From 50e2c31dd9d49c2ac0e6c38cff4978c7f98e38ff Mon Sep 17 00:00:00 2001
From: "bert.hausmans"
Date: Thu, 16 Apr 2026 01:49:01 +0200
Subject: [PATCH] fix: MFA verify succeeds but user stuck on challenge screen
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After successful MFA code verification, onMfaVerified() called authStore.initialize() which returned immediately (isInitialized was already true from the initial page load). The auth store was never populated with user data, so the router guard saw isAuthenticated === false and redirected back to /login — leaving the user stuck on the MFA challenge screen with a consumed session. Fix: use authStore.refreshUser() instead of initialize(). This always calls GET /auth/me (using the new auth cookie from the MFA verify response), populates the store, and then navigation to the dashboard succeeds. The portal login already uses authStore.fetchUser() which has no isInitialized guard, so it was not affected.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 apps/app/src/pages/login.vue | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/apps/app/src/pages/login.vue b/apps/app/src/pages/login.vue
index 92a075f6..5cdce684 100644
--- a/apps/app/src/pages/login.vue
+++ b/apps/app/src/pages/login.vue
@@ -116,7 +116,10 @@ async function handleLogin() {
 }
 function onMfaVerified() {
- authStore.initialize().then(() => {
+ // After MFA verify, the response sets the auth cookie. Use refreshUser()
+ // (not initialize() — that's guarded by isInitialized and returns immediately)
+ // to call GET /auth/me with the new cookie, populating the store.
+ authStore.refreshUser().then(() => {
 const rawTo = route.query.to ? String(route.query.to) : ''
 const redirectTo = rawTo.startsWith('/') ? rawTo : '/dashboard'
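Review bot: The new `authStore.refreshUser().then(() => {` chain in onMfaVerified() has no rejection handler, so if GET /auth/me fails after the MFA code has been consumed, the promise rejects unhandled and the user is left on the challenge screen again, which is the symptom this commit sets out to fix. Add a `.catch()` that surfaces the failure and returns the user to the first login step, and consider navigating only when the store actually reports an authenticated user. Whether refreshUser() already swallows errors is not visible here, and the function body continues past the end of the hunk. Separately, on the unchanged context line, `rawTo.startsWith('/')` also accepts values beginning with `//` or `/\`, which a browser can resolve to another origin; if redirectTo ever reaches a location assignment rather than the router, `rawTo.startsWith('/') && !rawTo.startsWith('//') && !rawTo.startsWith('/\\')` is the safer test.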