From edc42b28935ae392d6be9549c8125aaf0551b6a3 Mon Sep 17 00:00:00 2001 From: rabbitblood Date: Tue, 21 Apr 2026 19:54:17 -0700 Subject: [PATCH] fix(auth): break infinite redirect loop on /cp/auth/login AuthGate redirected anonymous users to /cp/auth/login?return_to=, but the login page itself triggered AuthGate, which redirected again with double-encoded return_to. Each redirect added another encoding layer until the URL exceeded 431 (Request Header Fields Too Large). Two guards: 1. redirectToLogin() returns early if already on /cp/auth/* path 2. AuthGate skips redirect check entirely for /cp/auth/* paths [Molecule-Platform-Evolvement-Manager] Co-Authored-By: Claude Opus 4.6 (1M context) --- canvas/src/components/AuthGate.tsx | 5 +++++ canvas/src/lib/auth.ts | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/canvas/src/components/AuthGate.tsx b/canvas/src/components/AuthGate.tsx index be371429..e06eae0a 100644 --- a/canvas/src/components/AuthGate.tsx +++ b/canvas/src/components/AuthGate.tsx @@ -29,6 +29,11 @@ export function AuthGate({ children }: { children: ReactNode }) { setState({ kind: "anonymous", skipRedirect: true }); return; } + // Never gate /cp/auth/* paths — these ARE the login pages. + if (typeof window !== "undefined" && window.location.pathname.startsWith("/cp/auth/")) { + setState({ kind: "anonymous", skipRedirect: true }); + return; + } let cancelled = false; fetchSession() .then((s) => { diff --git a/canvas/src/lib/auth.ts b/canvas/src/lib/auth.ts index d16006ac..8514260d 100644 --- a/canvas/src/lib/auth.ts +++ b/canvas/src/lib/auth.ts @@ -44,6 +44,10 @@ export async function fetchSession(): Promise { */ export function redirectToLogin(screenHint: "sign-up" | "sign-in" = "sign-in"): void { if (typeof window === "undefined") return; + // Guard against infinite redirect loop: if we're already on the login + // page, don't redirect again (each redirect double-encodes return_to + // until the URL exceeds header limits → 431). + if (window.location.pathname.startsWith("/cp/auth/")) return; const returnTo = window.location.href; const path = screenHint === "sign-up" ? "signup" : "login"; const dest = `${PLATFORM_URL}${AUTH_BASE}/${path}?return_to=${encodeURIComponent(returnTo)}`;