Skip to content

feat: add Descope#7756

Open
mariamantsurova wants to merge 3 commits into
TanStack:mainfrom
mariamantsurova:docs/add-start-descope-example
Open

feat: add Descope#7756
mariamantsurova wants to merge 3 commits into
TanStack:mainfrom
mariamantsurova:docs/add-start-descope-example

Conversation

@mariamantsurova

@mariamantsurova mariamantsurova commented Jul 8, 2026

Copy link
Copy Markdown

This PR introduces a TanStack Start sample app showcasing Descope authentication and adds it to the documentation.

Cap.2026-07-08.at.14.47.43.mp4

Summary by CodeRabbit

  • New Features
    • Added a new React “TanStack Start + Descope” example with sign-in, protected profile, and logout.
    • Includes session-aware routing, a profile widget integration, and polished error/not-found screens.
  • Documentation
    • Updated getting-started/example listings and added a full README with environment variable guidance and run/build commands.
  • Development Setup
    • Added local dev support for the example (dev container config) along with standard template files for environment and tooling.

@socket-security

socket-security Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Added@​descope/​react-sdk@​2.30.3981009599100
Added@​descope/​node-sdk@​2.12.0981009999100

View full report

@socket-security

socket-security Bot commented Jul 8, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Medium
Low adoption: npm @descope/outbound-applications-widget

Location: Package overview

From: pnpm-lock.yamlnpm/@descope/react-sdk@2.30.3npm/@descope/outbound-applications-widget@0.5.2

ℹ Read more on: This package | This alert | What are unpopular packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@descope/outbound-applications-widget@0.5.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 73304314-d394-42d3-93c9-bd318e782a9d

📥 Commits

Reviewing files that changed from the base of the PR and between 1156615 and d3fb2c0.

📒 Files selected for processing (3)
  • examples/react/start-descope/.gitignore
  • examples/react/start-descope/src/integrations/descope/session.server.ts
  • examples/react/start-descope/src/routes/logout.tsx
✅ Files skipped from review due to trivial changes (1)
  • examples/react/start-descope/.gitignore
🚧 Files skipped from review as they are similar to previous changes (2)
  • examples/react/start-descope/src/routes/logout.tsx
  • examples/react/start-descope/src/integrations/descope/session.server.ts

📝 Walkthrough

Walkthrough

This PR adds a new TanStack Start React example for Descope authentication, including example docs and scaffolding, Descope session middleware and server helpers, router/root setup, and login/logout/protected routes.

Changes

Descope example app

Layer / File(s) Summary
Docs and project scaffolding
docs/start/config.json, docs/start/framework/react/getting-started.md, examples/react/start-descope/.devcontainer/..., .env.example, .gitignore, .prettierignore, .vscode/settings.json, README.md, package.json, tsconfig.json, vite.config.ts, pnpm-workspace.yaml
Adds the example to docs and creates the project manifest, environment template, ignore files, workspace settings, README, build config, and pnpm trust-policy entry.
Session resolution and middleware
examples/react/start-descope/src/integrations/descope/*, src/start.ts
Adds Descope session parsing/refresh, cookie clearing, request middleware, client provider wiring, and Start instance middleware setup.
Router tree and app shell
examples/react/start-descope/src/routeTree.gen.ts, src/router.tsx, src/routes/__root.tsx, src/components/*, src/utils/seo.ts, src/styles/app.css
Adds the generated route tree, router setup, root document shell, shared UI components, SEO helper, and global styling.
Authenticated and public routes
examples/react/start-descope/src/routes/_authed*.tsx, src/routes/index.tsx, src/routes/login.tsx, src/routes/logout.tsx
Adds the auth guard, profile page, home page, and login/logout flows tied to Descope session state.

Estimated code review effort: 3 (Moderate) | ~30 minutes

Possibly related PRs

  • TanStack/router#7425: Both PRs modify pnpm-workspace.yaml trust-policy settings for pnpm dependency handling.
  • TanStack/router#7547: Both PRs change the DefaultCatchBoundary root-check logic to use pathname-based routing state.
  • TanStack/router#7643: Both PRs update pnpm-workspace.yaml trustPolicyExclude entries.

Suggested labels: documentation

Suggested reviewers: SeanCassiere

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main change: adding a new Descope example app and documenting it.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@examples/react/start-descope/.gitignore`:
- Around line 15-16: The .gitignore entry is malformed because the Sentry
comment is attached to the /public/build ignore pattern, so the pattern is not
applied correctly. Update the ignore rules in the .gitignore file for the react
start-descope example so /public/build stands alone and the Sentry Config File
note is placed on its own separate comment line before .env.sentry-build-plugin.

In `@examples/react/start-descope/package.json`:
- Around line 18-19: The dependency versions for `@tanstack/react-router` and
`@tanstack/react-router-devtools` are out of sync, which can lead to
incompatibilities. Update the `@tanstack/react-router-devtools` entry in
package.json to match the same minor version as `@tanstack/react-router`, and keep
the versions aligned so both packages resolve together consistently.

In `@examples/react/start-descope/src/integrations/descope/session.server.ts`:
- Around line 49-55: The rotated session cookie set in session.server.ts via the
SESSION_COOKIE write should be marked secure because it stores a JWT in a
browser cookie. Update the cookie options in the authInfo.jwt rotation path to
include the secure flag alongside the existing httpOnly, sameSite, and path
settings so it is only sent over HTTPS.

In `@examples/react/start-descope/src/routes/logout.tsx`:
- Around line 15-30: The logout flow in doLogout only catches errors from
sdk.logout(), so failures in clearServerSession(), router.invalidate(), or
router.navigate() can reject unhandled and leave the user stuck on the
signing-out screen. Wrap the post-logout cleanup/navigation steps in the same
try/catch (or a second one around the remaining awaits) and ensure errors are
logged while still allowing the UI to recover. Keep the existing
useEffect/doLogout structure, but make the full logout sequence resilient to any
thrown promise from clearServerSession, router.invalidate, and router.navigate.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0352abff-733f-405d-86cc-fe8b4b73ce7a

📥 Commits

Reviewing files that changed from the base of the PR and between a3e24c3 and 1156615.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (30)
  • docs/start/config.json
  • docs/start/framework/react/getting-started.md
  • examples/react/start-descope/.devcontainer/devcontainer.json
  • examples/react/start-descope/.env.example
  • examples/react/start-descope/.gitignore
  • examples/react/start-descope/.prettierignore
  • examples/react/start-descope/.vscode/settings.json
  • examples/react/start-descope/README.md
  • examples/react/start-descope/package.json
  • examples/react/start-descope/src/components/DefaultCatchBoundary.tsx
  • examples/react/start-descope/src/components/DescopeLogo.tsx
  • examples/react/start-descope/src/components/NotFound.tsx
  • examples/react/start-descope/src/integrations/descope/middleware.ts
  • examples/react/start-descope/src/integrations/descope/provider.tsx
  • examples/react/start-descope/src/integrations/descope/server.ts
  • examples/react/start-descope/src/integrations/descope/session.server.ts
  • examples/react/start-descope/src/routeTree.gen.ts
  • examples/react/start-descope/src/router.tsx
  • examples/react/start-descope/src/routes/__root.tsx
  • examples/react/start-descope/src/routes/_authed.tsx
  • examples/react/start-descope/src/routes/_authed/profile.tsx
  • examples/react/start-descope/src/routes/index.tsx
  • examples/react/start-descope/src/routes/login.tsx
  • examples/react/start-descope/src/routes/logout.tsx
  • examples/react/start-descope/src/start.ts
  • examples/react/start-descope/src/styles/app.css
  • examples/react/start-descope/src/utils/seo.ts
  • examples/react/start-descope/tsconfig.json
  • examples/react/start-descope/vite.config.ts
  • pnpm-workspace.yaml

Comment thread examples/react/start-descope/.gitignore Outdated
Comment on lines +18 to +19
"@tanstack/react-router": "^1.170.17",
"@tanstack/react-router-devtools": "^1.167.0",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Version mismatch between @tanstack/react-router and @tanstack/react-router-devtools.

@tanstack/react-router is at ^1.170.17 while @tanstack/react-router-devtools is at ^1.167.0. The devtools package should track the same minor version as the router to avoid API incompatibilities. With ^ ranges, the devtools could resolve to a version several minors behind the router.

🔧 Proposed fix
-    "`@tanstack/react-router-devtools`": "^1.167.0",
+    "`@tanstack/react-router-devtools`": "^1.170.0",
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"@tanstack/react-router": "^1.170.17",
"@tanstack/react-router-devtools": "^1.167.0",
"`@tanstack/react-router`": "^1.170.17",
"`@tanstack/react-router-devtools`": "^1.170.0",
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@examples/react/start-descope/package.json` around lines 18 - 19, The
dependency versions for `@tanstack/react-router` and
`@tanstack/react-router-devtools` are out of sync, which can lead to
incompatibilities. Update the `@tanstack/react-router-devtools` entry in
package.json to match the same minor version as `@tanstack/react-router`, and keep
the versions aligned so both packages resolve together consistently.

Comment thread examples/react/start-descope/src/routes/logout.tsx
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant