Skip to content

fix(webapp): restore magic link login on the login page#4220

Merged
samejr merged 5 commits into
mainfrom
samejr/revert-login-magic-link-fix
Jul 10, 2026
Merged

fix(webapp): restore magic link login on the login page#4220
samejr merged 5 commits into
mainfrom
samejr/revert-login-magic-link-fix

Conversation

@samejr

@samejr samejr commented Jul 10, 2026

Copy link
Copy Markdown
Member

Summary

Magic link login could appear completely broken: submitting your email on the login page showed a stale "This email is unauthorized" error instead of the "we've sent you a magic link" confirmation, even when the address was fine.

This PR reverts #4215 (whose diagnosis and fix turned out to be wrong) and fixes the actual bug, which was in how login errors are stored and consumed.

Root cause

Two session bugs compounded on the login page:

  • The /login loader read the flashed auth:error without committing the session. A Remix flash is only consumed when the session is committed after the read, so once any attempt flashed an error (for example an address rejected on an instance with WHITELISTED_EMAILS set), it stayed in the session cookie and reappeared on every later /login visit, making successful attempts look like failures.
  • The /login/magic action stored its validation and rate limit errors with session.set, which survives every later read and commit, so those errors stuck permanently.

#4215 had instead diagnosed a server-only module leaking into the client bundle and crashing navigation. Checking the shipped images' client bundles via their sourcemaps shows .server modules were always stubbed out, so that change fixed nothing and is reverted here.

Fix

  • /login reads the flashed error and commits the session when one was present, so an error renders once and clears. The redirectTo branch now surfaces the error too instead of leaving it in the cookie.
  • /login/magic flashes its errors instead of setting them.

Verified end-to-end on a live preview environment: a rejected address shows the error once and a reload clears it; a valid address lands on the confirmation screen with the address named; GitHub, Google, and SSO login paths are untouched by this diff.

@samejr samejr added the preview label Jul 10, 2026
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 81bb7bdc-7cd4-47e0-b1f3-ef0f90043996

📥 Commits

Reviewing files that changed from the base of the PR and between fbdedf7 and 32c2bdf.

📒 Files selected for processing (2)
  • apps/webapp/app/routes/login._index/route.tsx
  • apps/webapp/app/routes/login.magic/route.tsx
🚧 Files skipped from review as they are similar to previous changes (2)
  • apps/webapp/app/routes/login._index/route.tsx
  • apps/webapp/app/routes/login.magic/route.tsx
📜 Recent review details
⏰ Context from checks skipped due to timeout. (16)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (10, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (9, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (2, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (3, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (8, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (6, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (1, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (7, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (4, 10)
  • GitHub Check: e2e-webapp / 🧪 E2E Tests: Webapp
  • GitHub Check: typecheck / typecheck
  • GitHub Check: code-quality / code-quality
  • GitHub Check: audit
  • GitHub Check: audit
  • GitHub Check: Analyze (actions)
  • GitHub Check: Analyze (javascript-typescript)

Walkthrough

The magic link flow now uses a short-lived HTTP-only cookie to carry the submitted email to the confirmation route. The action serializes the email when authentication redirects, and the loader parses and validates it instead of reading the session. Login validation and rate-limit errors are flashed and consumed by the login loader, preventing stale messages from persisting. The email authentication strategy no longer configures the previous session email key, and the confirmation paragraph adds balanced text wrapping.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description omits required template sections like Closes #, checklist, testing, changelog, and screenshots. Add the template sections and fill in the issue reference, checklist items, testing steps, changelog, and screenshots or note why any are N/A.
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the main change: restoring magic link login on the login page.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch samejr/revert-login-magic-link-fix

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@trigger-dot-bot

trigger-dot-bot Bot commented Jul 10, 2026

Copy link
Copy Markdown

Preview Deployment

Status Preview Commit Updated
⚪ Removed 32c2bdf Jul 10, 10:04 UTC

devin-ai-integration[bot]

This comment was marked as resolved.

The /login loader read the flashed auth error without committing the
session, so the flash was never consumed: once any login attempt
flashed an error (for example a rejected email address), it reappeared
on every /login visit and made later, successful attempts look like
they failed. Commit the session when an error was read, and read the
error in the redirectTo branch too instead of dropping it.

The /login/magic action also stored its validation and rate limit
errors with session.set, which survives every later read. Switch those
to session.flash so they render once and clear.
@changeset-bot

changeset-bot Bot commented Jul 10, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 32c2bdf

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

devin-ai-integration[bot]

This comment was marked as resolved.

devin-ai-integration[bot]

This comment was marked as resolved.

samejr added 2 commits July 10, 2026 10:11
…ion format

Sessions written before the flash fix stored auth:error with session.set, which get() does not auto-clear. Unset it explicitly after reading so those sessions heal on their next visit instead of carrying the stale error until the cookie expires.
@samejr samejr merged commit 32e5edb into main Jul 10, 2026
29 checks passed
@samejr samejr deleted the samejr/revert-login-magic-link-fix branch July 10, 2026 09:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants