jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ghostguild-org/server/routes/oidc/interaction/login.post.ts
Jennie Robinson Faber 1e9e9c4d97
Some checks failed
Test / vitest (push) Failing after 6m9s
Details
Test / playwright (push) Has been skipped
Details
Test / visual (push) Has been skipped
Details
Test / Notify on failure (push) Successful in 2s
Details
fix(auth): stop wiki login loop to coming-soon and surface non-member state 
Members (and pre-registrants) hitting wiki.ghostguild.org were getting bounced
to /coming-soon with a "Pre-Register" link, even when the OIDC flow was
working correctly.

- Allowlist /auth/oidc-error, /auth/logout-confirm, /auth/logout-success,
  and /verify in the coming-soon middleware so OIDC errors and main-site
  magic links stop redirecting to the pre-register page.
- Raise OIDC Interaction TTL from 10m to 15m so it outlives the magic-link
  JWT and legitimate members don't hit expired-interaction errors when they
  click the email a few minutes late.
- Differentiate the "email isn't a registered member" response on the wiki
  login route and show a dedicated "Not a member yet" state with a
  pre-register link and contact email, instead of the misleading
  "Check your inbox" that silently failed.
2026-04-15 17:55:55 +01:00

70 lines
1.9 KiB
TypeScript
Raw Blame History

/**
* Handle magic link login request during OIDC interaction flow.
*
* POST /oidc/interaction/login
* Body: { email: string, uid: string }
*
* Sends a magic link email. The link includes the OIDC interaction uid so the
* verify step can complete the interaction after authenticating.
*/
import jwt from "jsonwebtoken";
import { Resend } from "resend";
import Member from "../../../models/member.js";
import { connectDB } from "../../../utils/mongoose.js";
const resend = new Resend(process.env.RESEND_API_KEY);
export default defineEventHandler(async (event) => {
await connectDB();
const body = await readBody(event);
const email = body?.email?.trim()?.toLowerCase();
const uid = body?.uid;
if (!email || !uid) {
throw createError({
statusCode: 400,
statusMessage: "Email and interaction uid are required",
});
}
const member = await (Member as any).findOne({ email });
if (!member) {
return { success: true, registered: false };
}
const config = useRuntimeConfig(event);
const token = jwt.sign(
{ memberId: member._id, oidcUid: uid },
config.jwtSecret,
{ expiresIn: "15m" }
);
const headers = getHeaders(event);
const baseUrl =
process.env.BASE_URL ||
`${headers.host?.includes("localhost") ? "http" : "https"}://${headers.host}`;
try {
await resend.emails.send({
from: "Ghost Guild <ghostguild@babyghosts.org>",
to: email,
subject: "Sign in to Ghost Guild Wiki",
text: `Sign in to the Ghost Guild Wiki
Use this link to sign in:
${baseUrl}/oidc/interaction/verify?token=${token}
This link expires in 15 minutes. If you didn't request this, you can safely ignore this email.`,
});
return { success: true, registered: true };
} catch (error) {
console.error("Failed to send OIDC login email:", error);
throw createError({
statusCode: 500,
statusMessage: "Failed to send login email. Please try again.",
});
}
});
Reference in a new issue View git blame Copy permalink