Skip to content

fix: issue a session on OTP-based registration#42

Merged
Bccorb merged 1 commit into
devfrom
fix/registration-session-cookie
Jun 28, 2026
Merged

fix: issue a session on OTP-based registration#42
Bccorb merged 1 commit into
devfrom
fix/registration-session-cookie

Conversation

@Bccorb

@Bccorb Bccorb commented Jun 28, 2026

Copy link
Copy Markdown
Contributor

What

Make OTP-based registration issue a session. Registration now starts with just an
email; verifying the registration email OTP completes sign-up and returns a session.

Why

The adapter routed /otp/verify-email-otp and /otp/verify-phone-otp through a plain
proxy (proxyWithIdentity(..., "preAuth"), no cookie), while only the verify-login-*
variants set the session cookie. So a browser user who registered via OTP finished
unauthenticated — the React starter bounced back to /login after a "successful"
registration. (Surfaced by the seamless verify conformance harness.)

Changes

  • core: refactor verifyLoginOtpHandler to share a verifyOtp helper and add
    verifyRegistrationOtpHandler (posts to the registration verify paths). The shared
    helper tolerates a response with no session yet (e.g. a phone-first step), returning
    the body without cookies.
  • express: add verifyRegistrationOtp (same cookie handling as verifyLoginOtp) and
    wire /otp/verify-email-otp + /otp/verify-phone-otp to it.

Verification

seamless verify --local is green, including a new adapter case asserting
register + verify email OTP -> /users/me 200 (session cookie set).

Registration now starts with just an email; verifying the registration email OTP
completes sign-up and returns a session. Add verifyRegistrationOtpHandler (core)
and verifyRegistrationOtp (express) so /otp/verify-email-otp and
/otp/verify-phone-otp set the session cookies — they previously proxied without
cookies, leaving browser users unauthenticated after registering. The shared
verify helper tolerates a phone-first step that returns no session yet.
@Bccorb Bccorb merged commit 18df90e into dev Jun 28, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant