Skip to content

fix(gui): OAuth manual redirect URL / code paste fallback#132

Merged
lidge-jun merged 1 commit into
lidge-jun:mainfrom
claudianus:fix/gui-oauth-manual-code-fallback
Jul 15, 2026
Merged

fix(gui): OAuth manual redirect URL / code paste fallback#132
lidge-jun merged 1 commit into
lidge-jun:mainfrom
claudianus:fix/gui-oauth-manual-code-fallback

Conversation

@claudianus

Copy link
Copy Markdown

Summary

  • GUI OAuth login (xAI and other OAuthCallbackFlow providers) could not finish when the browser failed to hit the loopback callback — CLI already had paste fallback via onManualCodeInput, GUI did not.
  • Wire startLoginFlow to accept a pasted redirect URL or authorization code through submitManualLoginCode, expose POST /api/oauth/login/code, and show paste UI on Providers + Add Provider while login is waiting.
  • Accept raw auth codes (no state) for in-process paste; still require state match when a full redirect URL is pasted.

Closes #131

Verification

  • bun test tests/oauth-manual-code.test.ts
  • bun test tests/oauth-status-privacy.test.ts tests/kiro-oauth.test.ts
  • bun x tsc --noEmit (root + gui/)
  • bun run build:gui
  • Manual: bun run src/cli/index.ts start → dashboard served after GUI build; paste field appears during OAuth wait

Checklist

  • Scope stays focused and avoids unrelated cleanup.
  • Docs or release notes were updated when needed. (no user-doc change required; CLI already documented the paste path; GUI now matches that behavior)
  • Security-sensitive changes were reviewed for secrets, auth, and unsafe defaults. (manual paste only while an in-progress login is waiting; no tokens returned by the API; state still validated when present in the pasted URL)

Wire GUI login to the same onManualCodeInput path the CLI uses so xAI
(and other browser OAuth providers) can finish when the loopback callback
is unreachable. Adds POST /api/oauth/login/code, dashboard paste UI, and
focused regression tests.

Closes lidge-jun#131
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@lidge-jun
lidge-jun merged commit af25d96 into lidge-jun:main Jul 15, 2026
@lidge-jun

Copy link
Copy Markdown
Owner

Merged into dev and released in v2.7.19 — thanks for fixing #131! Stacked hardening on top (06ee963): pasted redirect URLs/query strings now require a matching state (raw codes stay in-session-PKCE-exempt) and are validated synchronously at submit (409 with a clear reason), the management endpoint caps input at 4 KiB, the Add Provider modal now uses the prov.paste* i18n keys + aria-label, and the test suite proves full PKCE-verifier continuity end-to-end.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: GUI OAuth login has no manual redirect URL / code paste fallback

2 participants