Comparing changes

base repository: codebar/auth
base: main
head repository: codebar/auth
compare: feature/magic-link-code-exchange
  • 4 commits
  • 19 files changed
  • 1 contributor

Commits on Jun 21, 2026

  1. feat: add JWT and OAuth provider plugins

    Install @better-auth/oauth-provider and configure Better Auth with:
    - jwt plugin: issues id_tokens with email/name claims for the planner
    - oauthProvider plugin: OAuth 2.1 authorize/token endpoints for the planner
    
    Add seedPlannerClient helper that inserts the first-party planner client
    via raw SQL (Better Auth has no public API for this without admin auth).
    Add a migration script for Heroku release phase that runs migrations
    and seeds the planner client.
    
    Add OAuth provider feature tests covering:
    - planner client seeded correctly (public, PKCE-required)
    - authorize redirects unauthenticated users to login
    - authorize issues code when authenticated
    - token endpoint exchanges code for access token with PKCE
    - token endpoint rejects missing/invalid PKCE, invalid code, mismatched redirect_uri
    mroderick committed Jun 21, 2026
    a95c08f
  2. feat: route login flow through OAuth authorize endpoint

    Replace the old redirect_url-based login flow with callbackURL that
    points to the OAuth provider's authorize endpoint.
    
    - Extract named route handlers (showLogin, showMagicLinkForm, sendMagicLink,
      startGitHubOAuth) for clarity
    - getCallbackURL preserves OAuth query params from the authorize request
      and falls back to a default authorize URL for direct login
    - GitHubButton and MagicLinkButton now POST/GET with callbackURL instead
      of using client-side JS or redirect_url
    
    Add integration test that exercises the full flow:
      authenticate -> authorize -> exchange code -> verify JWT
    mroderick committed Jun 21, 2026
    8c0cf41
  3. feat: add Playwright e2e test for OAuth magic link flow

    Add a headless browser test that exercises the full OAuth 2.1 flow:
      unauthenticated authorize -> login -> magic link -> verify -> authorize -> code
    
    - Capture magic links in dev via devMagicLinks store when SENDGRID_API_KEY
      is not set
    - Expose /api/test/magic-links GET/DELETE endpoints for tests to read/clear
      captured links (dev-only, not available in production)
    - Use APIRequestContext for magic link verification so cookies are handled
      automatically across requests
    - Add e2e job to CI that runs after unit tests, using chromium-headless-shell
      for a smaller Playwright download
    mroderick committed Jun 21, 2026
    215a38d

Commits on Jun 22, 2026

  1. fix: use RS256 for JWT signing to support ruby-jwt gem

    The jwt ruby gem (3.2.0) does not support EdDSA signatures.
    Configure Better Auth to use RS256 instead so the planner can
    verify id_tokens without additional dependencies.
    mroderick committed Jun 22, 2026
    8e0c04b