LOGIN-CODE: emailed type-in one-time code (passwordless alternative to the link)#118
Merged
Conversation
…ve to the link Lets a user sign in on a device where they don't want to open their email — read the 12-char code on their phone, type it on the device. Shown in the "check your email" view alongside the magic link; one email carries both. - packages/web/src/lib/loginCode.ts (+ tests, 9/9): unambiguous alphabet (no O/0), normalize (uppercase, strip dashes, cap 12), live XXXX-XXXX-XXXX formatter, isComplete. Normalization is kept byte-identical to the Worker's copy. - Signin: code input (auto-formats, autoFocus on the sent view, Enter submits) + POST /auth/code/verify → persist session token + reload. Field resets on "try a different email". Pairs with the GraphDone-Cloud Worker change (generate/store/email the code + /auth/code/verify + login_codes table). Web typecheck clean; THE GATE 5/5; login-focus e2e 2/2. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
🧪 Comprehensive Test Suite
Full-stack smoke gate runs in the CI workflow. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds an emailed type-in one-time code as a passwordless alternative to clicking the magic link, so a user can sign in on a device (e.g. a shared/kiosk computer) without opening their email there: read the code on their phone, type it in.
Format: 12 characters shown as
XXXX-XXXX-XXXX, from an unambiguous uppercase alphabet — no letter O, no digit 0 (no O/0 confusion). Users may type lowercase and may omit the dashes; both are normalised before matching.This PR (Core/SPA):
lib/loginCode.ts(+ 9 unit tests): alphabet,normalizeLoginCode, liveformatLoginCodeInput,isCompleteLoginCode. Normalisation is byte-identical to the Worker's copy (both hash the normalised form).Signin"check your email" view: a code input (auto-formats as you type, autofocuses, Enter submits) →POST /auth/code/verify→ persists the returned session token and reloads. Resets on "try a different email".Paired Worker change (GraphDone-Cloud):
/auth/magic-link/requestnow also mints + stores (hashed, email-keyed) + emails the code; new/auth/code/verify(single-use, 15-min expiry, 5-attempt cap, rate-limited) creates the user on first sign-in and returns a session token;login_codesmigration.Verify: web typecheck clean ·
loginCode9/9 +loginFocus6/6 · THE GATE 5/5 · login-focus e2e 2/2. The code round-trip is exercised live post-deploy (the dev/Neo4j server has no code endpoint).🤖 Generated with Claude Code