
stacklok / toolhive-cloud-ui / 26168147028
79%

Build:
DEFAULT BRANCH: main
Ran 20 May 2026 02:11PM UTC
Jobs 1
Files 61
Run time 1min
20 May 2026 02:10PM UTC coverage: 78.773% (+0.4%) from 78.415%
26168147028

push

github

web-flow
fix: force token refresh and clear cookies on failure to avoid logout loop (#511)

* fix: force token refresh and clear cookies on failure to avoid logout loop

Switch the token-refresh route from `auth.api.getAccessToken` (which only
refreshes inside Better Auth's 5s threshold) to `auth.api.refreshToken`
(unconditional refresh). This eliminates the 5–10s race window where the
caller's near-expiry margin would redirect to the route but Better Auth
would return 200 OK with no Set-Cookie, sending the browser back into a
redirect loop ("page isn't redirecting properly").

On refresh failure, call `auth.api.signOut` and forward its Set-Cookie
headers onto the /signin redirect so `session_token` and `account_data`
are actually cleared — otherwise the stale account_data cookie keeps
`isTokenNearExpiry` returning true and the user can fall back into the
loop on the next navigation.

Also export the handler as both GET and POST: Next.js `redirect()` uses
307 (method-preserving) outside Server Actions, so a redirect triggered
from a Server Component render that follows a Server Action POST would
otherwise hit this route as POST and 405.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: bump next + transitive deps to clear pnpm audit advisories

- next 16.2.3 → 16.2.6 (clears GHSA advisories for App Router middleware
  bypass, image-API DoS, SSRF, RSC cache poisoning, beforeInteractive XSS,
  etc.)
- pnpm.overrides: hono ≥4.12.18 (cache middleware Vary leakage, CSS-in-style
  injection, JWT NumericDate validation)
- pnpm.overrides: kysely ≥0.28.17 (JSON-path traversal)
- pnpm.overrides: fast-uri ≥3.1.2 (path traversal + host confusion via ajv)
- pnpm.overrides: ip-address ≥10.1.1 (XSS in Address6 HTML emitters via
  @modelcontextprotocol/sdk → express-rate-limit)

`pnpm audit` now reports no known vulnerabilities.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: pin kysely override to 0.28.x to satisfy ... (continued)

241 of 319 branches covered (75.55%)

17 of 19 new or added lines in 1 file covered. (89.47%)

475 of 603 relevant lines covered (78.77%)

13.34 hits per line

Uncovered Changes

Lines Coverage ∆ File
2 94.12 2.45% src/app/api/auth/token-refresh/route.ts
Jobs
ID Job ID Ran Files Coverage
1 26168147028.1 20 May 2026 02:11PM UTC 61 78.77
GitHub Action Run
  • Github Actions Build #26168147028
  • 83c8c70b on github
  • Prev Build on main (#25167794715)
  • Next Build on main (#26243297561)