fix: add tests for simple test flow #25566
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sean-brydon
commented
Dec 3, 2025
| totpCode: { label: "Two-factor Code", type: "input", placeholder: "Code from authenticator app" }, | ||
| backupCode: { label: "Backup Code", type: "input", placeholder: "Two-factor backup code" }, | ||
| }, | ||
| async authorize(credentials): Promise<User | null> { |
Member
Author
There was a problem hiding this comment.
Extract this function to "authoriseCredentials" so we can test easier without logic being caught be AuthJS credential provider
sean-brydon
commented
Dec 3, 2025
| authorize: authorizeCredentials, | ||
| }); | ||
|
|
||
| const providers: Provider[] = [calComCredentialsProvider, ImpersonationProvider]; |
Member
Author
There was a problem hiding this comment.
use the provider tsame as before
emrysal
previously approved these changes
Dec 3, 2025
Contributor
emrysal
left a comment
There was a problem hiding this comment.
lgtm, let's start refactoring this straight away indeed.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
There was a problem hiding this comment.
1 issue found across 2 files
Prompt for AI agents (all 1 issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="packages/features/auth/lib/next-auth-options.ts">
<violation number="1" location="packages/features/auth/lib/next-auth-options.ts:143">
P1: Rule violated: **Avoid Logging Sensitive Information**
`authorizeCredentials` logs the entire credentials payload (email, password, TOTP, backup code), exposing sensitive authentication data in logs. Replace it with a sanitized log that omits secrets or remove the log entirely.</violation>
</file>
Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR
| export async function authorizeCredentials( | ||
| credentials: Record<"email" | "password" | "totpCode" | "backupCode", string> | undefined | ||
| ): Promise<User | null> { | ||
| log.debug("CredentialsProvider:credentials:authorize", safeStringify({ credentials })); |
Contributor
There was a problem hiding this comment.
P1: Rule violated: Avoid Logging Sensitive Information
authorizeCredentials logs the entire credentials payload (email, password, TOTP, backup code), exposing sensitive authentication data in logs. Replace it with a sanitized log that omits secrets or remove the log entirely.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/features/auth/lib/next-auth-options.ts, line 143:
<comment>`authorizeCredentials` logs the entire credentials payload (email, password, TOTP, backup code), exposing sensitive authentication data in logs. Replace it with a sanitized log that omits secrets or remove the log entirely.</comment>
<file context>
@@ -133,139 +133,144 @@ const checkIfUserShouldBelongToOrg = async (idP: IdentityProvider, email: string
+export async function authorizeCredentials(
+ credentials: Record<"email" | "password" | "totpCode" | "backupCode", string> | undefined
+): Promise<User | null> {
+ log.debug("CredentialsProvider:credentials:authorize", safeStringify({ credentials }));
+ if (!credentials) {
+ console.error(`For some reason credentials are missing`);
</file context>
Suggested change
| log.debug("CredentialsProvider:credentials:authorize", safeStringify({ credentials })); | |
| log.debug("CredentialsProvider:credentials:authorize", { | |
| hasCredentials: Boolean(credentials), | |
| identifier: credentials?.email ? hashEmail(credentials.email) : undefined, | |
| }); |
Contributor
There was a problem hiding this comment.
1 issue found across 2 files
Prompt for AI agents (all 1 issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="packages/features/auth/lib/next-auth-options.ts">
<violation number="1" location="packages/features/auth/lib/next-auth-options.ts:143">
P1: Rule violated: **Avoid Logging Sensitive Information**
`authorizeCredentials` still logs the full `credentials` object, exposing email, password, TOTP, and backup codes in logs, which violates the “Avoid Logging Sensitive Information” rule.</violation>
</file>
Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR
| export async function authorizeCredentials( | ||
| credentials: Record<"email" | "password" | "totpCode" | "backupCode", string> | undefined | ||
| ): Promise<User | null> { | ||
| log.debug("CredentialsProvider:credentials:authorize", safeStringify({ credentials })); |
Contributor
There was a problem hiding this comment.
P1: Rule violated: Avoid Logging Sensitive Information
authorizeCredentials still logs the full credentials object, exposing email, password, TOTP, and backup codes in logs, which violates the “Avoid Logging Sensitive Information” rule.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/features/auth/lib/next-auth-options.ts, line 143:
<comment>`authorizeCredentials` still logs the full `credentials` object, exposing email, password, TOTP, and backup codes in logs, which violates the “Avoid Logging Sensitive Information” rule.</comment>
<file context>
@@ -133,139 +133,144 @@ const checkIfUserShouldBelongToOrg = async (idP: IdentityProvider, email: string
+export async function authorizeCredentials(
+ credentials: Record<"email" | "password" | "totpCode" | "backupCode", string> | undefined
+): Promise<User | null> {
+ log.debug("CredentialsProvider:credentials:authorize", safeStringify({ credentials }));
+ if (!credentials) {
+ console.error(`For some reason credentials are missing`);
</file context>
Suggested change
| log.debug("CredentialsProvider:credentials:authorize", safeStringify({ credentials })); | |
| log.debug("CredentialsProvider:credentials:authorize", safeStringify({ hasCredentials: Boolean(credentials) })); |
Contributor
|
This PR has been marked as stale due to inactivity. If you're still working on it or need any help, please let us know or update the PR to keep it active. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
This PR extracts the credentials provider authorization logic from the NextAuth provider configuration into a separate, testable function. This enables comprehensive unit testing of the authorization flow, particularly the simplified password validation logic introduced in PR #25563.