Skip to content

fix(auth): preserve host-established trust during handshake#99

Merged
antfu merged 1 commit into
devframes:mainfrom
webfansplz:fix/auth
Jul 16, 2026
Merged

fix(auth): preserve host-established trust during handshake#99
antfu merged 1 commit into
devframes:mainfrom
webfansplz:fix/auth

Conversation

@webfansplz

Copy link
Copy Markdown
Contributor

Hosts can establish trust at the transport layer before the browser runs the mandatory anonymous:devframe:auth handshake.

Vite DevTools standalone exposes this when client authentication is disabled in build mode: the WebSocket session is marked as trusted, but the subsequent handshake attempts to verify an empty bearer token and returns isTrusted: false. The client then displays an OTP authorization screen even though the server considers the connection trusted and does not print an OTP.

Fix

Return isTrusted: true from the interactive auth handshake when the current session is already trusted.

This preserves trust granted by the host while keeping the existing static-token and persisted-token verification paths unchanged.

Copilot AI review requested due to automatic review settings July 15, 2026 15:36
@netlify

netlify Bot commented Jul 15, 2026

Copy link
Copy Markdown

Deploy Preview for devfra ready!

Name Link
🔨 Latest commit fa08e3b
🔍 Latest deploy log https://app.netlify.com/projects/devfra/deploys/6a57a90f1a33de00084c3811
😎 Deploy Preview https://deploy-preview-99--devfra.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes an auth-handshake edge case in devframe where a connection that was already marked trusted by the host (at the transport/session layer) could be downgraded to untrusted by the mandatory anonymous:devframe:auth handshake, causing the client to incorrectly prompt for OTP.

Changes:

  • Update the anonymous:devframe:auth handler to immediately return { isTrusted: true } when the current RPC session is already trusted.
  • Extend the interactive-auth test suite to cover “host pre-trust before handshake” behavior via startHttpAndWs({ onPeerConnect }).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
packages/devframe/src/recipes/interactive-auth.ts Preserves host-established trust by short-circuiting the interactive auth handshake when the session is already trusted.
packages/devframe/src/recipes/tests/interactive-auth.test.ts Adds a regression test ensuring pre-trusted sessions remain trusted after the client handshake.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/devframe/src/recipes/interactive-auth.ts
@antfu antfu merged commit 93369dd into devframes:main Jul 16, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants