Fix minor issues in SDKs #13

Merged
brionmario merged 2 commits into thunder-id:main from brionmario:migrate
Jul 1, 2026
Conversation

@brionmario

@brionmario brionmario commented Jul 1, 2026

Member

Purpose

$subject

Approach

N/A

Related Issues

  • N/A

Related PRs

  • N/A

Checklist

  • Followed the contribution guidelines.
  • Manual test round performed and verified.
  • Documentation provided. (Add links if there are any)
  • Tests provided. (Add links if there are any)
    • Unit Tests
    • Integration Tests
  • Breaking changes. (Fill if applicable)
    • Breaking changes section filled.
    • breaking change label added.

Security checks

  • Followed secure coding standards in WSO2 Secure Coding Guidelines
  • Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets.

Summary by CodeRabbit

  • Bug Fixes
    • Improved CommonJS package compatibility by pointing CommonJS entrypoints to the .cjs builds.
    • Strengthened OIDC well-known discovery handling with safer fallbacks and improved error mapping.
    • Removed/adjusted auth route registrations and callback routing in templates/samples.
  • New Features
    • Added a protected dashboard experience to the React Vite template.
    • Added a user dropdown to the new dashboard view.
  • Documentation
    • Updated quickstart environment examples (including local TLS overrides and required env vars).
    • Updated “Sign In” button labeling in templates and samples.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026


Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 17a74122-a05d-4891-a7c2-9b3ae1e04a78

📥 Commits

Reviewing files that changed from the base of the PR and between c2b4011 and 9f71eae.

📒 Files selected for processing (13)
  • packages/javascript/src/ThunderIDJavaScriptClient.ts
  • samples/browser/quickstart/src/pages/home.js
  • samples/express/quickstart/.env.example
  • samples/nextjs/quickstart/.env.example
  • samples/nextjs/quickstart/app/page.tsx
  • samples/node/quickstart/.env.example
  • samples/nuxt/quickstart/.env.example
  • samples/nuxt/quickstart/pages/index.vue
  • samples/react/quickstart/src/pages/HomePage.jsx
  • samples/vue/quickstart/src/pages/HomePage.vue
  • templates/nextjs/nextjs-template/app/page.tsx
  • templates/react/vite-react-template/src/Home.jsx
  • templates/vue/vite-vue-template/src/App.vue
📝 Walkthrough

Walkthrough

This PR updates CommonJS build outputs to .cjs, changes OIDC discovery fallback behavior, removes a Nuxt branding route, and revises sample/template environment, routing, and sign-in button markup.

Changes

CJS Build Output Rename

| Layer / File(s) | Summary |
| --- | --- |
| Package entrypoint updates: packages/browser/package.json, packages/express/package.json, packages/react-router/package.json, packages/tanstack-router/package.json | Updates main/commonjs and exports.require fields to reference .cjs output files instead of .js. |
| Rolldown build output paths: packages/browser/rolldown.config.js, packages/react-router/rolldown.config.js, packages/tanstack-router/rolldown.config.js | Updates CJS bundle write/output file paths to .cjs to match the new package entrypoints. |

OIDC Discovery Fallback and Nuxt Route Removal

| Layer / File(s) | Summary |
| --- | --- |
| Well-known discovery fallback logic: packages/javascript/src/ThunderIDJavaScriptClient.ts | Fetch/HTTP failures on the well-known endpoint no longer throw immediately; the method falls back to resolving endpoints via baseUrl or throws an "Invalid well-known response" error if no fallback is possible. |
| Nuxt branding route removal: packages/nuxt/src/module.ts | Removes the branding server route entry (/api/auth/branding) from serverRoutes. |

Sample and Template Updates

| Layer / File(s) | Summary |
| --- | --- |
| Sample env example updates: samples/express/quickstart/.env.example, samples/nextjs/quickstart/.env.example, samples/node/quickstart/.env.example, samples/nuxt/quickstart/.env.example | Adds NEXT_PUBLIC_THUNDERID_APPLICATION_ID and NODE_TLS_REJECT_UNAUTHORIZED=0 (with explanatory comment) to example environment files. |
| React sample callback route removal: samples/react/quickstart/src/App.jsx, samples/react/quickstart/src/main.jsx | Removes the CallbackRoute import, the /callback route, and the afterSignInUrl provider prop. |
| Vite React template dashboard route: templates/react/vite-react-template/src/App.jsx, templates/react/vite-react-template/src/Dashboard.jsx, templates/react/vite-react-template/src/Home.jsx, templates/react/vite-react-template/src/main.jsx | Replaces /callback with a protected /dashboard route rendering a new Dashboard component, simplifies Home.jsx to only render SignInButton, and removes afterSignInUrl from main.jsx. |
| Template sign-in button labels: templates/nextjs/nextjs-template/app/page.tsx, templates/vue/vite-vue-template/src/App.vue | Changes SignInButton usage to render explicit Sign In text in the Next.js and Vue templates. |

Estimated code review effort: 4 (Complex) | ~45 minutes

Possibly related PRs

  • thunder-id/javascript-sdks#12: Both PRs modify the React Vite template auth routing/provider setup around the /callback flow and afterSignInUrl.

Suggested reviewers: pavinduLakshan, DonOmalVindula

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | The template is present, but Purpose and Approach are left as placeholders and the checklist is unfilled. | Replace $subject with a real summary, describe the approach, and complete the relevant checklist items, especially tests and security. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Title check | ❓ Inconclusive | The title is related to the SDK fixes, but it is too broad to identify the main change. | Use a more specific title that names the primary change, such as the package entrypoint and auth route updates. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Comment @coderabbitai help to get the list of available commands.
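
The well-known discovery fallback summarized in the walkthrough above, as an added example that is not code from this PR or from the ThunderID SDK. It goes one step beyond the HTTP-failure case by sending malformed or incomplete discovery documents down the same fallback path; `resolveDiscovery`, `DiscoveryError`, the injectable `fetchImpl` and the `/oauth2/*` fallback paths are all assumptions made for illustration.

```javascript
// Added example. All names here are hypothetical; this is not the ThunderID SDK's code.
class DiscoveryError extends Error {
  constructor(message, cause) {
    super(String(message)); // the exception always carries a string, never a raw error object
    this.name = 'DiscoveryError';
    this.cause = cause;
  }
}

const REQUIRED = ['issuer', 'authorization_endpoint', 'token_endpoint'];

// Accept a discovery document only if every required value is an absolute https URL.
function validateMetadata(doc) {
  if (doc === null || typeof doc !== 'object') {
    throw new DiscoveryError('discovery document is not a JSON object');
  }
  const out = { source: 'well-known' };
  for (const key of REQUIRED) {
    let url;
    try {
      url = new URL(doc[key]);
    } catch {
      throw new DiscoveryError(`discovery document has no usable ${key}`);
    }
    if (url.protocol !== 'https:') throw new DiscoveryError(`${key} is not an https URL`);
    out[key] = doc[key];
  }
  return out;
}

// Fallback: derive endpoints from baseUrl. The /oauth2/* paths are assumed for illustration.
function endpointsFromBaseUrl(baseUrl) {
  const root = new URL(baseUrl); // throws on a malformed baseUrl
  if (root.protocol !== 'https:') throw new DiscoveryError('baseUrl is not an https URL');
  const base = root.href.replace(/\/+$/, '');
  return {
    source: 'baseUrl',
    issuer: base,
    authorization_endpoint: `${base}/oauth2/authorize`,
    token_endpoint: `${base}/oauth2/token`,
  };
}

// fetchImpl is injectable so the logic can be exercised offline.
async function resolveDiscovery({ wellKnownUrl, baseUrl, fetchImpl = fetch }) {
  let failure;
  try {
    const response = await fetchImpl(wellKnownUrl);
    if (!response.ok) throw new DiscoveryError(`well-known returned HTTP ${response.status}`);
    // Parse and validation errors land in the same catch as network and HTTP errors.
    return validateMetadata(await response.json());
  } catch (err) {
    failure = err instanceof Error ? err : new Error(String(err));
  }
  if (!baseUrl) {
    throw new DiscoveryError(`Invalid well-known response: ${failure.message}`, failure);
  }
  try {
    // fallbackReason lets the caller log why discovery was bypassed.
    return { ...endpointsFromBaseUrl(baseUrl), fallbackReason: failure.message };
  } catch (err) {
    throw new DiscoveryError(`Invalid well-known response; baseUrl unusable: ${err.message}`, failure);
  }
}
```

Logging `fallbackReason` matters operationally: a fallback that succeeds silently hides a broken or tampered discovery endpoint from whoever runs the application.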

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 7

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
templates/react/vite-react-template/src/Dashboard.jsx (1)

1-10: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Add missing copyright header.

Static analysis flags this new file as missing the required WSO2 Apache 2.0 copyright header enforced by the @thunderid/copyright-header rule.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@templates/react/vite-react-template/src/Dashboard.jsx` around lines 1 - 10,
The new Dashboard component is missing the required WSO2 Apache 2.0 copyright
header. Add the standard copyright notice at the top of the Dashboard.jsx file
before the existing imports, matching the format used by other files covered by
the `@thunderid/copyright-header` rule.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/javascript/src/ThunderIDJavaScriptClient.ts`:
- Around line 356-365: The discovery handling in ThunderIDJavaScriptClient still
throws raw JSON/endpoint-resolution errors for successful HTTP responses instead
of preserving the malformed response on the baseUrl fallback path. Update the
response-handling logic around the response.json() and
authHelper.resolveEndpoints call so failures from parsing/resolving discovery
metadata are caught and routed to the existing baseUrl fallback, and only raise
ThunderIDAuthException if the fallback also fails. While doing so, remove the
unsafe any usage in the catch and ensure ThunderIDAuthException receives a
string message rather than passing the raw error object.

In `@samples/express/quickstart/.env.example`:
- Around line 5-6: The .env.example entry for NODE_TLS_REJECT_UNAUTHORIZED is
too risky to ship as a copy-paste default; update the quickstart example to
avoid encouraging global TLS disablement. Remove NODE_TLS_REJECT_UNAUTHORIZED=0
from the sample env file and document it as an explicit dev-only runtime flag,
or replace it with NODE_EXTRA_CA_CERTS for the self-signed cert; if you keep any
warning text, make it a prominent DANGER note.
- Line 3: The Express quickstart env example includes a stray
NEXT_PUBLIC_THUNDERID_APPLICATION_ID entry that is not used by
samples/express/quickstart/index.js. Update the .env.example contents to match
the Express configuration keys used by the app (THUNDERID_BASE_URL,
THUNDERID_CLIENT_ID, THUNDERID_CLIENT_SECRET) or remove the unused variable so
the example stays consistent with the actual setup.

In `@samples/nextjs/quickstart/.env.example`:
- Around line 6-7: The .env.example entry for NODE_TLS_REJECT_UNAUTHORIZED=0 in
the Next.js quickstart sample should be made safer or more clearly marked as
dangerous. Update the comment near the NODE_TLS_REJECT_UNAUTHORIZED setting to
use a stronger warning (for example a DANGER-style prefix) and/or replace it
with a safer local-dev approach such as NODE_EXTRA_CA_CERTS or a runtime flag so
it is less likely to be copy-pasted into production.

In `@samples/node/quickstart/.env.example`:
- Around line 4-5: The .env.example entry for NODE_TLS_REJECT_UNAUTHORIZED=0 in
the quickstart sample is too easy to copy into production and globally disables
TLS verification. Update the example around the NODE_TLS_REJECT_UNAUTHORIZED
setting to use safer guidance, such as making it clearly local-only with a
stronger warning or replacing it with a more explicit development-only
alternative in the sample config.

In `@samples/nuxt/quickstart/.env.example`:
- Around line 5-6: The .env.example entry for NODE_TLS_REJECT_UNAUTHORIZED=0 is
too easy to copy into production, so update the example in the quickstart
environment file to avoid normalizing global TLS disablement. Either replace it
with a safer local-only alternative or make the warning in the comment much
stronger and more explicit that it must never be used in production, while
keeping the guidance near the NODE_TLS_REJECT_UNAUTHORIZED example.

In `@templates/react/vite-react-template/src/Home.jsx`:
- Around line 1-9: The Home component currently always renders SignInButton, so
authenticated users never get the signed-in experience on the root route. Update
Home in Home.jsx to restore the SignedIn/SignedOut split using the existing auth
components, or otherwise add a dashboard link/redirect for signed-in users so /
still provides dashboard access. Keep the fix localized to the Home component
and preserve the current unauthenticated sign-in behavior.

---

Outside diff comments:
In `@templates/react/vite-react-template/src/Dashboard.jsx`:
- Around line 1-10: The new Dashboard component is missing the required WSO2
Apache 2.0 copyright header. Add the standard copyright notice at the top of the
Dashboard.jsx file before the existing imports, matching the format used by
other files covered by the `@thunderid/copyright-header` rule.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 852eee0f-a1f3-47b3-b73c-343502ac19d4

📥 Commits

Reviewing files that changed from the base of the PR and between 0bdd795 and 8c79277.

📒 Files selected for processing (19)
  • packages/browser/package.json
  • packages/browser/rolldown.config.js
  • packages/express/package.json
  • packages/javascript/src/ThunderIDJavaScriptClient.ts
  • packages/nuxt/src/module.ts
  • packages/react-router/package.json
  • packages/react-router/rolldown.config.js
  • packages/tanstack-router/package.json
  • packages/tanstack-router/rolldown.config.js
  • samples/express/quickstart/.env.example
  • samples/nextjs/quickstart/.env.example
  • samples/node/quickstart/.env.example
  • samples/nuxt/quickstart/.env.example
  • samples/react/quickstart/src/App.jsx
  • samples/react/quickstart/src/main.jsx
  • templates/react/vite-react-template/src/App.jsx
  • templates/react/vite-react-template/src/Dashboard.jsx
  • templates/react/vite-react-template/src/Home.jsx
  • templates/react/vite-react-template/src/main.jsx
💤 Files with no reviewable changes (3)
  • samples/react/quickstart/src/main.jsx
  • packages/nuxt/src/module.ts
  • templates/react/vite-react-template/src/main.jsx

Comment thread packages/javascript/src/ThunderIDJavaScriptClient.ts Outdated
Comment thread samples/express/quickstart/.env.example Outdated
Comment thread samples/express/quickstart/.env.example Outdated
Comment thread samples/nextjs/quickstart/.env.example Outdated
Comment thread samples/node/quickstart/.env.example Outdated
Comment thread samples/nuxt/quickstart/.env.example Outdated
Comment on lines +1 to 9
import { SignInButton } from '@thunderid/react'

export default function Home() {
return (
<main>
<SignedOut>
<h1>Welcome</h1>
<SignInButton />
</SignedOut>
<SignedIn>
<User>{(user) => <h1>Hello, {user.given_name || user.username}.</h1>}</User>
<SignOutButton />
</SignedIn>
<SignInButton />
</main>
)
}
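
Review bot: the import on the first line of this hunk names only SignInButton, while the JSX below it still shows SignedOut, SignedIn, User and SignOutButton, and a second <SignInButton /> sits directly before </main> outside any wrapper. The +/- markers are not visible here, so if the SignedOut/SignedIn block is the removed side, that remaining button renders for every visitor regardless of session state; wrap it in <SignedOut>, keep a signed-in branch (or a link to the dashboard), and extend the import to match whichever components stay.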


🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

@thunderid/react SignInButton component behavior when user is already signed in

💡 Result:

In the @thunderid/react SDK, the SignInButton component is designed to be used in conjunction with conditional rendering components like SignedIn and SignedOut [1][2]. When a user is already signed in, the SignInButton component is not rendered because developers typically wrap it inside the SignedOut component [1][3][4]. The SignedOut component automatically hides its children when an authentication session is detected [1][4]. If you were to manually render the SignInButton while a user is already signed in, the SDK's internal authentication state management would recognize the active session, and clicking the button would typically result in no action, or it would simply redirect the user back to the application or your configured post-login redirect URI, as the authentication flow is already satisfied [4]. To implement this correctly, use the provided conditional rendering components as shown in the official patterns: import { SignedIn, SignedOut, SignInButton, SignOutButton } from '@thunderid/react'; function App { return ( <> Sign In Sign Out </>); } By following this pattern, the SignInButton is physically removed from the DOM when the user has an active session [1][4].

Citations:


🏁 Script executed:

git ls-files | rg '^(templates/react/vite-react-template|templates/react|.*react.*template).*'

Repository: thunder-id/javascript-sdks

Length of output: 656


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== file list ==\n'
git ls-files templates/react/vite-react-template/src templates/react/vite-react-template/README.md templates/react/vite-react-template/package.json

printf '\n== main.jsx ==\n'
cat -n templates/react/vite-react-template/src/main.jsx

printf '\n== App.jsx ==\n'
cat -n templates/react/vite-react-template/src/App.jsx

printf '\n== Home.jsx ==\n'
cat -n templates/react/vite-react-template/src/Home.jsx

printf '\n== Dashboard.jsx ==\n'
cat -n templates/react/vite-react-template/src/Dashboard.jsx

printf '\n== README.md (relevant lines) ==\n'
rg -n "dashboard|route|react-router|SignedIn|SignedOut|SignInButton|SignOutButton" templates/react/vite-react-template/README.md

Repository: thunder-id/javascript-sdks

Length of output: 2305


Restore the signed-in Home state
templates/react/vite-react-template/src/Home.jsx now always shows SignInButton, so authenticated users no longer get any dashboard affordance on /. Bring back the SignedIn/SignedOut split or add a link/redirect to /dashboard.

🧰 Tools
🪛 ESLint

[error] 1-10: Missing WSO2 Apache 2.0 copyright header

(@thunderid/copyright-header)


[error] 1-1: Unable to resolve path to module '@thunderid/react'.

(import-x/no-unresolved)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@templates/react/vite-react-template/src/Home.jsx` around lines 1 - 9, The
Home component currently always renders SignInButton, so authenticated users
never get the signed-in experience on the root route. Update Home in Home.jsx to
restore the SignedIn/SignedOut split using the existing auth components, or
otherwise add a dashboard link/redirect for signed-in users so / still provides
dashboard access. Keep the fix localized to the Home component and preserve the
current unauthenticated sign-in behavior.
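
The two `.env.example` findings in the review above (an active `NODE_TLS_REJECT_UNAUTHORIZED=0` and a `NEXT_PUBLIC_THUNDERID_APPLICATION_ID` key in the Express sample), expressed as a check that could run in CI together with a startup guard. This is an added example, not code from the PR or the ThunderID project; the helper names, both sample files, the port and the CA path are constructed.

```javascript
// Added example. Helper names and sample file contents are constructed for illustration.
const EXPRESS_KEYS = ['THUNDERID_BASE_URL', 'THUNDERID_CLIENT_ID', 'THUNDERID_CLIENT_SECRET'];
const ALWAYS_ALLOWED = ['NODE_EXTRA_CA_CERTS', 'NODE_ENV', 'PORT'];

// Minimal dotenv reader: skips blanks and comments, accepts `export KEY=value` and quotes.
function parseEnv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, index) => {
    const match = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/.exec(raw);
    if (!match) return; // blank line, comment, or not an assignment
    const quoted = /^(['"])(.*?)\1(?:\s+#.*)?$/.exec(match[2]);
    const value = quoted ? quoted[2] : match[2].replace(/\s+#.*$/, '');
    entries.push({ line: index + 1, key: match[1], value });
  });
  return entries;
}

// Report active TLS disablement and keys the sample does not read.
function auditEnvExample(text, expectedKeys) {
  const findings = [];
  for (const { line, key, value } of parseEnv(text)) {
    if (key === 'NODE_TLS_REJECT_UNAUTHORIZED') {
      if (value === '0') {
        findings.push({ line, key, severity: 'high',
          message: 'turns off certificate verification for every TLS connection in the process' });
      }
      continue;
    }
    if (!expectedKeys.includes(key) && !ALWAYS_ALLOWED.includes(key)) {
      findings.push({ line, key, severity: 'low', message: 'key is not read by this sample' });
    }
  }
  return findings;
}

// Startup guard: refuse to run with verification disabled outside development.
function assertTlsVerification(env) {
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0' && env.NODE_ENV !== 'development') {
    throw new Error('NODE_TLS_REJECT_UNAUTHORIZED=0 is only permitted when NODE_ENV=development');
  }
  return true;
}

// Constructed sample resembling the flagged pattern.
const RISKY_SAMPLE = [
  'THUNDERID_BASE_URL=https://localhost:8090',
  'THUNDERID_CLIENT_ID=<client-id>',
  'NEXT_PUBLIC_THUNDERID_APPLICATION_ID=<application-id>',
  'THUNDERID_CLIENT_SECRET=<client-secret>',
  '# Local server uses a self-signed certificate',
  'NODE_TLS_REJECT_UNAUTHORIZED=0',
].join('\n');

// Constructed alternative: trust one extra CA and leave verification on.
const SAFER_SAMPLE = [
  'THUNDERID_BASE_URL=https://localhost:8090',
  'THUNDERID_CLIENT_ID=<client-id>',
  'THUNDERID_CLIENT_SECRET=<client-secret>',
  '# Export before starting Node: it is read only at process launch',
  'NODE_EXTRA_CA_CERTS=./certs/dev-ca.pem',
].join('\n');
```

Node.js reads `NODE_EXTRA_CA_CERTS` once when the process launches, so it has to be set in the shell or launcher environment; assigning it through a dotenv call after startup has no effect on the running process.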

JayaShakthi97
JayaShakthi97 previously approved these changes Jul 1, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@templates/react/vite-react-template/src/Dashboard.jsx`:
- Line 1: The new Dashboard.jsx file is missing the repository’s standard Apache
copyright banner, which will cause lint to fail. Add the required Apache header
comment at the top of the file, above the existing UserDropdown import, matching
the template used by other files in this repository.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d5b62bcb-f827-453f-a60c-cd07bfbec1b5

📥 Commits

Reviewing files that changed from the base of the PR and between 8c79277 and c2b4011.

📒 Files selected for processing (21)
  • packages/browser/package.json
  • packages/browser/rolldown.config.js
  • packages/express/package.json
  • packages/javascript/src/ThunderIDJavaScriptClient.ts
  • packages/nuxt/src/module.ts
  • packages/react-router/package.json
  • packages/react-router/rolldown.config.js
  • packages/tanstack-router/package.json
  • packages/tanstack-router/rolldown.config.js
  • samples/express/quickstart/.env.example
  • samples/nextjs/quickstart/.env.example
  • samples/node/quickstart/.env.example
  • samples/nuxt/quickstart/.env.example
  • samples/react/quickstart/src/App.jsx
  • samples/react/quickstart/src/main.jsx
  • templates/nextjs/nextjs-template/app/page.tsx
  • templates/react/vite-react-template/src/App.jsx
  • templates/react/vite-react-template/src/Dashboard.jsx
  • templates/react/vite-react-template/src/Home.jsx
  • templates/react/vite-react-template/src/main.jsx
  • templates/vue/vite-vue-template/src/App.vue
💤 Files with no reviewable changes (3)
  • templates/react/vite-react-template/src/main.jsx
  • samples/react/quickstart/src/main.jsx
  • packages/nuxt/src/module.ts
✅ Files skipped from review due to trivial changes (3)
  • packages/browser/rolldown.config.js
  • packages/tanstack-router/package.json
  • packages/tanstack-router/rolldown.config.js
🚧 Files skipped from review as they are similar to previous changes (5)
  • packages/react-router/rolldown.config.js
  • packages/browser/package.json
  • samples/react/quickstart/src/App.jsx
  • packages/express/package.json
  • packages/react-router/package.json

@@ -0,0 +1,9 @@
import { UserDropdown } from '@thunderid/react'
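
Review bot: line 1 of this new file is the import itself, so the file opens with no license comment, which is what the ESLint output quoted for this file reports through @thunderid/copyright-header. Add the repository's standard header above the UserDropdown import. The hunk header announces 9 added lines but only the first is shown here, so the body of the component cannot be reviewed from this view.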


📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Add the standard Apache header.

This new file is missing the repository’s required copyright banner, so the lint step will keep failing until it is added.

🧰 Tools
🪛 ESLint

[error] 1-10: Missing WSO2 Apache 2.0 copyright header

(@thunderid/copyright-header)


[error] 1-1: Unable to resolve path to module '@thunderid/react'.

(import-x/no-unresolved)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@templates/react/vite-react-template/src/Dashboard.jsx` at line 1, The new
Dashboard.jsx file is missing the repository’s standard Apache copyright banner,
which will cause lint to fail. Add the required Apache header comment at the top
of the file, above the existing UserDropdown import, matching the template used
by other files in this repository.

Source: Linters/SAST tools

JayaShakthi97
JayaShakthi97 previously approved these changes Jul 1, 2026
@brionmario brionmario merged commit 3da68e2 into thunder-id:main Jul 1, 2026
3 checks passed