Skip to content

feat(create): add Descope auth add-on for React#483

Open
mariamantsurova wants to merge 2 commits into
TanStack:mainfrom
mariamantsurova:feat/descope-auth-addon
Open

feat(create): add Descope auth add-on for React#483
mariamantsurova wants to merge 2 commits into
TanStack:mainfrom
mariamantsurova:feat/descope-auth-addon

Conversation

@mariamantsurova

@mariamantsurova mariamantsurova commented Jul 8, 2026

Copy link
Copy Markdown

Adds Descope as a managed authentication add-on for the React framework, alongside the existing Clerk and WorkOS options. Selecting it wires Descope auth into a generated TanStack Start app end-to-end.

What's included

  • Provider<AuthProvider> (@descope/react-sdk) wrapped at the app root via VITE_DESCOPE_PROJECT_ID
  • Header user menu — self-contained avatar + "Sign out" (useSession/useUser/useDescope); renders nothing when signed out
  • Demo route/demo/descope rendering the sign-up-or-in flow plus a signed-in greeting
  • Metadatacategory: "auth" and exclusive: ["auth"]
  • Docs + envREADME.md (setup, route protection, production checklist) and .env.local entry
  • Changeset (@tanstack/create, minor)

Summary by CodeRabbit

  • New Features
    • Added a new React authentication add-on for Descope.
    • Included an app-root authentication provider, a header user menu with profile/avatar display, and sign-out support.
    • Added a /demo/descope demo route showing the sign-up/sign-in flow and a signed-in welcome state.
  • Documentation
    • Added step-by-step local setup instructions, required environment configuration, and a production checklist (including route protection guidance).

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b266a9ce-827f-4dba-a89d-ea7185325f3d

📥 Commits

Reviewing files that changed from the base of the PR and between 5b4ecb4 and ddc1ec6.

📒 Files selected for processing (2)
  • packages/create/src/frameworks/react/add-ons/descope/README.md
  • packages/create/src/frameworks/react/add-ons/descope/assets/src/integrations/descope/header-user.tsx
✅ Files skipped from review due to trivial changes (1)
  • packages/create/src/frameworks/react/add-ons/descope/README.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • packages/create/src/frameworks/react/add-ons/descope/assets/src/integrations/descope/header-user.tsx

📝 Walkthrough

Walkthrough

This PR adds a Descope authentication add-on for the React framework generator. It registers the add-on manifest, provider, header user menu, demo route, dependency, local environment placeholder, setup documentation, and changeset entry.

Changes

Descope Add-on Implementation

Layer / File(s) Summary
Add-on manifest, dependency, and env template
packages/create/src/frameworks/react/add-ons/descope/info.json, packages/create/src/frameworks/react/add-ons/descope/package.json, packages/create/src/frameworks/react/add-ons/descope/assets/_dot_env.local.append
Defines the Descope add-on metadata, demo route and integration registrations, the @descope/react-sdk dependency, and the VITE_DESCOPE_PROJECT_ID placeholder.
AppDescopeProvider wiring
packages/create/src/frameworks/react/add-ons/descope/assets/src/integrations/descope/provider.tsx
Reads VITE_DESCOPE_PROJECT_ID from import.meta.env, throws when it is missing, and wraps children with Descope's AuthProvider.
Header user menu and demo route
packages/create/src/frameworks/react/add-ons/descope/assets/src/integrations/descope/header-user.tsx, packages/create/src/frameworks/react/add-ons/descope/assets/src/routes/demo/descope.tsx
Adds the authenticated header user menu, the /demo/descope route, the signed-out Descope flow, and the signed-in greeting/avatar view.
Documentation and changeset
packages/create/src/frameworks/react/add-ons/descope/README.md, .changeset/descope-auth-addon.md
Documents local setup, route and provider wiring, session validation guidance, production checklist, and records the changeset entry.

Estimated code review effort: 2 (Simple) | ~15 minutes

Suggested reviewers: jherr

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and accurately summarizes the main change: adding a Descope authentication add-on for React.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@socket-security

socket-security Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Added@​descope/​react-sdk@​2.30.3981009599100

View full report

@socket-security

socket-security Bot commented Jul 8, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Medium
Low adoption: npm @descope/outbound-applications-widget

Location: Package overview

From: ?npm/@descope/react-sdk@2.30.3npm/@descope/outbound-applications-widget@0.5.2

ℹ Read more on: This package | This alert | What are unpopular packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@descope/outbound-applications-widget@0.5.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (3)
packages/create/src/frameworks/react/add-ons/descope/assets/src/routes/demo/descope.tsx (2)

44-55: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Duplicated "Built with DESCOPE" link markup.

The same anchor block appears in both SignedOut (lines 44-55) and SignedInGreeting (lines 93-104). Extract a small shared component to keep them in sync.

♻️ Suggested extraction
+function DescopeAttribution() {
+  return (
+    <p className="demo-muted text-center text-xs">
+      Built with{' '}
+      <a
+        href="https://descope.com"
+        target="_blank"
+        rel="noopener noreferrer"
+        className="font-medium"
+      >
+        DESCOPE
+      </a>
+      .
+    </p>
+  )
+}

Then replace both occurrences with <DescopeAttribution /> (prepending "Sign out from the avatar in the header. " before it in SignedInGreeting).

Also applies to: 93-104

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@packages/create/src/frameworks/react/add-ons/descope/assets/src/routes/demo/descope.tsx`
around lines 44 - 55, The “Built with DESCOPE” anchor markup is duplicated in
both SignedOut and SignedInGreeting, so extract it into a shared
DescopeAttribution component in descope.tsx and replace both inline blocks with
that component. Keep the shared link markup identical in both places, and in
SignedInGreeting prepend the existing “Sign out from the avatar in the header.”
text before DescopeAttribution so both views stay consistent.

38-42: 🎯 Functional Correctness | 🔵 Trivial | 💤 Low value

Hardcoded theme="light" ignores dark mode.

The rest of the add-on (header-user, SignedInGreeting) uses dark: Tailwind variants, indicating the app supports dark mode. The <Descope> widget is fixed to theme="light" and won't adapt. Consider detecting the user's color scheme and passing it dynamically, or at minimum documenting this limitation.

// If the SDK supports a "theme" prop that accepts "auto" or a dynamic value:
<Descope
  flowId="sign-up-or-in"
  theme={document.documentElement.classList.contains('dark') ? 'dark' : 'light'}
  onError={(err) => console.error('Descope flow error', err)}
/>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@packages/create/src/frameworks/react/add-ons/descope/assets/src/routes/demo/descope.tsx`
around lines 38 - 42, The Descope widget is hardcoded to a light theme, so it
won’t follow the app’s dark-mode support. Update the <Descope> usage in the demo
route to pass a dynamic theme value based on the current color scheme (or the
SDK’s auto mode if available), and keep the existing onError handling unchanged.
Use the <Descope> component and its theme prop as the main touchpoints when
making the change.
packages/create/src/frameworks/react/add-ons/descope/README.md (1)

26-33: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

RedirectToSignIn is illustrative pseudocode.

The RedirectToSignIn component in the route-protection example doesn't exist in the codebase. Consider adding a comment noting this is a placeholder the user must implement, or replace it with a TanStack Router redirect for accuracy.

-  if (!isAuthenticated) return <RedirectToSignIn />
+  // Replace with your own redirect, e.g. `navigate({ to: '/demo/descope' })`
+  if (!isAuthenticated) return <Navigate to="/demo/descope" />
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/create/src/frameworks/react/add-ons/descope/README.md` around lines
26 - 33, The route-protection example in the Descope README uses a non-existent
RedirectToSignIn component, so update the example to avoid implying it is
available. In the ProtectedPage snippet, either add an inline note that
RedirectToSignIn is placeholder pseudocode the user must implement, or replace
it with the actual TanStack Router redirect pattern. Keep the guidance tied to
ProtectedPage and RedirectToSignIn so readers understand what must be changed.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@packages/create/src/frameworks/react/add-ons/descope/assets/src/integrations/descope/header-user.tsx`:
- Around line 24-30: The Sign out click handler in header-user.tsx ignores the
Promise returned by sdk.logout(), so logout failures can become unhandled
rejections. Update the onClick path around sdk.logout() to await it or attach a
catch, and surface a visible fallback or error state from this component so
failures are handled cleanly.
- Around line 8-11: The avatar initial in header-user.tsx is rendered before the
user profile has finished loading, which can show the fallback too early. Update
the HeaderUser component to also guard on isUserLoading alongside
isSessionLoading and isAuthenticated, and only compute/render the initial after
user loading completes so the `useUser()` data is available before using
`user?.name` or `user?.email`.

In `@packages/create/src/frameworks/react/add-ons/descope/README.md`:
- Line 16: The README description for the Descope header user menu is inaccurate
because `header-user.tsx` does not render a “Sign in” link when unauthenticated.
Update the documentation text for the `header-user` integration so it matches
the actual `HeaderUser` behavior: it returns nothing when `!isAuthenticated` and
only shows the avatar and “Sign out” state when signed in.

---

Nitpick comments:
In
`@packages/create/src/frameworks/react/add-ons/descope/assets/src/routes/demo/descope.tsx`:
- Around line 44-55: The “Built with DESCOPE” anchor markup is duplicated in
both SignedOut and SignedInGreeting, so extract it into a shared
DescopeAttribution component in descope.tsx and replace both inline blocks with
that component. Keep the shared link markup identical in both places, and in
SignedInGreeting prepend the existing “Sign out from the avatar in the header.”
text before DescopeAttribution so both views stay consistent.
- Around line 38-42: The Descope widget is hardcoded to a light theme, so it
won’t follow the app’s dark-mode support. Update the <Descope> usage in the demo
route to pass a dynamic theme value based on the current color scheme (or the
SDK’s auto mode if available), and keep the existing onError handling unchanged.
Use the <Descope> component and its theme prop as the main touchpoints when
making the change.

In `@packages/create/src/frameworks/react/add-ons/descope/README.md`:
- Around line 26-33: The route-protection example in the Descope README uses a
non-existent RedirectToSignIn component, so update the example to avoid implying
it is available. In the ProtectedPage snippet, either add an inline note that
RedirectToSignIn is placeholder pseudocode the user must implement, or replace
it with the actual TanStack Router redirect pattern. Keep the guidance tied to
ProtectedPage and RedirectToSignIn so readers understand what must be changed.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6579b9d0-eeb2-449f-9297-ccc8b61e9a68

📥 Commits

Reviewing files that changed from the base of the PR and between 12c31df and 5b4ecb4.

⛔ Files ignored due to path filters (2)
  • packages/create/src/frameworks/react/add-ons/descope/logo.svg is excluded by !**/*.svg
  • packages/create/src/frameworks/react/add-ons/descope/small-logo.svg is excluded by !**/*.svg
📒 Files selected for processing (8)
  • .changeset/descope-auth-addon.md
  • packages/create/src/frameworks/react/add-ons/descope/README.md
  • packages/create/src/frameworks/react/add-ons/descope/assets/_dot_env.local.append
  • packages/create/src/frameworks/react/add-ons/descope/assets/src/integrations/descope/header-user.tsx
  • packages/create/src/frameworks/react/add-ons/descope/assets/src/integrations/descope/provider.tsx
  • packages/create/src/frameworks/react/add-ons/descope/assets/src/routes/demo/descope.tsx
  • packages/create/src/frameworks/react/add-ons/descope/info.json
  • packages/create/src/frameworks/react/add-ons/descope/package.json

Comment thread packages/create/src/frameworks/react/add-ons/descope/README.md Outdated
- Gate header avatar on isUserLoading to avoid initial fallback flash
- Handle sdk.logout() promise rejection
- Fix README to match header-user behavior (no sign-in link)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant