You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(fraud): thread deviceTrackingToken through the login/signup IdP entry point
The maxmind fix earlier today only threaded deviceTrackingToken through
sso-action.ts's runSsoAction (the SSO management/account-linking action).
It missed the actual PRIMARY entry point both /login and /signup's "Sign in
with Google" buttons use: login.service.ts's startIdpIntent, driven by the
shared loginIdpSchema. That schema had no deviceTrackingToken field, so zod
silently stripped it from the submitted form even though the hidden input
was correctly populated client-side — confirmed live: the token was present
in sessionStorage and the rendered form field, but never made it onto the
/sso callback URL.
- loginIdpSchema: add deviceTrackingToken (optional).
- login.service.ts startIdpIntent: accept it, thread into idpReturnUrls
(which already supported the field from the earlier fix).
- routes/login/index.tsx and routes/signup/index.tsx: forward it from
parsed.data into startIdpIntent.
Scoped deliberately: /sso/link (linking an additional IdP to an already
signed-in, already-scored account) is a GET-driven flow with a different
transport mechanism and lower fraud-signal value — left out of scope.
TDD: RED test confirmed the success URL was missing the param, GREEN after
the fix. Full suite: 426/426 passing, tsc clean.
0 commit comments