fix(auth): stop wiki login loop to coming-soon and surface non-member state

Members (and pre-registrants) hitting wiki.ghostguild.org were getting bounced to /coming-soon with a "Pre-Register" link, even when the OIDC flow was working correctly. - Allowlist /auth/oidc-error, /auth/logout-confirm, /auth/logout-success, and /verify in the coming-soon middleware so OIDC errors and main-site magic links stop redirecting to the pre-register page. - Raise OIDC Interaction TTL from 10m to 15m so it outlives the magic-link JWT and legitimate members don't hit expired-interaction errors when they click the email a few minutes late. - Differentiate the "email isn't a registered member" response on the wiki login route and show a dedicated "Not a member yet" state with a pre-register link and contact email, instead of the misleading "Check your inbox" that silently failed.
2026-04-15 17:55:55 +01:00 · 2026-04-15 17:55:55 +01:00 · 1e9e9c4d97
commit 1e9e9c4d97
parent 2394248d53
4 changed files with 70 additions and 22 deletions
--- a/app/pages/auth/wiki-login.vue
+++ b/app/pages/auth/wiki-login.vue
@ -8,6 +8,7 @@ const uid = route.query.uid as string;

 const email = ref("");
 const sent = ref(false);
+const notRegistered = ref(false);
 const loading = ref(false);
 const error = ref("");

@ -15,13 +16,21 @@ async function sendMagicLink() {
  if (!email.value || !uid) return;
  loading.value = true;
  error.value = "";
+  notRegistered.value = false;

  try {
-    await $fetch("/oidc/interaction/login", {
-      method: "POST",
-      body: { email: email.value, uid },
-    });
-    sent.value = true;
+    const response = await $fetch<{ success: boolean; registered: boolean }>(
+      "/oidc/interaction/login",
+      {
+        method: "POST",
+        body: { email: email.value, uid },
+      }
+    );
+    if (response.registered === false) {
+      notRegistered.value = true;
+    } else {
+      sent.value = true;
+    }
  } catch (e: any) {
    error.value =
      e?.data?.statusMessage || "Something went wrong. Please try again.";
@ -29,6 +38,12 @@ async function sendMagicLink() {
    loading.value = false;
  }
 }
+
+function resetForm() {
+  sent.value = false;
+  notRegistered.value = false;
+  email.value = "";
+}
 </script>

 <template>
@ -39,11 +54,11 @@ async function sendMagicLink() {
        <h1 class="wiki-login-title">Wiki</h1>
      </header>

-      <hr class="section-divider" />
+      <hr class="section-divider" >

      <Transition name="wiki-fade" mode="out-in">
        <form
-          v-if="!sent"
+          v-if="!sent && !notRegistered"
          key="form"
          class="wiki-login-form"
          @submit.prevent="sendMagicLink"
@ -58,7 +73,7 @@ async function sendMagicLink() {
              autocomplete="email"
              placeholder="you@example.com"
              :disabled="loading"
-            />
+            >
          </div>

          <p
@ -89,7 +104,7 @@ async function sendMagicLink() {
        </form>

        <div
-          v-else
+          v-else-if="sent"
          key="sent"
          class="wiki-login-sent"
          role="status"
@ -99,13 +114,35 @@ async function sendMagicLink() {
          <p class="wiki-login-sent-detail">
            A sign-in link was sent to <strong>{{ email }}</strong>
          </p>
-          <button
-            class="wiki-login-reset"
-            @click="
-              sent = false;
-              email = '';
-            "
-          >
+          <button class="wiki-login-reset" @click="resetForm">
+            Try a different email
+          </button>
+        </div>
+
+        <div
+          v-else
+          key="not-registered"
+          class="wiki-login-sent"
+          role="status"
+          aria-live="polite"
+        >
+          <h2 class="wiki-login-sent-heading">Not a member yet</h2>
+          <p class="wiki-login-sent-detail">
+            <strong>{{ email }}</strong> isn't registered as a Ghost Guild
+            member. If you've pre-registered, an admin needs to invite you
+            before you can sign in.
+          </p>
+          <p class="wiki-login-sent-detail">
+            <a href="https://babyghosts.org/ghost-guild/" class="wiki-login-link"
+              >Pre-register at Baby Ghosts</a
+            >
+            or email
+            <a href="mailto:hello@babyghosts.org" class="wiki-login-link"
+              >hello@babyghosts.org</a
+            >
+            if you think this is a mistake.
+          </p>
+          <button class="wiki-login-reset" @click="resetForm">
            Try a different email
          </button>
        </div>
@ -220,6 +257,16 @@ async function sendMagicLink() {
  font-weight: 600;
 }

+.wiki-login-link {
+  color: var(--candle);
+  text-decoration: underline;
+  text-underline-offset: 2px;
+}
+
+.wiki-login-link:hover {
+  color: var(--candle-dim);
+}
+
 .wiki-login-reset {
  font-family: "Commit Mono", monospace;
  font-size: 12px;