Jayden/AFFiNE-Mirror
1
0
Fork 0
mirror of https://github.com/toeverything/AFFiNE.git synced 2026-02-25 02:13:00 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: web login (#14378)

Browse Source 
#### PR Dependency Tree


* **PR #14378** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a deprecated GET sign-out endpoint for backward compatibility
with legacy clients.

* **Improvements**
* Updated magic-link and OAuth flows to always generate and manage
client nonces; native clients use a nonce, web preserves cross-device
behavior.

* **Tests**
* Added tests covering the deprecated sign-out flow and OAuth preflight
client_nonce handling.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This commit is contained in:
DarkSky
2026-02-06 03:05:50 +08:00
committed by GitHub
parent 5a51d447fb
commit 8c15df489b
4 changed files with 114 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
packages/backend/server/src/__tests__/auth/controller.spec.ts
View File

@@ -264,6 +264,23 @@ test('should be able to sign out when duplicated csrf cookies exist', async t =>
t.falsy(sessionRes.body.user);
});
test('should be able to sign out via GET /api/auth/sign-out (deprecated)', async t => {
const { app } = t.context;
const u1 = await app.createUser('u1@affine.pro');
await app
.POST('/api/auth/sign-in')
.send({ email: u1.email, password: u1.password })
.expect(200);
const res = await app.GET('/api/auth/sign-out').expect(200);
t.is(res.headers.deprecation, 'true');
const session = await currentUser(app);
t.falsy(session);
});
test('should reject sign out when csrf token mismatched', async t => {
const { app } = t.context;

24
packages/backend/server/src/core/auth/controller.ts
View File

@@ -228,6 +228,30 @@ export class AuthController {
});
}
@Public()
/**
* @deprecated Kept for 0.25 clients that still call GET `/api/auth/sign-out`.
* Use POST `/api/auth/sign-out` instead.
*/
@Get('/sign-out')
async signOutDeprecated(
@Res() res: Response,
@Session() session: Session | undefined,
@Query('user_id') userId: string | undefined
) {
res.setHeader('Deprecation', 'true');
if (!session) {
res.status(HttpStatus.OK).send({});
return;
}
await this.auth.signOut(session.sessionId, userId);
await this.auth.refreshCookies(res, session.sessionId);
res.status(HttpStatus.OK).send({});
}
@Public()
@Post('/sign-out')
async signOut(