You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(auth): address code-review findings (HIGH→LOW) on the re-auth guard + infra
Re-auth identity guard — close the gaps the review found, via a shared helper so every
login factor agrees (checkReauthIntent, case-insensitive):
- H-1 passkey & security-key: add the guard to the shared webauthn-verify factory action
(was bypassed → a passkey re-auth could complete as the wrong identity / never clear the
intent). Now match-checks + clears + bounces to the picker on mismatch.
- H-2/H-3 SSO link / auto-link / link-needs-auth / auto-create: clear the reauth-intent
cookie so a stale marker can't false-mismatch a later login (notably link-needs-auth →
/login → password).
- Case-insensitive comparison (was exact) so IdP/SAML casing differences don't false-mismatch.
- password + IdP paths refactored onto the shared checkReauthIntent.
Correctness / quality:
- H-5 removeAccount: build the redirect via paths.accounts() (no hand-rolled URL string).
- H-6 RateLimiter: type the store as the RateLimitStore INTERFACE + narrow the union return
(remove the unsafe cast) so the Redis seam is real.
- userCode: bound to the OAuth device user_code shape in switch/remove schemas.
- listAccounts: stop threading the stale cookie-baked requestId into display-only nextPath.
- /authorize prompt=login freshness window now honors a stricter org passwordCheckLifetimeMs
(only ever tightens); explicit sessionId guard instead of byId('').
- rate-limit-store: record windowMs per bucket so the sweep is correct under a shared store.
- Extracted /logout into session-logout.service.ts (session.service 793->657 lines), re-exported;
registered both modules in the auth-event coverage registry.
Deps / docs: re-pin remix-utils to 9.3.1 (stop floating) + refresh csrf comment; document the
CSP unsafe-inline accepted risk; de-TODO the LDAP-link + split-layout design notes.
NOTE: js-yaml is KEPT — it satisfies @datum-cloud/datum-ui's optional peer (removing it repeats
the @tanstack/react-virtual clean-install break); the review's 'unused dep' was a false positive.
Tests: reauth-intent cookie + shared checkReauthIntent (match/mismatch/case-insensitive/clear);
IdP guard case-insensitive case.
Copy file name to clipboardExpand all lines: app/modules/i18n/locales/en.po
+10-10Lines changed: 10 additions & 10 deletions
Original file line number
Diff line number
Diff line change
@@ -13,7 +13,7 @@ msgstr ""
13
13
"Plural-Forms: \n"
14
14
15
15
#. placeholder {0}: attempts.count
16
-
#:app/routes/login/password.tsx:158
16
+
#:app/routes/login/password.tsx:157
17
17
msgid"{0, plural, one {# attempt remaining.} other {# attempts remaining.}}"
18
18
msgstr"{0, plural, one {# attempt remaining.} other {# attempts remaining.}}"
19
19
@@ -191,7 +191,7 @@ msgstr "Continue"
191
191
msgid"Continue with your provider"
192
192
msgstr"Continue with your provider"
193
193
194
-
#:app/routes/login/password.tsx:106
194
+
#:app/routes/login/password.tsx:105
195
195
msgid"Could not verify password"
196
196
msgstr"Could not verify password"
197
197
@@ -302,8 +302,8 @@ msgstr "Enter your authenticator code"
302
302
msgid"Enter your email code"
303
303
msgstr"Enter your email code"
304
304
305
-
#:app/routes/login/password.tsx:126
306
-
#:app/routes/login/password.tsx:143
305
+
#:app/routes/login/password.tsx:125
306
+
#:app/routes/login/password.tsx:142
307
307
msgid"Enter your password"
308
308
msgstr"Enter your password"
309
309
@@ -315,7 +315,7 @@ msgstr "Enter your SMS code"
315
315
msgid"Finish creating your account"
316
316
msgstr"Finish creating your account"
317
317
318
-
#:app/routes/login/password.tsx:189
318
+
#:app/routes/login/password.tsx:188
319
319
msgid"Forgot password?"
320
320
msgstr"Forgot password?"
321
321
@@ -432,7 +432,7 @@ msgstr "Phone"
432
432
msgid"Phone sign-in isn't available — use your email or username."
433
433
msgstr"Phone sign-in isn't available — use your email or username."
434
434
435
-
#:app/routes/login/password.tsx:177
435
+
#:app/routes/login/password.tsx:176
436
436
#:app/utils/errors/auth-error-messages.tsx:27
437
437
msgid"Please check your input and try again."
438
438
msgstr"Please check your input and try again."
@@ -530,13 +530,13 @@ msgstr "Set up security key"
530
530
msgid"Set up SMS one-time code"
531
531
msgstr"Set up SMS one-time code"
532
532
533
-
#:app/routes/login/password.tsx:182
533
+
#:app/routes/login/password.tsx:181
534
534
#:app/routes/signup/index.tsx:286
535
535
#:app/routes/sso/ldap.tsx:82
536
536
msgid"Sign in"
537
537
msgstr"Sign in"
538
538
539
-
#:app/routes/login/password.tsx:171
539
+
#:app/routes/login/password.tsx:170
540
540
#:app/routes/logout/success.tsx:22
541
541
#:app/utils/errors/auth-error-recovery.tsx:47
542
542
msgid"Sign in again"
@@ -815,7 +815,7 @@ msgstr "You're almost done! <0>{loginName}</0>"
815
815
msgid"You've been signed out"
816
816
msgstr"You've been signed out"
817
817
818
-
#:app/routes/login/password.tsx:153
818
+
#:app/routes/login/password.tsx:152
819
819
msgid"Your account is temporarily locked after too many attempts."
820
820
msgstr"Your account is temporarily locked after too many attempts."
821
821
@@ -839,7 +839,7 @@ msgstr "Your password has expired. Please reset it to continue."
839
839
msgid"Your session has ended and you've been securely signed out of Datum. You can safely close this tab, or sign back in any time to pick up where you left off."
840
840
msgstr"Your session has ended and you've been securely signed out of Datum. You can safely close this tab, or sign back in any time to pick up where you left off."
0 commit comments