fix: redirect direct visits to /profile instead of OAuth authorize flow#43
Open
mroderick wants to merge 1 commit into
c7edb39 to 8fe49e7 (Compare)
When visiting auth.codebar.io directly (not via the planner's OAuth initiation), the default callback URL built by getCallbackURL() was an OAuth authorize URL pointing at allowed_redirects[0]. In production, PLANNER_REDIRECT_URIS had localhost first, so the user was sent to localhost:3000 with a PKCE error (the planner client is public and requires PKCE, but no PKCE params were generated). A direct visit can't initiate a planner session anyway — the planner holds the PKCE verifier and state in its own session. So sending these users through the OAuth flow is a dead end. Now direct visits get base_url/profile (from appConfig.base_url), which resolves to the right scheme behind Heroku/Cloudflare. The OAuth params branch is unchanged — the planner flow still works when coming via the authorize endpoint.
8fe49e7 to a56798c (Compare)
I've verified this branch by pushing it to
Problem

Visiting `auth.codebar.io` directly and signing in with GitHub redirects to `localhost:3000/auth/codebar/callback` with:

Two root causes:

1. Config ordering. `PLANNER_REDIRECT_URIS` on Heroku has `http://localhost:3000/auth/codebar/callback` first. `getCallbackURL()` unconditionally picks `allowed_redirects[0]`.
2. Structural. `getCallbackURL()` built an OAuth authorize URL even for direct visits. The planner client requires PKCE (`public: true`, `requirePKCE: true`), but no PKCE params were generated. After GitHub auth, the user was thrown through the OAuth flow, which rejected the request.

A direct visit can't initiate a planner session anyway — the planner holds the PKCE verifier and state in its own session (`OmniAuth::Strategies::Codebar#request_phase`). Pushing users through the OAuth flow from a direct visit is a guaranteed dead end.

Fix

The default branch of `getCallbackURL()` (no OAuth params in URL = direct visit) now returns `base_url/profile` (from `appConfig.base_url`). Using the configured base URL rather than request origin fixes the scheme behind Heroku/Cloudflare — TLS terminates at the edge, so request origin would be `http://`, which Better Auth rejects in `trustedOrigins`.

The OAuth params branch is untouched — the planner flow still works when coming via the authorize endpoint.

Testing

`test/unit/callback-url.test.js` — all 5 tests pass
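As an added illustration, not the project's code and not from the PR author, here is a model of the `getCallbackURL()` change this PR describes, with the buggy default branch beside the fixed one. The function signature, the config shape, the `/oauth2/authorize` path and the set of params that mark a planner-initiated request are assumptions; all URLs are constructed.

```javascript
// Constructed config: base_url is the configured origin (https behind the
// edge proxy); allowed_redirects lists localhost first, as on Heroku.
const appConfig = {
  base_url: "https://auth.example.test",
  allowed_redirects: [
    "http://localhost:3000/auth/codebar/callback",
    "https://planner.example.test/auth/codebar/callback",
  ],
};

// Params the planner sends when it initiates the OAuth flow (assumed set).
const OAUTH_PARAMS = ["client_id", "redirect_uri", "state"];

// Pass the planner's own params (including its PKCE challenge) through
// unchanged; the verifier and state live in the planner's session.
function buildAuthorizeURL(params, config) {
  const authorize = new URL("/oauth2/authorize", config.base_url); // path assumed
  for (const [key, value] of params) authorize.searchParams.set(key, value);
  return authorize.toString();
}

// Before the fix: a direct visit (no OAuth params) was still turned into an
// authorize URL, with redirect_uri defaulting to allowed_redirects[0].
function getCallbackURLBefore(requestUrl, config = appConfig) {
  const params = new URL(requestUrl).searchParams;
  if (!params.has("redirect_uri")) {
    params.set("redirect_uri", config.allowed_redirects[0]);
  }
  return buildAuthorizeURL(params, config);
}

// After the fix: only a request that already carries the planner's OAuth
// params continues into the authorize flow; a direct visit lands on /profile
// built from the configured base_url, so the scheme is right behind the proxy.
function getCallbackURLAfter(requestUrl, config = appConfig) {
  const params = new URL(requestUrl).searchParams;
  const initiatedByPlanner = OAUTH_PARAMS.every((p) => params.has(p));
  if (initiatedByPlanner) return buildAuthorizeURL(params, config);
  return new URL("/profile", config.base_url).toString();
}
```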