Summary
After a PAR expires (the user already saw the timeout renderError), navigating back to email entry, submitting again, and entering the freshly delivered OTP fails with "Authentication session expired. Please try again." on auth-service's /auth/complete. A re-submitted email should establish a new auth flow, not surface the dead one.
Reproduce
- Start sign-in from a client (Ma Earth,
dev.certified.app).
- Submit email, receive OTP, idle 10 min so the PAR (and OTP) expire.
- Submit the stale OTP. Land on the timeout
renderError page at /oauth/epds-callback.
- Browser back to the email form. Submit email again.
- New OTP arrives in inbox. Enter it.
Actual
auth.dev.certified.app/auth/complete renders "Authentication session expired. Please try again." (no CTA, see issue 2). User must manually navigate to the client homepage and restart from scratch.
Expected
Step 4 (re-submitting email) creates a fresh auth_flow row + new PAR. Step 5 completes sign-in.
Notes
- High frequency during the last weeks of testing — PAR-expiry is hit often enough that the recovery path matters as much as the happy path.
- May indicate that step 4 is reusing client-side state (cookie / query) bound to the dead PAR rather than starting a fresh PAR.
Summary
After a PAR expires (the user already saw the timeout
renderError), navigating back to email entry, submitting again, and entering the freshly delivered OTP fails with "Authentication session expired. Please try again." onauth-service's/auth/complete. A re-submitted email should establish a new auth flow, not surface the dead one.Reproduce
dev.certified.app).renderErrorpage at/oauth/epds-callback.Actual
auth.dev.certified.app/auth/completerenders "Authentication session expired. Please try again." (no CTA, see issue 2). User must manually navigate to the client homepage and restart from scratch.Expected
Step 4 (re-submitting email) creates a fresh
auth_flowrow + new PAR. Step 5 completes sign-in.Notes