fix(experience): enforce terms agreement when sign-in flow turns into registration #8835
Merged
xiaoyijun merged 1 commit on May 21, 2026
| Name | Diff |
|---|---|
| .changeset/enforce-terms-on-signin-to-register.md | 📈 +550 Bytes |
| packages/experience/src/Providers/ConfirmModalProvider/index.tsx | 📈 +392 Bytes |
| packages/experience/src/containers/VerificationCode/index.test.tsx | 📈 +4.13 KB |
| packages/experience/src/containers/VerificationCode/use-sign-in-flow-code-verification.ts | 📈 +588 Bytes |
Pull request overview
This PR closes a gap in the Experience verification-code sign-in flow where an unregistered identifier could be converted into a registration without enforcing the configured terms agreement (specifically ManualRegistrationOnly). It does so by ensuring the “sign-in turns into registration” path runs the same terms validation as other registration entry points.
Changes:
- Update the verification-code sign-in → register confirmation to use the promise-based confirm modal and run termsValidation() before registration submission.
- Harden ConfirmModalProvider by clearing stale callback refs when opening a promise-based modal.
- Add a unit test covering ManualRegistrationOnly to ensure terms are prompted before account creation, plus a changeset entry.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| packages/experience/src/Providers/ConfirmModalProvider/index.tsx | Clears stale callback refs when opening a promise-based modal to prevent accidental invocation. |
| packages/experience/src/containers/VerificationCode/use-sign-in-flow-code-verification.ts | Ensures terms agreement is validated before registering when sign-in flow becomes registration. |
| packages/experience/src/containers/VerificationCode/index.test.tsx | Adds a unit test for the sign-in→register path under ManualRegistrationOnly. |
| .changeset/enforce-terms-on-signin-to-register.md | Documents the patch release change for @logto/experience. |
efed02e to b139cab
simeng-li approved these changes on May 20, 2026
charIeszhao approved these changes on May 20, 2026
wangsijie approved these changes on May 21, 2026
gao-sun approved these changes on May 21, 2026
Summary
When the sign-in experience agreement policy is set to ManualRegistrationOnly ("Require checkbox agreement on registration only"), the verification-code sign-in flow had a gap: signing in with an unregistered email/phone, then confirming the "this account doesn't exist, create a new account?" prompt, created the account without ever showing the terms agreement.
Root cause: agreement is enforced purely on the frontend, and this "sign-in turns into registration" path (use-sign-in-flow-code-verification.ts) submitted the registration directly from the confirm modal's onConfirm, never calling termsValidation(). The dedicated registration form and the social/SSO registration callbacks already validate terms; only this path was missing it.
Changes
- use-sign-in-flow-code-verification.ts: switch the "create a new account?" confirmation from the callback-based modal to the promise-based usePromiseConfirmModal, and on confirm run termsValidation() before registering. termsValidation() is a no-op for Automatic, when terms are not configured, or when the user already agreed (e.g. Manual, where agreement is collected up front on the sign-in form), so no double prompt occurs.
- ConfirmModalProvider: defensively clear callbackRef when a promise-based modal opens, so a stale callback from a previous callback-based modal can't be invoked when the promise modal is confirmed/cancelled. This also makes it safe to open a promise modal from within a callback modal's handler.
Behavior by policy on this path:
- Automatic → no prompt (unchanged)
- ManualRegistrationOnly → now prompts before account creation
- Manual → already agreed on the sign-in form, no change
Testing
Unit tests — added a case in VerificationCode/index.test.tsx asserting that under ManualRegistrationOnly, the terms modal is shown and registration only happens after the user agrees. Verified it fails without the fix and passes with it.
Checklist
.changeset
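The gap and the fix described in this pull request, as an added example that is not part of the PR or of Logto's code: a simplified synchronous model in which constructed user answers stand in for the real modals. The type names, trace strings and function signatures are assumptions made for illustration; only the policy names and the no-op rules for termsValidation() come from the description above.

```typescript
// Added illustration, not Logto's implementation. All shapes are assumptions.
type AgreementPolicy = 'Automatic' | 'ManualRegistrationOnly' | 'Manual';

interface FlowState {
  policy: AgreementPolicy;
  termsConfigured: boolean;
  agreed: boolean; // true once the user has accepted the terms
}

// Constructed stand-in for the user's answers to the two modals.
interface UserAnswers {
  createAccount: boolean; // "this account doesn't exist, create a new account?"
  acceptTerms: boolean; // terms agreement modal
}

function needsAgreement(state: FlowState): boolean {
  return state.policy !== 'Automatic' && state.termsConfigured && !state.agreed;
}

// Model of the gate: a no-op for Automatic, when terms are not configured,
// or when the user already agreed; otherwise it prompts and records the answer.
function termsValidation(state: FlowState, user: UserAnswers, trace: string[]): boolean {
  if (!needsAgreement(state)) {
    return true;
  }
  trace.push('terms-prompt');
  state.agreed = user.acceptTerms;
  return state.agreed;
}

// Verification-code sign-in for an identifier that has no account yet.
// enforceTerms=false models the path before the fix, true the path after it.
function signInTurnsIntoRegistration(state: FlowState, user: UserAnswers, enforceTerms: boolean): string[] {
  const trace: string[] = ['confirm-create-account'];
  if (!user.createAccount) {
    return trace;
  }
  if (enforceTerms && !termsValidation(state, user, trace)) {
    trace.push('registration-blocked');
    return trace;
  }
  trace.push(needsAgreement(state) ? 'register-without-agreement' : 'register');
  return trace;
}

// Helper for trying one policy at a time; terms are configured in every run.
function runFlow(policy: AgreementPolicy, agreedUpFront: boolean, acceptTerms: boolean, enforceTerms: boolean): string {
  const state: FlowState = { policy: policy, termsConfigured: true, agreed: agreedUpFront };
  return signInTurnsIntoRegistration(state, { createAccount: true, acceptTerms: acceptTerms }, enforceTerms).join(' > ');
}
```

Running `runFlow` once per policy with `enforceTerms` set to `false` and then `true` shows that only ManualRegistrationOnly changes behavior, which matches the policy list in the description.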