chore: retire v1 account auth endpoints in favor of v2#322
Open
hhvrc wants to merge 2 commits into
The v1 login, signup, and password-reset endpoints predate Cloudflare Turnstile and have captcha-less request bodies. Their v2 counterparts (/2/account/login, /signup, /password-reset) require a turnstile token, so the v1 routes are now retired.
- v1 POST /1/account/login, /signup, /reset now return 410 Gone with a problem response pointing at the v2 replacement, and are hidden from the OpenAPI document (ApiExplorerSettings.IgnoreApi).
- Remove the captcha-less v1 request DTOs (Login, SignUp) and the now-unused CreateAccountWithoutActivationFlowLegacyAsync service method.
- Extract the duplicated Turnstile verification block from LoginV2, SignupV2, and PasswordResetInitiateV2 into a shared VerifyTurnstileAsync helper.
- Migrate integration tests off the retired routes and add coverage asserting the v1 endpoints respond 410 Gone.
Commit 3aea4bd, Jun 24, 2026 10:54am UTC.
The deprecated /reset-password and /recover password-reset aliases are
unused by the new frontend (verified: no call sites outside the
generated SDK), so retire them alongside the v1 auth endpoints.
- POST /2/account/reset-password, POST /1/account/recover/{id}/{secret},
and HEAD /1/account/recover/{id}/{secret} now return 410 Gone pointing
at their canonical replacements, and are hidden from the OpenAPI doc.
- Replace the "legacy route still works" tests with 410 Gone assertions
and add coverage for the retired /reset-password alias.
Summary
The v1 login, signup, and password-reset account endpoints predate Cloudflare Turnstile and accept captcha-less request bodies. Their v2 counterparts already require a turnstile token, so this PR retires the v1 routes.
Changes
- 410 Gone: POST /1/account/login, /1/account/signup, and /1/account/reset now return a clear problem response (Endpoint.Retired) pointing at the v2 replacement instead of silently 404ing. They're also hidden from the OpenAPI document via [ApiExplorerSettings(IgnoreApi = true)].
- Remove the captcha-less v1 request DTOs (Login, SignUp) and the now-unused CreateAccountWithoutActivationFlowLegacyAsync service method.
- The duplicated Turnstile verification block from LoginV2, SignupV2, and PasswordResetInitiateV2 is now a single shared VerifyTurnstileAsync helper on AccountController.
- Migrate integration tests off the retired routes (… usernameOrEmail field), preserve duplicate-username coverage, and add tests asserting each v1 endpoint responds 410 Gone.
Notes
- CreateAccount's verifyOnCreation parameter is retained (defaulting to false).
- 410 Gone was chosen over 404/400 because it semantically signals a permanently-removed resource.
Testing
AccountLoginTests (8), AccountSignupTests (7), RegistrationDisabledTests (1), and MailTests (15) all pass locally against the Docker test containers.
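The following is an added illustration, not code from this PR or from the project, of the two patterns the commit message and the PR description describe: retired v1 routes that answer 410 Gone with a problem response pointing at their v2 replacement while being hidden from the OpenAPI document, and a single server-side VerifyTurnstileAsync helper shared by the captcha-gated v2 endpoints. The LoginV2Request DTO, the Turnstile:SecretKey configuration key, the use of Endpoint.Retired as the problem title and the response shape are assumptions; the Cloudflare siteverify URL and its secret/response/remoteip form fields are Cloudflare's documented API.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Json;
using System.Text.Json.Serialization;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

// Assumed v2 request shape: the Turnstile token is a required part of the body.
public sealed record LoginV2Request(string UsernameOrEmail, string Password, string TurnstileResponse);

// Documented fields of Cloudflare's siteverify JSON reply.
public sealed class TurnstileVerifyResponse
{
    [JsonPropertyName("success")] public bool Success { get; set; }
    [JsonPropertyName("error-codes")] public string[] ErrorCodes { get; set; } = Array.Empty<string>();
}

[ApiController]
public sealed class AccountController : ControllerBase
{
    private const string SiteVerifyUrl = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
    private readonly IHttpClientFactory _httpClientFactory;
    private readonly string _turnstileSecret; // assumed to come from configuration, never from the client

    public AccountController(IHttpClientFactory httpClientFactory, IConfiguration configuration)
    {
        _httpClientFactory = httpClientFactory;
        _turnstileSecret = configuration["Turnstile:SecretKey"]
            ?? throw new InvalidOperationException("Turnstile:SecretKey is not configured");
    }

    // Retired v1 routes: no body is bound, nothing is processed, and the route is
    // excluded from the OpenAPI document so generated SDKs stop offering it.
    [HttpPost("/1/account/login")]
    [ApiExplorerSettings(IgnoreApi = true)]
    public IActionResult LoginV1() => Retired("/2/account/login");

    [HttpPost("/1/account/signup")]
    [ApiExplorerSettings(IgnoreApi = true)]
    public IActionResult SignupV1() => Retired("/2/account/signup");

    [HttpPost("/1/account/reset")]
    [ApiExplorerSettings(IgnoreApi = true)]
    public IActionResult PasswordResetV1() => Retired("/2/account/password-reset");

    // 410 Gone (rather than 404) tells callers the removal is permanent; the
    // problem response names the replacement so clients can migrate.
    private ObjectResult Retired(string replacement) => Problem(
        statusCode: StatusCodes.Status410Gone,
        title: "Endpoint.Retired",
        detail: $"This endpoint has been retired. Use {replacement} instead.",
        instance: HttpContext.Request.Path.Value);

    [HttpPost("/2/account/login")]
    public async Task<IActionResult> LoginV2([FromBody] LoginV2Request request, CancellationToken ct)
    {
        // Every captcha-gated v2 endpoint calls the same helper before touching credentials.
        if (!await VerifyTurnstileAsync(request.TurnstileResponse, ct))
        {
            return Problem(
                statusCode: StatusCodes.Status400BadRequest,
                title: "Turnstile.Invalid",
                detail: "Turnstile verification failed.");
        }

        // Credential check would follow here; omitted because it is not the point of the example.
        return Ok();
    }

    // Shared helper: one server-side siteverify round trip. Fails closed on a
    // missing token, a non-2xx upstream reply, or a non-success verdict.
    private async Task<bool> VerifyTurnstileAsync(string? token, CancellationToken ct)
    {
        if (string.IsNullOrWhiteSpace(token))
            return false;

        var form = new Dictionary<string, string>
        {
            ["secret"] = _turnstileSecret,
            ["response"] = token,
        };
        var remoteIp = HttpContext.Connection.RemoteIpAddress?.ToString();
        if (remoteIp is not null)
            form["remoteip"] = remoteIp;

        var client = _httpClientFactory.CreateClient();
        using var response = await client.PostAsync(SiteVerifyUrl, new FormUrlEncodedContent(form), ct);
        if (!response.IsSuccessStatusCode)
            return false;

        var result = await response.Content.ReadFromJsonAsync<TurnstileVerifyResponse>(cancellationToken: ct);
        return result?.Success == true;
    }
}
```

The helper deliberately returns false on any upstream failure instead of letting the request through: an outage at the verification service should degrade to "cannot log in right now", not to the captcha-less behaviour the v1 routes were retired for. Keeping the v1 actions parameterless also means no request DTO for them has to survive in the code base, which is what lets the Login and SignUp DTOs be deleted.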