Skip to content

fix(chat-otp): re-check authType before minting deployment auth cookie#5600

Merged
waleedlatif1 merged 1 commit into
stagingfrom
worktree-fix-chat-otp-authtype-check
Jul 11, 2026
Merged

fix(chat-otp): re-check authType before minting deployment auth cookie#5600
waleedlatif1 merged 1 commit into
stagingfrom
worktree-fix-chat-otp-authtype-check

Conversation

@waleedlatif1

Copy link
Copy Markdown
Collaborator

Summary

  • The chat OTP verify endpoint (PUT /api/chat/[identifier]/otp) minted the deployment auth cookie using the chat's current authType without re-checking it was still email, unlike the sibling POST handler and the public-file OTP route
  • Added the same authType !== 'email' guard used elsewhere, right before OTP verification/cookie minting

Type of Change

  • Bug fix (security)

Testing

  • Added a regression test asserting the guard rejects verification when the chat is no longer email-auth, and confirmed it fails without the fix
  • bunx vitest run app/api/chat/[identifier]/otp/route.test.ts — 17/17 passing
  • bun run check:api-validation passes
  • Typecheck and lint clean on changed files

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

PUT verify no longer trusts a stale authType at cookie-mint time — it
now re-checks the chat is still email-auth before issuing the cookie,
matching the existing POST guard and the public-file OTP route.
@vercel

vercel Bot commented Jul 11, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Jul 11, 2026 6:27pm

Request Review

@cursor

cursor Bot commented Jul 11, 2026

Copy link
Copy Markdown

PR Summary

High Risk
Touches deployment authentication cookie minting; the change reduces risk by blocking verify when email auth is no longer enabled.

Overview
Chat OTP verify (PUT) now rejects requests when the deployment’s authType is no longer email, matching the existing POST send-OTP guard and the public-file OTP verify flow.

The handler returns 400 (This chat does not use email authentication) before reading stored OTPs or calling setChatAuthCookie, closing a gap where a code issued under email auth could still mint a cookie after the chat switched to password (or another mode).

A regression test asserts that path: no Redis OTP lookup and no auth cookie when authType is password.

Reviewed by Cursor Bugbot for commit 51b040a. Configure here.

@greptile-apps

greptile-apps Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds a safer check to the chat OTP verification flow.

  • Re-checks that the chat still uses email auth before verifying an OTP.
  • Stops OTP lookup and auth-cookie minting when the chat has switched to another auth type.
  • Adds a regression test for the switched-auth case.

Confidence Score: 5/5

This looks safe to merge.

  • No blocking issues found in the changed code.
  • The new check runs before OTP storage access and cookie creation.
  • The guard matches the existing email-auth checks used by sibling OTP paths.

Important Files Changed

Filename Overview
apps/sim/app/api/chat/[identifier]/otp/route.ts Adds an email-auth guard before OTP verification and chat auth cookie creation.
apps/sim/app/api/chat/[identifier]/otp/route.test.ts Adds coverage for rejecting OTP verification after the chat switches away from email auth.

Reviews (1): Last reviewed commit: "fix(chat-otp): re-check authType before ..." | Re-trigger Greptile

@waleedlatif1 waleedlatif1 merged commit eb12333 into staging Jul 11, 2026
18 checks passed
@waleedlatif1 waleedlatif1 deleted the worktree-fix-chat-otp-authtype-check branch July 11, 2026 21:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant