Skip to content

Dev#48

Merged
Bccorb merged 12 commits into
mainfrom
dev
Jul 8, 2026
Merged

Dev#48
Bccorb merged 12 commits into
mainfrom
dev

Conversation

@Bccorb

@Bccorb Bccorb commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

No description provided.

Bccorb added 12 commits May 30, 2026 20:04
Registration now starts with just an email; verifying the registration email OTP
completes sign-up and returns a session. Add verifyRegistrationOtpHandler (core)
and verifyRegistrationOtp (express) so /otp/verify-email-otp and
/otp/verify-phone-otp set the session cookies — they previously proxied without
cookies, leaving browser users unauthenticated after registering. The shared
verify helper tolerates a phone-first step that returns no session yet.
authFetch now parses response bodies defensively: a plain-text error (e.g. a
rate-limited 429) or an empty body (204) no longer throws in handlers that read
the body before checking status, which previously crashed the adapter process.
Non-JSON -> { message: text }, empty -> undefined. Adds authFetch regression tests.
Mount the TOTP surface in @seamless-auth/express so frontends can drive TOTP
enrollment, management, and TOTP-based step-up verification:

- GET  /auth/totp/status
- POST /auth/totp/enroll/start
- POST /auth/totp/enroll/verify
- POST /auth/totp/disable
- POST /auth/totp/verify-mfa

These proxy the caller's access session upstream, matching the step-up route
pattern. They update server-side state only and mint no new session cookies.
TOTP as a login second factor is intentionally out of scope: the auth API does
not gate login on TOTP today, so /totp/verify-login has no trigger yet.

@seamless-auth/core gains the matching access-cookie requirements and now
matches cookie requirements case-insensitively. Express route matching is
case-insensitive by default, so a client path whose casing differed from the
mounted route (e.g. /webauthn vs /webAuthn) previously failed the case-sensitive
requirement lookup, silently skipped cookie loading, and broke the request. The
lookup is normalized to lower case on both sides.

Adds core unit tests for the TOTP requirements and case-insensitive matching,
and an express integration test covering each proxied TOTP route.
@Bccorb Bccorb merged commit 2b1a07a into main Jul 8, 2026
3 checks passed
@Bccorb Bccorb deleted the dev branch July 8, 2026 23:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant