@vreshch vreshch commented Nov 25, 2025

Summary

This PR implements the OAuth 2.0 Device Authorization Grant (RFC 8628) for CLI authentication, enabling users to authenticate their CLI tools via GitHub.

Changes

Backend (packages/backend)

  • Device Code Service (src/services/device-code/)

    • Generates cryptographically secure device codes (32+ bytes)
    • Creates user-friendly 8-character codes (XXXX-XXXX format using unambiguous characters)
    • Stores codes in MongoDB with TTL index for automatic cleanup (15 min expiry)
    • Handles code authorization and JWT token generation
  • New API Endpoints (added to src/routes/auth/index.ts)

    • POST /api/auth/device/code - Request a device code for CLI
    • POST /api/auth/device/token - Poll for token after user authenticates
    • POST /api/auth/device/authorize - Authorize a device code (called by frontend)
    • GET /api/auth/device/verify - Verify a user code is valid
  • Updated GitHub OAuth Flow

    • Modified to support device flow via OAuth state parameter
    • Redirects to /device/authorize when coming from device flow

Frontend (packages/frontend)

  • Device Entry Page (/device)

    • User enters device code displayed by CLI
    • Validates code format and verifies with backend before OAuth redirect
  • Device Authorization Page (/device/authorize)

    • Handles OAuth callback for device flow
    • Authorizes the device code with user credentials
    • Shows success/error status

Shared Types (packages/shared)

  • Added DeviceCodeDocument - MongoDB document structure
  • Added DeviceCodeResponse, DeviceTokenResponse, DeviceAuthError types

Authentication Flow

CLI                  Backend                Frontend             GitHub
 |                      |                      |                    |
 |--POST /device/code-->|                      |                    |
 |<---device_code-------|                      |                    |
 |                      |                      |                    |
 | User opens /device   |                      |                    |
 |--------------------->|--------------------->|                    |
 |                      |                      |--/auth/github----->|
 |                      |                      |<---OAuth callback--|
 |                      |<--authorize device---|                    |
 |                      |                      |                    |
 |--POST /device/token->|                      |                    |
 |<---access_token------|                      |                    |

Testing

  • Added unit tests for DeviceCodeService
  • Manually tested build passes for all packages

Related

- Add device code service for managing device authorization codes
- Add POST /api/auth/device/code endpoint to request device codes
- Add POST /api/auth/device/token endpoint for polling token status
- Add POST /api/auth/device/authorize endpoint for authorizing devices
- Add GET /api/auth/device/verify endpoint for validating user codes
- Update GitHub OAuth flow to support device authorization state
- Add /device page for users to enter device codes
- Add /device/authorize page for OAuth callback handling
- Add DeviceCodeDocument type to shared types
- Add TTL index for automatic device code cleanup
- Add unit tests for device code service

Implements OAuth 2.0 Device Authorization Grant (RFC 8628) for GitHub only
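The device-code issuance, user-code validation and token-polling behaviour described in this PR, as an added TypeScript example that is not the PR's own code from src/services/device-code/; the alphabet, record shape, function names and the RFC 8628 §3.5 error codes returned by the poll step are assumptions, since the PR body does not list them.

```typescript
import { randomBytes, randomInt } from "node:crypto";
// Assumed alphabet: drops 0/O and 1/I/L, which users confuse when typing.
export const USER_CODE_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789";
export const DEVICE_CODE_BYTES = 32;   // PR: "32+ bytes"
export const EXPIRES_IN_SEC = 15 * 60; // PR: 15 min TTL

export interface DeviceCodeRecord {
  deviceCode: string;        // opaque secret returned only to the CLI
  userCode: string;          // XXXX-XXXX code the user types on /device
  expiresAt: number;         // epoch ms; the MongoDB TTL index expires the document
  authorizedUserId?: string; // set by POST /api/auth/device/authorize
}

// 8 characters drawn with randomInt, which is uniform (no modulo bias).
export function generateUserCode(): string {
  let s = "";
  for (let i = 0; i < 8; i++) {
    s += USER_CODE_ALPHABET[randomInt(USER_CODE_ALPHABET.length)];
  }
  return `${s.slice(0, 4)}-${s.slice(4)}`;
}

export function createDeviceCode(now: number = Date.now()): DeviceCodeRecord {
  return {
    deviceCode: randomBytes(DEVICE_CODE_BYTES).toString("base64url"),
    userCode: generateUserCode(),
    expiresAt: now + EXPIRES_IN_SEC * 1000,
  };
}

// GET /api/auth/device/verify: canonicalise the typed code and reject anything outside the alphabet before any lookup.
export function normalizeUserCode(input: string): string | null {
  const raw = input.toUpperCase().replace(/[^A-Z0-9]/g, "");
  if (raw.length !== 8) return null;
  if (raw.split("").some((c) => !USER_CODE_ALPHABET.includes(c))) return null;
  return `${raw.slice(0, 4)}-${raw.slice(4)}`;
}

// POST /api/auth/device/token outcome with RFC 8628 §3.5 error codes; a real service mints the JWT where userId is returned.
export type PollResult =
  | { error: "invalid_grant" | "expired_token" | "authorization_pending" }
  | { userId: string };
export function pollDeviceCode(rec: DeviceCodeRecord | undefined, now: number = Date.now()): PollResult {
  if (!rec) return { error: "invalid_grant" };
  if (now >= rec.expiresAt) return { error: "expired_token" };
  if (!rec.authorizedUserId) return { error: "authorization_pending" };
  return { userId: rec.authorizedUserId };
}
```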
@github-actions

Pull Request Validation Successful

Step Results:

  • 📦 Install dependencies: true
  • 🔍 Run linting: true
  • 🧪 Run tests: true
  • 🏗️ Build packages: true

🎉 All quality checks passed! Ready to merge.

🐳 Docker Images Built Successfully!

🏷️ Tag: pr-11

  • Backend: ✅ Built
  • Frontend: ✅ Built

⏰ Generated at: 2025-11-25T23:16:01.608Z

@vreshch vreshch merged commit 56486b3 into master Nov 25, 2025
3 checks passed