ultimate-jekyll-manager 1.3.6 → 1.3.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +7 -0
- package/dist/assets/js/libs/auth.js +17 -5
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -14,6 +14,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
|
14
14
|
- `Fixed` for any bug fixes.
|
|
15
15
|
- `Security` in case of vulnerabilities.
|
|
16
16
|
|
|
17
|
+
---
|
|
18
|
+
## [1.3.7] - 2026-05-24
|
|
19
|
+
|
|
20
|
+
### Fixed
|
|
21
|
+
|
|
22
|
+
- **Reverse-signup detection on `/signin` was completely broken.** The reverse-signup-on-/signin flow in `src/assets/js/libs/auth.js` (lines 289 and 664) was reading `result.additionalUserInfo?.isNewUser` directly off the `UserCredential` returned by `getRedirectResult()` and `signInWithPopup()`. That property does NOT exist on the v9+ modular SDK — verified against `@firebase/auth`'s `auth-public.d.ts`, which declares `UserCredential` as exactly `{ user, providerId, operationType }`. The legacy compat SDK exposed `additionalUserInfo` as a direct property, hence the v9 migration footgun. On the modular SDK you must call the standalone helper `getAdditionalUserInfo(userCredential): AdditionalUserInfo | null` to access `isNewUser`. Result: `isNewUser` was always `undefined` → always falsy → the `if (isNewUser && !isSignupPage)` reverse gate at line 296 never fired in production. New Google accounts on `/signin` got signed in straight to `/account` with no consent on record, despite the reverse-signup code existing in the bundle since multiple versions ago. Confirmed live on Somiibo (Test 4 of `TODO-CONSENT-LIVETEST.md` failed 3× in a row with `operationType: 'signIn'` and no `[Auth] Reversing accidental signup` log line). Now both sites import `getAdditionalUserInfo` and call it on the result. Added two `console.warn` diagnostic logs (one per site) so future regressions surface immediately — can be removed once we're confident the fix sticks.
|
|
23
|
+
|
|
17
24
|
---
|
|
18
25
|
## [1.3.6] - 2026-05-24
|
|
19
26
|
|
|
@@ -266,7 +266,7 @@ export default function () {
|
|
|
266
266
|
async function handleRedirectResult() {
|
|
267
267
|
try {
|
|
268
268
|
// Import Firebase auth functions
|
|
269
|
-
const { getAuth, getRedirectResult } = await import('@firebase/auth');
|
|
269
|
+
const { getAuth, getRedirectResult, getAdditionalUserInfo } = await import('@firebase/auth');
|
|
270
270
|
const auth = getAuth();
|
|
271
271
|
|
|
272
272
|
// Check for redirect result
|
|
@@ -285,10 +285,17 @@ export default function () {
|
|
|
285
285
|
// Determine the provider from the result
|
|
286
286
|
const providerId = result.providerId || result.user.providerData?.[0]?.providerId || 'unknown';
|
|
287
287
|
|
|
288
|
-
// Track based on whether this is a new user
|
|
289
|
-
|
|
288
|
+
// Track based on whether this is a new user. Firebase Auth v9+ modular SDK
|
|
289
|
+
// does NOT expose additionalUserInfo as a direct property on UserCredential —
|
|
290
|
+
// you must call getAdditionalUserInfo(result) to get it. The legacy compat SDK
|
|
291
|
+
// exposed it as a direct property, hence the v9 migration footgun. Verified
|
|
292
|
+
// against @firebase/auth's auth-public.d.ts: UserCredential only declares
|
|
293
|
+
// { user, providerId, operationType }.
|
|
294
|
+
const additionalUserInfo = getAdditionalUserInfo(result);
|
|
295
|
+
const isNewUser = additionalUserInfo?.isNewUser;
|
|
290
296
|
const pagePath = document.documentElement.getAttribute('data-page-path');
|
|
291
297
|
const isSignupPage = pagePath === '/signup';
|
|
298
|
+
console.warn('[Auth] redirect additionalUserInfo:', additionalUserInfo, 'isNewUser:', isNewUser, 'pagePath:', pagePath, 'isSignupPage:', isSignupPage, 'operationType:', result.operationType);
|
|
292
299
|
|
|
293
300
|
// Google quirk: if a new account was auto-created during a signin attempt
|
|
294
301
|
// (user came back from OAuth via the redirect path on /signin, not /signup),
|
|
@@ -598,6 +605,7 @@ export default function () {
|
|
|
598
605
|
getAuth,
|
|
599
606
|
signInWithPopup,
|
|
600
607
|
signInWithRedirect,
|
|
608
|
+
getAdditionalUserInfo,
|
|
601
609
|
GoogleAuthProvider,
|
|
602
610
|
FacebookAuthProvider,
|
|
603
611
|
TwitterAuthProvider,
|
|
@@ -660,8 +668,12 @@ export default function () {
|
|
|
660
668
|
const result = await signInWithPopup(auth, provider);
|
|
661
669
|
console.log('[Auth] Successfully authenticated via popup:', result.user.email);
|
|
662
670
|
|
|
663
|
-
// Track based on whether this is a new user
|
|
664
|
-
|
|
671
|
+
// Track based on whether this is a new user. v9 modular SDK requires
|
|
672
|
+
// getAdditionalUserInfo(result) — the legacy `result.additionalUserInfo`
|
|
673
|
+
// direct property does NOT exist on UserCredential in v9+.
|
|
674
|
+
const additionalUserInfoPopup = getAdditionalUserInfo(result);
|
|
675
|
+
const isNewUser = additionalUserInfoPopup?.isNewUser;
|
|
676
|
+
console.warn('[Auth] popup additionalUserInfo:', additionalUserInfoPopup, 'isNewUser:', isNewUser, 'action:', action);
|
|
665
677
|
|
|
666
678
|
// Google quirk: signInWithPopup auto-creates accounts. If a brand-new visitor
|
|
667
679
|
// clicks "Sign in with Google" on the SIGNIN page (not signup), reverse the
|