts b/src/fp/config.test.ts index ecb58d5..0b7b26d 100644 --- a/src/fp/config.test.ts +++ b/src/fp/config.test.ts @@ -20,10 +20,10 @@ describe('fp/config', () => { describe('appConfigEffect - development environment', () => { it('should load local development config with defaults', async () => { process.env.APP_ENV = 'development' - process.env.BASE_URL = 'http://dev.bondlink.org:3000' - process.env.PUBLIC_DOMAIN = 'dev.bondlink.org' + process.env.BASE_URL = 'http://dev.domain.tld:3000' + process.env.PUBLIC_DOMAIN = 'dev.domain.tld' process.env.PRIVATE_HOST = 'localhost' - process.env.HYDRA_PUBLIC_URL = 'http://dev.bondlink.org:4444' + process.env.HYDRA_PUBLIC_URL = 'http://dev.domain.tld:4444' process.env.GOOGLE_CLIENT_ID = 'test-client-id' process.env.GOOGLE_CLIENT_SECRET = 'test-secret' 
@@ -35,10 +35,10 @@ describe('fp/config', () => { const result = await Effect.runPromise(program) expect(result.environment).toBe('development') - expect(result.domain.public).toBe('dev.bondlink.org') + expect(result.domain.public).toBe('dev.domain.tld') expect(result.domain.private).toBe('localhost') expect(result.port).toBe(3000) - expect(result.baseUrl).toContain('dev.bondlink.org') + expect(result.baseUrl).toContain('dev.domain.tld') expect(result.google.clientId).toBe('test-client-id') expect(result.google.clientSecret).toBe('test-secret') expect(result.security.secure).toBe(false) // Development should be insecure @@ -46,10 +46,10 @@ describe('fp/config', () => { it('should use http for development environment', async () => { process.env.APP_ENV = 'development' - process.env.BASE_URL = 'http://dev.bondlink.org:3000' - process.env.PUBLIC_DOMAIN = 'dev.bondlink.org' + process.env.BASE_URL = 'http://dev.domain.tld:3000' + process.env.PUBLIC_DOMAIN = 'dev.domain.tld' process.env.PRIVATE_HOST = 'localhost' - process.env.HYDRA_PUBLIC_URL = 'http://dev.bondlink.org:4444' + process.env.HYDRA_PUBLIC_URL = 'http://dev.domain.tld:4444' const program = Effect.gen(function* () { const config = yield* appConfigEffect @@ -66,10 +66,10 @@ describe('fp/config', () => { describe('appConfigEffect - staging environment', () => { it('should load staging config with https', async () => { process.env.APP_ENV = 'staging' - process.env.BASE_URL = 'https://auth.staging.bondlink.org' - process.env.PUBLIC_DOMAIN = 'auth.staging.bondlink.org' + process.env.BASE_URL = 'https://auth.staging.domain.tld' + process.env.PUBLIC_DOMAIN = 'auth.staging.domain.tld' process.env.PRIVATE_HOST = '10.1.1.230' - process.env.HYDRA_PUBLIC_URL = 'https://auth.staging.bondlink.org' + process.env.HYDRA_PUBLIC_URL = 'https://auth.staging.domain.tld' process.env.HYDRA_ADMIN_HOST = '10.1.1.230' process.env.HYDRA_ADMIN_PORT = '4445' process.env.REDIS_HOST = '10.1.1.230' 
@@ -86,7 +86,7 @@ describe('fp/config', () => { const result = await Effect.runPromise(program) expect(result.environment).toBe('staging') - expect(result.domain.public).toBe('auth.staging.bondlink.org') + expect(result.domain.public).toBe('auth.staging.domain.tld') expect(result.domain.private).toBe('10.1.1.230') expect(result.baseUrl).toMatch(/^https:\/\//) expect(result.hydra.admin.host).toBe('10.1.1.230') @@ -100,7 +100,7 @@ describe('fp/config', () => { describe('appConfigEffect - production environment', () => { it('should load production config with strict security', async () => { process.env.APP_ENV = 'production' - process.env.PUBLIC_DOMAIN = 'auth.bondlink.org' + process.env.PUBLIC_DOMAIN = 'auth.domain.tld' process.env.PRIVATE_HOST = '10.0.0.100' process.env.HYDRA_ADMIN_HOST = '10.0.0.100' process.env.HYDRA_ADMIN_PORT = '4445' @@ -127,7 +127,7 @@ describe('fp/config', () => { it('should allow optional Google OAuth credentials in production', async () => { process.env.APP_ENV = 'production' - process.env.PUBLIC_DOMAIN = 'auth.bondlink.org' + process.env.PUBLIC_DOMAIN = 'auth.domain.tld' process.env.PRIVATE_HOST = '10.0.0.100' process.env.HYDRA_ADMIN_HOST = '10.0.0.100' process.env.DSN = 'postgres://user:pass@host:5432/db' @@ -162,9 +162,9 @@ describe('fp/config', () => { it('should handle custom port from environment', async () => { process.env.APP_ENV = 'development' - process.env.PUBLIC_DOMAIN = 'dev.bondlink.org' + process.env.PUBLIC_DOMAIN = 'dev.domain.tld' process.env.PRIVATE_HOST = 'localhost' - process.env.HYDRA_PUBLIC_URL = 'http://dev.bondlink.org:4444' + process.env.HYDRA_PUBLIC_URL = 'http://dev.domain.tld:4444' process.env.PORT = '4000' const program = Effect.gen(function* () { 
@@ -180,9 +180,9 @@ describe('fp/config', () => { it('should parse database DSN correctly', async () => { process.env.APP_ENV = 'development' - process.env.PUBLIC_DOMAIN = 'dev.bondlink.org' + process.env.PUBLIC_DOMAIN = 'dev.domain.tld' process.env.PRIVATE_HOST = 'localhost' - process.env.HYDRA_PUBLIC_URL = 'http://dev.bondlink.org:4444' + process.env.HYDRA_PUBLIC_URL = 'http://dev.domain.tld:4444' process.env.DSN = 'postgres://testuser:testpass@dbhost:5555/testdb?sslmode=disable' const program = Effect.gen(function* () { @@ -204,14 +204,14 @@ describe('fp/config', () => { describe('loadAppConfigSync', () => { it('should synchronously load config', () => { process.env.APP_ENV = 'development' - process.env.PUBLIC_DOMAIN = 'dev.bondlink.org' + process.env.PUBLIC_DOMAIN = 'dev.domain.tld' process.env.PRIVATE_HOST = 'localhost' - process.env.HYDRA_PUBLIC_URL = 'http://dev.bondlink.org:4444' + process.env.HYDRA_PUBLIC_URL = 'http://dev.domain.tld:4444' const config = loadAppConfigSync() expect(config.environment).toBe('development') - expect(config.domain.public).toBe('dev.bondlink.org') + expect(config.domain.public).toBe('dev.domain.tld') }) it('should throw on invalid config', () => { @@ -224,7 +224,7 @@ describe('fp/config', () => { describe('DomainConfig', () => { it('should support separate public and private domains', async () => { process.env.APP_ENV = 'staging' - process.env.PUBLIC_DOMAIN = 'auth.staging.bondlink.org' + process.env.PUBLIC_DOMAIN = 'auth.staging.domain.tld' process.env.PRIVATE_HOST = '10.1.1.230' process.env.HYDRA_ADMIN_HOST = '10.1.1.230' process.env.DSN = 'postgres://user:pass@host:5432/db' 
@@ -236,9 +236,9 @@ describe('fp/config', () => { const result = await Effect.runPromise(program) - expect(result.domain.public).toBe('auth.staging.bondlink.org') + expect(result.domain.public).toBe('auth.staging.domain.tld') expect(result.domain.private).toBe('10.1.1.230') - expect(result.baseUrl).toContain('auth.staging.bondlink.org') + expect(result.baseUrl).toContain('auth.staging.domain.tld') expect(result.hydra.admin.host).toBe('10.1.1.230') }) }) @@ -246,9 +246,9 @@ describe('fp/config', () => { describe('Environment defaults', () => { it('should default to local when APP_ENV is not set', async () => { delete process.env.APP_ENV - process.env.PUBLIC_DOMAIN = 'dev.bondlink.org' + process.env.PUBLIC_DOMAIN = 'dev.domain.tld' process.env.PRIVATE_HOST = 'localhost' - process.env.HYDRA_PUBLIC_URL = 'http://dev.bondlink.org:4444' + process.env.HYDRA_PUBLIC_URL = 'http://dev.domain.tld:4444' const program = Effect.gen(function* () { const config = yield* appConfigEffect From df6312f6a10a01b0f8429318d855680720f4c264 Mon Sep 17 00:00:00 2001 From: Jeff Dyke Date: Wed, 5 Nov 2025 13:06:21 -0500 Subject: [PATCH 5/6] remove ory template --- .github/pull_request_template.md | 51 -------------------------------- 1 file changed, 51 deletions(-) delete mode 100644 .github/pull_request_template.md diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md deleted file mode 100644 index f46e04d..0000000 --- a/.github/pull_request_template.md +++ /dev/null 
@@ -1,51 +0,0 @@ - - -## Related Issue or Design Document - - - -## Checklist - - - -- [ ] I have read the [contributing guidelines](../blob/master/CONTRIBUTING.md) and signed the CLA. -- [ ] I have referenced an issue containing the design document if my change introduces a new feature. -- [ ] I have read the [security policy](../security/policy). -- [ ] I confirm that this pull request does not address a security vulnerability. - If this pull request addresses a security vulnerability, - I confirm that I got approval (please contact [security@ory.com](mailto:security@ory.com)) from the maintainers to push the changes. -- [ ] I have added tests that prove my fix is effective or that my feature works. -- [ ] I have added the necessary documentation within the code base (if appropriate). - -## Further comments - - From afaa44de9a74d7247ea2cfba5a2960ed817cb414 Mon Sep 17 00:00:00 2001 
From: Jeff Dyke Date: Wed, 5 Nov 2025 13:08:14 -0500 Subject: [PATCH 6/6] remove other connections to the original repo, as they no longer apply, but have been kept --- .github/CODEOWNERS | 1 - .github/FUNDING.yml | 8 -- .github/ISSUE_TEMPLATE/BUG-REPORT.yml | 122 -------------------- .github/ISSUE_TEMPLATE/DESIGN-DOC.yml | 125 --------------------- .github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml | 86 -------------- .github/ISSUE_TEMPLATE/config.yml | 14 --- .github/auto_assign.yml | 16 --- .github/config.yml | 6 - .github/workflows/closed_references.yml | 30 ----- .github/workflows/conventional_commits.yml | 59 ---------- .github/workflows/format.yml | 17 --- .github/workflows/labels.yml | 25 ----- .github/workflows/licenses.yml | 35 ------ .github/workflows/stale.yml | 47 -------- .github/workflows/test.yml | 44 -------- 15 files changed, 635 deletions(-) delete mode 100644 .github/CODEOWNERS delete mode 100644 .github/FUNDING.yml delete mode 100644 .github/ISSUE_TEMPLATE/BUG-REPORT.yml delete mode 100644 .github/ISSUE_TEMPLATE/DESIGN-DOC.yml delete mode 100644 .github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml delete mode 100644 .github/ISSUE_TEMPLATE/config.yml delete mode 100644 .github/auto_assign.yml delete mode 100644 .github/config.yml delete mode 100644 .github/workflows/closed_references.yml delete mode 100644 .github/workflows/conventional_commits.yml delete mode 100644 .github/workflows/format.yml delete mode 100644 .github/workflows/labels.yml delete mode 100644 .github/workflows/licenses.yml delete mode 100644 .github/workflows/stale.yml delete mode 100644 .github/workflows/test.yml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS deleted file mode 100644 index 23df77a..0000000 --- a/.github/CODEOWNERS +++ /dev/null @@ -1 +0,0 @@ -* @ory/maintainers diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml deleted file mode 100644 index c440360..0000000 --- a/.github/FUNDING.yml +++ /dev/null 
@@ -1,8 +0,0 @@
-# AUTO-GENERATED, DO NOT EDIT!
-# Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/FUNDING.yml
-
-# These are supported funding model platforms
-
-# github:
-patreon: _ory
-open_collective: ory
diff --git a/.github/ISSUE_TEMPLATE/BUG-REPORT.yml b/.github/ISSUE_TEMPLATE/BUG-REPORT.yml
deleted file mode 100644
index 1cf41a0..0000000
--- a/.github/ISSUE_TEMPLATE/BUG-REPORT.yml
+++ /dev/null
@@ -1,122 +0,0 @@ -# # AUTO-GENERATED, DO NOT EDIT! -# # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/BUG-REPORT.yml - -# description: "Create a bug report" -# labels: -# - bug -# name: "Bug Report" -# body: -# - attributes: -# value: "Thank you for taking the time to fill out this bug report!\n" -# type: markdown -# - attributes: -# label: "Preflight checklist" -# options: -# - label: -# "I could not find a solution in the existing issues, docs, nor -# discussions." -# required: true -# - label: -# "I agree to follow this project's [Code of -# Conduct](https://github.com/ory/hydra-headless-ts/blob/master/CODE_OF_CONDUCT.md)." -# required: true -# - label: -# "I have read and am following this repository's [Contribution -# Guidelines](https://github.com/ory/hydra-login-consent-node/blob/master/CONTRIBUTING.md)." -# required: true -# - label: -# "I have joined the [Ory Community Slack](https://slack.ory.com)." -# - label: -# "I am signed up to the [Ory Security Patch -# Newsletter](https://www.ory.com/l/sign-up-newsletter)." -# id: checklist -# type: checkboxes -# - attributes: -# description: -# "Enter the slug or API URL of the affected Ory Network project. Leave -# empty when you are self-hosting." -# label: "Ory Network Project" -# placeholder: "https://.projects.oryapis.com" -# id: ory-network-project -# type: input -# - attributes: -# description: "A clear and concise description of what the bug is." -# label: "Describe the bug" -# placeholder: "Tell us what you see!" -# id: describe-bug -# type: textarea -# validations: -# required: true -# - attributes: -# description: | -# Clear, formatted, and easy to follow steps to reproduce the behavior: -# placeholder: | -# Steps to reproduce the behavior: - -# 1. Run `docker run ....` -# 2. Make API Request to with `curl ...` -# 3. 
Request fails with response: `{"some": "error"}` -# label: "Reproducing the bug" -# id: reproduce-bug -# type: textarea -# validations: -# required: true -# - attributes: -# description: -# "Please copy and paste any relevant log output. This will be -# automatically formatted into code, so no need for backticks. Please -# redact any sensitive information" -# label: "Relevant log output" -# render: shell -# placeholder: | -# log=error .... -# id: logs -# type: textarea -# - attributes: -# description: -# "Please copy and paste any relevant configuration. This will be -# automatically formatted into code, so no need for backticks. Please -# redact any sensitive information!" -# label: "Relevant configuration" -# render: yml -# placeholder: | -# server: -# admin: -# port: 1234 -# id: config -# type: textarea -# - attributes: -# description: "What version of our software are you running?" -# label: Version -# id: version -# type: input -# validations: -# required: true -# - attributes: -# label: "On which operating system are you observing this issue?" -# options: -# - Ory Network -# - macOS -# - Linux -# - Windows -# - FreeBSD -# - Other -# id: operating-system -# type: dropdown -# - attributes: -# label: "In which environment are you deploying?" -# options: -# - Ory Network -# - Docker -# - "Docker Compose" -# - "Kubernetes with Helm" -# - Kubernetes -# - Binary -# - Other -# id: deployment -# type: dropdown -# - attributes: -# description: "Add any other context about the problem here." -# label: Additional Context -# id: additional -# type: textarea diff --git a/.github/ISSUE_TEMPLATE/DESIGN-DOC.yml b/.github/ISSUE_TEMPLATE/DESIGN-DOC.yml deleted file mode 100644 index afbf15e..0000000 --- a/.github/ISSUE_TEMPLATE/DESIGN-DOC.yml +++ /dev/null 
@@ -1,125 +0,0 @@ -# # AUTO-GENERATED, DO NOT EDIT! -# # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/DESIGN-DOC.yml - -# description: -# "A design document is needed for non-trivial changes to the code base." -# labels: -# - rfc -# name: "Design Document" -# body: -# - attributes: -# value: | -# Thank you for writing this design document. - -# One of the key elements of Ory's software engineering culture is the use of defining software designs through design docs. These are relatively informal documents that the primary author or authors of a software system or application create before they embark on the coding project. The design doc documents the high level implementation strategy and key design decisions with emphasis on the trade-offs that were considered during those decisions. - -# Ory is leaning heavily on [Google's design docs process](https://www.industrialempathy.com/posts/design-docs-at-google/) -# and [Golang Proposals](https://github.com/golang/proposal). - -# Writing a design doc before contributing your change ensures that your ideas are checked with -# the community and maintainers. It will save you a lot of time developing things that might need to be changed -# after code reviews, and your pull requests will be merged faster. -# type: markdown -# - attributes: -# label: "Preflight checklist" -# options: -# - label: -# "I could not find a solution in the existing issues, docs, nor -# discussions." -# required: true -# - label: -# "I agree to follow this project's [Code of -# Conduct](https://github.com/ory/hydra-login-consent-node/blob/master/CODE_OF_CONDUCT.md)." -# required: true -# - label: -# "I have read and am following this repository's [Contribution -# Guidelines](https://github.com/ory/hydra-login-consent-node/blob/master/CONTRIBUTING.md)." -# required: true -# - label: -# "I have joined the [Ory Community Slack](https://slack.ory.com)." 
-# - label: -# "I am signed up to the [Ory Security Patch -# Newsletter](https://www.ory.com/l/sign-up-newsletter)." -# id: checklist -# type: checkboxes -# - attributes: -# description: -# "Enter the slug or API URL of the affected Ory Network project. Leave -# empty when you are self-hosting." -# label: "Ory Network Project" -# placeholder: "https://.projects.oryapis.com" -# id: ory-network-project -# type: input -# - attributes: -# description: | -# This section gives the reader a very rough overview of the landscape in which the new system is being built and what is actually being built. This isn’t a requirements doc. Keep it succinct! The goal is that readers are brought up to speed but some previous knowledge can be assumed and detailed info can be linked to. This section should be entirely focused on objective background facts. -# label: "Context and scope" -# id: scope -# type: textarea -# validations: -# required: true - -# - attributes: -# description: | -# A short list of bullet points of what the goals of the system are, and, sometimes more importantly, what non-goals are. Note, that non-goals aren’t negated goals like “The system shouldn’t crash”, but rather things that could reasonably be goals, but are explicitly chosen not to be goals. A good example would be “ACID compliance”; when designing a database, you’d certainly want to know whether that is a goal or non-goal. And if it is a non-goal you might still select a solution that provides it, if it doesn’t introduce trade-offs that prevent achieving the goals. -# label: "Goals and non-goals" -# id: goals -# type: textarea -# validations: -# required: true - -# - attributes: -# description: | -# This section should start with an overview and then go into details. -# The design doc is the place to write down the trade-offs you made in designing your software. Focus on those trade-offs to produce a useful document with long-term value. 
That is, given the context (facts), goals and non-goals (requirements), the design doc is the place to suggest solutions and show why a particular solution best satisfies those goals. - -# The point of writing a document over a more formal medium is to provide the flexibility to express the problem at hand in an appropriate manner. Because of this, there is no explicit guidance on how to actually describe the design. -# label: "The design" -# id: design -# type: textarea -# validations: -# required: true - -# - attributes: -# description: | -# If the system under design exposes an API, then sketching out that API is usually a good idea. In most cases, however, one should withstand the temptation to copy-paste formal interface or data definitions into the doc as these are often verbose, contain unnecessary detail and quickly get out of date. Instead, focus on the parts that are relevant to the design and its trade-offs. -# label: "APIs" -# id: apis -# type: textarea - -# - attributes: -# description: | -# Systems that store data should likely discuss how and in what rough form this happens. Similar to the advice on APIs, and for the same reasons, copy-pasting complete schema definitions should be avoided. Instead, focus on the parts that are relevant to the design and its trade-offs. -# label: "Data storage" -# id: persistence -# type: textarea - -# - attributes: -# description: | -# Design docs should rarely contain code, or pseudo-code except in situations where novel algorithms are described. As appropriate, link to prototypes that show the feasibility of the design. -# label: "Code and pseudo-code" -# id: pseudocode -# type: textarea - -# - attributes: -# description: | -# One of the primary factors that would influence the shape of a software design and hence the design doc, is the degree of constraint of the solution space. 
- -# On one end of the extreme is the “greenfield software project”, where all we know are the goals, and the solution can be whatever makes the most sense. Such a document may be wide-ranging, but it also needs to quickly define a set of rules that allow zooming in on a manageable set of solutions. - -# On the other end are systems where the possible solutions are very well defined, but it isn't at all obvious how they could even be combined to achieve the goals. This may be a legacy system that is difficult to change and wasn't designed to do what you want it to do or a library design that needs to operate within the constraints of the host programming language. - -# In this situation, you may be able to enumerate all the things you can do relatively easily, but you need to creatively put those things together to achieve the goals. There may be multiple solutions, and none of them are great, and hence such a document should focus on selecting the best way given all identified trade-offs. -# label: "Degree of constraint" -# id: constrait -# type: textarea - -# - attributes: -# description: | -# This section lists alternative designs that would have reasonably achieved similar outcomes. The focus should be on the trade-offs that each respective design makes and how those trade-offs led to the decision to select the design that is the primary topic of the document. - -# While it is fine to be succinct about a solution that ended up not being selected, this section is one of the most important ones as it shows very explicitly why the selected solution is the best given the project goals and how other solutions, that the reader may be wondering about, introduce trade-offs that are less desirable given the goals. - -# label: Alternatives considered -# id: alternatives -# type: textarea diff --git a/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml b/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml deleted file mode 100644 index 7da058f..0000000 
--- a/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -# AUTO-GENERATED, DO NOT EDIT! -# Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml - -description: - "Suggest an idea for this project without a plan for implementation" -labels: - - feat -name: "Feature Request" -body: - - attributes: - value: | - Thank you for suggesting an idea for this project! - - If you already have a plan to implement a feature or a change, please create a [design document](https://github.com/aeneasr/gh-template-test/issues/new?assignees=&labels=rfc&template=DESIGN-DOC.yml) instead if the change is non-trivial! - type: markdown - - attributes: - label: "Preflight checklist" - options: - - label: - "I could not find a solution in the existing issues, docs, nor - discussions." - required: true - - label: - "I agree to follow this project's [Code of - Conduct](https://github.com/ory/hydra-login-headless-ts/blob/master/CODE_OF_CONDUCT.md)." - required: true - - label: - "I have read and am following this repository's [Contribution - Guidelines](https://github.com/ory/hydra-login-headless-ts/blob/master/CONTRIBUTING.md)." - required: true - - label: - "I have joined the [Ory Community Slack](https://slack.ory.com)." - - label: - "I am signed up to the [Ory Security Patch - Newsletter](https://www.ory.com/l/sign-up-newsletter)." - id: checklist - type: checkboxes - - attributes: - description: - "Enter the slug or API URL of the affected Ory Network project. Leave - empty when you are self-hosting." - label: "Ory Network Project" - placeholder: "https://.projects.oryapis.com" - id: ory-network-project - type: input - - attributes: - description: - "Is your feature request related to a problem? Please describe." - label: "Describe your problem" - placeholder: - "A clear and concise description of what the problem is. Ex. 
I'm always - frustrated when [...]" - id: problem - type: textarea - validations: - required: true - - attributes: - description: | - Describe the solution you'd like - placeholder: | - A clear and concise description of what you want to happen. - label: "Describe your ideal solution" - id: solution - type: textarea - validations: - required: true - - attributes: - description: "Describe alternatives you've considered" - label: "Workarounds or alternatives" - id: alternatives - type: textarea - validations: - required: true - - attributes: - description: "What version of our software are you running?" - label: Version - id: version - type: input - validations: - required: true - - attributes: - description: - "Add any other context or screenshots about the feature request here." - label: Additional Context - id: additional - type: textarea diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml deleted file mode 100644 index aa19763..0000000 --- a/.github/ISSUE_TEMPLATE/config.yml +++ /dev/null @@ -1,14 +0,0 @@ -# AUTO-GENERATED, DO NOT EDIT! -# Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/config.yml - -blank_issues_enabled: false -contact_links: - - name: Ory Hydra Login, Logout And Consent Node Example Forum - url: https://github.com/orgs/ory/discussions - about: - Please ask and answer questions here, show your implementations and - discuss ideas. - - name: Ory Chat - url: https://www.ory.com/chat - about: - Hang out with other Ory community members to ask and answer questions. diff --git a/.github/auto_assign.yml b/.github/auto_assign.yml deleted file mode 100644 index c6cf23b..0000000 --- a/.github/auto_assign.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -# AUTO-GENERATED, DO NOT EDIT! -# Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/auto_assign.yml - -# Set to true to add reviewers to pull requests -addReviewers: true - -# Set to true to add assignees to pull requests -addAssignees: true - -# A list of reviewers to be added to pull requests (GitHub user name) -assignees: - - ory/maintainers - -# A number of reviewers added to the pull request -# Set 0 to add all the reviewers (default: 0) -numberOfReviewers: 0 diff --git a/.github/config.yml b/.github/config.yml deleted file mode 100644 index 4fed118..0000000 --- a/.github/config.yml +++ /dev/null @@ -1,6 +0,0 @@ -# AUTO-GENERATED, DO NOT EDIT! -# Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/config.yml - -todo: - keyword: "@todo" - label: todo diff --git a/.github/workflows/closed_references.yml b/.github/workflows/closed_references.yml deleted file mode 100644 index 9a1b483..0000000 --- a/.github/workflows/closed_references.yml +++ /dev/null @@ -1,30 +0,0 @@ -# AUTO-GENERATED, DO NOT EDIT! -# Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/workflows/closed_references.yml - -name: Closed Reference Notifier - -on: - schedule: - - cron: "0 0 * * *" - workflow_dispatch: - inputs: - issueLimit: - description: Max. number of issues to create - required: true - default: "5" - -jobs: - find_closed_references: - if: github.repository_owner == 'ory' - runs-on: ubuntu-latest - name: Find closed references - steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2-beta - with: - node-version: "14" - - uses: ory/closed-reference-notifier@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - issueLabels: upstream,good first issue,help wanted - issueLimit: ${{ github.event.inputs.issueLimit || '5' }} 
diff --git a/.github/workflows/conventional_commits.yml b/.github/workflows/conventional_commits.yml deleted file mode 100644 index c4d3905..0000000 --- a/.github/workflows/conventional_commits.yml +++ /dev/null @@ -1,59 +0,0 @@ -# AUTO-GENERATED, DO NOT EDIT! -# Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/workflows/conventional_commits.yml - -name: Conventional commits - -# This GitHub CI Action enforces that pull request titles follow conventional commits. -# More info at https://www.conventionalcommits.org. -# -# The Ory-wide defaults for commit titles and scopes are below. -# Your repository can add/replace elements via a configuration file at the path below. -# More info at https://github.com/ory/ci/blob/master/conventional_commit_config/README.md - -on: - pull_request_target: - types: - - edited - - opened - - ready_for_review - - reopened - # pull_request: # for debugging, uses config in local branch but supports only Pull Requests from this repo - -jobs: - main: - name: Validate PR title - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - id: config - uses: ory/ci/conventional_commit_config@master - with: - config_path: .github/conventional_commits.json - default_types: | - feat - fix - revert - docs - style - refactor - test - build - autogen - security - ci - chore - default_scopes: | - deps - docs - default_require_scope: false - - uses: amannn/action-semantic-pull-request@v4 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - types: ${{ steps.config.outputs.types }} - scopes: ${{ steps.config.outputs.scopes }} - requireScope: ${{ steps.config.outputs.requireScope }} - subjectPattern: ^(?![A-Z]).+$ - subjectPatternError: | - The subject should start with a lowercase letter, yours is uppercase: - "{subject}" diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml deleted file mode 100644 index a7a720e..0000000 
--- a/.github/workflows/format.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: Format - -on: - pull_request: - push: - -jobs: - format: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-go@v3 - with: - go-version: 1.19 - - run: make format - - name: Indicate formatting issues - run: git diff HEAD --exit-code --color diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml deleted file mode 100644 index e903667..0000000 --- a/.github/workflows/labels.yml +++ /dev/null @@ -1,25 +0,0 @@ -# AUTO-GENERATED, DO NOT EDIT! -# Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/workflows/labels.yml - -name: Synchronize Issue Labels - -on: - workflow_dispatch: - push: - branches: - - master - -jobs: - milestone: - if: github.repository_owner == 'ory' - name: Synchronize Issue Labels - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - - name: Synchronize Issue Labels - uses: ory/label-sync-action@v0 - with: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - dry: false - forced: true diff --git a/.github/workflows/licenses.yml b/.github/workflows/licenses.yml deleted file mode 100644 index 4d99650..0000000 --- a/.github/workflows/licenses.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -# AUTO-GENERATED, DO NOT EDIT! -# Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/workflows/licenses.yml - -name: Licenses - -on: - pull_request: - push: - branches: - - main - - v3 - - master - -jobs: - licenses: - name: License compliance - runs-on: ubuntu-latest - steps: - - name: Install script - uses: ory/ci/licenses/setup@master - with: - token: ${{ secrets.ORY_BOT_PAT || secrets.GITHUB_TOKEN }} - - name: Check licenses - uses: ory/ci/licenses/check@master - - name: Write, commit, push licenses - uses: ory/ci/licenses/write@master - if: - ${{ github.ref == 'refs/heads/main' || github.ref == - 'refs/heads/master' || github.ref == 'refs/heads/v3' }} - with: - author-email: - ${{ secrets.ORY_BOT_PAT && - '60093411+ory-bot@users.noreply.github.com' || - format('{0}@users.noreply.github.com', github.actor) }} - author-name: ${{ secrets.ORY_BOT_PAT && 'ory-bot' || github.actor }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml deleted file mode 100644 index ac48a5e..0000000 --- a/.github/workflows/stale.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -# AUTO-GENERATED, DO NOT EDIT! -# Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/workflows/stale.yml - -name: "Close Stale Issues" -on: - workflow_dispatch: - schedule: - - cron: "0 0 * * *" - -jobs: - stale: - if: github.repository_owner == 'ory' - runs-on: ubuntu-latest - steps: - - uses: actions/stale@v4 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - stale-issue-message: | - Hello contributors! - - I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue - - - open a PR referencing and resolving the issue; - - leave a comment on it and discuss ideas on how you could contribute towards resolving it; - - leave a comment and describe in detail why this issue is critical for your use case; - - open a new issue with updated details and a plan for resolving the issue. - - Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic. - - Unfortunately, [burnout](https://www.jeffgeerling.com/blog/2016/why-i-close-prs-oss-project-maintainer-notes) has become a [topic](https://opensource.guide/best-practices/#its-okay-to-hit-pause) of [concern](https://docs.brew.sh/Maintainers-Avoiding-Burnout) amongst open-source projects. - - It can lead to severe personal and health issues as well as [opening](https://haacked.com/archive/2019/05/28/maintainer-burnout/) catastrophic [attack vectors](https://www.gradiant.org/en/blog/open-source-maintainer-burnout-as-an-attack-surface/). - - The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone. 
- - If this issue was marked as stale erroneously you can exempt it by adding the `backlog` label, assigning someone, or setting a milestone for it. - - Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you! - - Thank you 🙏✌️ - stale-issue-label: "stale" - exempt-issue-labels: "bug,blocking,docs,backlog" - days-before-stale: 365 - days-before-close: 30 - exempt-milestones: true - exempt-assignees: true - only-pr-labels: "stale" diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml deleted file mode 100644 index 648cb16..0000000 --- a/.github/workflows/test.yml +++ /dev/null @@ -1,44 +0,0 @@ -name: test and release - -on: - push: - branches: - - master - tags: - - "*" - pull_request: - -jobs: - test: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: setup node - uses: actions/setup-node@v3 - with: - node-version: 23.7.0 - - name: install dependencies - run: npm ci - - name: build project - run: npm run build - - release: - runs-on: ubuntu-latest - if: startsWith(github.ref, 'refs/tags/') - needs: test - steps: - - uses: actions/checkout@v3 - - name: setup node - uses: actions/setup-node@v3 - with: - node-version: 23.7.0 - - name: install dependencies - run: npm ci - - name: configure npm token - run: - echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN_AENEASR - }}" > ~/.npmrc - - name: set package version - run: npm version -f --no-git-tag-version "${GITHUB_REF#refs/tags/}" - - name: publish package - run: npm publish --access public