mirror of
https://github.com/stack-auth/stack.git
synced 2026-06-21 21:09:49 +08:00
b874da4a1b
The session-ownership guard recomputed the key from the session's existing
refresh token, so refresh-backed sessions accepted any access token. Validate
the incoming token pair against this.sessionKey instead, so a foreign token
can't be installed into either an access-only or a refresh-backed session.
Also route the sign-in current-user prefetch through runAsynchronously instead
of swallowing failures with .catch(() => {}), per the project's async-error
handling guideline.
|
||
|---|---|---|
| .. | ||
| src | ||
| .eslintrc.cjs | ||
| LICENSE | ||
| package.json | ||
| tsconfig.json | ||
| tsdown.config.ts | ||
| vitest.config.ts | ||