fix(auth): use the guild OAuth app for header login on custom domains (#150)
Merged
On a custom domain the header "Log in" button pointed at the absolute primary URL (appBaseUrl), so it always ran the GLOBAL MSK Forms OAuth app and showed the MSK Forms consent screen, even when the guild had its own Discord app configured. The public form login link was already relative and host-aware; only the header bypassed it.

- Header login is now host-aware: on a custom domain whose guild has its own OAuth app (resolveHostOAuth != null) the login link is relative, so the host-aware login route uses the guild app and lands the session on the custom domain. Without an own app it still points to the primary host (state cookie / callback must be same-origin). Dashboard link unchanged (still primary-only).
- Make the silent primary fallback diagnosable: log when a custom domain has no usable per-guild OAuth, and specifically when a stored secret is present but cannot be decrypted (the dashboard marks "Active" on presence alone).
Problem (customer report)

Customer configured their own per-guild Discord OAuth app (Client ID + secret, redirect URL) on their custom domain urlap.atlasroleplay.hu. Dashboard shows Active, but login still lands on the MSK Forms OAuth consent screen instead of the guild's own app.

Root cause

The header "Log in" button builds its href from the absolute primary URL on custom domains:

So clicking it on the custom domain goes straight to https://forms.msk-scripts.de/api/auth/discord/login → host = primary → global MSK Forms app. This was intentional before per-guild OAuth (#146), since the dashboard/state-cookie live on primary, but it bypasses the guild's own app. The public form login link is already relative + host-aware and works; only the header was wrong.

Fix

resolveHostOAuth(host) != null), the login link is relative, so the host-aware login route uses the guild app and establishes the session on the custom domain. Without an own app it still points to primary (state cookie + callback must be same-origin). Dashboard link unchanged (primary-only).

Notes

- No schema/env change.
- typecheck green. If the customer still lands on MSK Forms after this, the new `[guild-oauth] … could not be decrypted` / `[oauth-login] no per-guild OAuth for host` PM2 log lines will pinpoint whether it's a bad secret or an unverified domain.
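The host-aware header link and the two diagnostics the PR describes, as an added example that is not the project's own code. It assumes a resolver shaped like `resolveHostOAuth(host)` returning a guild app or null, a decrypt function that throws on a bad blob, and a constructed table of sample hosts; the `GuildOAuthApp` type, `usableGuildOAuth`, `toyDecrypt` and `headerLoginHref` are illustrative names, not identifiers from the repository.

```typescript
// Added example (not the project's code): a minimal host-aware header login link
// plus the two diagnostics described in the PR. All names below (GuildOAuthApp,
// the HOST_APPS sample table, toyDecrypt, usableGuildOAuth) are assumptions.

interface GuildOAuthApp {
  clientId: string;
  // Stored ciphertext of the client secret. Presence alone does not prove it is
  // usable; decrypting it is the real check.
  encryptedSecret: string | null;
}

type Decrypt = (ciphertext: string) => string; // throws on wrong key / corrupt blob
type Log = (message: string) => void;

const APP_BASE_URL = "https://forms.msk-scripts.de"; // primary origin named in the PR
const LOGIN_PATH = "/api/auth/discord/login";

// Constructed sample data: custom host -> per-guild app, or null when none is
// configured (an unverified domain looks the same to the resolver).
const HOST_APPS: Record<string, GuildOAuthApp | null> = {
  "urlap.atlasroleplay.hu": { clientId: "111", encryptedSecret: "enc:ok" },
  "broken.example": { clientId: "222", encryptedSecret: "enc:corrupt" },
  "nooauth.example": null,
};

function resolveHostOAuth(host: string): GuildOAuthApp | null {
  return HOST_APPS[host] ?? null;
}

// Stand-in for real secret decryption: only the "enc:ok" blob decrypts.
const toyDecrypt: Decrypt = (ciphertext) => {
  if (ciphertext === "enc:ok") return "client-secret";
  throw new Error("authentication tag mismatch");
};

// Returns the guild app only if it exists AND its secret decrypts. This, rather
// than mere presence of a secret, is what an "Active" badge should be based on.
function usableGuildOAuth(
  host: string,
  log: Log,
  resolve: (h: string) => GuildOAuthApp | null = resolveHostOAuth,
  decrypt: Decrypt = toyDecrypt,
): GuildOAuthApp | null {
  const app = resolve(host);
  if (app === null || app.encryptedSecret === null) {
    log(`[oauth-login] no per-guild OAuth for host ${host}; falling back to primary`);
    return null;
  }
  try {
    decrypt(app.encryptedSecret);
    return app;
  } catch (err) {
    log(`[guild-oauth] secret for ${host} could not be decrypted: ${(err as Error).message}`);
    return null;
  }
}

// Header "Log in" href. Relative on a custom domain with a usable guild app (the
// host-aware login route then picks the guild app and the session lands on that
// host); otherwise the absolute primary URL, because the state cookie and the
// callback must stay same-origin with the primary host.
function headerLoginHref(
  host: string,
  log: Log = console.log,
  resolve: (h: string) => GuildOAuthApp | null = resolveHostOAuth,
  decrypt: Decrypt = toyDecrypt,
): string {
  const primaryHost = new URL(APP_BASE_URL).host;
  if (host !== primaryHost && usableGuildOAuth(host, log, resolve, decrypt) !== null) {
    return LOGIN_PATH;
  }
  return `${APP_BASE_URL}${LOGIN_PATH}`;
}
```

On the primary host itself the link stays absolute, matching the pre-fix behaviour; the relative form is only emitted when the custom domain's guild app actually passes the decrypt check, so a stale or wrongly re-keyed secret falls back to primary with a `[guild-oauth]` line instead of silently showing the wrong consent screen.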