@@ -34,7 +34,6 @@ import { ssoRedirectForEmail } from "~/services/ssoAutoDiscovery.server";
3434import { logger , tryCatch } from "@trigger.dev/core/v3" ;
3535import { env } from "~/env.server" ;
3636import { extractClientIp } from "~/utils/extractClientIp.server" ;
37- import { magicLinkEmailCookie } from "./magicLinkEmailCookie.server" ;
3837
3938export const meta : MetaFunction = ( { matches } ) => {
4039 const parentMeta = matches
@@ -74,12 +73,14 @@ export async function loader({ request }: LoaderFunctionArgs) {
7473 // confirmation renders the flashed error as magicLinkError below.
7574 const url = new URL ( request . url ) ;
7675 const sanitized = sanitizeRedirectPath ( url . searchParams . get ( "redirectTo" ) ) ;
77- // The submitted address is carried in a short-lived cookie (not the URL) so
78- // the confirmation can name it. Validate before echoing it back.
79- const emailCookie = await magicLinkEmailCookie . parse ( request . headers . get ( "Cookie" ) ) ;
76+ // The email-link strategy stores the submitted address in the session
77+ // (`auth:email`) alongside the magic-link key, so read it from there to name
78+ // the confirmation — no address in the URL, and no separate cookie to leak
79+ // into the client bundle. Validate before echoing it back.
80+ const emailValue = session . get ( "auth:email" ) ;
8081 const email =
81- typeof emailCookie === "string" && z . string ( ) . email ( ) . safeParse ( emailCookie ) . success
82- ? emailCookie
82+ typeof emailValue === "string" && z . string ( ) . email ( ) . safeParse ( emailValue ) . success
83+ ? emailValue
8384 : null ;
8485 if ( ! session . has ( "triggerdotdev:magiclink" ) ) {
8586 // Throw (not return) so the redirect doesn't widen the loader's return
@@ -215,20 +216,13 @@ export async function action({ request }: ActionFunctionArgs) {
215216 return redirect ( ssoRedirect ) ;
216217 }
217218
218- // authenticator.authenticate throws its redirect Response; attach the
219- // sent-to email as a short-lived cookie so the confirmation can name it
220- // without putting the address in the URL.
221- try {
222- return await authenticator . authenticate ( "email-link" , request , {
223- successRedirect : "/login/magic" ,
224- failureRedirect : "/login" ,
225- } ) ;
226- } catch ( thrown ) {
227- if ( thrown instanceof Response ) {
228- thrown . headers . append ( "Set-Cookie" , await magicLinkEmailCookie . serialize ( email ) ) ;
229- }
230- throw thrown ;
231- }
219+ // The email-link strategy stores the address in the session (`auth:email`)
220+ // and throws its own redirect Response (with the committed session cookie),
221+ // so return it directly — the confirmation reads the email from the session.
222+ return await authenticator . authenticate ( "email-link" , request , {
223+ successRedirect : "/login/magic" ,
224+ failureRedirect : "/login" ,
225+ } ) ;
232226 }
233227 case "reset" :
234228 default : {
@@ -260,7 +254,7 @@ export default function LoginMagicLinkPage() {
260254 </ Header1 >
261255 < Fieldset className = "flex w-full flex-col items-center gap-y-2" >
262256 < InboxArrowDownIcon className = "mb-4 h-12 w-12 text-indigo-500" />
263- < Paragraph className = "mb-6 text-center [text-wrap:balance] " >
257+ < Paragraph className = "mb-6 text-center" >
264258 { email ? (
265259 < >
266260 We emailed a magic link to < span className = "text-text-bright" > { email } </ span > to
0 commit comments