By: Michael Lynch <git@mtlynch.io>
Remove IsMagicLoginTokenValid and its TOCTOU check in loginConfirmGet The GET handler validated the token before rendering the confirmation page, but the POST handler re-validated atomically on submit. Between the two requests the token could expire or be consumed, making the GET check advisory at best. Removing it eliminates a store method and the TOCTOU window. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
| Time to Start | Worker time | Duration | Time to finish | |
| Config | 0s | 3s | 3s | 3s |
| Eval | 2s | 1m54s | 1m54s | 1m57s |
| Build | 1m43s | 4m59s | 1m48s | 3m32s |
| Test | - | - | - | - |
| Deploy | - | - | - | - |
| Suite | 0s | 6m56s | 3m32s | 3m32s |