fix(auth): login-page config race + sign-in watchdog — never strand SSO-only users on a password wall#2629
Merged
Conversation
…SO-only users on a password wall Staging E2E (2026-07-17) on a freshly provisioned environment: the login page's FIRST load rendered the plain password form — no "Continue with ObjectStack", no ssoEnforced collapse — because the /auth/config fetch hung or failed while the kernel cold-started, and both LoginForm and SocialSignInButtons silently fell back to defaults. Platform-SSO JIT users have no password, so this dead-ends the "open your environment" moment (#2625). Clicking the SSO button inside the same cold-start window hung the POST forever with the button stuck spinning (#2626). - getConfig: single-flight + success cache (3 requests → 1) with retrying backoff (500ms/1.5s/3.5s, 8s per-attempt AbortController timeout) so a hung request converts into a retry; final failure clears the cache. - LoginForm: hold a spinner until config resolves; on resolve, honour ssoEnforced on first paint. On final failure keep the old safe default (password form) — break-glass beats lock-out. - signInWithProvider: 20s watchdog rejects a hung sign-in so the #2458 button contract (pending + inline error) can recover it; legacy oauth2 fallback failures no longer mask the social-route error. - Drop LoginForm's duplicate "or" divider (SocialSignInButtons already renders one) — the stacked dividers read as a glitch. Closes #2625. Closes #2626. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
Contributor
✅ Console Performance Budget
📦 Bundle Size Report
Size Limits
|
os-zhuang
added a commit
that referenced
this pull request
Jul 17, 2026
* fix(auth): login-page config race + sign-in watchdog — never strand SSO-only users on a password wall Staging E2E (2026-07-17) on a freshly provisioned environment: the login page's FIRST load rendered the plain password form — no "Continue with ObjectStack", no ssoEnforced collapse — because the /auth/config fetch hung or failed while the kernel cold-started, and both LoginForm and SocialSignInButtons silently fell back to defaults. Platform-SSO JIT users have no password, so this dead-ends the "open your environment" moment (#2625). Clicking the SSO button inside the same cold-start window hung the POST forever with the button stuck spinning (#2626). - getConfig: single-flight + success cache (3 requests → 1) with retrying backoff (500ms/1.5s/3.5s, 8s per-attempt AbortController timeout) so a hung request converts into a retry; final failure clears the cache. - LoginForm: hold a spinner until config resolves; on resolve, honour ssoEnforced on first paint. On final failure keep the old safe default (password form) — break-glass beats lock-out. - signInWithProvider: 20s watchdog rejects a hung sign-in so the #2458 button contract (pending + inline error) can recover it; legacy oauth2 fallback failures no longer mask the social-route error. - Drop LoginForm's duplicate "or" divider (SocialSignInButtons already renders one) — the stacked dividers read as a glitch. Closes #2625. Closes #2626. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * fix(app-shell,components): welcome CTA deep-links into the environment create dialog Staging E2E (2026-07-17): the welcome hero's "Create your environment" navigated to the environments list, where the user had to find and click a SECOND create button — an extra hop on the very first thing a new user does (#844). - action:button: client-side `autoTrigger` flag — runs the action once on mount through the exact same execute path as a click (param dialog, confirm, entitlement gate all apply). Not persisted metadata; only client- composed schemas set it. - EnvironmentListToolbar: consume `?runAction=create_environment` once entitlements resolve — setup_production / add_development mark the create action autoTrigger; upgrade-locked orgs open the upgrade prompt (the honest answer to "create" there). Param is stripped on consumption so refresh / back don't re-open the dialog. Router-free (location + replaceState) so non-Router hosts and tests keep working. - CloudOnboardingNext: the create CTA navigates with the runAction param. - i18n: the toolbar's state-aware label overrides were hard-coded English in a zh console — now {en,zh} via the same pick() pattern as the widget. Closes #844. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * fix(chatbot): plan approval flips the card to a Building… badge immediately Staging E2E (2026-07-17): clicking 开始搭建 (plan approve) showed no change at the card for ~10s — the approval sends a chat message whose visible effects (user bubble + streaming turn) land at the BOTTOM of the thread, outside the viewport when the card is in view — so users assumed the click was lost and clicked again (#2627). - Track approved plan ids locally; the clicked card's buttons flip to a spinning "Building…" badge on click (both the structured plan card and the unstructured fallback gate). Built state still derives from the message stream (#432 semantics unchanged). - An approval that never left the client (unsent error) rolls the badge back so the button returns; a newer typed/suggestion send supersedes the approve as "last send" so ITS failure can't roll back a delivered approval. - New planBuildingLabel prop; AiChatPage passes 正在搭建… for zh conversations. Partially addresses #2627 — the conversation-history-clears-after-build race needs a live repro and stays open. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * fix(auth): drop RegisterForm's duplicate "or" divider (register page had the same glitch as login) Live staging verification (2026-07-17, cloud.objectos.app/_console/register) caught that #2629 fixed the double divider on the LOGIN page but the SIGN-UP page still stacked "OR CONTINUE WITH EMAIL" (from SocialSignInButtons) over a second "OR" (from RegisterForm). Remove RegisterForm's redundant AuthDivider — same fix as LoginForm — and clean up the now-unused hasSocialProviders state. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> --------- Co-authored-by: Jack Zhuang <277994282+os-zhuang@users.noreply.github.com> Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #2625, closes #2626(staging E2E 2026-07-17 的两个 P1)。
问题
新 provision 的环境首次打开登录页:kernel 冷启动令
/auth/config挂/失败,LoginForm 与 SocialSignInButtons 各自静默回退默认 → 页面只有密码表单、没有「Continue with ObjectStack」、ssoEnforced 不生效。平台 SSO 的 JIT 用户没有密码 → 魔法时刻卡死。同一窗口内点 SSO 按钮,POST 挂死后按钮永久转圈(无超时无错误)。修复
测试
packages/auth:7 files / 88 tests 全过(新增 6:单飞缓存、退避重试、失败不投毒缓存、watchdog 超时、gate 双向)。
tsc --noEmit干净。🤖 Generated with Claude Code