mirror of
https://github.com/maybe-finance/maybe.git
synced 2025-07-18 20:59:39 +02:00
cba0bdf0e2
- Configure Doorkeeper to allow custom URL schemes (maybeapp://)
- Disable force_ssl_in_redirect_uri to support non-HTTPS schemes
- Add custom Doorkeeper views with mobile OAuth detection
- Disable Turbo for mobile OAuth flows to prevent redirect interference
- Add display parameter preservation through OAuth flow
- Create custom Doorkeeper layouts with proper styling
- Add comprehensive integration tests for mobile OAuth flows
- Ensure all OAuth pages use proper doorkeeper/application layout
This allows the mobile app to complete OAuth authorization flows
without the web app interfering with custom URL scheme redirects.
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
75 lines
2 KiB
Ruby
75 lines
2 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require "test_helper"
|
|
|
|
class OauthMobileTest < ActionDispatch::IntegrationTest
|
|
setup do
|
|
@user = users(:empty)
|
|
sign_in(@user)
|
|
|
|
@oauth_app = Doorkeeper::Application.create!(
|
|
name: "Maybe Mobile App",
|
|
redirect_uri: "maybeapp://oauth/callback",
|
|
scopes: "read"
|
|
)
|
|
end
|
|
|
|
test "mobile oauth authorization with custom scheme redirect" do
|
|
get "/oauth/authorize", params: {
|
|
client_id: @oauth_app.uid,
|
|
redirect_uri: @oauth_app.redirect_uri,
|
|
response_type: "code",
|
|
scope: "read",
|
|
display: "mobile"
|
|
}
|
|
|
|
assert_response :success
|
|
|
|
# Check that Turbo is disabled in the form
|
|
assert_match(/data-turbo="false"/, response.body)
|
|
assert_match(/maybeapp:\/\/oauth\/callback/, response.body)
|
|
end
|
|
|
|
test "mobile oauth detects custom scheme in redirect_uri" do
|
|
get "/oauth/authorize", params: {
|
|
client_id: @oauth_app.uid,
|
|
redirect_uri: "maybeapp://oauth/callback",
|
|
response_type: "code",
|
|
scope: "read"
|
|
}
|
|
|
|
assert_response :success
|
|
|
|
# Should detect mobile flow from redirect_uri
|
|
assert_match(/data-turbo="false"/, response.body)
|
|
end
|
|
|
|
test "mobile oauth authorization flow completes successfully" do
|
|
post "/oauth/authorize", params: {
|
|
client_id: @oauth_app.uid,
|
|
redirect_uri: @oauth_app.redirect_uri,
|
|
response_type: "code",
|
|
scope: "read",
|
|
display: "mobile"
|
|
}
|
|
|
|
# Should redirect to the custom scheme
|
|
assert_response :redirect
|
|
assert response.location.start_with?("maybeapp://oauth/callback")
|
|
end
|
|
|
|
test "mobile oauth preserves display parameter through forms" do
|
|
get "/oauth/authorize", params: {
|
|
client_id: @oauth_app.uid,
|
|
redirect_uri: @oauth_app.redirect_uri,
|
|
response_type: "code",
|
|
scope: "read",
|
|
display: "mobile"
|
|
}
|
|
|
|
assert_response :success
|
|
|
|
# Check that display parameter is preserved in hidden fields
|
|
assert_match(/<input[^>]*name="display"[^>]*value="mobile"/, response.body)
|
|
end
|
|
end
|