fix(auth): Emit spec-valid authentication_method#12
Conversation
The AuthenticateResponse authentication_method enum is PascalCase and provider-specific — it has no bare 'OAuth', no 'MFA', and no 'EmailVerification'. The emulator was returning its internal method categories verbatim, so those responses failed spec conformance. Resolve the internal category to a spec-valid value instead: an OAuth grant reports the user's explicitly configured oauth_provider, and an MFA or email-verification gate reports the primary method that initiated the flow. When no truthful concrete method is known, the field is omitted (it is nullable in the SDKs) rather than fabricating a provider — the hosted authorize flow carries no provider info, so there is nothing honest to default to.
The spec-valid authentication_method fix made OAuth logins omit the field by default, since the hosted authorize flow carries no provider information. Document oauth_provider as the way to opt into a concrete, spec-valid provider so the omission reads as intended behavior rather than a bug.
Greptile SummaryThis PR makes authenticate responses emit spec-valid
Confidence Score: 4/5This PR has one contained authenticate-response bug on refresh-token rotations. Most changes are focused and covered by tests, but refresh-token responses can now lose the original concrete login method and return an omitted
What T-Rex did
Important Files Changed
|
| authentication_method: resolveResponseAuthMethod(sessionAuthMethod ?? authMethod, { | ||
| oauthProvider: updatedUser.oauth_provider, | ||
| }), |
There was a problem hiding this comment.
Refresh method lost
For refresh_token grants this resolves from authMethod, which is hard-coded to OAuth on line 389 instead of the reused session's original method. A password login followed by refresh now returns no authentication_method unless the user has oauth_provider, even though the existing session at line 521 still records auth_method: 'password', so refreshed responses no longer truthfully report Password.
Artifacts
Repro: focused Vitest route harness for password login followed by refresh token authentication
- Contains supporting evidence from the run (text/typescript; charset=utf-8).
- Keeps the command output available without making the summary code-heavy.
Ran code and verified through T-Rex
Prompt To Fix With AI
This is a comment left during a code review.
Path: src/workos/routes/auth.ts
Line: 602-604
Comment:
**Refresh method lost**
For `refresh_token` grants this resolves from `authMethod`, which is hard-coded to `OAuth` on line 389 instead of the reused session's original method. A password login followed by refresh now returns no `authentication_method` unless the user has `oauth_provider`, even though the existing session at line 521 still records `auth_method: 'password'`, so refreshed responses no longer truthfully report `Password`.
How can I resolve this? If you propose a fix, please make it concise.
Summary
AuthenticateResponse.authentication_methodenum is PascalCase and provider-specific — it has no bareOAuth, noMFA, and noEmailVerification. The emulator was returning its internal method categories verbatim, so those responses failed spec conformance.resolveResponseAuthMethodhelper: an OAuth grant reports the user's explicitly configuredoauth_provider, and an MFA/email-verification gate reports the primary method that initiated the flow.oauth_providerfield to seeded users (excluded from the user response) so OAuth logins can report a concrete, spec-valid provider likeGoogleOAuth.oauth_providerseeding option in the README so the default omission reads as intended behavior rather than a bug.Closes #11