@akinon/next 2.0.27-beta.0 → 2.0.27
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +2 -2
- package/api/auth.ts +14 -4
- package/package.json +2 -2
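--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,10 +1,10 @@
 # @akinon/next
 
-## 2.0.27
+## 2.0.27
 
 ### Patch Changes
 
--
+- 1afe5df: ZERO-4550: Scope the auth stale-session cleanup to password login. Register and OTP-login verify submits are still anonymous (no user pk yet), but their session carries the pending OTP challenge; clearing it on those flows made the backend re-issue the code on every verify instead of validating it. The cleanup now only runs for `formType === 'login'` (preserving the ZERO-4247 fix), so register/OTP flows keep their session and the entered code is verified.
 
 ## 2.0.26
 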
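--- a/package/api/auth.ts
+++ b/package/api/auth.ts
@@ -173,8 +173,13 @@ const getDefaultAuthConfig = () => {
 if (sessionCookie) {
 reqHeaders.set('cookie', sessionCookie);
 }
-} else {
-// Stale session cookie —
+} else if (credentials.formType === 'login') {
+// Stale session cookie — only clear it before a fresh password
+// login (ZERO-4247). Register and OTP flows are still anonymous at
+// this point (no pk yet), but their session carries the pending OTP
+// challenge; clearing it here makes the backend lose the challenge
+// and re-issue the code on every verify (ZERO-4550).
+// remove from headers and clear in browser
 const currentCookies = reqHeaders.get('cookie') || '';
 const cleanedCookies = currentCookies
 .split(';')
@@ -456,8 +461,13 @@ const defaultNextAuthOptionsV4 = (req: any, res: any) => {
 if (sessionCookie) {
 reqHeaders.set('cookie', sessionCookie);
 }
-} else {
-// Stale session cookie —
+} else if (credentials.formType === 'login') {
+// Stale session cookie — only clear it before a fresh password
+// login (ZERO-4247). Register and OTP flows are still anonymous at
+// this point (no pk yet), but their session carries the pending OTP
+// challenge; clearing it here makes the backend lose the challenge
+// and re-issue the code on every verify (ZERO-4550).
+// remove from headers and clear in browser
 const currentCookies = reqHeaders.get('cookie') || '';
 const cleanedCookies = currentCookies
 .split(';')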
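--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@akinon/next",
 "description": "Core package for Project Zero Next",
-"version": "2.0.27
+"version": "2.0.27",
 "private": false,
 "license": "MIT",
 "bin": {
@@ -36,7 +36,7 @@
 "set-cookie-parser": "2.6.0"
 },
 "devDependencies": {
-"@akinon/eslint-plugin-projectzero": "2.0.27
+"@akinon/eslint-plugin-projectzero": "2.0.27",
 "@babel/core": "7.26.10",
 "@babel/preset-env": "7.26.9",
 "@babel/preset-typescript": "7.27.0",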