Skip to content

production.mdx

Latest commit

 

History

History
121 lines (96 loc) · 6.02 KB

production.mdx

File metadata and controls

121 lines (96 loc) · 6.02 KB
title Production
description Steps to prepare Stack for production use

Stack makes development easy with various default settings, but these settings need to be optimized for security and user experience when moving to production. Here's a checklist of things you need to do before switching to production mode:

Domains

By default, Stack allows all localhost paths as valid callback URLs. This is convenient for development but poses a security risk in production because attackers could use their own domains as callback URLs to intercept sensitive information. Therefore, in production, Stack must know your domain (e.g., https://your-website.com) and only allow callbacks from those domains.

Follow these steps when you're ready to push your application to production:

## Add Your Domain Navigate to the `Domain & Handlers` tab in the Stack dashboard. If you haven't configured your handler, you can leave it as the default. (Learn more about handlers [here](../sdk/objects/stack-app.mdx)). ## Disable Localhost Callbacks For enhanced security, disable the `Allow all localhost callbacks for development` option.

OAuth providers

Stack uses shared OAuth keys for development to simplify setup when using "Sign in with Google/GitHub/etc." However, this isn't secure for production as it displays "Stack Development" on the providers' consent screens, making it unclear to users if the OAuth request is genuinely from your site. Thus, you should configure your own OAuth keys with the providers and connect them to Stack.

To use your own OAuth provider setups in production, follow these steps for each provider you use:

## Create an OAuth App On the provider's website, create an OAuth app and set the callback URL to the corresponding Stack callback URL. Copy the client ID and client secret. Google GitHub Facebook Microsoft Spotify Gitlab Bitbucket LinkedIn X 
 <TabsContent value="google">
   [Google OAuth Setup Guide](https://developers.google.com/identity/protocols/oauth2#1.-obtain-oauth-2.0-credentials-from-the-dynamic_data.setvar.console_name-.)  
   Callback URL:  
   `https://api.stack-auth.com/api/v1/auth/oauth/callback/google`
 </TabsContent>
 
 <TabsContent value="github">
   [GitHub OAuth Setup Guide](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app)  
   Callback URL:  
   `https://api.stack-auth.com/api/v1/auth/oauth/callback/github`
 </TabsContent>
 
 <TabsContent value="facebook">
   [Facebook OAuth Setup Guide](https://developers.facebook.com/docs/development/create-an-app/facebook-login-use-case)  
   Callback URL:  
   `https://api.stack-auth.com/api/v1/auth/oauth/callback/facebook`
 </TabsContent>
 
 <TabsContent value="microsoft">
   [Microsoft Azure OAuth Setup Guide](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)  
   Callback URL:  
   `https://api.stack-auth.com/api/v1/auth/oauth/callback/microsoft`
 </TabsContent>
 
 <TabsContent value="spotify">
   [Spotify OAuth Setup Guide](https://developer.spotify.com/documentation/general/guides/app-settings/)  
   Callback URL:  
   `https://api.stack-auth.com/api/v1/auth/oauth/callback/spotify`
 </TabsContent>
 
 <TabsContent value="gitlab">
   [Gitlab OAuth Setup Guide](https://docs.gitlab.com/ee/integration/oauth_provider.html)  
   Callback URL:  
   `https://api.stack-auth.com/api/v1/auth/oauth/callback/gitlab`
 </TabsContent>
 
 <TabsContent value="bitbucket">
   [Bitbucket OAuth Setup Guide](https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud)  
   Callback URL:  
   `https://api.stack-auth.com/api/v1/auth/oauth/callback/bitbucket`
 </TabsContent>
 
 <TabsContent value="linkedin">
   [LinkedIn OAuth Setup Guide](https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin%2Fcontext&tabs=HTTPS1)  
   Callback URL:  
   `https://api.stack-auth.com/api/v1/auth/oauth/callback/linkedin`
 </TabsContent>
 
 <TabsContent value="x">
   [X OAuth Setup Guide](https://developer.x.com/en/docs/apps/overview)  
   Callback URL:  
   `https://api.stack-auth.com/api/v1/auth/oauth/callback/x`
 </TabsContent>
## Enter OAuth Credentials Go to the `Auth Methods` section in the Stack dashboard, open the provider's settings, switch from shared keys to custom keys, and enter the client ID and client secret.

Email server

For development, Stack uses a shared email server, which sends emails from Stack's domain. This is not ideal for production as users may not trust emails from an unfamiliar domain. You should set up an email server connected to your own domain.

Steps to connect your own email server with Stack:

  1. Setup Email Server: Configure your own email server and connect it to your domain (this step is beyond Stack's documentation scope).
  2. Configure Stack's Email Settings: Navigate to the Emails section in the Stack dashboard, click Edit in the Email Server section, switch from Shared to Custom SMTP server, enter your SMTP configurations, and save.

Enabling production mode

After completing the steps above, you can enable production mode on the Project Settings tab in the Stack dashboard, ensuring that your website runs securely with Stack in a production environment.