login remember me #25

Merged: cobraprojects merged 1 commit into main from feat-login-remember-me on May 6, 2026
cobraprojects (Owner) commented May 6, 2026

Summary by CodeRabbit

Release Notes

  • Bug Fixes

    • Fixed "remember me" cookie handling to properly clear remembered state when users opt out during login
    • Improved session hydration for login flows to correctly restore remembered sessions
  • Tests

    • Added test coverage for "remember me" state management and opt-out behavior
    • Extended authentication flow tests to verify remember me cookie functionality

coderabbitai Bot commented May 6, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: dd8c0102-cdd2-454b-aeeb-5ffd314cb319

📥 Commits

Reviewing files that changed from the base of the PR and between 30be45c and fb4274c.

📒 Files selected for processing (3)
  • packages/auth/src/runtime.ts
  • packages/auth/tests/package.test.ts
  • tests/example-app-auth-flow.mjs

Walkthrough

This PR improves remember-me cookie management in authentication by introducing forgetDefaultRememberCookie() to clear remember cookies during session establishment, calling hydrateGuardContextFromRequest() before login flows to restore prior remember state, and opting users out when they log in without the remember flag.

Changes

Remember-Me State Hydration and Opt-Out

| Layer / File(s) | Summary |
|---|---|
| Helper Function: packages/auth/src/runtime.ts (lines 885–890) | New forgetDefaultRememberCookie() extracts and clears the default remember-me cookie from request bindings. |
| Guard Context Hydration: packages/auth/src/runtime.ts (lines 1755, 1982) | hydrateGuardContextFromRequest() is called before session establishment in both loginForGuard and loginUsingForGuard flows to restore remember state from prior requests. |
| Session Establishment Logic: packages/auth/src/runtime.ts (lines 2358–2365, 2399–2401) | establishSessionForUser now conditionally clears the remember cookie based on options.remember, preserveRememberSession, and presence of existing remember tokens; forgotten cookie is appended to session cookies when applicable. |
| Core Auth Test: packages/auth/tests/package.test.ts (lines 1161–1198) | New test case verifies that remembered session state is hydrated before login and that opting out (logging in without remember) removes the remembered session and invalidates the remember cookie. |
| Test Utilities & Integration Test: tests/example-app-auth-flow.mjs (lines 48–54, 355–408) | Cookie jar gains headerExcept() method to generate cookie headers excluding specified names; auth flow test extended to validate end-to-end remember-me behavior, including login with remember, authentication via remember cookie alone, and opt-out clearing. |

Sequence Diagram

sequenceDiagram
    participant Client
    participant AuthHandler as Auth Flow
    participant Context as Guard Context
    participant Cookies as Session / Cookies

    rect rgba(100, 150, 200, 0.5)
    Note over Client,Cookies: Login WITH remember=true
    Client->>AuthHandler: POST /login {remember: true}
    AuthHandler->>Context: hydrateGuardContextFromRequest()
    AuthHandler->>Cookies: establishSessionForUser() + rememberToken
    AuthHandler-->>Client: session cookie + remember cookie
    end

    rect rgba(100, 150, 200, 0.5)
    Note over Client,Cookies: Subsequent request with remember cookie
    Client->>AuthHandler: GET /user (remember cookie only)
    AuthHandler->>Context: hydrateGuardContextFromRequest()
    AuthHandler-->>Client: User authenticated via remember state
    end

    rect rgba(200, 100, 100, 0.5)
    Note over Client,Cookies: Login WITHOUT remember (opt-out)
    Client->>AuthHandler: POST /login {remember: false} (old remember cookie)
    AuthHandler->>Context: hydrateGuardContextFromRequest()
    Note over Context: Detect prior remember session
    AuthHandler->>Cookies: establishSessionForUser() + forgetDefaultRememberCookie()
    AuthHandler-->>Client: new session cookie + invalidating remember cookie
    end

    rect rgba(200, 100, 100, 0.5)
    Note over Client,Cookies: Request with stale remember cookie
    Client->>AuthHandler: GET /user (stale remember cookie only)
    AuthHandler->>Context: hydrateGuardContextFromRequest()
    AuthHandler-->>Client: Unauthenticated (remember cookie cleared)
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • cobraprojects/holo-js#20: Modifies remember-me token/session hydration and session-establishment behavior in the same auth runtime file.

Poem

🐰 A cookie remembers, a cookie forgets,
When the heart changes mind, no tokens regret.
Hydrate from shadows, then clear what was old—
The dance of remember makes sessions more bold! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'login remember me' directly matches the main objective of this PR, which implements remember-me functionality for login flows across multiple files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@cobraprojects cobraprojects merged commit 37238af into main May 6, 2026
1 check passed
@cobraprojects cobraprojects deleted the feat-login-remember-me branch May 7, 2026 00:14
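
The opt-out flow from the walkthrough and sequence diagram, as an added sketch that is not code from this PR or from holo-js: a login without remember revokes the stored token and answers with an expiring cookie, so a replayed remember cookie no longer authenticates. The cookie names, `establishSession`, `currentUser`, `CookieJar`, the in-memory stores and the exact clearing condition are assumptions; only the `headerExcept()` name and the `remember` / `preserveRememberSession` options come from the page.

```javascript
// Added sketch: every name except headerExcept() is hypothetical, not holo-js code.
const rng = globalThis.crypto ?? require('node:crypto'); // both expose randomUUID()
const SESSION = 'sid', REMEMBER = 'remember_token';      // assumed cookie names
const ATTRS = 'Path=/; HttpOnly; Secure; SameSite=Lax';
const rememberTokens = new Map(); // token -> user, server-side
const sessions = new Map();       // session id -> user
function parseCookies(header = '') {
  return Object.fromEntries(header.split('; ').filter(Boolean).map((p) => {
    const i = p.indexOf('=');
    return [p.slice(0, i), p.slice(i + 1)];
  }));
}

// Returns the Set-Cookie lines for a successful login.
function establishSession(user, cookieHeader, { remember = false, preserveRememberSession = false } = {}) {
  const prior = parseCookies(cookieHeader)[REMEMBER];
  const sid = rng.randomUUID();
  sessions.set(sid, user);
  const out = [`${SESSION}=${sid}; ${ATTRS}`];
  if (remember) {
    const token = rng.randomUUID();
    rememberTokens.set(token, user);
    out.push(`${REMEMBER}=${token}; Max-Age=2592000; ${ATTRS}`);
  } else if (prior && !preserveRememberSession) {
    rememberTokens.delete(prior); // revoke server-side so a replayed copy fails
    out.push(`${REMEMBER}=; Max-Age=0; ${ATTRS}`); // and tell the browser to drop it
  }
  return out;
}

function currentUser(cookieHeader) {
  const c = parseCookies(cookieHeader);
  return sessions.get(c[SESSION]) ?? rememberTokens.get(c[REMEMBER]) ?? null;
}
// Test-side cookie jar with a headerExcept() helper like the one the walkthrough names.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  store(setCookieLines) {
    for (const line of setCookieLines) {
      const [pair, ...attrs] = line.split('; ');
      const name = pair.slice(0, pair.indexOf('='));
      if (attrs.includes('Max-Age=0')) this.cookies.delete(name);
      else this.cookies.set(name, pair.slice(pair.indexOf('=') + 1));
    }
  }
  headerExcept(...names) {
    return [...this.cookies].filter(([n]) => !names.includes(n)).map(([n, v]) => `${n}=${v}`).join('; ');
  }
}
```

Clearing the cookie in the browser alone is not enough: a copy of the old value captured earlier would still authenticate unless the server-side token is revoked in the same step.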