Skip to content

fix(nexus): stop magic-link login loop when localStorage is blocked#1076

Merged
Dr0p42 merged 1 commit into
mainfrom
fix/nexus-magic-link-localstorage-loop
Jul 13, 2026
Merged

fix(nexus): stop magic-link login loop when localStorage is blocked#1076
Dr0p42 merged 1 commit into
mainfrom
fix/nexus-magic-link-localstorage-loop

Conversation

@jravenel

Copy link
Copy Markdown
Contributor

Summary

Fixes the Nexus magic-link sign-in loop reported in #1075 when the browser blocks or restricts localStorage.

  • Add resilient auth storage (localStorage -> sessionStorage -> in-memory fallback).
  • Prevent Zustand hydration from overwriting a just-verified in-memory session.
  • Clear stale nexus-auth-flag cookies when the workspace layout detects no client token.
  • Keep /auth/magic-link reachable even when a stale auth cookie exists, so users can always confirm the link.

Root cause

Auth relied on default localStorage persistence. When storage was blocked, tokens were lost after confirm, while the middleware cookie still marked the user as signed in. That bounced users between /auth/login and /workspace/....

Test plan

  • pnpx vitest run src/lib/safe-storage.test.ts src/lib/auth-session.test.ts src/middleware.test.ts (6 tests)
  • Pre-commit Nexus next build passed
  • Manual: block site storage in browser devtools, request magic link, confirm sign-in, verify workspace loads without redirect loop
  • Manual: confirm /auth/login no longer loops when nexus-auth-flag is set but tokens are missing

Closes #1075

Auth tokens now persist via a safe storage fallback, hydration keeps
active in-memory sessions, stale auth cookies are cleared on failed
client auth, and middleware no longer bounces users off the confirm page.

Closes #1075
@jravenel

Copy link
Copy Markdown
Contributor Author

@Dr0p42 — could you review this one when you have a moment?

Context

Fixes #1075: users hitting a magic-link login loop when browser storage is restricted. They see Confirm sign-in, click through, briefly appear signed in, then land back on /auth/login.

Root cause (code path)

  1. Auth tokens persist via Zustand → localStorage (no fallback).
  2. After magic-link verify, session lives in memory + nexus-auth-flag cookie is set.
  3. If localStorage is blocked/unavailable, hydration can wipe the in-memory session with empty persisted state.
  4. Workspace layout sees !token → redirects to login.
  5. Middleware still sees the auth cookie → can bounce the user back toward workspace.

What changed

  • safe-storage.ts: localStoragesessionStorage → in-memory fallback
  • auth-session.ts: merge logic keeps an active in-memory session during hydration
  • auth.ts: uses safe storage; clears stale cookie on failed verify
  • middleware.ts: does not auto-redirect away from /auth/magic-link when a stale cookie exists
  • Workspace layout: clears nexus-auth-flag before login redirect (breaks the loop)

Testing

  • 6 vitest unit tests (safe storage, auth merge, middleware)
  • Pre-commit next build passed

Manual check I'd appreciate your eyes on: block site storage in devtools, complete a magic-link sign-in, confirm workspace loads without looping.

Thanks!

@jravenel jravenel requested a review from Dr0p42 July 13, 2026 16:20
@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying abi-docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: dc6b884
Status: ✅  Deploy successful!
Preview URL: https://1160dfd9.abi-docs-76c.pages.dev
Branch Preview URL: https://fix-nexus-magic-link-localst.abi-docs-76c.pages.dev

View logs

@Dr0p42 Dr0p42 merged commit 3a01ea5 into main Jul 13, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(nexus): magic-link login loop when browser localStorage is blocked

2 participants