fix(ui+auth): origin-forwarding for sign-in + disable dark mode + center dialog

Three related cleanups while QA-testing on iPad: 1. Origin-forwarding bug on /api/auth/sign-in-by-identifier - The custom identifier-sign-in route forwarded to better-auth's /sign-in/email handler but did NOT preserve the inbound Origin + Referer headers. Better-auth's CSRF check then 403'd every login with MISSING_OR_NULL_ORIGIN — and the UI showed a generic "Invalid credentials" toast even when the password was right. - Fix: pass through req.headers.get('origin') and req.headers.get('referer') when constructing forwardReq. - Affects: every login attempt from any device (this isn't dev- only); discovered testing from 192.168.1.17 → app on the same LAN IP. Production users hit the same path. 2. Dark mode disabled - Drop the Sun/Moon toggle from user-menu, the documentElement class flip, darkMode from ui-store, darkMode from the user- preferences validator. Hardcode sonner theme="light" (was reading next-themes which isn't actually wired anywhere else). - The 10 stray `dark:` Tailwind utilities are left alone — they're inactive without the `dark` class on <html> so they don't ship anything that renders, just dead CSS. 3. Center dialog animation - Dialog content was sliding in from the top-right corner (slide- in-from-left-1/2 + slide-in-from-top-[48%]) which felt jarring. Drop the slide directions, keep just zoom-in-95 + the base fade-in/out so dialogs appear in place with a subtle scale-up. 4. Login placeholder - Removed the "you@example.com or yourname" placeholder so the field reads as a clean empty input below the "Email or username" label. No tests added (the 1340 vitest suite passes); changes are surface- level UI tweaks + the origin-header fix where a unit-test of the custom route would mostly be testing better-auth's behaviour. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 15:20:06 +02:00
parent bd432fc6c7
commit 12e22d9be3
7 changed files with 19 additions and 34 deletions
--- a/src/app/api/auth/sign-in-by-identifier/route.ts
+++ b/src/app/api/auth/sign-in-by-identifier/route.ts
@@ -93,6 +93,14 @@ export async function POST(req: NextRequest) {
      'x-forwarded-for': req.headers.get('x-forwarded-for') ?? ip,
      'user-agent': req.headers.get('user-agent') ?? '',
      cookie: req.headers.get('cookie') ?? '',
+      // CRITICAL: forward Origin + Referer so better-auth's CSRF check
+      // passes. Without these the internal call lands as a cross-origin
+      // request with no Origin → 403 MISSING_OR_NULL_ORIGIN, and the
+      // user sees a generic "Invalid credentials" toast even though
+      // the password is right. (Bug surfaced 2026-05-13 testing on
+      // 192.168.1.17:3000 from an iPad.)
+      ...(req.headers.get('origin') ? { origin: req.headers.get('origin')! } : {}),
+      ...(req.headers.get('referer') ? { referer: req.headers.get('referer')! } : {}),
    },
    body: forwardBody,
  });