
feat(mobile): OAuth2 mobile endpoint and Mail Settings field (#485)#496

Merged
krantheman merged 4 commits into frappe:mobile-app from krantheman:mobile/485-oauth-endpoint on Jun 1, 2026

Conversation

@krantheman
Member

@krantheman krantheman commented May 27, 2026

Summary

  • Adds mail/api/mobile.py with two endpoints:
    • get_client_id (allow_guest=True) — called by the mobile app before login to validate the site and fetch the OAuth client ID, app name, logo, and sitename. Returns only non-sensitive public config; reviewed and marked # nosemgrep for the guest-whitelisted-method rule (same pattern as Raven's equivalent endpoint).
    • create_oauth_client (requires Mail Settings write permission) — auto-creates or updates a Frappe OAuth Client doc and stores its ID in Mail Settings, so admins don't need to configure it manually
  • Adds mobile_oauth_client (Link → OAuth Client) field to Mail Settings under a new Mobile tab
  • Adds a Setup Mobile OAuth Client button (Mail Settings → Actions) that calls create_oauth_client and reloads the form
  • Redirect URI is com.frappe.mail://oauth — matches the iOS Info.plist and Android AndroidManifest.xml stubs added in Mobile: NativeScript + Vue 3 project scaffolding #484

Modeled on Raven's mobile-login approach (guest get_client_id discovery + admin create_oauth_client, Authorization Code flow against Frappe's OAuth provider). Note: mail users are identified by is_jmap_configured (a User Settings check), not a role, so the OAuth client is not role-gated — the mail APIs already enforce is_jmap_configured.

Admin setup flow

  1. Open Mail Settings → Mobile tab in Frappe Desk
  2. Click Setup Mobile OAuth Client under Actions — creates/updates the OAuth Client automatically and stores its ID
  3. Mobile app users can now enter the site URL and the app will fetch the client_id from get_client_id

Test plan

Verified on a dev site (bench migrate + console/HTTP):

  • get_client_id raises DoesNotExistError when no OAuth client is configured
  • After create_oauth_client, get_client_id returns client_id, app_name, logo, sitename (also confirmed over HTTP as guest — no auth)
  • create_oauth_client raises PermissionError for users without Mail Settings write permission
  • Mail Settings shows the Mobile tab + OAuth Client link field after bench migrate
  • The created OAuth Client has the expected config (redirect com.frappe.mail://oauth, Authorization Code / Code, scopes = all openid)

Closes #485

🤖 Generated with Claude Code
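The mobile-side half of the flow sketched above (guest get_client_id discovery, then an Authorization Code login against the site's OAuth provider with the com.frappe.mail://oauth redirect), written out as an added example; it is not code from this PR or from the mail app. It assumes the standard Frappe OAuth provider paths (frappe.integrations.oauth2.authorize and get_token) and that the provider accepts PKCE with the S256 method; the get_client_id response and the callback URL are constructed samples. Because a mobile app is a public client that cannot keep a client secret, the example binds the authorization code to the app instance with PKCE, checks the echoed state, and treats the unauthenticated get_client_id body as untrusted input.

```python
"""Mobile-side Authorization Code + PKCE flow against a Frappe site.

Added example, not code from the PR. Assumptions: the standard Frappe OAuth
provider paths below and PKCE (S256) support on the provider.
"""
from __future__ import annotations

import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# From the PR: redirect URI registered on the OAuth Client and in the app manifests.
REDIRECT_URI = "com.frappe.mail://oauth"
# Assumed Frappe OAuth provider endpoints (not taken from the PR).
AUTHORIZE_PATH = "/api/method/frappe.integrations.oauth2.authorize"
TOKEN_PATH = "/api/method/frappe.integrations.oauth2.get_token"
# Scope the PR's create_oauth_client configures on the client.
SCOPE = "all openid"


def validate_client_config(payload: dict) -> str:
    """Check the guest get_client_id response and return the client_id.

    The endpoint is unauthenticated, so the app insists on the documented keys
    and a non-empty string client_id instead of forwarding whatever came back.
    """
    required = ("client_id", "app_name", "logo", "sitename")
    missing = [key for key in required if key not in payload]
    if missing:
        raise ValueError(f"get_client_id response missing keys: {missing}")
    client_id = payload["client_id"]
    if not isinstance(client_id, str) or not client_id.strip():
        raise ValueError("client_id must be a non-empty string")
    return client_id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: str | None = None) -> tuple[str, str]:
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    if verifier is None:
        verifier = _b64url(secrets.token_bytes(32))  # 43 chars, within RFC limits
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(site_url: str, client_id: str, state: str, code_challenge: str) -> str:
    """Build the authorize URL the app opens in the system browser."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return site_url.rstrip("/") + AUTHORIZE_PATH + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the custom-scheme redirect.

    Rejects callbacks that do not match the registered redirect URI exactly,
    carry an error, or do not echo the state this login attempt generated.
    """
    got, want = urlparse(callback_url), urlparse(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError(f"unexpected redirect target: {callback_url}")
    query = parse_qs(got.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("callback did not carry exactly one authorization code")
    return codes[0]


def build_token_request(client_id: str, code: str, code_verifier: str) -> dict:
    """Form body for POST {site}TOKEN_PATH. No client_secret: the app is a
    public client, and code_verifier is what proves it started this flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    # Constructed sample of a get_client_id response; a real app fetches it from
    # {site}/api/method/mail.api.mobile.get_client_id before login.
    site = "https://mail.example.com"
    config = {"client_id": "abc123", "app_name": "Mail", "logo": "/files/logo.png",
              "sitename": "mail.example.com"}
    client_id = validate_client_config(config)
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print("open:", build_authorize_url(site, client_id, state, challenge))
    # Constructed callback the OS would hand the app after the user logs in.
    code = parse_callback(f"{REDIRECT_URI}?code=SAMPLECODE&state={state}", state)
    print("POST", site + TOKEN_PATH, build_token_request(client_id, code, verifier))
```

The state and code_verifier live only in app memory for the duration of one login attempt; a callback that arrives with a different state (for example, one injected by another app registered for the same custom scheme) is dropped rather than exchanged for tokens.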

…ppe#485)

- Add mail/api/mobile.py with two endpoints:
  - get_client_id (allow_guest): returns OAuth client_id, app_name, logo,
    and sitename for the mobile app's site-validation step
  - create_oauth_client (System Manager): auto-creates or updates the
    OAuth Client doctype and stores the ID in Mail Settings
- Add mobile_oauth_client field to Mail Settings under a new Mobile tab
- Redirect URI registered as com.frappe.mail://oauth (matches iOS Info.plist
  and Android AndroidManifest.xml stubs from frappe#484)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@krantheman krantheman requested a review from s-aga-r as a code owner May 27, 2026 08:23
krantheman and others added 3 commits May 29, 2026 21:18
Reflow two get_single_value expressions to the project's 110-char line
length and wrap the long frappe.throw call, fixing the ruff-format
pre-commit hook in CI. No behavior change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Adds an Actions button that calls mail.api.mobile.create_oauth_client and
reloads the form, so admins can provision the mobile OAuth client from the
UI instead of calling the endpoint by hand (the field description already
pointed at this button).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The endpoint must be allow_guest=True (the mobile app fetches the public
OAuth client_id before login) and returns only non-sensitive public config,
so suppress the guest-whitelisted-method semgrep rule with a justification.
Same pattern as Raven's equivalent endpoint.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@krantheman krantheman merged commit 9a6c765 into frappe:mobile-app Jun 1, 2026
3 checks passed