fix: correct passwordless login copy and doc drift#47
Merged
Conversation
eccd810 to
c480552
Compare
Fix a passwordless copy slip in the built-in Login view (it suggested resetting a password on an unexpected error; there are no passwords here). Refresh docs that had drifted from the actual client surface: - README OAuth callback example now reads the provider from sessionStorage (matching the bundled flow) instead of hardcoding "google" - README built-in routes list adds /oauth/callback - README backend expectations add the login-OTP variants and organization routes - AGENTS.md refreshes the stale public API export/type list, completes the assumed-endpoints list, and documents that the express adapter mounts /webAuthn (camelCase) with case-sensitive cookie-path matching, so client paths must stay byte-for-byte aligned with the adapter Note: an earlier revision of this branch also lowercased the client's /webAuthn paths. That was reverted: the @seamless-auth/express adapter matches cookie-requirement paths case-sensitively against camelCase keys, so changing only the client would break WebAuthn login through the adapter. The casing is instead being made robust in the server adapter.
c480552 to
55d5855
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Safe consistency fixes surfaced by a cross-repo review of
@seamless-auth/reactagainstseamless-auth-apiand the@seamless-auth/expressadapter. Docs/copy only — no request-path behavior changes.Changes
Loginview no longer suggests "resetting your password" on an unexpected error (there are no passwords in this system).providerId = 'google'with the realsessionStorage.getItem('seamless:oauth:provider')pattern the bundledOAuthCallbackview uses./oauth/callbackroute./otp/*-login-*) and the/organizations/*family the client actually calls.@seamless-auth/expressadapter mounts/webAuthn(camelCase) and matches cookie-requirement paths case-sensitively, so client paths must stay byte-for-byte aligned with the adapter.Note on WebAuthn path casing (reverted)
An earlier revision of this branch lowercased the client's
/webAuthnpaths to match the raw API. That was reverted: the@seamless-auth/expressadapter — the actual/authbackend the SDK targets — matches cookie-requirement paths case-sensitively against camelCase keys, and a no-match silently skips cookie loading. Changing only the npm-published client would break WebAuthn login/registration for any adopter whose adapter wasn't updated in lockstep. The casing is instead being made robust in the server adapter (case-insensitive path matching) as part of the TOTP work.Verification
npm run lint— cleannpm test -- --runInBand— 151/151 passnpm run build— succeedsIncludes a patch changeset for the adopter-facing copy fix.