zzstoatzz.io / status
slack status without the slack status.zzstoatzz.io/
quickslice
fork atom

Revert "Revert "Revert "Fix OAuth same-site issue with auth domain workaround"""

authored by

nate nowack and committed by
GitHub f4ab4edd 03546a3f

+6 -42
unified split
+2 -3
.github/workflows/fly-review.yml
··· 47 47 # Use smaller resources for review apps 48 48 vmsize: shared-cpu-1x 49 49 memory: 256 50 - # Set OAUTH_REDIRECT_BASE and APP_URL dynamically for OAuth redirects 50 + # Set OAUTH_REDIRECT_BASE dynamically for OAuth redirects 51 51 secrets: | 52 - OAUTH_REDIRECT_BASE=https://zzstoatzz-status-pr-${{ github.event.number }}.fly.dev 53 - APP_URL=https://zzstoatzz-status-pr-${{ github.event.number }}.fly.dev 52 + OAUTH_REDIRECT_BASE=https://zzstoatzz-status-pr-${{ github.event.number }}.fly.dev
-1
fly.review.toml
··· 11 11 ENABLE_FIREHOSE = "true" 12 12 DEV_MODE = "true" 13 13 # OAUTH_REDIRECT_BASE will be set dynamically by the workflow 14 - # APP_URL will be set dynamically by the workflow 15 14 16 15 [http_service] 17 16 internal_port = 8080
+1 -10
src/api/auth.rs
··· 64 64 request: HttpRequest, 65 65 params: web::Query<OAuthCallbackParams>, 66 66 oauth_client: web::Data<OAuthClientType>, 67 - config: web::Data<config::Config>, 68 67 session: Session, 69 68 ) -> HttpResponse { 70 69 // Check if there's an OAuth error from BlueSky ··· 110 109 match agent.did().await { 111 110 Some(did) => { 112 111 session.insert("did", did).unwrap(); 113 - // Redirect back to main app domain after successful auth 114 - let redirect_to = if config.uses_separate_auth_domain() { 115 - config.app_url.clone() 116 - } else { 117 - "/".to_string() 118 - }; 119 - Redirect::to(redirect_to) 112 + Redirect::to("/") 120 113 .see_other() 121 114 .respond_to(&request) 122 115 .map_into_boxed_body() ··· 144 137 /// Takes you to the login page 145 138 #[get("/login")] 146 139 pub async fn login() -> Result<impl Responder> { 147 - // Don't redirect - just serve the login page 148 - // The OAuth will use the correct redirect URL from config 149 140 let html = LoginTemplate { 150 141 title: "Log in", 151 142 error: None,
+3 -27
src/config.rs
··· 14 14 /// Database URL (defaults to local SQLite) 15 15 pub database_url: String, 16 16 17 - /// OAuth redirect base URL (auth domain) 17 + /// OAuth redirect base URL 18 18 pub oauth_redirect_base: String, 19 - 20 - /// Main app URL (status domain) 21 - pub app_url: String, 22 19 23 20 /// Server host 24 21 pub server_host: String, ··· 40 37 } 41 38 42 39 impl Config { 43 - /// Check if we're using a separate auth domain 44 - pub fn uses_separate_auth_domain(&self) -> bool { 45 - self.oauth_redirect_base != self.app_url 46 - } 47 - 48 40 /// Load configuration from environment variables with sensible defaults 49 41 pub fn from_env() -> Result<Self, env::VarError> { 50 42 // Admin DID is intentionally hardcoded as discussed 51 43 let admin_did = "did:plc:xbtmt2zjwlrfegqvch7fboei".to_string(); 52 44 53 - let config = Config { 45 + Ok(Config { 54 46 admin_did, 55 47 owner_handle: env::var("OWNER_HANDLE").unwrap_or_else(|_| "zzstoatzz.io".to_string()), 56 48 database_url: env::var("DATABASE_URL") 57 49 .unwrap_or_else(|_| "sqlite://./statusphere.sqlite3".to_string()), 58 50 oauth_redirect_base: env::var("OAUTH_REDIRECT_BASE") 59 51 .unwrap_or_else(|_| "http://localhost:8080".to_string()), 60 - app_url: env::var("APP_URL").unwrap_or_else(|_| "http://localhost:8080".to_string()), 61 52 server_host: env::var("SERVER_HOST").unwrap_or_else(|_| "127.0.0.1".to_string()), 62 53 server_port: env::var("SERVER_PORT") 63 54 .unwrap_or_else(|_| "8080".to_string()) ··· 74 65 .unwrap_or(false), 75 66 // Default to static/emojis for local dev; override in prod to /data/emojis 76 67 emoji_dir: env::var("EMOJI_DIR").unwrap_or_else(|_| "static/emojis".to_string()), 77 - }; 78 - 79 - // Validate critical URLs at startup 80 - if url::Url::parse(&config.oauth_redirect_base).is_err() { 81 - log::error!( 82 - "Invalid OAUTH_REDIRECT_BASE URL: {}", 83 - config.oauth_redirect_base 84 - ); 85 - panic!("Invalid OAUTH_REDIRECT_BASE URL configuration"); 86 - } 87 - if url::Url::parse(&config.app_url).is_err() { 88 - log::error!("Invalid APP_URL: {}", config.app_url); 89 - panic!("Invalid APP_URL configuration"); 90 - } 91 - 92 - Ok(config) 68 + }) 93 69 } 94 70 }
-1
templates/login.html
··· 424 424 if (themeToggle) { 425 425 themeToggle.addEventListener('click', toggleTheme); 426 426 } 427 - 428 427 }); 429 428 </script> 430 429 {%endblock content%}