feat: OAuth provider setup + auth secrets + web healthcheck #28

Merged: Bccorb merged 2 commits into main from feat/oauth-provider-setup, Jul 2, 2026
@Bccorb Bccorb commented Jul 2, 2026

Makes seamless init --oauth produce a near-working OAuth example, and fixes two scaffold gaps. Pairs with fells-code/seamless-templates#5 (the setup.oauth manifest flag).

OAuth provider setup

  • When the selected web template declares setup.oauth, init prompts for OIDC providers (Google, GitHub, Microsoft, GitLab) and each one's client id + secret.
  • Wires them into the auth server: OAUTH_PROVIDERS config (endpoints, scopes, PKCE, redirect URI), a per-provider *_CLIENT_SECRET env var, and the oauth login method.
  • Providers left blank are scaffolded disabled, and a next-steps note lists what to fill in plus the redirect URI to register (http://localhost:5173/oauth/callback).
  • Apple is intentionally documented-as-manual: its client secret is a short-lived signed JWT (Team id, Key id, .p8 key) and it has no userinfo endpoint, so it does not fit a "paste a client id and secret" flow.

Scaffold fixes (apply to all templates)

  • Generate REFRESH_TOKEN_LOOKUP_SECRET, TOTP_SECRET_ENCRYPTION_KEY, and OAUTH_STATE_SECRET, which were left empty (silently falling back to the service token).
  • Add a healthcheck to the generated web container (nginx /health).

Validation

  • Generation tested: secrets populated, OAUTH_PROVIDERS with an enabled provider (correct clientId/clientSecretEnv/redirectUri/pkce) and a disabled one for blank creds, per-provider secret env, oauth appended to LOGIN_METHODS, web healthcheck present. Non-OAuth scaffolds unchanged apart from the secrets/healthcheck.
  • Prompt renders (Google/GitHub/Microsoft/GitLab); the setup.oauth gate reads correctly (react-oauth on, react-vite off).

Follow-up for production

Bump SEAMLESS_TEMPLATES_REF to the templates release that carries setup.oauth (after seamless-templates#5 merges and tags), so the OAuth prompts trigger for npx seamless-cli init --oauth. This PR's fixes work regardless of the templates ref.

Bccorb added 2 commits July 2, 2026 23:20
When a template opts into OAuth setup (manifest setup.oauth), prompt for OIDC
providers (Google, GitHub, Microsoft, GitLab) and credentials, and emit
OAUTH_PROVIDERS, per-provider *_CLIENT_SECRET, the oauth login method, and the
redirect URI into the auth env. Also generate the previously-empty
REFRESH_TOKEN_LOOKUP_SECRET / TOTP_SECRET_ENCRYPTION_KEY / OAUTH_STATE_SECRET, and
add a healthcheck to the web container.

Picks up the react-oauth setup.oauth manifest flag, so seamless init --oauth runs
the OAuth provider prompts in production.
@Bccorb Bccorb merged commit 1806986 into main Jul 2, 2026
1 check passed
@Bccorb Bccorb deleted the feat/oauth-provider-setup branch July 2, 2026 21:49
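
Added example, not part of this PR or the seamless-cli code base: a sketch of the generation described above (random values for the three secrets, disabled entries for providers left blank) plus a preflight audit that flags a secret that is empty, equal to the service token, or duplicated, and an enabled provider with no secret env var. The `id` and `enabled` fields, the `SERVICE_TOKEN` name, the JSON encoding of `OAUTH_PROVIDERS`, `pkce: true` and all sample values are assumptions for illustration.

```javascript
const crypto = require("node:crypto");

// Env var names and redirect URI are taken from the PR description.
const SECRET_NAMES = ["REFRESH_TOKEN_LOOKUP_SECRET", "TOTP_SECRET_ENCRYPTION_KEY", "OAUTH_STATE_SECRET"];
const REDIRECT_URI = "http://localhost:5173/oauth/callback";

// Fill each missing or blank secret with its own 32 random bytes (hex).
function generateAuthSecrets(env = {}) {
  const out = { ...env };
  for (const name of SECRET_NAMES) {
    if (!(out[name] || "").trim()) out[name] = crypto.randomBytes(32).toString("hex");
  }
  return out;
}

// Blank client id or secret => disabled entry and no secret env var (assumed layout).
function buildOAuthEnv(answers) {
  const providers = [];
  const secrets = {};
  for (const [id, { clientId = "", clientSecret = "" }] of Object.entries(answers)) {
    const enabled = clientId.trim() !== "" && clientSecret.trim() !== "";
    const clientSecretEnv = `${id.toUpperCase()}_CLIENT_SECRET`;
    providers.push({ id, enabled, clientId: clientId.trim(), clientSecretEnv, redirectUri: REDIRECT_URI, pkce: true });
    if (enabled) secrets[clientSecretEnv] = clientSecret;
  }
  return { OAUTH_PROVIDERS: JSON.stringify(providers), ...secrets };
}

// Return a list of problems instead of letting a fallback happen silently.
function auditAuthEnv(env, serviceTokenName = "SERVICE_TOKEN") {
  const problems = [];
  const seen = new Map();
  for (const name of SECRET_NAMES) {
    const value = (env[name] || "").trim();
    if (!value) problems.push(`${name} is empty`);
    else if (value === env[serviceTokenName]) problems.push(`${name} reuses ${serviceTokenName}`);
    else if (seen.has(value)) problems.push(`${name} duplicates ${seen.get(value)}`);
    else seen.set(value, name);
  }
  for (const p of JSON.parse(env.OAUTH_PROVIDERS || "[]")) {
    if (p.enabled && !(env[p.clientSecretEnv] || "").trim()) {
      problems.push(`${p.id} enabled without ${p.clientSecretEnv}`);
    }
  }
  return problems;
}
```
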