Escape store auth session keys#7864
Merged
Merged
Conversation
This was referenced Jun 19, 2026
Contributor
Author
This stack of pull requests is managed by Graphite. Learn more about stacking. |
github-actions
Bot
added
the
no-changelog
isaacroldan
reviewed
Jun 19, 2026
| } | ||
|
|
||
| function escapeStoreAuthSessionKeySegment(value: string): string { | ||
| return value.replace(/\./g, '\\.') |
Contributor
There was a problem hiding this comment.
is it better to escape or to replace them? maybe is safer to use -?
Contributor
Author
There was a problem hiding this comment.
I think escaping is safer here than replacing with -: - is valid in store domains, so replacement can create collisions between distinct domains. dot-prop explicitly supports escaped dots for this exact case, and the persisted JSON key remains the original domain string rather than an encoded/replaced value. If we want to avoid relying on dot-prop escaping semantics entirely, I think encodeURIComponent(store) would be the safer alternative over - replacement.
alfonso-noriega
force-pushed
the
donald/store-auth-escaped-session-keys
branch
from
a571bc3 to
9e2c4f3
Compare
alfonso-noriega
force-pushed
the
donald/store-list-local-fallback
branch
2 times, most recently
from
067f712 to
57d47f2
Compare
alfonso-noriega
force-pushed
the
donald/store-auth-escaped-session-keys
branch
3 times, most recently
from
a868c3a to
c324278
Compare
alfonso-noriega
force-pushed
the
donald/store-list-local-fallback
branch
from
57d47f2 to
3f7e81a
Compare
isaacroldan
approved these changes
Jun 19, 2026
alfonso-noriega
force-pushed
the
donald/store-auth-escaped-session-keys
branch
from
c324278 to
fcf52d3
Compare
alfonso-noriega
force-pushed
the
donald/store-list-local-fallback
branch
from
3f7e81a to
849999d
Compare
Contributor
Differences in type declarationsWe detected differences in the type declarations generated by Typescript for this branch compared to the baseline ('main' branch). Please, review them to ensure they are backward-compatible. Here are some important things to keep in mind:
New type declarationsWe found no new type declarations in this PR Existing type declarationspackages/cli-kit/dist/public/node/local-storage.d.ts@@ -1,3 +1,14 @@
+/**
+ * Escape a value so it can be safely used as a single path segment.
+ *
+ * treats dots and brackets as path syntax (via dot-prop), so dynamic
+ * segments containing those characters need to be escaped before they are used
+ * in local storage keys.
+ *
+ * @param value - The dynamic local storage key segment to escape.
+ * @returns The escaped key segment.
+ */
+export declare function localStorageKeySegment(value: string): string;
/**
* A wrapper around the package that provides a strongly-typed interface
* for accessing the local storage.
|
alfonso-noriega
force-pushed
the
donald/store-auth-escaped-session-keys
branch
from
fcf52d3 to
1957170
Compare
Assisted-By: devx/a802aefd-9486-4d1e-bf5d-9541c093b99d
alfonso-noriega
force-pushed
the
donald/store-auth-escaped-session-keys
branch
from
1957170 to
6bc6e16
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
WHY are these changes introduced?
Follow-up to discussion on #7709 about avoiding recursive crawling of
confstorage for store-auth sessions.WHAT is this pull request doing?
Escapes dots in store-auth session keys before passing them to
conf, so a store domain is persisted as one top-level key instead of a nested dotted path. The listing code now scans only top-level store-auth buckets and ignores legacy nested entries.This intentionally means stores authenticated with the old nested key format may need to be re-authenticated.
How to test your changes?
Post-release steps
None.
Checklist
patchfor bug fixes ·minorfor new features ·majorfor breaking changes) and added a changeset withpnpm changeset add