ultimate-jekyll-manager 1.3.7 → 1.3.8

package/CHANGELOG.md

@@ -14,6 +14,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - `Fixed` for any bug fixes.
 - `Security` in case of vulnerabilities.
 
+---
+## [1.3.8] - 2026-05-24
+
+### Fixed
+
+- **Reverse-signup now keeps the user on `/signin` so they actually see the inline error.** v1.3.7 fixed `isNewUser` detection, but a follow-on race appeared: when Firebase's `getRedirectResult()` returns a fresh-signup user, the auth-state-change listener in `core/auth.js` fires `state.user = <about-to-be-deleted>` BEFORE `reverseAccidentalSignup`'s `await newUser.delete() → signOut()` chain completes. The listener's `policy === 'unauthenticated'` branch then redirects to `/account` (or `authReturnUrl`), and by the time the inline `showError()` call fires, the user is already off the page. Fixed with a `window.__UJM_REVERSING_SIGNUP` flag set synchronously before the delete + cleared after signOut's followup state-change. The listener checks the flag at the top and short-circuits the entire callback — no redirect, no metadata POST, no consent guard, nothing — until the reversal completes and the user lands on `user = null` with the inline error visible on `/signin`.
+
 ---
 ## [1.3.7] - 2026-05-24
 

package/dist/assets/js/core/auth.js

@@ -51,6 +51,16 @@ export default function () {
       // Log
       console.log('[Auth] state changed:', state);
 
+      // Short-circuit if a reverse-signup is in progress (libs/auth.js#reverseAccidentalSignup
+      // sets this synchronously before .delete() + signOut()). Without this, the brief
+      // window where Firebase shows user=<about-to-be-deleted-account> would trigger the
+      // policy-based redirect to /account (or authReturnUrl) BEFORE the user sees the
+      // inline error on /signin. Flag is cleared at the end of reverseAccidentalSignup.
+      if (window.__UJM_REVERSING_SIGNUP) {
+        console.warn('[Auth] Skipping state-change processing — reverse-signup in progress');
+        return;
+      }
+
       // Set user ID for analytics tracking
       setAnalyticsUserId(user);
 

package/dist/assets/js/libs/auth.js

@@ -125,6 +125,16 @@ export default function () {
   async function reverseAccidentalSignup(newUser) {
     console.warn('[Auth] Reversing accidental signup from /signin (new Google account created with no consent on record)');
 
+    // SYNCHRONOUSLY flag the reversal so the auth-state-change listener in
+    // core/auth.js short-circuits its policy-based redirect for this user.
+    // Without this, Firebase's redirect-result-success path triggers an auth
+    // state change with user=<the-about-to-be-deleted-account> BEFORE we
+    // finish .delete() + signOut(), and the listener redirects to /account
+    // (or authReturnUrl) before the user ever sees the inline error.
+    // Cleared in the finally block after signOut() has fired the followup
+    // auth-state-change with user=null.
+    window.__UJM_REVERSING_SIGNUP = true;
+
     try {
       await newUser.delete();
     } catch (e) {
@@ -152,6 +162,11 @@ export default function () {
       formManager.showError(`This account doesn't exist. Try signing up first or use a different account.`);
       formManager.ready();
     }
+
+    // Clear the flag now that signOut() has fired its auth-state-change
+    // with user=null. Future state changes (e.g. user re-clicks Continue
+    // with Google after seeing the error) get normal listener processing.
+    window.__UJM_REVERSING_SIGNUP = false;
   }
 
   // Validate that the user has agreed to the legal terms. Instead of highlighting the

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ultimate-jekyll-manager",
-  "version": "1.3.7",
+  "version": "1.3.8",
   "description": "Ultimate Jekyll dependency manager",
   "main": "dist/index.js",
   "exports": {