Skip to content

auth provider follow-ups: sessionless register, login audit, test isolation#284

Open
Polliog wants to merge 9 commits into
developfrom
fix/auth-provider-followups
Open

auth provider follow-ups: sessionless register, login audit, test isolation#284
Polliog wants to merge 9 commits into
developfrom
fix/auth-provider-followups

Conversation

@Polliog

@Polliog Polliog commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator

Summary

Follow-up fixes for the auth provider interface merge (#266), addressing the remaining review items and issues found while verifying the merged code:

  • Register page handles the sessionless 201: the backend can legitimately return 201 without a session when post-registration auto-login fails transiently. The frontend now redirects to /login with a "please sign in" toast instead of throwing a TypeError. RegisterResponse (optional session) makes TypeScript enforce the guard for any future caller.
  • Login failure audit coverage: disabled-account and SSO-required 401s are now recorded as auth.login_failed audit events with a reason in the metadata (invalid_credentials / account_disabled / sso_required), previously only wrong-password failures were audited. The reason never appears in the HTTP response, so anti-enumeration behavior is unchanged. The lookup is guarded with Object.hasOwn so inherited Object.prototype keys cannot be misclassified as auth failures.
  • Auto-login failures are observable: the bare catch {} around post-registration auto-login now logs through hub.captureLog, a persistent failure there silently degraded every signup with zero diagnostics.
  • Test-suite isolation fix: two auth test files deleted every auth_providers row including the migration-seeded local provider. Since Feat/auth provider interface #266 routes login through the provider registry, every login-based test file running after them could fail with 500s, masked intermittently by the registry's 5-minute cache (tracked migrations never re-run, so the row stayed gone). The files now preserve the seeded row and the shared test setup re-seeds it defensively. Before the fix, running the users+auth+audit-log modules together failed 8 tests; now the full suite is green.
  • Test factory cleanup: createTestUser supports disabled and password: null (SSO-only users) instead of tests hand-rolling inserts.
  • CHANGELOG entry for the Feat/auth provider interface #266 merge (was a blocking review item) plus these follow-ups.

Deferred (tracked internally): consolidating usersService.login onto the provider path, and replacing the error-message string matching with a typed AuthErrorCode propagated end to end. The integration tests pin the three current strings, so a drift fails CI in the meantime.

Tenant safety

LogTide is multi-tenant. Confirm the following for any new/changed query, endpoint,
or background job (see docs/security/tenant-isolation-audit.md):

  • Tenant tables are filtered by organization_id (and project_id where relevant). (No new tenant-table queries; audit rows for login events are platform-level with organizationId: null, matching the existing auth.* pattern.)
  • Joins enforce scoping at every level, not just the outer query. (No new joins.)
  • Updates/deletes verify scope before executing, not just trusting the filter to match. (No new updates/deletes outside test cleanup.)
  • Cache keys include the organization id. (No new caches.)
  • Background jobs carry the org id and the consumer re-validates it. (No new jobs.)
  • Ids from a URL parameter or request body are verified to belong to the requesting tenant before use. (No new id-taking endpoints.)
  • New data-access paths are added to the audit doc. (None added.)
  • npm run check:tenant-scoping passes (run from packages/backend).

Testing

  • Full backend suite: 4768/4768 tests across 271 files, green (the users+auth+audit-log subset failed 8 tests before the isolation fix).
  • Red-green verified: the three new auth.login_failed integration tests fail against the pre-fix login handler; removing the frontend guard produces the expected svelte-check type error at the exact call site.
  • tsc --noEmit clean on backend; svelte-check at the pre-existing 9-error baseline; frontend unit tests 86/86.
  • check:tenant-scoping: all 307 access sites scoped or allowlisted.

@codecov

codecov Bot commented Jul 17, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 96.00000% with 1 line in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
packages/backend/src/modules/users/routes.ts 96.00% 1 Missing ⚠️

📢 Thoughts on this report? Let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant