
Merge pull request #68 from zzstoatzz/revert-67-revert-66-fix/oauth-same-site-workaround

Revert "Revert "Fix OAuth same-site issue with auth domain workaround""

authored by

nate nowack and committed by
GitHub
03546a3f ca062020

+42 -6
+3 -2
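--- a/.github/workflows/fly-review.yml
+++ b/.github/workflows/fly-review.yml
@@ -47,6 +47,7 @@
 # Use smaller resources for review apps
 vmsize: shared-cpu-1x
 memory: 256
-# Set OAUTH_REDIRECT_BASE dynamically for OAuth redirects
+# Set OAUTH_REDIRECT_BASE and APP_URL dynamically for OAuth redirects
 secrets: |
-OAUTH_REDIRECT_BASE=https://zzstoatzz-status-pr-${{ github.event.number }}.fly.dev
+OAUTH_REDIRECT_BASE=https://zzstoatzz-status-pr-${{ github.event.number }}.fly.dev
+APP_URL=https://zzstoatzz-status-pr-${{ github.event.number }}.fly.dev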
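Review bot: The added `APP_URL` secret is set to exactly the same value as `OAUTH_REDIRECT_BASE`, so on review apps `Config::uses_separate_auth_domain()` is always false and the new post-login redirect to the app domain is never exercised by a PR preview. If that is deliberate (one host per review app), the comment on line 50 should say so, e.g. `# Review apps use a single host for auth and app, so the separate-auth-domain redirect path is not covered here`; otherwise the preview cannot catch regressions in the path this PR re-introduces. Note also that neither value is secret — passing them through the secrets step only hides them from logs, which is harmless but worth a word in the comment.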
+1
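--- a/fly.review.toml
+++ b/fly.review.toml
@@ -11,6 +11,7 @@
 ENABLE_FIREHOSE = "true"
 DEV_MODE = "true"
 # OAUTH_REDIRECT_BASE will be set dynamically by the workflow
+# APP_URL will be set dynamically by the workflow
 
 [http_service]
 internal_port = 8080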
+10 -1
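--- a/src/api/auth.rs
+++ b/src/api/auth.rs
@@ -64,6 +64,7 @@
 request: HttpRequest,
 params: web::Query<OAuthCallbackParams>,
 oauth_client: web::Data<OAuthClientType>,
+config: web::Data<config::Config>,
 session: Session,
 ) -> HttpResponse {
 // Check if there's an OAuth error from BlueSky
@@ -109,7 +110,13 @@
 match agent.did().await {
 Some(did) => {
 session.insert("did", did).unwrap();
-Redirect::to("/")
+// Redirect back to main app domain after successful auth
+let redirect_to = if config.uses_separate_auth_domain() {
+config.app_url.clone()
+} else {
+"/".to_string()
+};
+Redirect::to(redirect_to)
 .see_other()
 .respond_to(&request)
 .map_into_boxed_body()
@@ -137,6 +144,8 @@
 /// Takes you to the login page
 #[get("/login")]
 pub async fn login() -> Result<impl Responder> {
+// Don't redirect - just serve the login page
+// The OAuth will use the correct redirect URL from config
 let html = LoginTemplate {
 title: "Log in",
 error: None,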
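Review bot: On the new `Redirect::to(redirect_to)` path the session is written by `session.insert("did", did)` while the request is being served on the auth domain, and the browser is then sent to `config.app_url`; unless the session cookie's domain attribute is configured to cover both hosts (not visible in this hunk), the app host will not receive that cookie and the user will arrive logged out. The redirect target comes from configuration rather than from the request, so this does not introduce an open redirect, but the assumption should be recorded next to the added comment, e.g. `// Assumes the session cookie is scoped so that the app host also receives it; see session middleware setup`. Also worth noting that `uses_separate_auth_domain()` is an exact string comparison, so a trailing slash or scheme difference between the two env values alone flips this into the absolute-URL redirect. The callback handler whose signature gains `config` starts before this hunk and its body continues past it.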
+27 -3
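--- a/src/config.rs
+++ b/src/config.rs
@@ -14,8 +14,11 @@
 /// Database URL (defaults to local SQLite)
 pub database_url: String,
 
-/// OAuth redirect base URL
+/// OAuth redirect base URL (auth domain)
 pub oauth_redirect_base: String,
+
+/// Main app URL (status domain)
+pub app_url: String,
 
 /// Server host
 pub server_host: String,
@@ -37,18 +40,24 @@
 }
 
 impl Config {
+/// Check if we're using a separate auth domain
+pub fn uses_separate_auth_domain(&self) -> bool {
+self.oauth_redirect_base != self.app_url
+}
+
 /// Load configuration from environment variables with sensible defaults
 pub fn from_env() -> Result<Self, env::VarError> {
 // Admin DID is intentionally hardcoded as discussed
 let admin_did = "did:plc:xbtmt2zjwlrfegqvch7fboei".to_string();
 
-Ok(Config {
+let config = Config {
 admin_did,
 owner_handle: env::var("OWNER_HANDLE").unwrap_or_else(|_| "zzstoatzz.io".to_string()),
 database_url: env::var("DATABASE_URL")
 .unwrap_or_else(|_| "sqlite://./statusphere.sqlite3".to_string()),
 oauth_redirect_base: env::var("OAUTH_REDIRECT_BASE")
 .unwrap_or_else(|_| "http://localhost:8080".to_string()),
+app_url: env::var("APP_URL").unwrap_or_else(|_| "http://localhost:8080".to_string()),
 server_host: env::var("SERVER_HOST").unwrap_or_else(|_| "127.0.0.1".to_string()),
 server_port: env::var("SERVER_PORT")
 .unwrap_or_else(|_| "8080".to_string())
@@ -65,6 +74,21 @@
 .unwrap_or(false),
 // Default to static/emojis for local dev; override in prod to /data/emojis
 emoji_dir: env::var("EMOJI_DIR").unwrap_or_else(|_| "static/emojis".to_string()),
-})
+};
+
+// Validate critical URLs at startup
+if url::Url::parse(&config.oauth_redirect_base).is_err() {
+log::error!(
+"Invalid OAUTH_REDIRECT_BASE URL: {}",
+config.oauth_redirect_base
+);
+panic!("Invalid OAUTH_REDIRECT_BASE URL configuration");
+}
+if url::Url::parse(&config.app_url).is_err() {
+log::error!("Invalid APP_URL: {}", config.app_url);
+panic!("Invalid APP_URL configuration");
+}
+
+Ok(config)
 }
 }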
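Review bot: The new startup check on `APP_URL` only asks whether the string parses as a URL, but `app_url` is used as a browser redirect target after login, so a parseable value with a non-web scheme would be accepted; the check should also require an `http` or `https` scheme, and the same applies to `OAUTH_REDIRECT_BASE`. Since `from_env` still advertises `Result<Self, env::VarError>` but now panics on a malformed URL, its doc comment should gain a `# Panics` section stating that. Separately, `uses_separate_auth_domain` compares the raw strings, so values that differ only by a trailing slash are treated as different domains; comparing the parsed origins (scheme, host, port) would be more robust, though I cannot tell from this hunk whether callers rely on the exact-string behaviour.

```rust
// … unchanged: OAUTH_REDIRECT_BASE parse check …
// APP_URL is used as a redirect target after login, so require a parseable http(s) URL
match url::Url::parse(&config.app_url) {
    Ok(u) if matches!(u.scheme(), "http" | "https") => {}
    Ok(u) => panic!("APP_URL must use http or https, got scheme {}", u.scheme()),
    Err(e) => {
        log::error!("Invalid APP_URL: {}", config.app_url);
        panic!("Invalid APP_URL configuration: {e}");
    }
}
```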
+1
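--- a/templates/login.html
+++ b/templates/login.html
@@ -424,6 +424,7 @@
 if (themeToggle) {
 themeToggle.addEventListener('click', toggleTheme);
 }
+
 });
 </script>
 {%endblock content%}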