Otp sanatization #43 (Merged)

Bccorb merged 9 commits into main from otp-sanatization on Jun 27, 2026

Conversation

Bccorb (Contributor) commented Jun 20, 2026:

No description provided.

codecov-commenter commented Jun 20, 2026

Bccorb and others added 2 commits June 27, 2026 13:55
Also folds in follow-up work that previously landed in an unnamed WIP commit:
- magic-link polling returns 204/403 instead of 500 on missing/mismatched token
- unify OTP verify success response with the refresh response schema
- add e2e/integration/unit tests (defineRoute auth, response-schema coverage)
- coverage badge refresh + run coverage with --fileParallelism=false
- CLAUDE.md: imports AGENTS.md and adds a working agreement (verify loop,
  license-header/commit/changeset conventions, don't-touch list)
- .claude/settings.json: allowlist safe project commands to reduce prompts
- .gitignore: keep personal .claude/settings.local.json out of version control

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Bccorb force-pushed the otp-sanatization branch from 3e03028 to 11b7e6d on June 27, 2026 11:56
Bccorb and others added 5 commits June 27, 2026 18:12
- docs/ecosystem.md: deep coupling map of Tier 1/2 sibling repos
  (seamless-auth-react/-server/-types, seamless-messaging, +consumers):
  endpoints, schema import sites, token/JWKS touchpoints, blast radius
- CLAUDE.md: concise ecosystem section + ripple protocol for contract changes
- .gitignore: allowlist docs/ecosystem.md past the docs/* rule

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- ci.yml: run `prettier --check` (new format:check script) instead of
  `--write`, so formatting diffs actually fail the build
- vitest.config.ts: raise coverage thresholds to current floor
  (statements 80 / branches 70 / functions 90 / lines 80) so coverage
  cannot silently regress; will ratchet up as regression tests land
- release.yml: align Node to 20 (matches CI)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…on tests

- verifyMagicLink: remove dead no-op device-binding branches; device binding is
  correctly enforced at the poll step (the email may be opened on another device)
- pollMagicLinkConfirmation: return 204 with no body (was 204 + JSON body that
  Express strips); status stays 204 for the server adapter
- await the post-session user.update so failures surface
- regression tests: full request -> verify -> poll -> session sequence (the path
  that broke), user-agent mismatch -> 403, 204-empty-body guard (was 500),
  verify stays device-agnostic

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…rites

- rate-limit the four OTP verify endpoints (otpIpLimiter + otpIdentityLimiter);
  they were previously unthrottled and brute-forceable once an ephemeral token
  was held
- otpMatchesStoredValue: remove the transitional plaintext-OTP fallback; OTPs are
  hashed-only (sha256:) now. Any code issued before hashing (5-min TTL) simply
  expires — re-request to get a hashed one
- await the post-session user.update(lastLogin) writes so failures surface
- tests: flip legacy-plaintext-acceptance to rejection; add round-trip regression
  tests (email/phone generate->verify) and a hashed-at-rest format guard

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
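A worked illustration of what the last commit message describes (hashed-only OTP matching with the legacy plaintext fallback removed, plus per-identity throttling of the verify step), added here as an example; it is not the project's code. The names hashOtp, AttemptLimiter and verifyOtp are assumptions, and otpMatchesStoredValue is only assumed to have the shape sketched in the commit message.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

const HASH_PREFIX = "sha256:";

// Hash a freshly issued OTP for storage at rest; hashOtp is a hypothetical helper name.
function hashOtp(otp: string): string {
  return HASH_PREFIX + createHash("sha256").update(otp, "utf8").digest("hex");
}

// Hashed-only check (shape assumed from the commit message): a stored value that lacks
// the sha256: prefix is a legacy plaintext record and is rejected outright, never
// compared. The digest comparison itself is constant-time.
function otpMatchesStoredValue(submitted: string, stored: string | null | undefined): boolean {
  if (!stored || !stored.startsWith(HASH_PREFIX)) return false;
  const expected = Buffer.from(stored.slice(HASH_PREFIX.length), "hex");
  const actual = createHash("sha256").update(submitted, "utf8").digest();
  // Malformed or truncated hex yields a shorter buffer; timingSafeEqual would throw on it.
  if (expected.length !== actual.length) return false;
  return timingSafeEqual(expected, actual);
}

// Fixed-window attempt counter keyed by identity (email/phone). It stands in for the
// otpIdentityLimiter the commit names; the real limiter's implementation is not on the page.
class AttemptLimiter {
  private readonly counts = new Map<string, { n: number; resetAt: number }>();
  private readonly max: number;
  private readonly windowMs: number;
  constructor(max: number, windowMs: number) {
    this.max = max;
    this.windowMs = windowMs;
  }
  // Returns true if this attempt may proceed; every call counts, failed guesses included.
  allow(key: string, now: number = Date.now()): boolean {
    const entry = this.counts.get(key);
    if (!entry || now >= entry.resetAt) {
      this.counts.set(key, { n: 1, resetAt: now + this.windowMs });
      return true;
    }
    entry.n += 1;
    return entry.n <= this.max;
  }
}

// Verify step in the order the commit describes: throttle first, then hashed-only match.
function verifyOtp(limiter: AttemptLimiter, identity: string, submitted: string,
                   stored: string | null): "ok" | "rate_limited" | "invalid" {
  if (!limiter.allow(identity)) return "rate_limited";
  return otpMatchesStoredValue(submitted, stored) ? "ok" : "invalid";
}
```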

Bccorb (Contributor, Author) left a comment:

LGTM

Bccorb merged commit 4cebb97 into main on Jun 27, 2026
2 checks passed
Bccorb deleted the otp-sanatization branch on June 27, 2026 16:58