Align Ory proxy auth gate with provider

ben-fornefeld · ben-fornefeld · commit 8ac0c92f08f6 · 2026-06-06T00:35:31.000-07:00
diff --git a/src/proxy.ts b/src/proxy.ts
@@ -47,13 +47,11 @@ async function proxyCore(
   }
 }
 
-// req.auth is truthy even when the session carries a RefreshTokenError, so we
-// must check session.error too — otherwise the auth-route guard treats a
-// poisoned session as "logged in" and ping-pongs the user between /dashboard
-// (redirects to /sign-in via getAuthContext()) and /sign-in (redirects back to
-// /dashboard via the proxy's authenticated-on-auth-route rule).
+// Match the Ory auth provider's AuthContext requirements. req.auth can be
+// truthy while missing the user id/access token, or while carrying a
+// RefreshTokenError; in those cases the server auth context is unauthenticated.
 function isSessionAuthenticated(session: Session | null): boolean {
-  return !!session && !session.error
+  return !!session?.user?.id && !!session.accessToken && !session.error
 }
 
 // In Ory mode the Auth.js middleware wrapper populates req.auth and manages its
diff --git a/tests/unit/ory-proxy.test.ts b/tests/unit/ory-proxy.test.ts
@@ -49,7 +49,10 @@ describe('Ory proxy auth routes', () => {
   })
 
   it('redirects authenticated users from sign-in to the dashboard', async () => {
-    authSession.current = { user: { id: 'user-id' } } as Session
+    authSession.current = {
+      user: { id: 'user-id' },
+      accessToken: 'access-token',
+    } as Session
 
     const response = await proxy(request('/sign-in'), {} as NextFetchEvent)
 
@@ -69,9 +72,34 @@ describe('Ory proxy auth routes', () => {
     expect(location).toContain('returnTo=%2Fdashboard%2Fterminal')
   })
 
+  it('treats sessions without an access token as unauthenticated on auth routes', async () => {
+    authSession.current = {
+      user: { id: 'user-id' },
+    } as Session
+
+    const response = await proxy(request('/sign-in'), {} as NextFetchEvent)
+
+    expect(response.headers.get('location')).toContain(
+      '/api/auth/oauth-start?intent=signin'
+    )
+  })
+
+  it('treats sessions without a user id as unauthenticated on auth routes', async () => {
+    authSession.current = {
+      accessToken: 'access-token',
+    } as Session
+
+    const response = await proxy(request('/sign-in'), {} as NextFetchEvent)
+
+    expect(response.headers.get('location')).toContain(
+      '/api/auth/oauth-start?intent=signin'
+    )
+  })
+
   it('treats Auth.js error sessions as unauthenticated on auth routes', async () => {
     authSession.current = {
       user: { id: 'user-id' },
+      accessToken: 'access-token',
       error: 'RefreshTokenError',
     } as Session
 

Original file line number	Diff line number	Diff line change
`@@ -47,13 +47,11 @@ async function proxyCore(`
`47`	`47`	`}`
`48`	`48`	`}`
`49`	`49`
`50`		`-// req.auth is truthy even when the session carries a RefreshTokenError, so we`
`51`		`-// must check session.error too — otherwise the auth-route guard treats a`
`52`		`-// poisoned session as "logged in" and ping-pongs the user between /dashboard`
`53`		`-// (redirects to /sign-in via getAuthContext()) and /sign-in (redirects back to`
`54`		`-// /dashboard via the proxy's authenticated-on-auth-route rule).`
	`50`	`+// Match the Ory auth provider's AuthContext requirements. req.auth can be`
	`51`	`+// truthy while missing the user id/access token, or while carrying a`
	`52`	`+// RefreshTokenError; in those cases the server auth context is unauthenticated.`
`55`	`53`	`function isSessionAuthenticated(session: Session \| null): boolean {`
`56`		`- return !!session && !session.error`
	`54`	`+ return !!session?.user?.id && !!session.accessToken && !session.error`
`57`	`55`	`}`
`58`	`56`
`59`	`57`	`// In Ory mode the Auth.js middleware wrapper populates req.auth and manages its`