From f62d142adb33cbe2e0e9ced9ea583ae9391de026 Mon Sep 17 00:00:00 2001
From: Usman Baig
Date: Mon, 23 Feb 2026 18:46:46 +0100
Subject: [PATCH] fix: resolve sign-in issue after inactivity by ensuring only valid access tokens trigger redirects, improving user experience
---
 CHANGELOG.md | 1 +
 middleware.ts | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ad766c7..f27cce3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 ### Fixed
+- **Sign in after inactivity.** Clicking "Sign in" after a period of inactivity no longer does nothing. Previously, stale refresh cookies caused the middleware to redirect away from the login page; now only a valid access token triggers that redirect, so you can complete OAuth sign-in when your session has expired.
 - **2FA disable now requires password confirmation.** Disabling 2FA sends the derived password to the backend for verification. This prevents an attacker with a hijacked session from stripping 2FA.
 ## [0.11.1-alpha] - 2026-02-23
diff --git a/middleware.ts b/middleware.ts
index 440ccf1..9ab1a7c 100644
--- a/middleware.ts
+++ b/middleware.ts
@@ -34,8 +34,9 @@ export function middleware(request: NextRequest) {
 const hasRefresh = request.cookies.has('refresh_token')
 const hasSession = hasAccess || hasRefresh
-// * Authenticated user hitting /login or /signup → send them home
-if (hasSession && AUTH_ONLY_ROUTES.has(pathname)) {
+// * Authenticated user (with access token) hitting /login or /signup → send them home.
+// * Only check access_token; stale refresh_token alone must not block login (fixes post-inactivity sign-in).
+if (hasAccess && AUTH_ONLY_ROUTES.has(pathname)) {
 return NextResponse.redirect(new URL('/', request.url))
 }
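Review bot: The new condition `if (hasAccess && AUTH_ONLY_ROUTES.has(pathname))` tests only for the presence of an `access_token` cookie, not its validity, so the "only valid access tokens trigger redirects" wording in the subject and the changelog overstates what the code does; `hasAccess` is defined above the hunk and, judging by the sibling `request.cookies.has('refresh_token')`, it is presumably a `cookies.has(...)` presence check too. If the access cookie can outlive the token it carries (cookie `Max-Age` longer than token expiry, or a cookie left behind after a server-side revocation), a user would still be bounced off `/login` with a dead token and the original symptom would recur, just later. I would make the comment honest about the guarantee, e.g. `// * Presence-only check: the cookie is not validated here, so downstream handlers must still verify the token.`, and consider having the sign-out/expiry path clear `access_token` so presence tracks validity more closely. `hasSession` is still computed two lines above but no longer used in this hunk; if nothing else in `middleware` reads it, it is now a dead local that `noUnusedLocals` would flag. The enclosing `middleware` function begins and ends outside the hunk.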