Skip to content

Merging main into 1.x branch#249

Open
lalwani wants to merge 293 commits into
1.xfrom
main
Open

Merging main into 1.x branch#249
lalwani wants to merge 293 commits into
1.xfrom
main

Conversation

@lalwani

@lalwani lalwani commented Jun 12, 2024

Copy link
Copy Markdown
Collaborator

Cutting the current main into 1.X branch to prepare main for the 2.X

lalwani and others added 30 commits May 25, 2023 16:01
@lalwani
Merge pull request #192 from lalwani/par
76721b8 
Integrating PAR flow
@lalwani
upgrading minSdk version to 26
8447c67
@lalwani
Update README.md
9d9fd9d 
added documentation for using profile prefill feature
@lalwani
Merge pull request #196 from lalwani/readme-1
707165a 
Update README.md
@lalwani
Merge pull request #195 from lalwani/par
3302a0f 
upgrading minSdk version to 26
@lalwani
Update gradle.properties
c5b73ea 
preparing for the next release
@lalwani
updated changelog file
66d1efd
@lalwani
Merge pull request #197 from lalwani/par
46b6bef 
updated changelog file
@lalwani
bumping up the version to prepare for next release
590b69f
@lalwani
Merge pull request #198 from lalwani/master
339d627 
bumping up the version to prepare for next release
@lalwani
created login demo using applink
7748df8
@lalwani
added readme.md
314d594
@lalwani
updated readme
69ec5b5
@lalwani
Added failsafe null check when removing progress indicator
b649c4e
@lalwani
Merge pull request #205 from lalwani/bugfix
d286c74 
Added failsafe null check when removing progress indicator
[Gradle Release Plugin] - pre tag commit: 'vy'.
4bfdc07
@lalwani
removed unneeded onResume call
af69016
@lalwani
Merge pull request #203 from lalwani/login-demo
b8993e8 
created login demo using applink
@lalwani
Update gradle.properties
37de2c4 
removes precommit version y which got committed due to an error in running release script
[Gradle Release Plugin] - pre tag commit: 'v0.10.5'.
9603236
@lalwani
Update gradle.properties
9db435c
[Gradle Release Plugin] - pre tag commit: 'v0.10.5'.
080f66f
@lalwani
Update gradle.properties
3c1591f
[Gradle Release Plugin] - pre tag commit: 'v0.10.6'.
ad5875d
@lalwani
Update gradle.properties
a6684cf 
preparing for next release
@lalwani
[Gradle Release Plugin] - pre tag commit: 'v0.10.7'.
8865da4
@lalwani
Update gradle.properties
45cd479
@lalwani
Update gradle.properties
947ca19 
preparing for release
@lalwani
updated rides java sdk to 0.8.4
2f8d2b3
@lalwani
Merge pull request #206 from lalwani/sdk
72011ec 
updated rides java sdk to 0.8.4
partha-uber and others added 30 commits May 21, 2026 15:07
@partha-uber
Bump to 2.0.4-SNAPSHOT + changelog for 2.0.3 + bump vanniktech for Ce…
7d18aa7 
…ntral Portal

- authentication/core: 2.0.3-SNAPSHOT → 2.0.4-SNAPSHOT (released 2.0.3 to
  Maven Central today)
- gradle/libs.versions.toml: mavenPublish 0.27.0 → 0.33.0
  (Sonatype OSSRH was decommissioned 2025-06-30; vanniktech 0.33.0+ defaults
   to the new Central Portal, which is required for future releases — 0.27.0
   only knows the legacy Nexus staging API which returns HTTP 402 now)
- CHANGELOG.md: add v2.0.3 entry covering PR #268 (UberEnvironment for
  sandbox/production) and PR #265 (graceful PAR failure handling)
@partha-uber
Bump deprecated gradle/wrapper-validation-action to v4
d0bb616 
The v1 standalone action under gradle/wrapper-validation-action has been
deprecated and now fails. The action moved to gradle/actions/wrapper-validation
under the gradle/actions monorepo. Bumping to v4 unblocks CI on this PR
(check job was failing on the deprecated action across all 3 jobs that
used it: check, test matrix, upload-snapshots).

Pre-existing failure on main, surfaced by this PR.
@partha-uber
Merge pull request #269 from uber/sirker-bump-to-2.0.4-snapshot
3718e9c 
Bump to 2.0.4-SNAPSHOT, add 2.0.3 changelog, upgrade vanniktech for Central Portal
@partha-uber
add ubb__signin_margin
60cd952
@partha-uber
Merge pull request #270 from uber/sirker-resource-linking-fix
335d2c6 
Fix missing ub__signin_margin dimen in :core that broke 3P authentication consumers
@partha-uber
Forward optional nonce on /authorize request
0bcd225 
The auth server requires a nonce on /authorize when openid is in the
requested scope, so it can echo it back as the nonce claim of the issued
ID token for replay protection. The SDK previously had no way for
developers to supply one.

Add an optional nonce field on AuthContext that AuthProvider forwards to
UniversalSsoLink (via the existing optionalQueryParams map), so it ends
up as the nonce= query param on /authorize. The SDK does not generate,
store, or validate the value — that stays with the caller's backend.

Test Plan: unit tests covering nonce present and absent.
@partha-uber
Merge pull request #271 from uber/sirker-authorise-nonce-param
625fe24 
Forward optional nonce on /authorize request
@partha-uber
Update CHANGELOG for v2.0.4
247ca8d
@partha-uber
Bump to v2.0.4
a0ca750
@partha-uber
Bump to 2.0.5-SNAPSHOT
d5f5bfe
@partha-uber
[auth] Add state (CSRF) parameter to OAuth flow
b228240 
Summary:
- SDK auto-generates a cryptographically secure `state` parameter on
  every auth request (SecureRandom, 32 bytes, base64url-encoded)
- `state` is always appended to the SSO query params
- `handleAuthCode` validates the returned state; on mismatch calls
  `ssoLink.handleAuthError(INVALID_STATE)` instead of completing normally
- Adds `SsoLink.handleAuthError()` to propagate errors through the
  coroutine-deferred flow
- `@VisibleForTesting generatedState` field for unit-test assertions

This is step 1/3 of iOS parity (PR #337 in uber-ios-sdk).
@partha-uber @claude
Address review feedback: reject missing state and use plain ASCII
93bfa21 
- Treat null state as a mismatch (a malicious callback omitting state
  should not bypass CSRF validation since the SDK always sends it)
- Replace em dash with plain hyphen in INVALID_STATE message

Co-Authored-By: Claude <noreply@anthropic.com>
@partha-uber @claude
Remove hyphen from INVALID_STATE message
b08af0e 
Co-Authored-By: Claude <noreply@anthropic.com>
@partha-uber
Merge pull request #272 from uber/sirker-auth-state-csrf
9d8fcab 
[auth] Add state (CSRF) parameter to OAuth flow
@partha-uber @claude
Add Builder pattern to AuthContext
e3aa306 
Addresses review feedback from PR #271 — the growing list of nullable
constructor parameters makes call sites confusing and error-prone.
The new AuthContext.Builder provides a fluent API while preserving
full backward compatibility with the existing data-class constructor.

Co-Authored-By: Claude <noreply@anthropic.com>
@partha-uber @claude
Apply spotless formatting to AuthContext Builder
75cb9c9 
Co-Authored-By: Claude <noreply@anthropic.com>
@partha-uber @claude
Replace Builder with AuthOptions data class per review feedback
7a82d22 
- Add AuthOptions data class for optional auth params (prefillInfo,
  prompt, environment, nonce)
- Add new AuthContext constructor taking AuthOptions
- Deprecate old flat constructor with @deprecated annotation and
  ReplaceWith hint
- Keep property accessors (prefillInfo, prompt, environment, nonce) on
  AuthContext for internal backward compatibility
- Remove Builder class
- Update tests to verify AuthOptions and deprecated constructor parity

Co-Authored-By: Claude <noreply@anthropic.com>
@partha-uber @claude
Rename AuthOptions to AuthOptionalConfig
51f49f8 
Co-Authored-By: Claude <noreply@anthropic.com>
@partha-uber
Merge pull request #275 from uber/sirker-authcontext-builder
b9e81bb 
Add Builder pattern to AuthContext
@partha-uber @claude
[auth] Auto-generate nonce when caller does not provide one
8e347ae 
- Add effectiveNonce = authContext.nonce ?: generateSecureToken() so a
  cryptographically-secure nonce is always sent on /authorize, even if
  the caller omits one (matches iOS PR #337 behaviour)
- Nonce param is now unconditional in getQueryParams (was optional)
- Update size assertions in existing tests (+1 for the always-present nonce)
- Add 5 new tests covering auto-gen, caller-supplied, stability, PKCE, and
  instance uniqueness

Co-Authored-By: Claude <noreply@anthropic.com>
@partha-uber
Merge pull request #279 from uber/sirker-nonce-autogen
28b2a50 
[auth] Auto-generate nonce when caller does not provide one
@partha-uber
[auth] Add NonceUtil for JWT nonce extraction and id_token field to U…
d6de413 
…berToken
@partha-uber @claude
Add @JvmStatic to NonceUtil.extractNonceFromIdToken for Java interop
7fbb230 
Co-Authored-By: Claude <noreply@anthropic.com>
@partha-uber
Merge pull request #277 from uber/sirker-nonce-util
3f5e1b4 
[auth] Add NonceUtil for JWT nonce extraction and id_token field to UberToken
@partha-uber
[auth] Validate nonce claim in id_token after PKCE token exchange
5a84048
@partha-uber @claude
Remove null guard: nonce validation always runs (effectiveNonce alway…
1aecbd3 
…s set)

Auto-nonce (#279) guarantees effectiveNonce is never null, so the
'if (sentNonce != null)' guard is no longer needed. Validation is now
unconditional — any PKCE response without an id_token nonce claim that
matches effectiveNonce is rejected.

Update existing PKCE tests to provide a matching id_token and add two
new tests covering the always-validated path.

Co-Authored-By: Claude <noreply@anthropic.com>
@partha-uber
Merge pull request #278 from uber/sirker-nonce-pkce-validation
19c2512 
[auth] Validate nonce claim in id_token after PKCE token exchange
@partha-uber
Update CHANGELOG for v2.0.5
35be891
@partha-uber
Bump to v2.0.5
c39b16f
@partha-uber
Bump to 2.0.6-SNAPSHOT
f65ac92
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lalwani @CLAassistant @partha-uber