jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(auth): stop wiki login loop to coming-soon and surface non-member state
Some checks failed
Test / vitest (push) Failing after 6m9s
Details
Test / playwright (push) Has been skipped
Details
Test / visual (push) Has been skipped
Details
Test / Notify on failure (push) Successful in 2s
Details

Browse source 
Members (and pre-registrants) hitting wiki.ghostguild.org were getting bounced
to /coming-soon with a "Pre-Register" link, even when the OIDC flow was
working correctly.

- Allowlist /auth/oidc-error, /auth/logout-confirm, /auth/logout-success,
  and /verify in the coming-soon middleware so OIDC errors and main-site
  magic links stop redirecting to the pre-register page.
- Raise OIDC Interaction TTL from 10m to 15m so it outlives the magic-link
  JWT and legitimate members don't hit expired-interaction errors when they
  click the email a few minutes late.
- Differentiate the "email isn't a registered member" response on the wiki
  login route and show a dedicated "Not a member yet" state with a
  pre-register link and contact email, instead of the misleading
  "Check your inbox" that silently failed.
This commit is contained in:
Jennie Robinson Faber 2026-04-15 17:55:55 +01:00
parent 2394248d53
commit 1e9e9c4d97
4 changed files with 70 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

4
app/middleware/coming-soon.global.js
View file

@ -12,6 +12,10 @@ export default defineNuxtRouteMiddleware(async (to, from) => {
if ( if (
to.path === "/coming-soon" || to.path === "/coming-soon" ||
to.path === "/auth/wiki-login" || to.path === "/auth/wiki-login" ||
to.path === "/auth/oidc-error" ||
to.path === "/auth/logout-confirm" ||
to.path === "/auth/logout-success" ||
to.path === "/verify" ||
to.path.startsWith("/admin") to.path.startsWith("/admin")
) { ) {
return; return;

79
app/pages/auth/wiki-login.vue
View file

@ -8,6 +8,7 @@ const uid = route.query.uid as string;
const email = ref(""); const email = ref("");
const sent = ref(false); const sent = ref(false);
const notRegistered = ref(false);
const loading = ref(false); const loading = ref(false);
const error = ref(""); const error = ref("");
@ -15,13 +16,21 @@ async function sendMagicLink() {
if (!email.value || !uid) return; if (!email.value || !uid) return;
loading.value = true; loading.value = true;
error.value = ""; error.value = "";
notRegistered.value = false;
try { try {
await $fetch("/oidc/interaction/login", { const response = await $fetch<{ success: boolean; registered: boolean }>(
method: "POST", "/oidc/interaction/login",
body: { email: email.value, uid }, {
}); method: "POST",
sent.value = true; body: { email: email.value, uid },
}
);
if (response.registered === false) {
notRegistered.value = true;
} else {
sent.value = true;
}
} catch (e: any) { } catch (e: any) {
error.value = error.value =
e?.data?.statusMessage || "Something went wrong. Please try again."; e?.data?.statusMessage || "Something went wrong. Please try again.";
@ -29,6 +38,12 @@ async function sendMagicLink() {
loading.value = false; loading.value = false;
} }
} }
function resetForm() {
sent.value = false;
notRegistered.value = false;
email.value = "";
}
</script> </script>
<template> <template>
@ -39,11 +54,11 @@ async function sendMagicLink() {
<h1 class="wiki-login-title">Wiki</h1> <h1 class="wiki-login-title">Wiki</h1>
</header> </header>
<hr class="section-divider" /> <hr class="section-divider" >
<Transition name="wiki-fade" mode="out-in"> <Transition name="wiki-fade" mode="out-in">
<form <form
v-if="!sent" v-if="!sent && !notRegistered"
key="form" key="form"
class="wiki-login-form" class="wiki-login-form"
@submit.prevent="sendMagicLink" @submit.prevent="sendMagicLink"
@ -58,7 +73,7 @@ async function sendMagicLink() {
autocomplete="email" autocomplete="email"
placeholder="you@example.com" placeholder="you@example.com"
:disabled="loading" :disabled="loading"
/> >
</div> </div>
<p <p
@ -89,7 +104,7 @@ async function sendMagicLink() {
</form> </form>
<div <div
v-else v-else-if="sent"
key="sent" key="sent"
class="wiki-login-sent" class="wiki-login-sent"
role="status" role="status"
@ -99,13 +114,35 @@ async function sendMagicLink() {
<p class="wiki-login-sent-detail"> <p class="wiki-login-sent-detail">
A sign-in link was sent to <strong>{{ email }}</strong> A sign-in link was sent to <strong>{{ email }}</strong>
</p> </p>
<button <button class="wiki-login-reset" @click="resetForm">
class="wiki-login-reset" Try a different email
@click=" </button>
sent = false; </div>
email = '';
" <div
> v-else
key="not-registered"
class="wiki-login-sent"
role="status"
aria-live="polite"
>
<h2 class="wiki-login-sent-heading">Not a member yet</h2>
<p class="wiki-login-sent-detail">
<strong>{{ email }}</strong> isn't registered as a Ghost Guild
member. If you've pre-registered, an admin needs to invite you
before you can sign in.
</p>
<p class="wiki-login-sent-detail">
<a href="https://babyghosts.org/ghost-guild/" class="wiki-login-link"
>Pre-register at Baby Ghosts</a
>
or email
<a href="mailto:hello@babyghosts.org" class="wiki-login-link"
>hello@babyghosts.org</a
>
if you think this is a mistake.
</p>
<button class="wiki-login-reset" @click="resetForm">
Try a different email Try a different email
</button> </button>
</div> </div>
@ -220,6 +257,16 @@ async function sendMagicLink() {
font-weight: 600; font-weight: 600;
} }
.wiki-login-link {
color: var(--candle);
text-decoration: underline;
text-underline-offset: 2px;
}
.wiki-login-link:hover {
color: var(--candle-dim);
}
.wiki-login-reset { .wiki-login-reset {
font-family: "Commit Mono", monospace; font-family: "Commit Mono", monospace;
font-size: 12px; font-size: 12px;

7
server/routes/oidc/interaction/login.post.ts
View file

@ -28,12 +28,9 @@ export default defineEventHandler(async (event) => {
}); });
} }
const GENERIC_MESSAGE =
"If this email is registered, we've sent a login link.";
const member = await (Member as any).findOne({ email }); const member = await (Member as any).findOne({ email });
if (!member) { if (!member) {
return { success: true, message: GENERIC_MESSAGE }; return { success: true, registered: false };
} }
const config = useRuntimeConfig(event); const config = useRuntimeConfig(event);
@ -62,7 +59,7 @@ ${baseUrl}/oidc/interaction/verify?token=${token}
This link expires in 15 minutes. If you didn't request this, you can safely ignore this email.`, This link expires in 15 minutes. If you didn't request this, you can safely ignore this email.`,
}); });
return { success: true, message: GENERIC_MESSAGE }; return { success: true, registered: true };
} catch (error) { } catch (error) {
console.error("Failed to send OIDC login email:", error); console.error("Failed to send OIDC login email:", error);
throw createError({ throw createError({

2
server/utils/oidc-provider.ts
View file

@ -81,7 +81,7 @@ export async function getOidcProvider() {
AuthorizationCode: 600, // 10 minutes AuthorizationCode: 600, // 10 minutes
RefreshToken: 14 * 24 * 60 * 60, // 14 days RefreshToken: 14 * 24 * 60 * 60, // 14 days
Session: 14 * 24 * 60 * 60, // 14 days Session: 14 * 24 * 60 * 60, // 14 days
Interaction: 600, // 10 minutes Interaction: 900, // 15 minutes — must match magic-link JWT TTL so the interaction outlives the token
Grant: 14 * 24 * 60 * 60, // 14 days Grant: 14 * 24 * 60 * 60, // 14 days
}, },