- Add conditional mediation to sign-in modal so mobile browsers show
saved passkeys with usernames in the autofill area (desktop parity)
- Add publicWrite to rcred module so recompute route's own auth runs
instead of being blocked by the global write-access middleware
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The auth proxy only covered /api/auth/*, /api/register/*, /api/account/*
but the identity component also calls /api/session/verify, /api/session/refresh,
/api/guardians, /api/user/*, /api/device-link/*, /api/recovery/* — all of which
were hitting 404 on the rspace server. The session verify 404 was interpreted
as "session revoked", clearing localStorage and logging users out on every page
load after the 5-minute validation interval.
Also fix profile/recovery links in header that opened empty string (same-origin
root) instead of auth.rspace.online.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add /api/auth/*, /api/register/*, /api/account/* proxy routes to
rspace-online server, forwarding to encryptid container internally.
This eliminates cross-origin requests that Safari blocks via ITP or
Cloudflare security challenges.
- Change client auth URLs from https://auth.rspace.online to same-origin
in rstack-identity, rspace-header, login-button, and session modules.
- Add PRF extension try/catch fallback in webauthn.ts — Safari throws
TypeError on the unsupported PRF extension, now retries without it.
- Bump SW cache version v7→v8 to bust stale cached bundles.
Fixes passkey login for Safari/macOS users (e.g. christina) who were
getting "Network error when attempting to reach resource".
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Three client-side registration flows still had authenticatorAttachment: 'platform'
hardcoded, blocking Samsung Passkey and Linux users:
- lib/rspace-header.ts (main site header registration)
- shared/components/rstack-identity.ts (2 occurrences)
Also added server-side validation for missing userId in register/complete
to return 400 instead of crashing with TypeError.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The actual logout UI is in rspace-header.ts (not the encryptid login
button component). clearSession() now calls /api/session/logout, and
on page load the header validates the session with the server to detect
revocation from another browser session.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Force authenticatorAttachment: 'platform' across all WebAuthn registration
flows to prevent USB security key prompts. Redirect browser navigations to
space root when accessing disabled modules instead of returning JSON error.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add global polyfills for AbortSignal.timeout() (Safari <17, Firefox <122)
and crypto.randomUUID() (Safari <15.4, Firefox <95) in shell HTML templates.
Add -webkit-backdrop-filter prefix across 13 files for older Safari support.
Add Firefox scrollbar (scrollbar-width/scrollbar-color), range input
(::-moz-range-thumb/track), and color-mix() rgba fallbacks. Create shared
compat.ts utility module. Lowers browser floor from Safari 17/Firefox 122
to Safari 15.4/Firefox 95.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sessions now last 30 days instead of 15 minutes. Both the rstack-identity
component and legacy header auto-refresh the token when < 7 days remain,
so users who visit at least once every ~23 days stay logged in indefinitely.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Rewrote auth flow to go through EncryptID server instead of
client-side unsigned JWTs. Fixes "Invalid or expired authentication
token" on space creation, and shows username in header.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The RP ID jeffemmett.com caused "relying party ID is not a registrable
domain suffix" errors on *.rspace.online subdomains. Related Origins
also exceeded the 5 eTLD+1 browser limit with 18+ domains listed.
Now rspace.online is the RP ID, so all *.rspace.online subdomains
(including cca.rspace.online) are valid automatically. The Related
Origins file only lists non-rspace.online r* ecosystem domains.
Also points rspace-header auth URL to auth.rspace.online.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When a user authenticates through the community creation form (via
requireAuth), the header bar now re-renders to show the logged-in
state instead of still displaying the Sign In button.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds a persistent header bar with sign-in/sign-up across landing and canvas
pages. The "Create Community Space" form now requires EncryptID authentication,
showing a passkey auth modal if the user isn't signed in. Auth tokens are sent
with the community creation API call. EncryptID WebAuthn modules are lazy-loaded
only when auth is triggered.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jeff Emmett
Jeff Emmett