jordan/rdev
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: always log OTP codes to stdout in standalone dev mode
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details

Browse Source 
In-memory auth codes are ephemeral — they're wiped on server restart.
Previously, codes were only visible via email delivery. If the server
restarted between OTP send and OTP verify, the code would be lost.

Now memory.AuthCodeRepository.Create() always logs the code to stdout
with a [DEV] prefix. This gives developers a reliable fallback regardless
of whether NOTIFY_URL is set. Updated CLAUDE.md to document this behavior
and the DEV_USER_EMAIL env var.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
jordan 2026-02-22 00:13:12 -07:00
parent 5f66eb0e7b
commit 5ac9af018a
2 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
internal/adapter/templates/templates/components/service/internal/adapter/memory/auth_code.go.tmpl
View File

@ -2,6 +2,7 @@ package memory
import (
"context"
"log/slog"
"sync"
"time"
@ -31,6 +32,16 @@ func (r *AuthCodeRepository) Create(_ context.Context, code *domain.AuthCode) er
cp := *code
r.codes[code.ID] = &cp
// In standalone dev mode the code lives only in memory and is lost on restart.
// Always log it so the developer can copy-paste the code from the terminal
// even when NOTIFY_URL is set and an email is also being delivered.
slog.Warn("[DEV] auth code created — use this code to log in",
"email", code.Email,
"purpose", code.Purpose,
"code", code.Code,
"expires_at", code.ExpiresAt.Format("15:04:05"),
)
return nil
}

3
internal/adapter/templates/templates/skeleton/CLAUDE.md.tmpl
View File

@ -49,7 +49,8 @@
- **No fake progress:** Never simulate progress with timers. Real progress comes from real events.
- **Auth tokens:** 15-minute access tokens with embedded session ID (`sid`). Refresh via POST `/auth/refresh`. Session revocation invalidates all tokens for that session.
- **Passwords:** Bcrypt cost 12, min 8 chars, max 72. Hashing lives in `pkg/auth/password.go`. Never store plaintext.
- **Auth codes:** OTP/magic link/reset codes are single-use and time-limited. In dev mode (`NOTIFY_URL` unset), codes are logged to stdout. In production, emails go through the notify service (`NOTIFY_URL`/`NOTIFY_API_KEY`/`NOTIFY_HOST`/`NOTIFY_FROM`).
- **Auth codes:** OTP/magic link/reset codes are single-use and time-limited. In standalone dev mode (no `DATABASE_URL`), the code is **always** logged to stdout as `[DEV] auth code created — use this code to log in code=XXXXXX` — check the server terminal to get it. This works even when `NOTIFY_URL` is set. In production (with `DATABASE_URL`), emails go through the notify service (`NOTIFY_URL`/`NOTIFY_API_KEY`/`NOTIFY_HOST`/`NOTIFY_FROM`).
- **Dev user:** Set `DEV_USER_EMAIL=you@example.com` (and optionally `DEV_USER_PASSWORD`) to seed your account into the in-memory store on startup so it survives restarts without re-registering.
## Architecture