
Merge pull request #67 from zzstoatzz/revert-66-fix/oauth-same-site-workaround

Revert "Fix OAuth same-site issue with auth domain workaround"

authored by nate nowack and committed by GitHub ca062020 77687015

+10 -50
+2 -3
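--- a/.github/workflows/fly-review.yml
+++ b/.github/workflows/fly-review.yml
@@ -47,7 +47,6 @@
 # Use smaller resources for review apps
 vmsize: shared-cpu-1x
 memory: 256
-# Set OAUTH_REDIRECT_BASE and APP_URL dynamically for OAuth redirects
+# Set OAUTH_REDIRECT_BASE dynamically for OAuth redirects
 secrets: |
-OAUTH_REDIRECT_BASE=https://zzstoatzz-status-pr-${{ github.event.number }}.fly.dev
-APP_URL=https://zzstoatzz-status-pr-${{ github.event.number }}.fly.dev
+OAUTH_REDIRECT_BASE=https://zzstoatzz-status-pr-${{ github.event.number }}.fly.dev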
-1
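--- a/fly.review.toml
+++ b/fly.review.toml
@@ -11,7 +11,6 @@
 ENABLE_FIREHOSE = "true"
 DEV_MODE = "true"
 # OAUTH_REDIRECT_BASE will be set dynamically by the workflow
-# APP_URL will be set dynamically by the workflow
 
 [http_service]
 internal_port = 8080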
+5 -18
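--- a/src/api/auth.rs
+++ b/src/api/auth.rs
@@ -64,7 +64,6 @@
 request: HttpRequest,
 params: web::Query<OAuthCallbackParams>,
 oauth_client: web::Data<OAuthClientType>,
-config: web::Data<config::Config>,
 session: Session,
 ) -> HttpResponse {
 // Check if there's an OAuth error from BlueSky
@@ -110,13 +109,7 @@
 match agent.did().await {
 Some(did) => {
 session.insert("did", did).unwrap();
-// Redirect back to main app domain after successful auth
-let redirect_to = if config.uses_separate_auth_domain() {
-config.app_url.clone()
-} else {
-"/".to_string()
-};
-Redirect::to(redirect_to)
+Redirect::to("/")
 .see_other()
 .respond_to(&request)
 .map_into_boxed_body()
@@ -143,20 +136,14 @@
 
 /// Takes you to the login page
 #[get("/login")]
-pub async fn login(config: web::Data<config::Config>) -> Result<HttpResponse> {
-// If we're using a separate auth domain, redirect to it
-if config.uses_separate_auth_domain() {
-let redirect_url = format!("{}/login", config.oauth_redirect_base);
-return Ok(HttpResponse::Found()
-.append_header(("Location", redirect_url))
-.finish());
-}
-
+pub async fn login() -> Result<impl Responder> {
 let html = LoginTemplate {
 title: "Log in",
 error: None,
 };
-Ok(HttpResponse::Ok().body(html.render().expect("template should be valid")))
+Ok(web::Html::new(
+html.render().expect("template should be valid"),
+))
 }
 
 /// Logs you out by destroying your cookie on the server and web browser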
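Review bot: The new line 145 of `login` keeps `html.render().expect("template should be valid")` inside a request handler, so a template failure panics in the worker instead of yielding an error response; the removed line had the same pattern, but since this line is rewritten anyway it is the moment to propagate the error instead, `Ok(web::Html::new(html.render().map_err(actix_web::error::ErrorInternalServerError)?))`. This assumes the `Result` alias in scope is `actix_web::Result`, as the `Result<impl Responder>` signature suggests, and that the template error type implements `Debug + Display`. The callback handler touched by the first two hunks starts and ends outside the shown lines, and its `session.insert("did", did).unwrap()` context line carries the same panic-in-handler concern.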
+3 -27
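--- a/src/config.rs
+++ b/src/config.rs
@@ -14,11 +14,8 @@
 /// Database URL (defaults to local SQLite)
 pub database_url: String,
 
-/// OAuth redirect base URL (auth domain)
+/// OAuth redirect base URL
 pub oauth_redirect_base: String,
-
-/// Main app URL (status domain)
-pub app_url: String,
 
 /// Server host
 pub server_host: String,
@@ -40,24 +37,18 @@
 }
 
 impl Config {
-/// Check if we're using a separate auth domain
-pub fn uses_separate_auth_domain(&self) -> bool {
-self.oauth_redirect_base != self.app_url
-}
-
 /// Load configuration from environment variables with sensible defaults
 pub fn from_env() -> Result<Self, env::VarError> {
 // Admin DID is intentionally hardcoded as discussed
 let admin_did = "did:plc:xbtmt2zjwlrfegqvch7fboei".to_string();
 
-let config = Config {
+Ok(Config {
 admin_did,
 owner_handle: env::var("OWNER_HANDLE").unwrap_or_else(|_| "zzstoatzz.io".to_string()),
 database_url: env::var("DATABASE_URL")
 .unwrap_or_else(|_| "sqlite://./statusphere.sqlite3".to_string()),
 oauth_redirect_base: env::var("OAUTH_REDIRECT_BASE")
 .unwrap_or_else(|_| "http://localhost:8080".to_string()),
-app_url: env::var("APP_URL").unwrap_or_else(|_| "http://localhost:8080".to_string()),
 server_host: env::var("SERVER_HOST").unwrap_or_else(|_| "127.0.0.1".to_string()),
 server_port: env::var("SERVER_PORT")
 .unwrap_or_else(|_| "8080".to_string())
@@ -74,21 +65,6 @@
 .unwrap_or(false),
 // Default to static/emojis for local dev; override in prod to /data/emojis
 emoji_dir: env::var("EMOJI_DIR").unwrap_or_else(|_| "static/emojis".to_string()),
-};
-
-// Validate critical URLs at startup
-if url::Url::parse(&config.oauth_redirect_base).is_err() {
-log::error!(
-"Invalid OAUTH_REDIRECT_BASE URL: {}",
-config.oauth_redirect_base
-);
-panic!("Invalid OAUTH_REDIRECT_BASE URL configuration");
-}
-if url::Url::parse(&config.app_url).is_err() {
-log::error!("Invalid APP_URL: {}", config.app_url);
-panic!("Invalid APP_URL configuration");
-}
-
-Ok(config)
+})
 }
 }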
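Review bot: The third hunk of `from_env` drops the startup validation of `oauth_redirect_base` together with the `app_url` check it reverts, so `Ok(Config { … })` now accepts any string for `OAUTH_REDIRECT_BASE` and a malformed value presumably only surfaces later, when the OAuth client first builds a redirect URI. Removing `app_url` and its check is the point of the revert, but `oauth_redirect_base` survives it and was parse-checked before this change, so that check can stay without touching the rest of the struct literal (the field initializers between the second and third hunks are outside the shown lines). Provided the `url` and `log` crates remain dependencies after the revert, bind the literal and fail fast before returning:

```rust
        let config = Config {
            // … unchanged: field initializers read from env …
        };

        // Fail at startup on a malformed redirect base rather than at first OAuth use
        if url::Url::parse(&config.oauth_redirect_base).is_err() {
            log::error!("Invalid OAUTH_REDIRECT_BASE URL: {}", config.oauth_redirect_base);
            panic!("Invalid OAUTH_REDIRECT_BASE URL configuration");
        }

        Ok(config)
```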
-1
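--- a/templates/login.html
+++ b/templates/login.html
@@ -424,7 +424,6 @@
 if (themeToggle) {
 themeToggle.addEventListener('click', toggleTheme);
 }
-
 });
 </script>
 {%endblock content%}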