Skip to content

docs(auth-web): add MISFIELD gotcha about user.id vs user.uid #688

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
binggg wants to merge 1 commit into from
Closed

docs(auth-web): add MISFIELD gotcha about user.id vs user.uid #688

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions config/source/skills/auth-web/SKILL.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ Keep local `references/...` paths for files that ship with the current skill dir
- Using `signInWithEmailAndPassword` or `signUpWithEmailAndPassword` for username-style accounts such as `admin` and `editor`.
- Keeping the login or register account input as `type="email"` when the task explicitly says the account identifier is a plain username string.
- Starting implementation before calling `queryAppAuth(action="getLoginConfig")` and enabling `usernamePassword` when it is still off.
- **MISFIELD: `signInWithPassword` and `register` return `data.user.id` as the uid; `getLoginState` exposes the uid via `loginState.uid`. Do NOT write `user.uid` — it does not exist on the user object.**
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Use canonical signUp API name in MISFIELD note

This new warning introduces a backticked register identifier even though this skill consistently documents registration with auth.signUp(...) (and does not define an auth.register API). Because this file is used as generation guidance, presenting register as an API-like name can lead generated frontend code to call a nonexistent method and fail at runtime (auth.register is not a function) in username/password registration flows.

Useful? React with 👍 / 👎.

- **Treating `auth.getUser()` returning a user as proof of real login.** When the SDK is initialized with a `publishableKey` / `accessKey`, it may silently create an anonymous session. A route guard's `checkAuth()` must verify that the user actually signed in with username/password (e.g. check `session.loginType !== 'ANONYMOUS'` or that `user.user_metadata?.username` exists), not just that `getUser()` returns non-null. Otherwise unauthenticated visitors pass the guard, protected pages render without a real user, and role-based UI (edit / delete buttons gated on `currentUser.role`) breaks because `currentUser` has no role record.

## Overview
Expand Down
Loading