fix: allow trusted TOTP devices on v1 auth login#9163
Conversation
There was a problem hiding this comment.
Code Review
This pull request updates the path of the trusted device cookie from "/api/auth" to "/api" in the authentication API. It also updates the existing test suite to reflect this change and introduces a new test, test_v1_auth_login_skips_totp_when_trusted_cookie_valid, to ensure that the trusted device cookie is correctly applied and verified under the new path during v1 login flows. I have no feedback to provide as there are no review comments.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
539aea8 to
8e5d708
Compare
This PR fixes the trusted-device TOTP flow for the v1 dashboard login endpoint. The dashboard login UI uses
/api/v1/auth/loginas the primary login path, but the trusted-device cookie was scoped to the legacy/api/authpath. Because of that cookie path mismatch, a user who selected "trust this device" during v1 login could still be asked for TOTP again on the next v1 login.Modifications / 改动点
This change scopes the TOTP trusted-device cookie to
/api, so it covers both supported dashboard auth login surfaces:It also clears the previous legacy-scoped trusted-device cookie at
Path=/api/authwhen issuing the new cookie. That avoids leaving two same-name trusted-device cookies with different paths in browsers that already received the old cookie.The existing trusted-device token issuance and database validation logic is unchanged. Password verification, TOTP code verification, recovery-code behavior, JWT cookie handling, trusted-device token format, trusted-device database storage, API key auth, and legacy auth compatibility are not changed.
What Problem This Solves
The dashboard login flow sends login requests through
authApi.login(), which first calls the generated OpenAPI v1 client:The legacy endpoint is only used as a fallback.
When TOTP is enabled, the user can complete the TOTP step with
trust_device_flag: true. The backend correctly verifies the TOTP code and issues a trusted-device token. However,_set_trusted_device_cookie()previously wrote that token as:A cookie scoped to
/api/authcovers legacy auth routes such as/api/auth/login, but it does not cover the v1 auth route/api/v1/auth/login. A standard browser or cookie jar therefore does not sendastrbot_totp_trusted_deviceback to the v1 login endpoint. On the next v1 login attempt,_login()receives no trusted-device token,AuthService.login()treats the device as untrusted, and the response still requires TOTP.In practice, this made the user-visible "trust this device" option work for the legacy auth path, but not for the current v1 dashboard login path.
Evidence
Before the fix, a cookie scoped to
/api/authwas sent to legacy auth paths, but not to v1 auth paths:The affected user-visible flow was:
The regression test now verifies the fixed v1 flow:
Possible call chain / impact
Risk boundary: the trusted-device cookie remains
HttpOnlyandSameSite=Strict, and itsSecurebehavior still follows the existing dashboard JWT secure-cookie setting. The path change broadens browser attachment from/api/authto/api, but backend trusted-device validation remains required and the cookie is only consumed by the login flow.Screenshots or Test Results / 运行截图或测试结果
Focused regression tests:
Result:
Formatting and lint checks:
Result:
GitHub checks after the initial PR push passed before the follow-up compatibility cleanup:
Checklist / 检查清单
😊 If there are new features added in the PR, I have discussed it with the authors through issues/emails, etc.
/ 如果 PR 中有新加入的功能,已经通过 Issue / 邮件等方式和作者讨论过。
N/A - bugfix only; no new feature added.
👀 My changes have been well-tested, and "Verification Steps" and "Screenshots" have been provided above.
/ 我的更改经过了良好的测试,并已在上方提供了“验证步骤”和“运行截图”。
🤓 I have ensured that no new dependencies are introduced, OR if new dependencies are introduced, they have been added to the appropriate locations in
requirements.txtandpyproject.toml./ 我确保没有引入新依赖库,或者引入了新依赖库的同时将其添加到
requirements.txt和pyproject.toml文件相应位置。😮 My changes do not introduce malicious code.
/ 我的更改没有引入恶意代码。