From d581df6f8820be71d9ccbbfcd4b3537c6eafef61 Mon Sep 17 00:00:00 2001 From: Richard R Date: Tue, 9 Jun 2026 10:53:01 -0600 Subject: [PATCH] fix(auth): prevent anonymous session creation on auth pages Avoid bootstrapping anonymous sessions when users are on sign-in or sign-up pages to prevent overwriting account-scoped preferences after login. Adjust loading logic to account for this scenario. --- src/components/auth/AuthLoader.tsx | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/components/auth/AuthLoader.tsx b/src/components/auth/AuthLoader.tsx index e429b1e..910e6d3 100644 --- a/src/components/auth/AuthLoader.tsx +++ b/src/components/auth/AuthLoader.tsx @@ -148,6 +148,17 @@ export function AuthLoader({ children }: { children: ReactNode }) { return; } + // Don't bootstrap a throwaway anonymous session while the user is on the + // sign-in / sign-up pages. An anonymous user created here would be linked + // into their account on login (onLinkAccount), clobbering account-scoped + // preferences such as the changelog "last seen version" and re-showing the + // changelog on every fresh login. + if (isAuthPage) { + setIsAutoLoggingIn(false); + setBootstrapError(null); + return; + } + // Avoid double-calling anonymous sign-in (e.g. React strict mode). if (attemptedForNullSessionRef.current) return; attemptedForNullSessionRef.current = true; @@ -244,7 +255,7 @@ export function AuthLoader({ children }: { children: ReactNode }) { const shouldBlockForDisallowedAnonymous = !allowAnonymousAuthSessions && Boolean(session?.user?.isAnonymous); const isLoading = ( - (allowAnonymousAuthSessions && (isPending || isAutoLoggingIn || !session)) || + (allowAnonymousAuthSessions && !isAuthPage && (isPending || isAutoLoggingIn || !session)) || (!allowAnonymousAuthSessions && !isAuthPage && ( isPending || isRedirecting || shouldBlockForProtectedNoSession || shouldBlockForDisallowedAnonymous ))