Skip to content

fix: correct passwordless login copy and doc drift#47

Merged
Bccorb merged 1 commit into
mainfrom
fix/webauthn-casing-and-doc-consistency
Jul 7, 2026
Merged

fix: correct passwordless login copy and doc drift#47
Bccorb merged 1 commit into
mainfrom
fix/webauthn-casing-and-doc-consistency

Conversation

@Bccorb

@Bccorb Bccorb commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Summary

Safe consistency fixes surfaced by a cross-repo review of @seamless-auth/react against seamless-auth-api and the @seamless-auth/express adapter. Docs/copy only — no request-path behavior changes.

Changes

  • Passwordless copy fix — the built-in Login view no longer suggests "resetting your password" on an unexpected error (there are no passwords in this system).
  • README OAuth callback example — replaced the hardcoded providerId = 'google' with the real sessionStorage.getItem('seamless:oauth:provider') pattern the bundled OAuthCallback view uses.
  • README built-in routes — added the missing /oauth/callback route.
  • README backend expectations — added the login-OTP variants (/otp/*-login-*) and the /organizations/* family the client actually calls.
  • AGENTS.md — refreshed the stale "Current Public API" export/type list, completed the assumed-endpoints list, and documented that the @seamless-auth/express adapter mounts /webAuthn (camelCase) and matches cookie-requirement paths case-sensitively, so client paths must stay byte-for-byte aligned with the adapter.

Note on WebAuthn path casing (reverted)

An earlier revision of this branch lowercased the client's /webAuthn paths to match the raw API. That was reverted: the @seamless-auth/express adapter — the actual /auth backend the SDK targets — matches cookie-requirement paths case-sensitively against camelCase keys, and a no-match silently skips cookie loading. Changing only the npm-published client would break WebAuthn login/registration for any adopter whose adapter wasn't updated in lockstep. The casing is instead being made robust in the server adapter (case-insensitive path matching) as part of the TOTP work.

Verification

  • npm run lint — clean
  • npm test -- --runInBand — 151/151 pass
  • npm run build — succeeds

Includes a patch changeset for the adopter-facing copy fix.

@Bccorb Bccorb force-pushed the fix/webauthn-casing-and-doc-consistency branch from eccd810 to c480552 Compare July 7, 2026 00:24
@Bccorb Bccorb changed the title fix: align webauthn paths with API and fix doc/copy drift fix: correct passwordless login copy and doc drift Jul 7, 2026
Fix a passwordless copy slip in the built-in Login view (it suggested
resetting a password on an unexpected error; there are no passwords here).

Refresh docs that had drifted from the actual client surface:
- README OAuth callback example now reads the provider from sessionStorage
  (matching the bundled flow) instead of hardcoding "google"
- README built-in routes list adds /oauth/callback
- README backend expectations add the login-OTP variants and organization routes
- AGENTS.md refreshes the stale public API export/type list, completes the
  assumed-endpoints list, and documents that the express adapter mounts
  /webAuthn (camelCase) with case-sensitive cookie-path matching, so client
  paths must stay byte-for-byte aligned with the adapter

Note: an earlier revision of this branch also lowercased the client's
/webAuthn paths. That was reverted: the @seamless-auth/express adapter matches
cookie-requirement paths case-sensitively against camelCase keys, so changing
only the client would break WebAuthn login through the adapter. The casing is
instead being made robust in the server adapter.
@Bccorb Bccorb force-pushed the fix/webauthn-casing-and-doc-consistency branch from c480552 to 55d5855 Compare July 7, 2026 01:19
@Bccorb Bccorb merged commit 0f06cf9 into main Jul 7, 2026
2 of 3 checks passed
@Bccorb Bccorb deleted the fix/webauthn-casing-and-doc-consistency branch July 7, 2026 19:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant