CapaKraken

Hartmut/CapaKraken

Fork 0

Commit Graph

Author	SHA1	Message	Date
Hartmut	3d8a256d52	fix(auth): use token.sid to avoid Auth.js jti claim conflict Auth.js v5 manages token.jti internally and overwrites it after the jwt callback. Storing our session UUID in token.sid ensures the value we persist in active_sessions matches what the signed cookie carries. - jwt callback: token.sid = jti (was token.jti) - session callback: read from token.sid - signOut event: falls back to token.jti for backward compat with any sessions created before this change Also adds Playwright dev-system test suite (playwright.dev.config.ts + e2e/dev-system/) that validates login, session registry health, and RBAC enforcement against the running localhost:3100 dev server. Co-Authored-By: claude-flow <ruv@ruv.net>	2026-04-01 19:00:44 +02:00

Author

SHA1

Message

Date

Hartmut

3d8a256d52

fix(auth): use token.sid to avoid Auth.js jti claim conflict

Auth.js v5 manages token.jti internally and overwrites it after the jwt
callback. Storing our session UUID in token.sid ensures the value we
persist in active_sessions matches what the signed cookie carries.

- jwt callback: token.sid = jti (was token.jti)
- session callback: read from token.sid
- signOut event: falls back to token.jti for backward compat with any
  sessions created before this change

Also adds Playwright dev-system test suite (playwright.dev.config.ts +
e2e/dev-system/) that validates login, session registry health, and
RBAC enforcement against the running localhost:3100 dev server.

Co-Authored-By: claude-flow <ruv@ruv.net>

2026-04-01 19:00:44 +02:00

1 Commits