medusa
fix: Don't store JWT token in an SSR environment
What - This change makes it so that JWT doesn't get stored on the Medusa client when in an SSR environment.
Why - Currently when the Medusa client is used in an SSR environment, the last logged in user's JWT gets stored on the Medusa client. This causes customer information to be leaked when it shouldn't be.
How - To keep things DRY, I added a typeof check to the jwt-token-manager that checks if the window is undefined. If it's undefined, I simply return, as I don't believe any further action is needed.
This fixes the issue referenced here: https://github.com/medusajs/medusa/issues/6889
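To make the shared-state problem concrete, here is an added illustration (not Medusa's own jwt-token-manager code; the factory, function names and token values are hypothetical) of a module-scoped token store without and with the `typeof window` guard, exercised as two sequential SSR requests from different visitors:

```javascript
// Hypothetical token manager modelled on the description above (not Medusa's code).
// In a browser, one module instance serves one user, so keeping the JWT in module
// state is fine. Under SSR the same module instance serves every incoming request,
// so a token registered while rendering for visitor A is still there for visitor B.
function createJwtTokenManager({
  // Environment probe: `window` only exists in a browser. Injectable for testing.
  isBrowser = () => typeof window !== "undefined",
  // Set to false to reproduce the pre-fix behaviour.
  guardSsr = true,
} = {}) {
  const tokens = { admin: null, store: null };
  return {
    registerJwt(token, domain) {
      // The fix: never persist a JWT in a non-browser (SSR) environment.
      if (guardSsr && !isBrowser()) return;
      tokens[domain] = token;
    },
    getJwt(domain) {
      return tokens[domain];
    },
  };
}

// Simulates two requests handled by one shared manager instance and returns what
// the second, anonymous request observes. Token value is constructed for the demo.
function tokenSeenBySecondRequest(manager) {
  manager.registerJwt("jwt-of-visitor-A", "store"); // request 1: visitor A logs in
  return manager.getJwt("store");                   // request 2: visitor B, not logged in
}

const ssr = () => false;      // simulate a server render
const browser = () => true;   // simulate a browser page

// Pre-fix SSR: visitor B is handed visitor A's JWT.
const leaked = tokenSeenBySecondRequest(createJwtTokenManager({ isBrowser: ssr, guardSsr: false }));
// Patched SSR: nothing is stored, so nothing leaks.
const patched = tokenSeenBySecondRequest(createJwtTokenManager({ isBrowser: ssr }));
// Browser: single user per module instance, storing the token remains valid.
const client = tokenSeenBySecondRequest(createJwtTokenManager({ isBrowser: browser }));

console.log({ leaked, patched, client }); // leaked is the JWT, patched is null, client is the JWT
```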
⚠️ No Changeset found
Latest commit: eb74321c1d1f6a5415e4e3543a02b7d67b45bcad
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
@devcshort is attempting to deploy a commit to the medusajs Team on Vercel.
A member of the Team first needs to authorize it.
@sradevski @olivermrbl @shahednasser can we ask for your review? This fix is really urgent for us.
Looks fine to me. I will let @olivermrbl and @sradevski look into it once, especially the failing CI tests.
@olivermrbl @sradevski any updates on this? This is a fairly urgent request for us and is a prerequisite before we can go to production. Thanks!
The latest updates on your projects.
1 Skipped Deployment
| Name | Status | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| medusa-docs | ⬜️ Ignored | Visit Preview | | Dec 9, 2024 8:55am |
Can we expect the fix in v1.20.11?
This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Not stale
@olivermrbl @kasperkristensen, what is your release cycle like? I'm curious when we can expect this change for the v1 Medusajs client to be released. Thanks!
Being a security issue, they may release it to version 1 too.
@devcshort, there is no release cycle for v1, since PRs are very rarely merged. We tend to do it shortly after this happens, so I expect to cut a new version later today.
@olivermrbl sounds great, thank you for the update!