fix(auth): oauth redirect flow

[Prime-victor]

Summary

Fixes the OAuth redirect flow so authentication returns to the configured app URL instead of whichever preview origin served the page. This also switches the Supabase client to environment-based configuration and aligns the setup docs with the actual local development port.

---

🏷️ Type of Change

• feature (minor release)
• bug (patch release)
• breaking (major release)
• enhancement
• refactor
• docs
• ci

---

🌍 Scope

• frontend
• backend
• ui/ux

---

🔗 Related Issues

Closes #

---

📸 Screenshots

Before:

• OAuth sign-in redirected to the Lovable preview placeholder domain instead of the intended app/dashboard.

After:

• OAuth redirect target is derived from VITE_APP_URL and Supabase client config is loaded from environment variables.

---

🧪 Testing

• Steps to verify the changes manually

1. Set VITE_APP_URL=http://localhost:8080 in .env
2. Start the app with npm run dev
3. Open http://localhost:8080
4. Sign in with Google or GitHub
5. Confirm the callback returns to /dashboard on the configured app origin
6. Confirm Supabase requests use the environment-configured project URL

• Tested locally
• Tested on desktop
• Tested on mobile

---

✅ Checklist

• PR is linked to an issue
• Branch is up to date with main
• Build passes (npm run build)
• Lint passes (npm run lint)
• No sensitive data (tokens, secrets)
• Follows project conventions
• UI is responsive (if applicable)
• Accessibility considered (semantic HTML, alt text, keyboard nav)

---

⚠️ Breaking Changes

None.

---

📝 Notes for Reviewers

Key changes in this PR:

• src/hooks/useAuth.tsx
  • uses VITE_APP_URL for auth redirect URLs
  • falls back safely to window.location.origin
• src/integrations/supabase/client.ts
  • removes stale hardcoded Supabase project config
  • loads URL/key from VITE_SUPABASE_URL and VITE_SUPABASE_ANON_KEY
  • throws a clear error if env vars are missing
• .env.example
  • added because docs referenced it but it was missing
• docs
  • updated local setup and OAuth callback guidance to use port 8080

One repo-specific note:

• your contribution docs target dev as the integration branch, so if your workflow follows repo policy, make sure the base branch is correct before opening the PR.

---

Summary by cubic

Fixes OAuth redirects to always return to the configured app URL and /dashboard, not preview origins. Adds SSR-safe redirect generation and switches the Supabase client to env-based config. Updates local setup and docs to port 8080 with a new .env.example.

• Bug Fixes

  • Redirects now use VITE_APP_URL with SSR-safe normalization and always go to /dashboard for sign-up and OAuth; trailing slashes are removed.
  • Supabase client (@supabase/supabase-js) reads VITE_SUPABASE_URL and VITE_SUPABASE_ANON_KEY and throws if missing.

• Migration

  • Set VITE_APP_URL=http://localhost:8080 in .env.
  • Update GitHub OAuth apps to http://localhost:8080 and http://localhost:8080/github-callback.
  • Copy .env.example and fill in values, including VITE_GITHUB_CLIENT_ID.
  • Docs updated to use 8080 for local auth and integration URLs.

^{Written for commit f8a82ff. Summary will update on new commits.}

[vercel]

@Prime-victor is attempting to deploy a commit to the jumalaw98's projects Team on Vercel.

A member of the Team first needs to authorize it.

[cubic-dev-ai]

No issues found across 7 files

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
sytcolabs	Ready	Preview, Comment	May 5, 2026 7:33am

[jumalaw98]

Thanks for the submission. There are a couple of issues that need to be addressed before this can be merged:

1. Use globalThis instead of window
   src/hooks/useAuth.tsx

Sonar is correctly flagging this.

Using window assumes a browser-only environment. This reduces portability and can break in non-browser contexts (e.g., SSR, Node.js, or web workers). globalThis is the standardized way to access the global scope across all JavaScript environments.

Why this matters:

Ensures environment-agnostic code
Improves compatibility with SSR and testing environments
Aligns with modern JavaScript best practices

Suggested change:

const baseUrl = configuredAppUrl || globalThis.location?.origin;

And in the fallback:

return globalThis.location?.origin.replace(//$/, '');

(Using optional chaining adds extra safety in case location is not defined.)

2. Pull Request Title Convention (Blocking)

The PR title does not follow the required conventional commits format, which is causing the semantic PR check to fail:

Current:

Fix/auth oauth redirect

Issue:

Missing proper conventional commit prefix format

Expected format:

fix(auth): oauth redirect

Why this matters:

Enables automated versioning and changelog generation
Required by CI (action-semantic-pull-request)

Please update the PR title accordingly.

Summary

Replace window with globalThis

Update PR title to follow conventional commits

Once these are addressed, we can proceed with another review.

[Prime-victor]

Thanks for the feedback
I have addressed the requested changes:
Replaced window with globalThis for SSR compatibility
Updated the PR title to follow conventional commits

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud