Skip to content

Commit afc8f9e

Browse files
authored
fix(webapp): show magic link confirmation instead of reloading login (#4215)
## Summary Submitting your email on the login page could reload back to an empty login form instead of showing the "we've sent you a magic link" confirmation. The magic link email was still sent, so it looked like nothing happened. ## Root cause The `/login/magic` route imported a server-only cookie module (`magicLinkEmailCookie.server.ts`) whose top-level `env.NODE_ENV` read got bundled into the route's client JS. On the client `env` is undefined, so the module threw a `TypeError` at module eval, which aborted Remix's client-side navigation to the confirmation and hard-reloaded back to `/login`. It only surfaced in production builds (local dev auto-logs-in, and local prod builds happen to tree-shake the module out), which is why it slipped through. ## Fix The email-link strategy already stores the submitted address in the session (`auth:email`), so the separate cookie was redundant. Deleted the cookie module and read the address from the session in the loader. With the module gone, nothing server-only can leak into the client bundle regardless of tree-shaking. Verified the confirmation renders with the email address, the SSO domain-policy redirect (with the email prefilled) still works, and a production build no longer bundles the module.
1 parent dc6c98a commit afc8f9e

4 files changed

Lines changed: 26 additions & 36 deletions

File tree

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
---
2+
area: webapp
3+
type: fix
4+
---
5+
6+
Fixed submitting your email on the login page reloading back to an empty form instead of showing the magic link confirmation screen.

apps/webapp/app/routes/login.magic/magicLinkEmailCookie.server.ts

Lines changed: 0 additions & 15 deletions
This file was deleted.

apps/webapp/app/routes/login.magic/route.tsx

Lines changed: 15 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,6 @@ import { ssoRedirectForEmail } from "~/services/ssoAutoDiscovery.server";
3434
import { logger, tryCatch } from "@trigger.dev/core/v3";
3535
import { env } from "~/env.server";
3636
import { extractClientIp } from "~/utils/extractClientIp.server";
37-
import { magicLinkEmailCookie } from "./magicLinkEmailCookie.server";
3837

3938
export const meta: MetaFunction = ({ matches }) => {
4039
const parentMeta = matches
@@ -74,12 +73,14 @@ export async function loader({ request }: LoaderFunctionArgs) {
7473
// confirmation renders the flashed error as magicLinkError below.
7574
const url = new URL(request.url);
7675
const sanitized = sanitizeRedirectPath(url.searchParams.get("redirectTo"));
77-
// The submitted address is carried in a short-lived cookie (not the URL) so
78-
// the confirmation can name it. Validate before echoing it back.
79-
const emailCookie = await magicLinkEmailCookie.parse(request.headers.get("Cookie"));
76+
// The email-link strategy stores the submitted address in the session
77+
// (`auth:email`) alongside the magic-link key, so read it from there to name
78+
// the confirmation — no address in the URL, and no separate cookie to leak
79+
// into the client bundle. Validate before echoing it back.
80+
const emailValue = session.get("auth:email");
8081
const email =
81-
typeof emailCookie === "string" && z.string().email().safeParse(emailCookie).success
82-
? emailCookie
82+
typeof emailValue === "string" && z.string().email().safeParse(emailValue).success
83+
? emailValue
8384
: null;
8485
if (!session.has("triggerdotdev:magiclink")) {
8586
// Throw (not return) so the redirect doesn't widen the loader's return
@@ -215,20 +216,13 @@ export async function action({ request }: ActionFunctionArgs) {
215216
return redirect(ssoRedirect);
216217
}
217218

218-
// authenticator.authenticate throws its redirect Response; attach the
219-
// sent-to email as a short-lived cookie so the confirmation can name it
220-
// without putting the address in the URL.
221-
try {
222-
return await authenticator.authenticate("email-link", request, {
223-
successRedirect: "/login/magic",
224-
failureRedirect: "/login",
225-
});
226-
} catch (thrown) {
227-
if (thrown instanceof Response) {
228-
thrown.headers.append("Set-Cookie", await magicLinkEmailCookie.serialize(email));
229-
}
230-
throw thrown;
231-
}
219+
// The email-link strategy stores the address in the session (`auth:email`)
220+
// and throws its own redirect Response (with the committed session cookie),
221+
// so return it directly — the confirmation reads the email from the session.
222+
return await authenticator.authenticate("email-link", request, {
223+
successRedirect: "/login/magic",
224+
failureRedirect: "/login",
225+
});
232226
}
233227
case "reset":
234228
default: {
@@ -260,7 +254,7 @@ export default function LoginMagicLinkPage() {
260254
</Header1>
261255
<Fieldset className="flex w-full flex-col items-center gap-y-2">
262256
<InboxArrowDownIcon className="mb-4 h-12 w-12 text-indigo-500" />
263-
<Paragraph className="mb-6 text-center [text-wrap:balance]">
257+
<Paragraph className="mb-6 text-center">
264258
{email ? (
265259
<>
266260
We emailed a magic link to <span className="text-text-bright">{email}</span> to

apps/webapp/app/services/emailAuth.server.tsx

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,11 @@ const emailStrategy = new EmailLinkStrategy(
1818
secret,
1919
callbackURL: "/magic",
2020
sessionMagicLinkKey: "triggerdotdev:magiclink",
21+
// Pin explicitly to the library default rather than relying on it: the
22+
// /login/magic loader reads the submitted address via
23+
// session.get("auth:email") to name it on the confirmation screen, so a
24+
// future remix-auth-email-link default change can't silently break that.
25+
sessionEmailKey: "auth:email",
2126
},
2227
async ({
2328
email,

0 commit comments

Comments
 (0)