fix(auth): address PR review and OAuth state-loss bugs

- proxy: await getUser() so refreshed session cookies land on the response
- callback: gate on AUTH_ENABLED, reject non-relative next (open redirect)
- page: snapshot + resume form and style image across the OAuth redirect;
  require login before the style-image vision parse
- play: wire authResolveRef so login retries the action that hit 401;
  dismissing the modal no longer re-fires it
- server: wrap cookie setAll in try/catch for read-only contexts

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
yuanzonghao
2026-06-13 19:27:51 +08:00
parent 87a2f93edb
commit 89a5c54065
5 changed files with 237 additions and 41 deletions
+8 -2
@@ -10,8 +10,14 @@ export async function createClient() {
cookies: {
getAll: () => cookieStore.getAll(),
setAll: (cookiesToSet) => {
for (const { name, value, options } of cookiesToSet) {
cookieStore.set(name, value, options);
try {
for (const { name, value, options } of cookiesToSet) {
cookieStore.set(name, value, options);
}
} catch {
// `setAll` can be invoked from a Server Component, where the cookie
// store is read-only and throws. Safe to ignore — the proxy
// middleware refreshes the session on the next request.
}
},
},
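Review bot: The bare `catch {` around the `cookieStore.set` loop in `setAll` discards every exception, not only the read-only-store throw the comment describes. When this client is created in a Route Handler or Server Action, where cookie writes are expected to succeed, a real failure would silently drop the refreshed session cookies and surface later as an unexplained logout. Consider binding the error (`catch (err)`) and at least logging it outside production so the expected Server Component case can be told apart from a real failure. The "Safe to ignore" claim also depends on the proxy middleware running for every route that uses this client; state that assumption in the comment or confirm the proxy's matcher covers those routes.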