mirror of
https://github.com/stack-auth/stack.git
synced 2026-06-04 21:04:37 +08:00
Bug 1: Exhausted confirmation code lockout
- Add attempts < MAX_ATTEMPTS check to init guard so a fresh code is generated once the previous one is exhausted.

Bug 2: Heartbeat code delivery made idempotent
- Rename consumeRemoteDevelopmentEnvironmentBrowserSecretConfirmationCodeForCli to peekRemoteDevelopmentEnvironmentBrowserSecretConfirmationCodeForCli (non-destructive). Always return the code until it expires or is consumed by submit.
- CLI deduplicates locally so it only logs each code once.

Bug 3: Handle browser-secret redirects in config-update
- Catch RemoteDevelopmentEnvironmentBrowserSecretRedirectingError and return 'redirecting' instead of throwing.

Bug 4: Guard malformed return_to URL
- Wrap new URL() in try-catch in sameOriginReturnTo; fail closed to '/'.

Bug 5: Localbound helper one-shot enforcement
- Close the helper server after successfully issuing a browser secret.

Bug 6: Auth gate before body parse in submit-confirmation-code
- Run assertRemoteDevelopmentEnvironmentBrowserSecretSetupRequest before reading/parsing the JSON body.

Bug 7: Guard response.json() in CLI heartbeat
- Wrap response.json() in try-catch to handle unparseable responses.

Also: reset process-global browser-secret state between tests and call vi.resetModules() in afterEach.

Co-Authored-By: Konstantin Wohlwend <n2d4xc@gmail.com>

- scripts
- src
- .eslintrc.cjs
- package.json
- tsconfig.json
- tsdown.config.ts
- vitest.config.ts