@TooAngel
Owner

@TooAngel TooAngel commented Jan 6, 2026

Summary

  • Add multi-domain OAuth support to allow webapp on different domain to authenticate
  • Accept callback query parameter on /login to specify OAuth callback URL
  • Use OAuth state parameter to persist callback/redirect data through GitHub flow
  • Return JSON response with sessionId when callback domain is external
  • Whitelist allowed callback domains for security (www.worlddriven.org, worlddriven-webapp.tooangel.com, localhost)

Test plan

  • Test login from www.worlddriven.org (existing flow unchanged)
  • Test login from worlddriven-webapp.tooangel.com with callback parameter
  • Verify session is created and returned as JSON for webapp
  • Verify redirect works after OAuth completion

Allow external apps (like webapp) to specify their OAuth callback URL via
the `callback` query parameter on /login. This enables multi-domain OAuth
where the webapp can authenticate users through core's OAuth flow.

Changes:
- Add allowedCallbackDomains whitelist for security
- Accept `callback` and `redirect` params on /login route
- Use OAuth state parameter to persist data through GitHub redirect
- Return JSON response with sessionId when callback domain is specified
- Support www.worlddriven.org, worlddriven-webapp.tooangel.com, localhost
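The callback allowlist and state round trip described in this pull request, sketched as an added example; it is not the project's code. The three hostnames come from the description above, while the function names, the http-on-localhost rule and the path-only `redirect` rule are assumptions.

```javascript
// Added example: hostnames are from the PR description; everything else
// (names, http only on localhost, path-only redirect) is assumed.
const ALLOWED_CALLBACK_HOSTS = new Set([
  'www.worlddriven.org',
  'worlddriven-webapp.tooangel.com',
  'localhost',
]);

// Return a normalized callback URL, or null when it must be rejected.
function validateCallback(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // not an absolute URL
  }
  // Exact hostname match: suffix or substring checks accept look-alike hosts.
  if (!ALLOWED_CALLBACK_HOSTS.has(url.hostname)) return null;
  // Embedded credentials have no place in a callback URL.
  if (url.username || url.password) return null;
  const plainHttpOk = url.hostname === 'localhost' && url.protocol === 'http:';
  if (url.protocol !== 'https:' && !plainHttpOk) return null;
  return url.origin + url.pathname; // drop query and fragment
}

// Accept only a same-site path for the post-login redirect.
function validateRedirect(raw) {
  if (raw === undefined) return '/';
  return /^\/(?![\/\\])/.test(raw) ? raw : null;
}

// Pack the validated values into the OAuth state parameter.
function encodeState(callback, redirect) {
  const data = { callback: validateCallback(callback), redirect: validateRedirect(redirect) };
  if (!data.callback || !data.redirect) return null;
  return Buffer.from(JSON.stringify(data)).toString('base64url');
}

// State comes back through the browser, so validate it again before use.
function decodeState(state) {
  try {
    const data = JSON.parse(Buffer.from(String(state), 'base64url').toString('utf8'));
    const callback = validateCallback(data.callback);
    const redirect = validateRedirect(data.redirect);
    return callback && redirect ? { callback, redirect } : null;
  } catch {
    return null;
  }
}
```

Because the session ID is handed to whatever URL survives this check, the second validation in `decodeState` matters as much as the first: the state value is not trusted just because the server produced it earlier.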
@worlddriven
Contributor

worlddriven bot commented Jan 6, 2026

🤖 Worlddriven Status

📊 Live Status Dashboard

🗓️ Merge Date: 2026-01-08 at 04:56:37 UTC (today)
📅 Started: 2026-01-06 at 10:26:37 UTC
Speed Factor: 0.18 (82% faster due to reviews)
Positive votes: 316/384 contribution weight (coefficient: 0.82)
📈 Base Merge Time: 10 days → Current: 2 days

🎯 Want to influence when this merges?

Your review matters! As a contributor to this project, your voice helps determine the merge timeline.

How to review:

  1. Check the changes
    Files changed

  2. Leave your review
    Review changes

Your options:

  • ✅ Agree & Speed Up: Approve Approving makes this merge faster
  • ❌ Disagree & Slow Down: Request changes Requesting changes delays the merge

💡 Pro tip: The more contributors who agree, the faster this gets merged!

📊 View detailed stats on the dashboard

📋 Recent Activity

2026-01-06, 10:26:45 - Pull request opened
2026-01-06, 10:26:46 - Pull request opened
2026-01-08, 05:51:41 - Pull request merged by worlddriven ✅


This comment is automatically updated by worlddriven

@worlddriven worlddriven bot merged commit 38a5502 into master Jan 8, 2026
2 checks passed
@worlddriven worlddriven bot deleted the feat/multi-domain-oauth branch January 8, 2026 05:51
2 participants