#41 (critical): Replace plain Error throws in authorize() with CredentialsSignin subclasses (MfaRequiredError / MfaRequiredSetupError / InvalidTotpError). Auth.js v5 forwards CredentialsSignin.code to the client via SignInResponse.code; plain throws become CallbackRouteError and the message is never visible. Signin page now checks result.code ?? result.error for exact code matching. #38: MfaPromptBanner converted to fully client-side component via trpc.user.getMfaStatus.useQuery() — disappears immediately after MFA enable without requiring page reload. Snooze key remains userId-scoped via useSession(). Server-side prisma.user.findUnique call removed from (app)/layout.tsx. #40: NEXTAUTH_URL default fallback removed from docker-compose.yml. The variable is now required (:?) — docker compose up fails with a descriptive error if the value is missing, preventing silent localhost redirect bugs. Tests: auth.test.ts (5), MfaPromptBanner.test.ts (7), reset-password.test.ts (6) All new tests green. pnpm --filter @capakraken/web exec tsc --noEmit clean. Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
@@ -27,30 +27,31 @@ export default function SignInPage() {
|
||||
});
|
||||
|
||||
if (result?.error) {
|
||||
// Auth.js wraps authorize() errors in the error field
|
||||
if (result.error.includes("MFA_REQUIRED_SETUP")) {
|
||||
// Auth.js v5: CredentialsSignin subclasses forward their `code` via
|
||||
// SignInResponse.code (and sometimes also as result.error).
|
||||
// Check both fields for compatibility across beta versions.
|
||||
const code = result.code ?? result.error;
|
||||
|
||||
if (code === "MFA_REQUIRED_SETUP") {
|
||||
// User's role requires MFA but it hasn't been set up yet — redirect to setup
|
||||
setLoading(false);
|
||||
router.push("/account/security?mfa_required=1");
|
||||
return;
|
||||
}
|
||||
if (result.error.includes("MFA_REQUIRED")) {
|
||||
if (code === "MFA_REQUIRED") {
|
||||
setMfaRequired(true);
|
||||
setLoading(false);
|
||||
// Focus the TOTP input after render
|
||||
setTimeout(() => totpInputRef.current?.focus(), 100);
|
||||
return;
|
||||
}
|
||||
if (result.error.includes("INVALID_TOTP")) {
|
||||
if (code === "INVALID_TOTP") {
|
||||
setError("Invalid verification code. Please try again.");
|
||||
setTotp("");
|
||||
setLoading(false);
|
||||
return;
|
||||
}
|
||||
if (result.error.includes("Too many login attempts")) {
|
||||
setError("Too many login attempts. Please try again later.");
|
||||
} else {
|
||||
setError("Invalid email or password");
|
||||
}
|
||||
setError("Invalid email or password");
|
||||
// Reset MFA state on credential error
|
||||
if (mfaRequired) {
|
||||
setMfaRequired(false);
|
||||
|
||||
Reference in New Issue
Block a user