feat: add magic link auth provider with code exchange#2649
Open
mroderick wants to merge 2 commits into
Open
Conversation
mroderick
force-pushed
the
feature/magic-link-auth
branch
from
e01eabc to
8ed635e
Compare
mroderick
force-pushed
the
feature/magic-link-auth
branch
5 times, most recently
from
f6cbdde to
213613f
Compare
Add a custom OmniAuth strategy that connects the planner to the auth
service via OAuth 2.1 / OIDC.
- lib/omniauth/strategies/codebar.rb: the strategy implementation
- request_phase: generates PKCE params and redirects to auth service
authorize endpoint
- callback_phase: exchanges code for tokens, verifies JWT via JWKS,
builds omniauth.auth hash
- Supports EdDSA, RS256, ES256 via JWT.decode with jwks: option
- Caches JWKS for 15 minutes with cache-bust on kid mismatch
- Uses email claim as uid, falls back to sub if email is missing
- config/initializers/omniauth.rb: registers the codebar provider
with auth_url and audience from env vars
- spec/lib/omniauth/strategies/codebar_spec.rb: 13 tests covering
request phase, callback error paths (CSRF, missing code/PKCE,
exchange failure, invalid JWT), successful callback with JWT
verification, and call! routing
mroderick
force-pushed
the
feature/magic-link-auth
branch
from
213613f to
7aca666
Compare
Collaborator
Author
|
This is the related PR in |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds an integration with our new auth app (auth.codebar.io), which allows users to sign up with a magic link as well as github.
Initially, this will not be available through the UI, but on a new url: https://codebar.io/auth/codebar instead of https://codebar.io/auth/github
This allows us to iron out any kinks there might be, before we start relying on it.
Summary
Adds a custom OmniAuth strategy (
:codebar) that delegates authentication to a separate auth app running on port 3001. The auth app becomes an identity provider — users authenticate via magic link or GitHub OAuth on the auth app, which issues a one-time code exchanged server-to-server for a signed JWT.Key Design Decisions
:githuband:codebarproviders coexist — existing auth controller unchanged.Files
lib/omniauth/strategies/codebar.rb— Custom OmniAuth strategy (request_phase, callback_phase, code exchange, JWT verification)config/initializers/omniauth.rb— Added:codebarprovider alongside existing:githubspec/lib/omniauth/strategies/codebar_spec.rb— 16 tests covering all error paths through callback phaseGemfile/Gemfile.lock— AddedjwtgemTesting
484 examples, 0 failures. All existing auth service tests continue to pass. New strategy tests cover state mismatch, missing code, empty code, exchange failure, JWT verification failure, and full success path.