From c6448a63bc12087cfb6bd78cfc660005d78db5eb Mon Sep 17 00:00:00 2001
From: Till JS
Date: Tue, 31 Mar 2026 21:41:06 +0200
Subject: [PATCH] =?UTF-8?q?fix(mana-auth):=20avoid=20error.body=20access?= =?UTF-8?q?=20in=20login=20catch=20=E2=80=94=20triggers=20async=20stream?= =?UTF-8?q?=20read?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Accessing (error as any)?.body?.code on a Better Auth APIError triggers an internal async stream read. When the request body contains special chars like '!', the deferred JSON parse fails as an unhandled rejection that races with the response, causing 500. Use only error.status === 'FORBIDDEN' which is a simple string property.
Co-Authored-By: Claude Sonnet 4.6
---
 services/mana-auth/src/routes/auth.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/services/mana-auth/src/routes/auth.ts b/services/mana-auth/src/routes/auth.ts
index 0689282f5..798658fa5 100644
--- a/services/mana-auth/src/routes/auth.ts
+++ b/services/mana-auth/src/routes/auth.ts
@@ -142,10 +142,10 @@ export function createAuthRoutes(
 return c.json(response);
 } catch (error) {
- // Better Auth throws APIError (status="FORBIDDEN", body.code="EMAIL_NOT_VERIFIED")
- const isEmailNotVerified =
- (error as any)?.body?.code === 'EMAIL_NOT_VERIFIED' ||
- (error as any)?.status === 'FORBIDDEN';
+ // Better Auth throws APIError with status="FORBIDDEN" for unverified emails.
+ // Do NOT access error.body — it may be an async stream that triggers unhandled
+ // promise rejections when the request body contains special characters (e.g. !).
+ const isEmailNotVerified = (error as any)?.status === 'FORBIDDEN';
 if (isEmailNotVerified) {
 return c.json({ error: 'Email not verified', code: 'EMAIL_NOT_VERIFIED' }, 403);
 }
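Review bot: With the `body.code` comparison gone, `status === 'FORBIDDEN'` in the catch block is the only discriminator, so every 403 raised inside the try is answered as `EMAIL_NOT_VERIFIED`. If Better Auth or a plugin rejects a login with FORBIDDEN for another reason (a disabled or banned account, for instance; not visible from this hunk), the client is told to verify an e-mail address and the real denial reason is hidden from the user and from anyone reading the response logs. I would log the original error server-side before mapping it and state the limitation in the comment, e.g. `// Every FORBIDDEN is mapped to EMAIL_NOT_VERIFIED here; other 403 causes are indistinguishable without body.code.` The `(error as any)` cast could also give way to an `instanceof` check against the library's error class, so that unrelated thrown objects carrying a `status` field do not match. The try block and the rest of the route handler lie outside the hunk.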