fix: Harden auth code: safe JSON parsing, guarded URL constructor, fix error leaks

Author: gabrielste1n

main.js

@@ -415,7 +415,9 @@ async function startApp() {
   session.defaultSession.webRequest.onBeforeSendHeaders(
     { urls: ["https://*.neon.tech/*"] },
     (details, callback) => {
-      details.requestHeaders["Origin"] = new URL(details.url).origin;
+      try {
+        details.requestHeaders["Origin"] = new URL(details.url).origin;
+      } catch { /* malformed URL — leave Origin as-is */ }
       callback({ requestHeaders: details.requestHeaders });
     }
   );

src/components/AuthenticationStep.tsx

@@ -66,6 +66,8 @@ export default function AuthenticationStep({
   // Track if we've already processed the OAuth callback
   const oauthProcessedRef = useRef(false);
   const resetProcessedRef = useRef(false);
+  // Track if email verification was triggered (prevents auto-advance race condition)
+  const needsVerificationRef = useRef(false);
 
   // Check for OAuth callback verifier or password reset token in URL
   useEffect(() => {
@@ -104,7 +106,7 @@ export default function AuthenticationStep({
   }, []);
 
   useEffect(() => {
-    if (isLoaded && isSignedIn) {
+    if (isLoaded && isSignedIn && !needsVerificationRef.current) {
       if (OPENWHISPR_API_URL && user?.id && user?.email) {
         fetch(`${OPENWHISPR_API_URL}/api/auth/init-user`, {
           method: "POST",
@@ -173,7 +175,7 @@ export default function AuthenticationStep({
         throw new Error("Failed to check user existence");
       }
 
-      const data = await response.json();
+      const data = await response.json().catch(() => ({}));
       setAuthMode(data.exists ? "sign-in" : "sign-up");
     } catch (err) {
       console.error("Error checking user existence:", err);
@@ -238,6 +240,7 @@ export default function AuthenticationStep({
               }
             }
 
+            needsVerificationRef.current = true;
             onNeedsVerification(email.trim());
           }
         } else {

src/lib/neonAuth.ts

@@ -224,7 +224,21 @@ export async function signInWithSocial(provider: SocialProvider): Promise<{ erro
         body: JSON.stringify({ provider, callbackURL, disableRedirect: true }),
       });
 
-      const data = await response.json();
+      const text = await response.text();
+
+      if (!response.ok) {
+        console.error(`[Auth] Social sign-in failed: ${response.status}`, text.slice(0, 200));
+        return { error: new Error("Failed to initiate sign-in") };
+      }
+
+      let data: { url?: string };
+      try {
+        data = JSON.parse(text);
+      } catch {
+        console.error("[Auth] Non-JSON response from auth server:", text.slice(0, 200));
+        return { error: new Error("Unexpected response from auth server") };
+      }
+
       if (!data.url) return { error: new Error("Failed to get OAuth URL") };
 
       openExternalLink(data.url);