Skip to content

feat: Add ALLOWED_ORIGINS environment variable for CSRF protection#725

Merged
kingston merged 1 commit into
mainfrom
kingston/eng-962-introduce-allowed_origins-environment-variable-for-local
Dec 30, 2025
Merged

feat: Add ALLOWED_ORIGINS environment variable for CSRF protection#725
kingston merged 1 commit into
mainfrom
kingston/eng-962-introduce-allowed_origins-environment-variable-for-local

Conversation

@kingston

@kingston kingston commented Dec 30, 2025

Copy link
Copy Markdown
Collaborator

Summary by CodeRabbit

  • New Features

    • Added support for an ALLOWED_ORIGINS configuration option to enhance CSRF protection, enabling additional allowed origins via comma-separated list—useful for hosting scenarios with domain rewrites.
  • Documentation

    • Updated guidance on modifying project files and creating changesets to document changes.

✏️ Tip: You can customize this high-level summary in your review settings.

@vercel

vercel Bot commented Dec 30, 2025

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
baseplate-project-builder-web Ready Ready Preview, Comment Dec 30, 2025 2:07pm

@changeset-bot

changeset-bot Bot commented Dec 30, 2025

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 4bcb75e

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 18 packages
Name Type
@baseplate-dev/plugin-auth Patch
@baseplate-dev/project-builder-common Patch
@baseplate-dev/project-builder-cli Patch
@baseplate-dev/project-builder-test Patch
@baseplate-dev/create-project Patch
@baseplate-dev/code-morph Patch
@baseplate-dev/core-generators Patch
@baseplate-dev/fastify-generators Patch
@baseplate-dev/project-builder-lib Patch
@baseplate-dev/project-builder-server Patch
@baseplate-dev/project-builder-web Patch
@baseplate-dev/react-generators Patch
@baseplate-dev/sync Patch
@baseplate-dev/tools Patch
@baseplate-dev/ui-components Patch
@baseplate-dev/utils Patch
@baseplate-dev/plugin-queue Patch
@baseplate-dev/plugin-storage Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@coderabbitai

coderabbitai Bot commented Dec 30, 2025

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

Adds ALLOWED_ORIGINS environment variable and configuration field for CSRF protection to support hosting scenarios with rewrites where host and origin headers differ. The field parses a comma-separated list and expands the allowed origins list during request verification.

Changes

Cohort / File(s) Summary
Changesets & Documentation
.changeset/add-allowed-origins-config.md, .claude/skills/modify-generated-code/SKILL.md
Added changeset documenting the new ALLOWED_ORIGINS feature. Updated skill documentation with explicit user guidance for Step 2 and added "Create Changeset" subsection (duplicated in document).
Configuration Schema
examples/blog-with-auth/apps/backend/src/services/config.ts
Added optional ALLOWED_ORIGINS field that transforms comma-separated environment variable into string[], defaulting to empty array.
Origin Verification Implementation
examples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.ts, plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.ts
Updated origin verification in two non-GET/HEAD code paths to include config.ALLOWED_ORIGINS by spreading into allowed origins array ([req.host, ...config.ALLOWED_ORIGINS]).
Plugin Generator
plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
Added ALLOWED_ORIGINS configuration field to auth-module generator with code fragment validator for parsing comma-separated string into trimmed origins array.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title accurately and concisely summarizes the primary change: adding an ALLOWED_ORIGINS environment variable for CSRF protection, which is confirmed across all modified files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing touches
  • 📝 Generate docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (3)
.claude/skills/modify-generated-code/SKILL.md (1)

402-428: Add executable changeset command to make documentation more actionable.

The new section provides helpful guidance on changeset format and package naming. However, the bash code block contains only a comment without the actual command to create a changeset. If users should follow this, consider including the actual command (e.g., npx changeset add, or whatever tool this project uses).

Also, clarify whether "Create Changeset" is a required final step before opening/merging the PR, or if it's optional. The placement after "Sync All Projects" suggests it's final, but this could be explicit.

🔎 Proposed update to make the bash command actionable
  Add a changeset to document the changes for the changelog:
  
  ```bash
- # Create a new changeset file in .changeset/ directory
+ npx changeset add

Alternatively, if the actual command differs (e.g., `pnpm changeset add`), replace accordingly.
</details>

</blockquote></details>
<details>
<summary>plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts (1)</summary><blockquote>

`34-40`: **LGTM! Config field correctly implements comma-separated origin parsing.**

The implementation correctly uses `tsCodeFragment` for code generation and the Zod v4 transform pattern to parse the comma-separated string into an array. The falsy check handles both undefined and empty string cases appropriately.




<details>
<summary>Optional: Consider adding URL validation</summary>

While the current implementation works correctly (invalid values are normalized and filtered by `verifyRequestOrigin`), you could add explicit URL validation to catch configuration errors earlier:

```diff
 configService.configFields.set('ALLOWED_ORIGINS', {
   validator: tsCodeFragment(
-    "z.string().optional().transform((val) => (val ? val.split(',').map((s) => s.trim()) : []))",
+    "z.string().optional().transform((val) => { const origins = val ? val.split(',').map((s) => s.trim()).filter(Boolean) : []; origins.forEach(o => { try { new URL(o); } catch { throw new Error(`Invalid origin URL: ${o}`); } }); return origins; })",
   ),

However, this adds complexity and the current approach of delegating validation to verifyRequestOrigin is acceptable.

Based on learnings and coding guidelines for generator patterns.

examples/blog-with-auth/apps/backend/src/services/config.ts (1)

4-8: LGTM! Config schema correctly parses comma-separated origins.

The Zod v4 transform pattern correctly handles the optional comma-separated string, returning an empty array when undefined or falsy, and splitting/trimming when provided. The output type is consistently string[], which is safely consumed by the origin verification logic.

Optional: Filter empty strings explicitly

Consider explicitly filtering out empty strings after splitting to handle edge cases like trailing commas:

 ALLOWED_ORIGINS: z
   .string()
   .optional()
-  .transform((val) => (val ? val.split(',').map((s) => s.trim()) : [])),
+  .transform((val) => (val ? val.split(',').map((s) => s.trim()).filter(Boolean) : [])),

However, since verifyRequestOrigin already filters out falsy values after normalization, this is a minor refinement rather than a correctness issue.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 9638baf and 4bcb75e.

⛔ Files ignored due to path filters (72)
  • examples/blog-with-auth/apps/backend/baseplate/generated/src/modules/accounts/services/user-session.service.ts is excluded by !**/generated/**, !**/generated/**
  • examples/blog-with-auth/apps/backend/baseplate/generated/src/services/config.ts is excluded by !**/generated/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/alert.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/badge.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/breadcrumb.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/calendar.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/card.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/checkbox.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/circular-progress.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/combobox.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/command.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/date-picker-field.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/date-time-picker-field.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/dialog.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/dropdown.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/empty-display.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/error-display.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/form-item.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/label.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/loader.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/multi-combobox.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/navigation-menu.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/popover.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/scroll-area.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/select.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/separator.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/sheet.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/sidebar.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/skeleton.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/switch.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/table.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/textarea.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/components/ui/tooltip.tsx is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/styles.css is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/styles/button.ts is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/styles/input.ts is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/baseplate/generated/src/styles/select.ts is excluded by !**/generated/**, !tests/**, !**/generated/**
  • tests/simple/apps/web/src/components/ui/alert.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/badge.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/breadcrumb.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/calendar.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/card.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/checkbox.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/circular-progress.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/combobox.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/command.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/date-picker-field.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/date-time-picker-field.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/dialog.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/dropdown.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/empty-display.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/error-display.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/form-item.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/label.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/loader.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/multi-combobox.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/navigation-menu.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/popover.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/scroll-area.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/select.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/separator.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/sheet.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/sidebar.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/skeleton.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/switch.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/table.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/textarea.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/components/ui/tooltip.tsx is excluded by !tests/**
  • tests/simple/apps/web/src/styles.css is excluded by !tests/**
  • tests/simple/apps/web/src/styles/button.ts is excluded by !tests/**
  • tests/simple/apps/web/src/styles/input.ts is excluded by !tests/**
  • tests/simple/apps/web/src/styles/select.ts is excluded by !tests/**
📒 Files selected for processing (6)
  • .changeset/add-allowed-origins-config.md
  • .claude/skills/modify-generated-code/SKILL.md
  • examples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.ts
  • examples/blog-with-auth/apps/backend/src/services/config.ts
  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.ts
🧰 Additional context used
📓 Path-based instructions (9)
.changeset/*.md

📄 CodeRabbit inference engine (AGENTS.md)

Add a new Changeset for any new feature or existing feature change in the .changeset/ directory following the form with patch changes

Files:

  • .changeset/add-allowed-origins-config.md
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/code-style.mdc)

**/*.{ts,tsx}: Use TypeScript with strict type checking enabled
Always include return types on top-level functions including React components (React.ReactElement)
Include absolute paths in import statements via tsconfig paths (@src/ is the alias for src/)
If a particular interface or type is not exported, change the file so it is exported
If caught on a typing loop where forcing the any type is necessary, do not iterate too much - leave the typing as broken and let the user fix it

If target code is not easily testable, refactor it to be more testable (e.g., export types or functions)

If a particular interface or type is not exported, change the file so it is exported

Files:

  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.ts
  • examples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.ts
  • examples/blog-with-auth/apps/backend/src/services/config.ts
  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/code-style.mdc)

**/*.{ts,tsx,js}: Node 16 module resolution - include file extensions in imports (.js)
Sort imports by group: external libs first, then local imports
Use camelCase for variables/functions, PascalCase for types/classes
Order functions such that functions are placed below the variables/functions they use
Prefer using nullish coalescing operator (??) instead of logical or (||), enforced via ESLint rule
Prefer barrel exports e.g. export * from './foo.js' instead of individual named exports
Use console.info/warn/error instead of console.log

Files:

  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.ts
  • examples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.ts
  • examples/blog-with-auth/apps/backend/src/services/config.ts
  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
**/*.{js,ts,tsx,jsx}

📄 CodeRabbit inference engine (.cursor/rules/mcp-actions.mdc)

**/*.{js,ts,tsx,jsx}: Use mcp__baseplate_dev_server__diff_project() to generate a diff between generated and current working directory state, with optional parameters for compact format, specific packages, and file glob filtering
Use mcp__baseplate_dev_server__sync_project() to sync a specified project using the baseplate sync engine, with optional parameters for overwrite behavior, command skipping, and custom snapshot directory
Use mcp__baseplate_dev_server__delete_template() to delete templates by providing a file path and optionally the project name, which removes the template file, metadata, and generated files
Use mcp__baseplate_dev_server__extract_templates() to extract templates from a project and app, with optional auto-generation of extractor.json files and directory cleanup control
Use mcp__baseplate_dev_server__generate_templates() to generate typed template files from existing extractor.json configurations with optional project specification and cleanup control
Use mcp__baseplate_dev_server__create_generator() to create new generators with boilerplate code, using naming format 'category/name' and specifying the target directory
Use mcp__baseplate_dev_server__list_templates() to list all available generators with their templates, optionally filtered by project
Use mcp__baseplate_dev_server__show_template_metadata() to retrieve template metadata for a file from .templates-info.json using file path and optional project specification
Use mcp__baseplate_dev_server__snapshot_add() to track files in snapshots for persistent difference tracking, specifying project, app, file paths, and optional deletion markers
Use mcp__baseplate_dev_server__snapshot_remove() to untrack files from snapshot management with project, app, and file path specifications
Use mcp__baseplate_dev_server__snapshot_save() to persist current differences to snapshot with optional force flag to bypass confirmation
Use mcp__baseplate_dev_server__snapshot_show() to dis...

Files:

  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.ts
  • examples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.ts
  • examples/blog-with-auth/apps/backend/src/services/config.ts
  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
**/*.{tsx,ts,jsx,js}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

Import components from '@baseplate-dev/ui-components' package using destructured imports (e.g., import { Button, Input, Card, Dialog } from '@baseplate-dev/ui-components';)

Files:

  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.ts
  • examples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.ts
  • examples/blog-with-auth/apps/backend/src/services/config.ts
  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

Always use compareStrings from @baseplate-dev/utils instead of String.prototype.localeCompare() for code generation, file sorting, and internal data structures

Files:

  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.ts
  • examples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.ts
  • examples/blog-with-auth/apps/backend/src/services/config.ts
  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
**/generators/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/generators/**/*.{ts,tsx}: Follow task-based architecture for generators using createGenerator and createGeneratorTask
Use provider scopes for explicit wiring and to control visibility and prevent collisions between tasks
Use TsCodeFragment for composable code pieces and TsCodeUtils for manipulating fragments in TypeScript code generation
Use the import builder for managing dependencies in TypeScript code generation
Organize complex generation with Task Phases for ordered execution
Use Dynamic Tasks for data-driven generation

Files:

  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.ts
  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
examples/blog-with-auth/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (examples/blog-with-auth/CLAUDE.md)

examples/blog-with-auth/**/*.{ts,tsx,js,jsx}: Always use .js extensions in import statements, even for TypeScript files (e.g., import { getSystemInfo } from '@src/system-info.js';)
Follow ESM module resolution with TypeScript's NodeNext setting
Add JSDocs to all exported functions, interfaces, and classes with documentation of the function, its parameters, return value, and all fields

Files:

  • examples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.ts
  • examples/blog-with-auth/apps/backend/src/services/config.ts
examples/blog-with-auth/**/*.{ts,tsx}

📄 CodeRabbit inference engine (examples/blog-with-auth/CLAUDE.md)

examples/blog-with-auth/**/*.{ts,tsx}: Use import type for type-only imports in TypeScript
Always specify explicit return types for functions in TypeScript

Files:

  • examples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.ts
  • examples/blog-with-auth/apps/backend/src/services/config.ts
🧠 Learnings (17)
📚 Learning: 2025-12-30T13:56:01.641Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T13:56:01.641Z
Learning: Applies to .changeset/*.md : Add a new Changeset for any new feature or existing feature change in the `.changeset/` directory following the form with patch changes

Applied to files:

  • .claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-12-30T13:55:38.712Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: .cursor/rules/mcp-actions.mdc:0-0
Timestamp: 2025-12-30T13:55:38.712Z
Learning: Applies to **/*.{js,ts,tsx,jsx} : Use `mcp__baseplate_dev_server__generate_templates()` to generate typed template files from existing extractor.json configurations with optional project specification and cleanup control

Applied to files:

  • .claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-12-30T13:55:38.712Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: .cursor/rules/mcp-actions.mdc:0-0
Timestamp: 2025-12-30T13:55:38.712Z
Learning: Applies to **/*.{js,ts,tsx,jsx} : Use `mcp__baseplate_dev_server__extract_templates()` to extract templates from a project and app, with optional auto-generation of extractor.json files and directory cleanup control

Applied to files:

  • .claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-12-30T13:55:38.712Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: .cursor/rules/mcp-actions.mdc:0-0
Timestamp: 2025-12-30T13:55:38.712Z
Learning: Applies to **/*.{js,ts,tsx,jsx} : Use `mcp__baseplate_dev_server__show_template_metadata()` to retrieve template metadata for a file from .templates-info.json using file path and optional project specification

Applied to files:

  • .claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-11-24T19:44:33.994Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: examples/blog-with-auth/CLAUDE.md:0-0
Timestamp: 2025-11-24T19:44:33.994Z
Learning: Be careful when customizing generated files as they may be overwritten during regeneration

Applied to files:

  • .claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-12-30T13:56:01.641Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T13:56:01.641Z
Learning: Applies to **/generators/**/*.{ts,tsx} : Organize complex generation with Task Phases for ordered execution

Applied to files:

  • .claude/skills/modify-generated-code/SKILL.md
  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
📚 Learning: 2025-12-30T13:55:38.712Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: .cursor/rules/mcp-actions.mdc:0-0
Timestamp: 2025-12-30T13:55:38.712Z
Learning: Applies to **/*.{js,ts,tsx,jsx} : Use `mcp__baseplate_dev_server__list_templates()` to list all available generators with their templates, optionally filtered by project

Applied to files:

  • .claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-12-30T13:56:01.641Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T13:56:01.641Z
Learning: Applies to **/generators/**/*.{ts,tsx} : Follow task-based architecture for generators using `createGenerator` and `createGeneratorTask`

Applied to files:

  • .claude/skills/modify-generated-code/SKILL.md
  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
📚 Learning: 2025-12-30T13:55:38.712Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: .cursor/rules/mcp-actions.mdc:0-0
Timestamp: 2025-12-30T13:55:38.712Z
Learning: Applies to **/*.{js,ts,tsx,jsx} : Use `mcp__baseplate_dev_server__create_generator()` to create new generators with boilerplate code, using naming format 'category/name' and specifying the target directory

Applied to files:

  • .claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-12-30T13:55:38.712Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: .cursor/rules/mcp-actions.mdc:0-0
Timestamp: 2025-12-30T13:55:38.712Z
Learning: Applies to **/*.{js,ts,tsx,jsx} : Use `mcp__baseplate_dev_server__snapshot_save()` to persist current differences to snapshot with optional force flag to bypass confirmation

Applied to files:

  • .claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-12-30T13:55:38.712Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: .cursor/rules/mcp-actions.mdc:0-0
Timestamp: 2025-12-30T13:55:38.712Z
Learning: Applies to **/*.{js,ts,tsx,jsx} : Use `mcp__baseplate_dev_server__snapshot_add()` to track files in snapshots for persistent difference tracking, specifying project, app, file paths, and optional deletion markers

Applied to files:

  • .claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-11-24T19:44:33.994Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: examples/blog-with-auth/CLAUDE.md:0-0
Timestamp: 2025-11-24T19:44:33.994Z
Learning: Applies to examples/blog-with-auth/**/tsconfig.json : Use strict type checking in TypeScript configuration

Applied to files:

  • examples/blog-with-auth/apps/backend/src/services/config.ts
📚 Learning: 2025-11-24T19:44:33.994Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: examples/blog-with-auth/CLAUDE.md:0-0
Timestamp: 2025-11-24T19:44:33.994Z
Learning: Applies to examples/blog-with-auth/**/tsconfig.json : Enable `isolatedModules` in TypeScript configuration

Applied to files:

  • examples/blog-with-auth/apps/backend/src/services/config.ts
📚 Learning: 2025-12-30T13:56:01.641Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T13:56:01.641Z
Learning: Applies to **/generators/**/*.{ts,tsx} : Use provider scopes for explicit wiring and to control visibility and prevent collisions between tasks

Applied to files:

  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
📚 Learning: 2025-12-30T13:56:01.641Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T13:56:01.641Z
Learning: Applies to **/generators/**/*.{ts,tsx} : Use Dynamic Tasks for data-driven generation

Applied to files:

  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
📚 Learning: 2025-07-12T19:56:08.559Z
Learnt from: kingston
Repo: halfdomelabs/baseplate PR: 606
File: plugins/plugin-auth/src/auth/core/generators/auth-apollo/auth-apollo.generator.ts:24-32
Timestamp: 2025-07-12T19:56:08.559Z
Learning: For generator functions and configuration object methods like those in createGeneratorTask, inferred return types are acceptable when the structure is clear from the implementation. ESLint rules handle enforcement of explicit return types where truly needed, so manual review for this is not necessary.

Applied to files:

  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
📚 Learning: 2025-05-05T06:37:51.001Z
Learnt from: kingston
Repo: halfdomelabs/baseplate PR: 521
File: packages/react-generators/src/generators/admin/admin-crud-list/admin-crud-list.generator.ts:163-166
Timestamp: 2025-05-05T06:37:51.001Z
Learning: For certain templates in the codebase, the `importMapProviders` property is not explicitly required as the template extractor will automatically determine and infer the necessary import map providers.

Applied to files:

  • plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
🧬 Code graph analysis (2)
plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.ts (2)
plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/utils/verify-request-origin.ts (1)
  • verifyRequestOrigin (27-45)
examples/blog-with-auth/apps/backend/src/services/config.ts (1)
  • config (23-23)
plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts (1)
packages/core-generators/src/renderers/typescript/fragments/creators.ts (1)
  • tsCodeFragment (73-83)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Test E2E
  • GitHub Check: Lint
  • GitHub Check: test
🔇 Additional comments (4)
.claude/skills/modify-generated-code/SKILL.md (1)

231-231: Clear guardrail added to prevent premature generator modifications.

The explicit warning about NOT modifying generator code before user review is comprehensive and well-placed. This aligns with the code-first development approach outlined in the skill and prevents generator code from diverging from template extractions.

.changeset/add-allowed-origins-config.md (1)

1-8: LGTM! Changeset properly documents the new feature.

The changeset follows the correct format and clearly describes the addition of the ALLOWED_ORIGINS configuration field for CSRF protection.

examples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.ts (1)

187-187: LGTM! Origin verification correctly includes additional allowed origins.

The spread operator safely includes config.ALLOWED_ORIGINS alongside req.host for CSRF protection. Since the config transform ensures ALLOWED_ORIGINS is always a string[] (defaulting to []), the spread operation is safe and the logic correctly implements the intended behavior for hosting scenarios with rewrites.

plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.ts (1)

183-183: LGTM! Template correctly implements origin verification with additional origins.

The template properly generates the same origin verification logic as the example application, ensuring consistency between generated code and the reference implementation. The spread of config.ALLOWED_ORIGINS is safe and correct.

@kingston kingston merged commit b26e6e9 into main Dec 30, 2025
17 checks passed
@kingston kingston deleted the kingston/eng-962-introduce-allowed_origins-environment-variable-for-local branch December 30, 2025 14:11
@github-actions github-actions Bot mentioned this pull request Dec 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant