fix(auth): Echo original session method on refresh_token#14
Merged
Conversation
The refresh_token grant reuses an existing session but hard-coded its internal method category to 'OAuth'. After #12 resolved that category to a spec-valid value, a refresh dropped authentication_method entirely for any non-OAuth session (e.g. a password login), since 'OAuth' resolves to the user's oauth_provider or nothing. Real WorkOS echoes the session's original method. Recover the truthful value from the reused session's stored auth_method (snake_case) via resolveSessionResponseAuthMethod — password → Password, magic_code → MagicAuth, sso → SSO, etc. Generic 'oauth' still defers to oauth_provider (else omit); 'unknown'/unmapped values are omitted rather than guessed, consistent with the fresh-login path. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #12. A Greptile review comment flagged that the
refresh_tokengrant loses the original authentication method.refresh_tokengrant reuses an existing session but hard-coded its internal method category to'OAuth'(auth.ts:389). After fix(auth): Emit spec-valid authentication_method #12 resolved that category to a spec-valid value, a refresh droppedauthentication_methodentirely for any non-OAuth session (e.g. a password login), because'OAuth'resolves to the user'soauth_provideror nothing.auth_method(auth.ts:514).auth_method(snake_case) via a newresolveSessionResponseAuthMethod:password → Password,magic_code → MagicAuth,sso → SSO, etc. Genericoauthstill defers tooauth_provider(else omit);unknown/unmapped values are omitted rather than guessed — consistent with the fresh-login path.Test plan
refresh_tokentest: a password login now assertsauthentication_method: 'Password'on both the initial response and the refreshed response (previously the field was dropped on refresh).authorization_code/device_codeare genuinely provider-less fresh logins, so their omit-or-oauth_providerbehavior is unchanged.Refs #11.
🤖 Generated with Claude Code