feat(verify): one-command api + adapter conformance (npm-link friendly) #12
Merged
…ter, wip)
- adapter-app: a minimal adopter backend that mounts the real @seamless-auth/express with capture handlers, so the harness can read OTP/magic-link codes the adapter strips before responding to the browser
- compose: build the adapter from adapter-app (drops the starter-express dependency and its app DB)
WIP: the cookie bridge (register -> seamless-ephemeral) and code capture are verified end-to-end. Session-completion flows still need work: the adapter establishes sessions on verify-login-otp / magic-link-poll (not registration verify), login OTP is gated by stale seeded login_methods, and magic-link poll hits device-binding 403 through the adapter. Tracking next.
…gin green
Proves the cookie bridge end-to-end through the real @seamless-auth/express: register -> verify email -> login OTP -> seamless-access/refresh cookies -> authenticated /users/me (200). Codes come from the harness adapter app's /__captured (the adapter strips them from browser responses).
- lib/adapterFlows.ts, newAdapterActor + adapterActor fixture, adapter/emailOtpLogin.spec
- Requires email_otp enabled in login_methods. The verify command must set this: LOGIN_METHODS env is ignored because a migration hard-seeds login_methods and bootstrapSystemConfig skips existing rows (filed separately).
Magic-link via the adapter is still blocked by a poll device-binding 403 (under investigation).
Cookie path: after login, DELETE /auth/logout returns 204 and clears the session; a subsequent /users/me is no longer authenticated.
…friendly
- default SEAMLESS_API_DIR to the sibling seamless-auth-api checkout (override via env); drop the obsolete SEAMLESS_ADAPTER_DIR requirement
- down -v before up for a deterministic config seed (LOGIN_METHODS now honored)
- bring up the full stack and run both the api and adapter Playwright projects; --api-only skips the adapter
- ship verify/ in the published package
What
seamless verify now stands up the full stack and runs both the API and the cookie (adapter) conformance paths in a single command, designed to work straight after npm link.

Heads up — this also re-delivers adapter work that #11 missed
PR #11 was created from a stale remote branch, so it merged only the compose dev-mode/issuer change — the harness adapter app and the two cookie conformance cases were never pushed and are not on main. This PR includes them (verify/adapter-app/, the adapter Playwright project) along with the command wiring.

Command changes
- SEAMLESS_API_DIR to the sibling seamless-auth-api checkout (override via env); dropped the obsolete SEAMLESS_ADAPTER_DIR requirement (the adapter is built from verify/adapter-app).
- down -v before up for a deterministic system_config seed — so LOGIN_METHODS (made authoritative by seamless-auth-api#48) enables email_otp automatically; the adapter login path needs no manual setup.
- --api-only skips the adapter.
- verify/ in the published files so a published CLI carries the harness.

Verified
Ran via the npm link'd binary end-to-end: 8/8 passing (6 api + 2 adapter), then clean teardown.

Follow-up (not in this PR)
Magic-link via the adapter has a known device-binding 403 on poll (narrowed to a likely user-agent-forwarding difference) — under investigation, not yet covered.