Checklist
- I have looked into the README and have not found a suitable solution or answer.
- I have looked into the documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have upgraded to the latest version of this tool and the issue still persists.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Description
I use the latest version 8.29.0 of auth0-deploy-cli and run into issues while exporting resources using `"AUTH0_PRESERVE_KEYWORDS": true`. I tested it with version 8.26.0 as well, but the same issue exists. Here's what happens:
I got an action that should only run if the login has been initiated from specific applications. Each application has a different client ID depending on the Auth0 environment (we use development, staging and production). In order to achieve this, we use keywords for the client ID of the applications in our Auth0 deploy configuration files:
```json
{
  "AUTH0_PRESERVE_KEYWORDS": true,
  "AUTH0_KEYWORD_REPLACE_MAPPINGS": {
    "FIRST_APPLICATION_ID": "robkqXymKTioghjisJNyJofUAWgJQksnf",
    "SECOND_APPLICATION_ID": "tupWHHtoVBTPpQgfbBFLxUJbaKeihmZNR",
    ...
  },
  ...
}
```
Within the Auth0 action, we then verify if the login event has been initiated by one of those two applications before executing the remaining code:
```js
/**
 * Handler that will be called during the execution of a PostLogin flow.
 *
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  // Client IDs are injected per environment through keyword replacement.
  const ALLOWED_APPLICATION_IDS = [
    '##FIRST_APPLICATION_ID##',
    '##SECOND_APPLICATION_ID##'
  ];
  // Skip the rest of the action for logins from any other application.
  if (!ALLOWED_APPLICATION_IDS.includes(event.client.client_id)) {
    return;
  }
  // ...
}
```
Everything worked fine until we tried to export the resources from Auth0 today after changing the action (in this example, the scope write:users has been added). The command didn't replace the action that has been modified in Auth0. Instead, it printed this warning:
```
WARNING! The remote value with address of actions.[name=...].code has value of "/**
* Handler that will be called during the execution of a PostLogin flow.
*
* @param {Event} event - Details about the user and the context in which they are logging in.
* @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
*/
exports.onExecutePostLogin = async (event, api) => {
const ALLOWED_APPLICATION_IDS = [
'robkqXymKTioghjisJNyJofUAWgJQksnf',
'tupWHHtoVBTPpQgfbBFLxUJbaKeihmZNR'
];
if (!ALLOWED_APPLICATION_IDS.includes(event.client.client_id)) {
return;
}
var scopes = ['openid', 'profile'];
scopes.push('read:users', 'write:users');
...
}" but will be preserved with "/**
* Handler that will be called during the execution of a PostLogin flow.
*
* @param {Event} event - Details about the user and the context in which they are logging in.
* @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
*/
exports.onExecutePostLogin = async (event, api) => {
const ALLOWED_APPLICATION_IDS = [
'robkqXymKTioghjisJNyJofUAWgJQksnf',
'tupWHHtoVBTPpQgfbBFLxUJbaKeihmZNR'
];
if (!ALLOWED_APPLICATION_IDS.includes(event.client.client_id)) {
return;
}
scopes.push('read:users');
...
}" due to keyword preservation.
```
I'd appreciate it if somebody could look into this issue because in this state the Auth0 deploy tool is unusable.
Expectation
- I'd have expected that keyword replacement is limited to the string defined by the keyword. But that's clearly not the case, because the whole action code is being rejected, not just the string matching the keyword.
- My change was completely unrelated to any of my keywords (just added an additional scope). If I compare the code of the two versions from the warning message, I can see that the actions are identical except for the additional scope. This means that the keywords are matching. In this case, I'd have expected that the local action code gets replaced with the one from Auth0 without any issues.
Reproduction
- Use `"AUTH0_PRESERVE_KEYWORDS": true` in the configuration of the Auth0 deploy tool and two keywords:
  ```json
  {
    "AUTH0_PRESERVE_KEYWORDS": true,
    "AUTH0_KEYWORD_REPLACE_MAPPINGS": {
      "FIRST_APPLICATION_ID": "robkqXymKTioghjisJNyJofUAWgJQksnf",
      "SECOND_APPLICATION_ID": "tupWHHtoVBTPpQgfbBFLxUJbaKeihmZNR"
    }
  }
  ```
- Create an action with the following code:
  ```js
  /**
   * Handler that will be called during the execution of a PostLogin flow.
   *
   * @param {Event} event - Details about the user and the context in which they are logging in.
   * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
   */
  exports.onExecutePostLogin = async (event, api) => {
    const ALLOWED_APPLICATION_IDS = [
      '##FIRST_APPLICATION_ID##',
      '##SECOND_APPLICATION_ID##'
    ];
    if (!ALLOWED_APPLICATION_IDS.includes(event.client.client_id)) {
      return;
    }
    var scopes = ['openid', 'profile'];
    scopes.push('read:users');
  }
  ```
- In Auth0, modify the action and add a scope:
  ```js
  /**
   * Handler that will be called during the execution of a PostLogin flow.
   *
   * @param {Event} event - Details about the user and the context in which they are logging in.
   * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
   */
  exports.onExecutePostLogin = async (event, api) => {
    const ALLOWED_APPLICATION_IDS = [
      '##FIRST_APPLICATION_ID##',
      '##SECOND_APPLICATION_ID##'
    ];
    if (!ALLOWED_APPLICATION_IDS.includes(event.client.client_id)) {
      return;
    }
    var scopes = ['openid', 'profile'];
    scopes.push('read:users', 'write:users');
  }
  ```
- Execute `a0deploy export --config_file config/config.development.json --output_folder src --format directory`
Deploy CLI version
8.29.0
Node version
v22.22.0
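
The behaviour expected in this report (markers kept, unrelated remote edits accepted) can be sketched as follows. This is an added example, not part of the original issue and not auth0-deploy-cli's code: `renderKeywords`, `preserveKeywords` and the marker pattern `##[A-Z0-9_]+##` are assumptions, and the action body is abbreviated from the reproduction steps.

```javascript
// Added example, not auth0-deploy-cli code; all function names are hypothetical.

// Replace each ##KEY## marker with its mapped value (what a deploy does).
function renderKeywords(template, mappings) {
  return template.replace(/##([A-Z0-9_]+)##/g, (marker, key) =>
    Object.prototype.hasOwnProperty.call(mappings, key) ? String(mappings[key]) : marker);
}

// Put markers back into exported code, but only for keywords the local file
// already uses, and only when the reverse mapping is unambiguous.
function preserveKeywords(localTemplate, remoteCode, mappings) {
  const used = new Set();
  for (const m of localTemplate.matchAll(/##([A-Z0-9_]+)##/g)) {
    if (Object.prototype.hasOwnProperty.call(mappings, m[1])) used.add(m[1]);
  }
  const skipped = [];
  let code = remoteCode;
  // Longest values first so a value that is a prefix of another cannot clobber it.
  const keys = [...used].sort((a, b) => String(mappings[b]).length - String(mappings[a]).length);
  for (const key of keys) {
    const value = String(mappings[key]);
    const clash = Object.keys(mappings).some((k) => k !== key && String(mappings[k]) === value);
    if (value === '' || clash || !code.includes(value)) { skipped.push(key); continue; }
    code = code.split(value).join(`##${key}##`);
  }
  // Safety check: rendering the result must reproduce the remote code exactly.
  const lossless = renderKeywords(code, mappings) === remoteCode;
  return { code: lossless ? code : remoteCode, skipped, lossless };
}

// Sample data built from the issue's reproduction steps (action body abbreviated).
const MAPPINGS = {
  FIRST_APPLICATION_ID: 'robkqXymKTioghjisJNyJofUAWgJQksnf',
  SECOND_APPLICATION_ID: 'tupWHHtoVBTPpQgfbBFLxUJbaKeihmZNR',
};
const action = (ids, scopes) => `exports.onExecutePostLogin = async (event, api) => {
  const ALLOWED_APPLICATION_IDS = [${ids.map((id) => `'${id}'`).join(', ')}];
  if (!ALLOWED_APPLICATION_IDS.includes(event.client.client_id)) return;
  var scopes = ['openid', 'profile'];
  scopes.push(${scopes.map((s) => `'${s}'`).join(', ')});
};`;
const LOCAL = action(['##FIRST_APPLICATION_ID##', '##SECOND_APPLICATION_ID##'], ['read:users']);
const REMOTE = action(Object.values(MAPPINGS), ['read:users', 'write:users']);
const merged = preserveKeywords(LOCAL, REMOTE, MAPPINGS);
console.log(merged.code);
```

The `lossless` flag is the useful check for a review pipeline: if re-rendering the merged file does not reproduce the tenant's code byte for byte, the export is returned unmodified instead of silently dropping a remote change.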