
Conversation

@LShaViR

@LShaViR LShaViR commented Dec 2, 2025

Fixes #334

Overview
This pull request fixes an issue where authentication cookies were being set even when the onSuccess callback inside handleAuth threw an error. This resulted in inconsistent auth state: the callback route returned an error, but the user was still marked as authenticated.

What’s changed

  • Updated the authentication flow to ensure cookies are only set after the onSuccess callback completes successfully.

  • If onSuccess throws an error, cookie-setting is skipped and the error is correctly propagated to the callback route.

Reason for the change
The previous behavior caused misleading authentication states and made debugging difficult. Authentication should not be considered successful if onSuccess fails.

How to test

  1. Add an onSuccess function in app/callback/route.ts.
  2. Throw an error inside it.
  3. Confirm that:
  • The callback route shows the error.
  • No cookies are set.

Impact
Ensures correctness and consistency in the authentication flow and prevents unintended authenticated sessions.

@LShaViR LShaViR requested a review from a team as a code owner December 2, 2025 09:03
@nicknisi
Member

nicknisi commented Dec 2, 2025

I initially agreed that this is probably the best/simplest way forward to address this issue, but as the failing test shows, it causes a regression in the case where a user manually calls saveSession inside of onSuccess. They might do that to modify the token in some way before it's returned. Moving the saveSession call to after onSuccess runs would overwrite any changes to the session that were made in onSuccess.

The better approach might be to catch the error if it's thrown, delete the session, and then rethrow the error. What do you think?

@LShaViR
Author

LShaViR commented Dec 3, 2025

@nicknisi
That would be better. And instead of deleting the session, what if we delete only the cookies, so that other applications on the same platform (e.g., YouTube, Drive, Docs ... for Google) using the same session can continue to work without any interruption?

I’ve made some changes for the delete-cookies solution, and it passes all tests as well.
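An added sketch, not the project's code, of the two orderings discussed in this thread: the PR's original "save after onSuccess" ordering, which the reviewer notes overwrites a session saved inside onSuccess, and the "catch, clear the cookie, rethrow" ordering. The names handleAuth, saveSession and onSuccess are from the thread; the in-memory cookie jar, session shape and cookie name are constructed stand-ins.

```typescript
// Added example, not the project's code: an in-memory model of the two
// orderings discussed in this PR. handleAuth/saveSession/onSuccess are the
// names from the thread; the cookie jar, session shape and cookie name are
// constructed stand-ins for the real Next.js cookie store.
type Session = { accessToken: string; user: string };
type CookieJar = Map<string, string>;
type OnSuccess = (ctx: { session: Session; jar: CookieJar }) => void;
const COOKIE_NAME = "session"; // constructed, not the project's cookie name

// Writes the session cookie; may also be called from onSuccess by a user
// who wants to modify the token before it is persisted.
function saveSession(jar: CookieJar, session: Session): void {
  jar.set(COOKIE_NAME, JSON.stringify(session));
}

function readSession(jar: CookieJar): Session | undefined {
  const raw = jar.get(COOKIE_NAME);
  return raw === undefined ? undefined : (JSON.parse(raw) as Session);
}

// PR's first approach: run onSuccess, then save. No cookie is left behind
// on a throw, but a session saved inside onSuccess is overwritten.
function handleAuthSaveAfter(jar: CookieJar, session: Session, onSuccess?: OnSuccess): void {
  if (onSuccess) onSuccess({ session, jar });
  saveSession(jar, session);
}

// Reviewer's approach: save first so onSuccess can override it; if the
// callback throws, remove the cookie and rethrow, so the callback route
// reports the error and the user is not left marked as authenticated.
function handleAuth(jar: CookieJar, session: Session, onSuccess?: OnSuccess): void {
  saveSession(jar, session);
  if (!onSuccess) return;
  try {
    onSuccess({ session, jar });
  } catch (err) {
    jar.delete(COOKIE_NAME);
    throw err;
  }
}
```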


Successfully merging this pull request may close these issues.

Authentication cookies are set even when onSuccess callback throws an error
