mirror of
https://github.com/Dvorinka/Trackeep.git
synced 2026-06-04 20:42:59 +00:00
57 lines
2.3 KiB
Markdown
# OAuth Service Configuration Changes
## Summary of Changes

### 1. CORS Configuration Updated

- **Before**: Restricted to specific origins (`http://localhost:5173,http://localhost:8080`)
- **After**: Allows all origins (`*`) for maximum flexibility
- **Implementation**: Updated CORS middleware to handle wildcard origins properly

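The middleware below is an added example, not the project's own code, written against a plain `net/http` backend (the project's language and middleware shape are assumptions here, as are the function name `newCORSMiddleware` and the comma-separated configuration format). It shows both settings this section compares: the wildcard mode now in use, and the earlier allowlist mode. The difference that matters for an OAuth service is visible in the headers it emits: `*` cannot be paired with `Access-Control-Allow-Credentials: true` (browsers reject that combination), so cookie-based calls only work when the exact origin is echoed back.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newCORSMiddleware builds the middleware from an ALLOWED_ORIGINS-style value:
// "*" (the setting this document adopts) or a comma-separated allowlist such as
// "http://localhost:5173,http://localhost:8080" (the previous setting). The
// function name and the configuration format are assumptions for this example.
func newCORSMiddleware(allowedOrigins string) func(http.Handler) http.Handler {
	wildcard := strings.TrimSpace(allowedOrigins) == "*"
	allowlist := map[string]bool{}
	for _, o := range strings.Split(allowedOrigins, ",") {
		if o = strings.TrimSpace(o); o != "" && o != "*" {
			allowlist[o] = true
		}
	}
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			origin := r.Header.Get("Origin")
			h := w.Header()
			switch {
			case wildcard:
				// Any origin may read the response, but browsers will neither
				// send cookies nor accept "*" together with
				// Access-Control-Allow-Credentials: true, so that header is
				// deliberately not set here.
				h.Set("Access-Control-Allow-Origin", "*")
			case origin != "" && allowlist[origin]:
				// Echo the exact origin so credentialed requests work, and tell
				// caches that the answer depends on the Origin header.
				h.Set("Access-Control-Allow-Origin", origin)
				h.Set("Access-Control-Allow-Credentials", "true")
				h.Add("Vary", "Origin")
			default:
				// Unknown origin: no CORS headers. The request still reaches the
				// handler; CORS only limits what a browser page may read, which
				// is why it must never be the sole access control.
			}
			if r.Method == http.MethodOptions {
				// Preflight: answer here without running the application handler.
				h.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
				h.Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
				w.WriteHeader(http.StatusNoContent)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// corsHeadersFor runs the middleware over one constructed request and returns
// the CORS-relevant parts of the response, so a policy can be checked offline.
func corsHeadersFor(allowedOrigins, method, origin string) (allowOrigin, allowCredentials string, status int) {
	handler := newCORSMiddleware(allowedOrigins)(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(method, "/auth/github", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin"),
		rec.Header().Get("Access-Control-Allow-Credentials"),
		rec.Code
}

func main() {
	// Constructed requests from a browser page on the Vite dev origin.
	for _, policy := range []string{"*", "http://localhost:5173,http://localhost:8080"} {
		ao, ac, code := corsHeadersFor(policy, http.MethodGet, "http://localhost:5173")
		fmt.Printf("policy=%q -> Allow-Origin=%q Allow-Credentials=%q status=%d\n", policy, ao, ac, code)
	}
}
```

Running `main` prints the wildcard policy answering with `*` and no credentials header, while the allowlist policy echoes `http://localhost:5173` with credentials enabled. In both modes an origin that is not allowed still gets its request processed; only the browser's ability to read the answer changes.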
### 2. Dynamic Client URL Detection

- **Before**: Hardcoded default client URL (`http://localhost:5173`)
- **After**: Dynamically determines the client URL from, in priority order:
  - Query parameter `redirect_uri` (highest priority)
  - Request `Origin` header
  - Request `Referer` header
  - Fallback to the `DEFAULT_CLIENT_URL` environment variable
- **Implementation**: Enhanced the `initiateGitHubOAuth` function with URL parsing logic

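The following is an added example of the priority order described above, not the project's `initiateGitHubOAuth` (the project's language, the function names `clientURLFromRequest`, `originOf`, `checkClientAllowed` and `resolveClientURL`, and the allowlist values are all assumptions). It also adds one step this section does not mention: because every input in the chain except the default is chosen by whoever sends the request, the resolved origin is checked against an allowlist of known client origins before it is used as a redirect target.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// clientURLFromRequest applies the priority order this document describes:
// redirect_uri query parameter, then Origin header, then Referer header, then
// the DEFAULT_CLIENT_URL value passed in by the caller. Each candidate is
// reduced to its origin (scheme://host[:port]) so a Referer carrying a path or
// query string does not end up in the redirect. Names are assumptions for this
// example; the project's initiateGitHubOAuth may be structured differently.
func clientURLFromRequest(r *http.Request, defaultClientURL string) string {
	candidates := []string{
		r.URL.Query().Get("redirect_uri"),
		r.Header.Get("Origin"),
		r.Header.Get("Referer"),
	}
	for _, c := range candidates {
		if origin, ok := originOf(c); ok {
			return origin
		}
	}
	return defaultClientURL
}

// originOf accepts only absolute http(s) URLs with a host and returns their
// origin, lower-cased. Scheme-relative values ("//evil.example"), javascript:
// URLs and empty strings are rejected, which stops the common ways of
// smuggling an unexpected target through a redirect parameter.
func originOf(raw string) (string, bool) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return "", false
	}
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return "", false
	}
	return strings.ToLower(u.Scheme + "://" + u.Host), true
}

// checkClientAllowed is the step this document does not describe (added here as
// a recommendation, not as project behaviour): the resolved origin must be on an
// operator-maintained allowlist. Without it, anyone can hand a victim a login link
// whose redirect_uri points at a host they control and collect whatever the
// callback passes along in the redirect.
func checkClientAllowed(origin string, allowlist []string) error {
	for _, a := range allowlist {
		if strings.EqualFold(strings.TrimRight(a, "/"), origin) {
			return nil
		}
	}
	return fmt.Errorf("client origin %q is not in the allowlist", origin)
}

// resolveClientURL combines detection and the allowlist check; it is what an
// OAuth initiation handler would call before building the redirect.
func resolveClientURL(r *http.Request, defaultClientURL string, allowlist []string) (string, error) {
	origin := clientURLFromRequest(r, defaultClientURL)
	if err := checkClientAllowed(origin, allowlist); err != nil {
		return "", err
	}
	return origin, nil
}

func main() {
	allowlist := []string{"https://app.tdvorak.dev", "http://localhost:5173"} // assumed deployment values
	// Constructed request: a login link an attacker might hand to a victim. The
	// redirect_uri outranks the legitimate Origin header, and is then rejected.
	req, _ := http.NewRequest(http.MethodGet, "/auth/github?redirect_uri=https://attacker.example/cb", nil)
	req.Header.Set("Origin", "https://app.tdvorak.dev")
	u, err := resolveClientURL(req, "http://localhost:5173", allowlist)
	fmt.Printf("resolved=%q err=%v\n", u, err)
}
```

Note that the default value also passes through the allowlist, so a misconfigured `DEFAULT_CLIENT_URL` fails loudly instead of silently redirecting somewhere unexpected.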
### 3. Service Domain Configuration

- **Added**: New `SERVICE_DOMAIN` environment variable
- **Purpose**: Identifies the OAuth service domain in logs and webhook responses
- **Current Value**: `https://oauth.tdvorak.dev`

### 4. Enhanced Webhook Handling

- **Before**: Basic webhook processing with minimal logging
- **After**:
  - Proper webhook secret configuration check
  - Enhanced logging with service domain identification
  - Detailed event type handling with better payload logging
  - Response includes service domain information

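As an added example (not the project's handler; the language, handler shape, function names and response fields are assumptions), this is what the secret configuration check and the signature validation mentioned in this section and under Security Considerations look like when made fail-closed. It assumes GitHub-style webhooks, which sign the raw request body with HMAC-SHA256 and send the result as `X-Hub-Signature-256: sha256=<hex>`; the handler verifies before parsing JSON and includes the `SERVICE_DOMAIN` value in its response.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

var (
	errNoSecret     = errors.New("webhook secret not configured")
	errBadSignature = errors.New("webhook signature mismatch")
)

// signPayload computes the GitHub-style signature header value for a body:
// "sha256=" followed by the hex HMAC-SHA256 of the raw bytes under the secret.
// Exposed so the example can produce valid deliveries without a network.
func signPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// verifyWebhook is the "secret configuration check" made fail-closed: an
// unset secret rejects every delivery instead of skipping validation.
// hmac.Equal compares in constant time, so mismatches do not leak timing.
func verifyWebhook(secret, body []byte, signatureHeader string) error {
	if len(secret) == 0 {
		return errNoSecret
	}
	if !hmac.Equal([]byte(signPayload(secret, body)), []byte(signatureHeader)) {
		return errBadSignature
	}
	return nil
}

// webhookHandler reads the raw body (the HMAC covers the bytes on the wire, so
// verification happens before any JSON parsing), checks the signature and
// answers with the event type and the service domain. The response field names
// are assumptions for this example.
func webhookHandler(secret []byte, serviceDomain string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap payload size at 1 MiB
		if err != nil {
			http.Error(w, "cannot read body", http.StatusBadRequest)
			return
		}
		if err := verifyWebhook(secret, body, r.Header.Get("X-Hub-Signature-256")); err != nil {
			// Log the precise reason server-side; the sender only learns that it failed.
			fmt.Printf("[%s] webhook rejected: %v\n", serviceDomain, err)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		var payload map[string]any
		if err := json.Unmarshal(body, &payload); err != nil {
			http.Error(w, "invalid json", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]string{
			"service": serviceDomain,
			"event":   r.Header.Get("X-GitHub-Event"),
			"status":  "ok",
		})
	})
}

// deliver posts one constructed webhook to the handler and returns the HTTP
// status, so the behaviour can be exercised offline.
func deliver(handler http.Handler, body []byte, signature, event string) int {
	req := httptest.NewRequest(http.MethodPost, "/webhook", bytes.NewReader(body))
	req.Header.Set("X-GitHub-Event", event)
	if signature != "" {
		req.Header.Set("X-Hub-Signature-256", signature)
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret := []byte("constructed-example-secret") // would come from the environment in practice
	body := []byte(`{"action":"opened","repository":{"full_name":"Dvorinka/Trackeep"}}`) // constructed payload
	h := webhookHandler(secret, "https://oauth.tdvorak.dev")
	fmt.Println("valid signature:", deliver(h, body, signPayload(secret, body), "pull_request"))
	fmt.Println("wrong secret:   ", deliver(h, body, signPayload([]byte("wrong"), body), "pull_request"))
	fmt.Println("unset secret:   ", deliver(webhookHandler(nil, "https://oauth.tdvorak.dev"), body, signPayload(secret, body), "pull_request"))
}
```

The last line of `main` is the point of the secret check: with no secret configured, a delivery that would otherwise validate is still refused, which is the behaviour to want from a handler that is reachable from any domain.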
### 5. Environment Files Updated

- **`.env`**: Updated with new configuration values
- **`.env.example`**: Updated to reflect the new structure for other deployments

## Key Benefits

1. **Multi-domain Support**: Service can now handle requests from any domain
2. **Dynamic Client Detection**: Automatically redirects users back to their originating domain
3. **Better Debugging**: Enhanced logging makes troubleshooting easier
4. **Production Ready**: Configuration is more flexible for different deployment scenarios

## Security Considerations

- CORS only controls which browser origins may read a cross-origin response; it does not authenticate the caller, and the server still processes every request it receives. Allowing all origins therefore does not by itself weaken the OAuth flow, but CORS must not be relied on as an access control either. Note also that a wildcard `Access-Control-Allow-Origin: *` cannot be combined with `Access-Control-Allow-Credentials: true`; browsers reject that pair, so any cookie-based call needs the exact origin echoed back instead.
- Validation of the OAuth `state` parameter ties the callback to the session that started the flow and so prevents login CSRF.
- JWTs issued by the service are still validated before they are trusted.
- The client URL is now derived from request-controlled input (`redirect_uri`, `Origin`, `Referer`). This document does not describe a check of the resolved URL against a list of known client origins; without one, a crafted login link can send the user, and whatever the callback passes along in the redirect, to a host of the attacker's choosing. Add such an allowlist before exposing the service to arbitrary domains.
- Webhook signature validation is in place, but it protects nothing until the secret is configured; treat an unset secret as a misconfiguration that rejects deliveries, not as a reason to skip the check.

## Usage

The service will now:

1. Accept OAuth requests from any domain
2. Detect the client's origin automatically and redirect back to it
3. Handle webhooks with better logging and domain identification
4. Work with the author's domain (`tdvorak.dev`) as well as any other domain