Skip to content

fix(express): forward access token on req.user in requireAuth#53

Merged
Bccorb merged 3 commits into
mainfrom
fix/require-auth-forward-access-token
Jul 10, 2026
Merged

fix(express): forward access token on req.user in requireAuth#53
Bccorb merged 3 commits into
mainfrom
fix/require-auth-forward-access-token

Conversation

@Bccorb

@Bccorb Bccorb commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Problem

requireAuth verified the access cookie and populated req.user, but it omitted the inner access token from the cookie payload. Downstream, getSeamlessUser and buildServiceAuthorization read req.user.token to build the bearer credential for calls to the auth server. With that field missing, the auth server responded with "Missing bearer" and every requireUser/getSeamlessUser-protected route on trusted server adapters returned 401.

This surfaced in the Seamless Auth Portal API: after a successful login the session cookies were set, but /users/me (and all authenticated routes) returned 401, so users never appeared logged in.

Fix

  • requireAuth now attaches the inner access token as req.user.token.
  • SeamlessAuthUser gains an optional token field (additive, non-breaking).
  • Added a regression test asserting req.user.token is populated from the cookie payload.

Testing

  • pnpm --filter @seamless-auth/express test passes (12 suites, 31 tests).
  • Verified end to end against the portal API: register/verify and returning login now resolve /users/me with 200.

Release

Includes a patch changeset for @seamless-auth/express (core is linked, so both bump to 0.7.1).

Bccorb added 3 commits July 9, 2026 22:13
requireAuth built req.user without the inner access token, so getSeamlessUser
and buildServiceAuthorization could not send a bearer credential to the auth
server. Trusted server adapters received a "Missing bearer" error and every
authenticated route returned 401.

Attach payload.token as req.user.token, add token to the SeamlessAuthUser
type, and cover it with a regression test.
@Bccorb Bccorb merged commit ce6a577 into main Jul 10, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant