Type-safety bypass: double-unknown cast on session ID in SecondaryAuthFlow #232

Description

@ahmetabdullahgultekin

SecondaryAuthFlow.tsx:197 derives the session ID via (authSession as unknown as Record<string, unknown>).id as string, defeating type checking and accepting arbitrary session shapes. Type the fallback field on the AuthSession model (or normalize sessionId/id upstream) instead of double-casting. (Source: docs/archive/AUDIT_REPORT_2026-04-16.md P0 #4 — still present on HEAD.)
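The following is an added example, not part of the original issue or the project's code: it puts the double-cast from the description beside one way to normalize `sessionId`/`id` at the boundary with a runtime check. The `AuthSession` shape, the `normalizeAuthSession` and `accepts` helpers, and the sample payloads are assumptions made for illustration.

```typescript
// Added illustration; AuthSession's real shape is not shown in the issue.
// Assumed here: the backend may send the identifier as `sessionId` or `id`.
interface AuthSession {
  sessionId?: string;
  id?: string; // fallback field, typed instead of reached through a cast
}

// The pattern the issue flags: compiles for any input and checks nothing.
function sessionIdUnsafe(authSession: unknown): string {
  return (authSession as unknown as Record<string, unknown>).id as string;
}

// Hypothetical normalizer: validate once at the boundary, return a typed value.
function normalizeAuthSession(raw: unknown): AuthSession & { sessionId: string } {
  if (typeof raw !== "object" || raw === null) {
    throw new TypeError("auth session must be an object");
  }
  const rec = raw as Record<string, unknown>; // single cast, narrowed below
  const candidate = rec["sessionId"] ?? rec["id"];
  if (typeof candidate !== "string" || candidate.trim() === "") {
    throw new TypeError("auth session has no usable string session id");
  }
  return { sessionId: candidate };
}

// True when the payload survives normalization, false when it is rejected.
function accepts(raw: unknown): boolean {
  try {
    normalizeAuthSession(raw);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample payloads, not taken from the project.
const samples: unknown[] = [
  { sessionId: "s-123" },
  { id: "s-456" },
  { id: 42 },
  { id: { nested: true } },
  {},
];

for (const s of samples) {
  // The unsafe path claims `string` at compile time; typeof shows what it really returns.
  console.log(JSON.stringify(s), "unsafe ->", typeof sessionIdUnsafe(s), "| normalized ok:", accepts(s));
}
```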

Labels: bug (Something isn't working); surface/web (web-app: React dashboard + hosted login)
