fix(chat-otp): re-check authType before minting deployment auth cookie#5600
Conversation
PUT verify no longer trusts a stale authType at cookie-mint time — it now re-checks the chat is still email-auth before issuing the cookie, matching the existing POST guard and the public-file OTP route.
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
PR SummaryHigh Risk Overview The handler returns 400 ( A regression test asserts that path: no Redis OTP lookup and no auth cookie when Reviewed by Cursor Bugbot for commit 51b040a. Configure here. |
Greptile SummaryThis PR adds a safer check to the chat OTP verification flow.
Confidence Score: 5/5This looks safe to merge.
Important Files Changed
Reviews (1): Last reviewed commit: "fix(chat-otp): re-check authType before ..." | Re-trigger Greptile |
Summary
PUT /api/chat/[identifier]/otp) minted the deployment auth cookie using the chat's currentauthTypewithout re-checking it was stillemail, unlike the siblingPOSThandler and the public-file OTP routeauthType !== 'email'guard used elsewhere, right before OTP verification/cookie mintingType of Change
Testing
bunx vitest run app/api/chat/[identifier]/otp/route.test.ts— 17/17 passingbun run check:api-validationpassesChecklist