Skip to content

"Logged in" not "loggedin"#28

Merged
drewr merged 3 commits into
mainfrom
logged-in-not-loggedin
Dec 5, 2025
Merged

"Logged in" not "loggedin"#28
drewr merged 3 commits into
mainfrom
logged-in-not-loggedin

Conversation

@drewr

@drewr drewr commented Dec 5, 2025

Copy link
Copy Markdown

This is a transient screen but I see it every day and need it to be fixed.

image

@drewr drewr moved this from Backlog to In review in Eng - Datum 1.0 Dec 5, 2025
@drewr

drewr commented Dec 5, 2025

Copy link
Copy Markdown
Author

Repro of the build error (not sure how to fix yet):

git clone git@github.com:nektos/act.git
( cd act && make )
act/dist/local/act pull_request -v --env GITHUB_TOKEN=github_pat_11AAABXXXXXXXXXXXXX

@drewr

drewr commented Dec 5, 2025

Copy link
Copy Markdown
Author

Reproduced the actual linter error. Here's how to fix:

pnpm prettier --write .

@drewr

drewr commented Dec 5, 2025

Copy link
Copy Markdown
Author

Now getting a separate error. I'm going to override the check and just merge it. Clearly there's an outdated image in here somewhere (maybe ghcr.io/zitadel/login?). Not interested in spending this much time satisfying Zitadel's code quality. We can fix it later if needed.

#58 [login-standalone login-standalone-builder 8/9] RUN pnpm exec turbo run build:login:standalone
#58 CANCELED
------
 > [login-test-integration login-test-integration  2/24] ONBUILD RUN bash /opt/installScripts/node/install-node-version.sh 22.16.0:
22.22 + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys C0D6248439F1D5604AAFFB4021D900FFDB233756
22.76 gpg: key 21D900FFDB233756: new key but contains no user ID - skipped
22.76 gpg: Total number processed: 1
22.76 gpg:           w/o user IDs: 1
22.77 + curl -fsSLO --compressed https://nodejs.org/dist/v22.16.0/node-v22.16.0-linux-x64.tar.xz
23.54 + curl -fsSLO --compressed https://nodejs.org/dist/v22.16.0/SHASUMS256.txt.asc
23.89 + gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc
23.89 gpg: Signature made Wed May 21 15:24:58 2025 UTC
23.89 gpg:                using RSA key C0D6248439F1D5604AAFFB4021D900FFDB233756
23.89 gpg: Can't check signature: No public key

@drewr drewr merged commit a1db7d3 into main Dec 5, 2025
2 of 3 checks passed
@github-project-automation github-project-automation Bot moved this from In review to Done in Eng - Datum 1.0 Dec 5, 2025
@ecv ecv deleted the logged-in-not-loggedin branch May 13, 2026 02:40
yahyafakhroji added a commit that referenced this pull request Jul 5, 2026
Fixes 31 of 32 confirmed findings from the adversarially-verified ultracode audit
of the auth-ui rebuild; #16 is partially fixed with a documented residual. All
changes typecheck clean and pass the mirrored cypress component specs. See
docs/AUDIT-FINDINGS.md for the full per-finding detail and status.

Highlights by subsystem:
- session/device: device-authorization grants no longer auto-complete from the
  forgeable GET /signed-in; they route to the CSRF-protected /device/authorize
  consent screen (explicit Approve showing app + scope). (#10)
- rate-limit: limiters mount on '*' and self-guard on a normalized (lowercased,
  .data-stripped) path, closing the case-variant and single-fetch bypasses. (#1, #11)
- verify: email-code resend is gated on server-verified session ownership and never
  500s / enumerates; requestId validated + encoded into the /authorize hand-back.
  (#9, #25, #30)
- signup: registration policy (allowRegister/allowPassword/passkeysType) enforced in
  the actions; duplicate-email responses emit a Set-Cookie (presence oracle closed,
  content/size residual documented — #16); fingerprintId used instead of the MaxMind
  token; requestId resumed on email-link complete. (#3, #4, #14, #16, #17)
- sso: guarded getSession/startIdpIntent (graceful branded errors, not 500s); LDAP
  reauth cookie cleared; ProviderError on sign-in mapped to the branded page;
  deviceTrackingToken threaded on auto-link. (#2, #5, #6, #13, #19, #20, #21)
- providers/mappers: U2F factor derived from the webAuthN proto factor (fixes the
  U2F login loop); failedAttempts extracted with the proper schema; forceMfaLocalOnly
  kept distinct from forceMfa. (#0, #7, #22)
- session cookie: dual-format (ISO/epoch) timestamp parsing in the eviction pre-pass
  so the 2KB budget is respected. (#8)
- webauthn: real browsers without WebAuthn see the unsupported message instead of
  submitting the Cypress fake credential. (#27)
- fraud: MaxMind token falls back to the cookie when it lands after the poll budget;
  default-org cache keyed per service URL. (#28, #29)
- audit logging: raw loginName replaced with hashActor across OTP/webauthn/password
  reset events. (#23, #24, #26)
- setup: safeParse on tampered skip params; TOTP register guarded. (#12, #31)

Verification (2026-07-04): the 12 findings applied in the prior batch were
independently re-verified (verifier + adversary per finding). 9 closed cleanly;
#10 (device-auth) was incomplete and #30 (resend test) was a regression — both
re-fixed here; #16 (signup enumeration) is partial, with the residual documented
and full closure (sessions-cookie encryption) deferred by owner decision.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017UhyUkaSmoNFax5wu2aHfi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

No open projects
Status: Done

Development

Successfully merging this pull request may close these issues.

1 participant