zzstoatzz.io / status
slack status without the slack status.zzstoatzz.io/
quickslice
fork atom

Merge pull request #67 from zzstoatzz/revert-66-fix/oauth-same-site-workaround

Revert "Fix OAuth same-site issue with auth domain workaround"

authored by

nate nowack and committed by
GitHub ca062020 77687015

+10 -50
unified split
+2 -3
.github/workflows/fly-review.yml
··· 47 # Use smaller resources for review apps 48 vmsize: shared-cpu-1x 49 memory: 256 50 - # Set OAUTH_REDIRECT_BASE and APP_URL dynamically for OAuth redirects 51 secrets: | 52 - OAUTH_REDIRECT_BASE=https://zzstoatzz-status-pr-${{ github.event.number }}.fly.dev 53 - APP_URL=https://zzstoatzz-status-pr-${{ github.event.number }}.fly.dev
··· 47 # Use smaller resources for review apps 48 vmsize: shared-cpu-1x 49 memory: 256 50 + # Set OAUTH_REDIRECT_BASE dynamically for OAuth redirects 51 secrets: | 52 + OAUTH_REDIRECT_BASE=https://zzstoatzz-status-pr-${{ github.event.number }}.fly.dev
-1
fly.review.toml
··· 11 ENABLE_FIREHOSE = "true" 12 DEV_MODE = "true" 13 # OAUTH_REDIRECT_BASE will be set dynamically by the workflow 14 - # APP_URL will be set dynamically by the workflow 15 16 [http_service] 17 internal_port = 8080
··· 11 ENABLE_FIREHOSE = "true" 12 DEV_MODE = "true" 13 # OAUTH_REDIRECT_BASE will be set dynamically by the workflow 14 15 [http_service] 16 internal_port = 8080
+5 -18
src/api/auth.rs
··· 64 request: HttpRequest, 65 params: web::Query<OAuthCallbackParams>, 66 oauth_client: web::Data<OAuthClientType>, 67 - config: web::Data<config::Config>, 68 session: Session, 69 ) -> HttpResponse { 70 // Check if there's an OAuth error from BlueSky ··· 110 match agent.did().await { 111 Some(did) => { 112 session.insert("did", did).unwrap(); 113 - // Redirect back to main app domain after successful auth 114 - let redirect_to = if config.uses_separate_auth_domain() { 115 - config.app_url.clone() 116 - } else { 117 - "/".to_string() 118 - }; 119 - Redirect::to(redirect_to) 120 .see_other() 121 .respond_to(&request) 122 .map_into_boxed_body() ··· 143 144 /// Takes you to the login page 145 #[get("/login")] 146 - pub async fn login(config: web::Data<config::Config>) -> Result<HttpResponse> { 147 - // If we're using a separate auth domain, redirect to it 148 - if config.uses_separate_auth_domain() { 149 - let redirect_url = format!("{}/login", config.oauth_redirect_base); 150 - return Ok(HttpResponse::Found() 151 - .append_header(("Location", redirect_url)) 152 - .finish()); 153 - } 154 - 155 let html = LoginTemplate { 156 title: "Log in", 157 error: None, 158 }; 159 - Ok(HttpResponse::Ok().body(html.render().expect("template should be valid"))) 160 } 161 162 /// Logs you out by destroying your cookie on the server and web browser
··· 64 request: HttpRequest, 65 params: web::Query<OAuthCallbackParams>, 66 oauth_client: web::Data<OAuthClientType>, 67 session: Session, 68 ) -> HttpResponse { 69 // Check if there's an OAuth error from BlueSky ··· 109 match agent.did().await { 110 Some(did) => { 111 session.insert("did", did).unwrap(); 112 + Redirect::to("/") 113 .see_other() 114 .respond_to(&request) 115 .map_into_boxed_body() ··· 136 137 /// Takes you to the login page 138 #[get("/login")] 139 + pub async fn login() -> Result<impl Responder> { 140 let html = LoginTemplate { 141 title: "Log in", 142 error: None, 143 }; 144 + Ok(web::Html::new( 145 + html.render().expect("template should be valid"), 146 + )) 147 } 148 149 /// Logs you out by destroying your cookie on the server and web browser
+3 -27
src/config.rs
··· 14 /// Database URL (defaults to local SQLite) 15 pub database_url: String, 16 17 - /// OAuth redirect base URL (auth domain) 18 pub oauth_redirect_base: String, 19 - 20 - /// Main app URL (status domain) 21 - pub app_url: String, 22 23 /// Server host 24 pub server_host: String, ··· 40 } 41 42 impl Config { 43 - /// Check if we're using a separate auth domain 44 - pub fn uses_separate_auth_domain(&self) -> bool { 45 - self.oauth_redirect_base != self.app_url 46 - } 47 - 48 /// Load configuration from environment variables with sensible defaults 49 pub fn from_env() -> Result<Self, env::VarError> { 50 // Admin DID is intentionally hardcoded as discussed 51 let admin_did = "did:plc:xbtmt2zjwlrfegqvch7fboei".to_string(); 52 53 - let config = Config { 54 admin_did, 55 owner_handle: env::var("OWNER_HANDLE").unwrap_or_else(|_| "zzstoatzz.io".to_string()), 56 database_url: env::var("DATABASE_URL") 57 .unwrap_or_else(|_| "sqlite://./statusphere.sqlite3".to_string()), 58 oauth_redirect_base: env::var("OAUTH_REDIRECT_BASE") 59 .unwrap_or_else(|_| "http://localhost:8080".to_string()), 60 - app_url: env::var("APP_URL").unwrap_or_else(|_| "http://localhost:8080".to_string()), 61 server_host: env::var("SERVER_HOST").unwrap_or_else(|_| "127.0.0.1".to_string()), 62 server_port: env::var("SERVER_PORT") 63 .unwrap_or_else(|_| "8080".to_string()) ··· 74 .unwrap_or(false), 75 // Default to static/emojis for local dev; override in prod to /data/emojis 76 emoji_dir: env::var("EMOJI_DIR").unwrap_or_else(|_| "static/emojis".to_string()), 77 - }; 78 - 79 - // Validate critical URLs at startup 80 - if url::Url::parse(&config.oauth_redirect_base).is_err() { 81 - log::error!( 82 - "Invalid OAUTH_REDIRECT_BASE URL: {}", 83 - config.oauth_redirect_base 84 - ); 85 - panic!("Invalid OAUTH_REDIRECT_BASE URL configuration"); 86 - } 87 - if url::Url::parse(&config.app_url).is_err() { 88 - log::error!("Invalid APP_URL: {}", config.app_url); 89 - panic!("Invalid APP_URL configuration"); 90 - } 91 - 92 - Ok(config) 93 } 94 }
··· 14 /// Database URL (defaults to local SQLite) 15 pub database_url: String, 16 17 + /// OAuth redirect base URL 18 pub oauth_redirect_base: String, 19 20 /// Server host 21 pub server_host: String, ··· 37 } 38 39 impl Config { 40 /// Load configuration from environment variables with sensible defaults 41 pub fn from_env() -> Result<Self, env::VarError> { 42 // Admin DID is intentionally hardcoded as discussed 43 let admin_did = "did:plc:xbtmt2zjwlrfegqvch7fboei".to_string(); 44 45 + Ok(Config { 46 admin_did, 47 owner_handle: env::var("OWNER_HANDLE").unwrap_or_else(|_| "zzstoatzz.io".to_string()), 48 database_url: env::var("DATABASE_URL") 49 .unwrap_or_else(|_| "sqlite://./statusphere.sqlite3".to_string()), 50 oauth_redirect_base: env::var("OAUTH_REDIRECT_BASE") 51 .unwrap_or_else(|_| "http://localhost:8080".to_string()), 52 server_host: env::var("SERVER_HOST").unwrap_or_else(|_| "127.0.0.1".to_string()), 53 server_port: env::var("SERVER_PORT") 54 .unwrap_or_else(|_| "8080".to_string()) ··· 65 .unwrap_or(false), 66 // Default to static/emojis for local dev; override in prod to /data/emojis 67 emoji_dir: env::var("EMOJI_DIR").unwrap_or_else(|_| "static/emojis".to_string()), 68 + }) 69 } 70 }
-1
templates/login.html
··· 424 if (themeToggle) { 425 themeToggle.addEventListener('click', toggleTheme); 426 } 427 - 428 }); 429 </script> 430 {%endblock content%}
··· 424 if (themeToggle) { 425 themeToggle.addEventListener('click', toggleTheme); 426 } 427 }); 428 </script> 429 {%endblock content%}