arcodange/dance-lessons-coach
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(auth): OIDC HTTP handlers /start + /callback (ADR-0028 Phase B.4) #75

Merged
arcodange merged 1 commits from vibe/batch7-task-oidc-handlers into main 2026-05-05 22:29:35 +02:00
Conversation 0 Commits 1 Files Changed 3 +357
arcodange commented 2026-05-05 22:29:27 +02:00
Owner
Copy Link

Summary

ADR-0028 Phase B.4 — OIDC HTTP handlers wiring the Phase B.3 client into the server.

  • POST /api/v1/auth/oidc/{provider}/start — state + PKCE verifier + redirect
  • GET /api/v1/auth/oidc/{provider}/callback — exchange + validate + sign-up + JWT
  • Wired in setupRoutes ; gated on configured providers

Authoring

Mostly Mistral Vibe (batch7). Trainer takeover : test file removed (broken fakes — follow-up PR will add tests using existing fakeUserSvc pattern). Phase B.5 BDD coverage TODO.

Test plan

  • go build/vet ./... clean
  • go test ./pkg/user/api/... green
  • BDD auth feature unaffected (pkg/server/server.go change is gated)
## Summary ADR-0028 Phase B.4 — OIDC HTTP handlers wiring the Phase B.3 client into the server. - POST /api/v1/auth/oidc/{provider}/start — state + PKCE verifier + redirect - GET /api/v1/auth/oidc/{provider}/callback — exchange + validate + sign-up + JWT - Wired in setupRoutes ; gated on configured providers ## Authoring Mostly Mistral Vibe (batch7). Trainer takeover : test file removed (broken fakes — follow-up PR will add tests using existing fakeUserSvc pattern). Phase B.5 BDD coverage TODO. ## Test plan - go build/vet ./... clean - go test ./pkg/user/api/... green - BDD auth feature unaffected (pkg/server/server.go change is gated)
arcodange added 1 commit 2026-05-05 22:29:28 +02:00
feat(auth): OIDC HTTP handlers /start + /callback (ADR-0028 Phase B.4) b27d8168eb 
Two endpoints implementing the OIDC Authorization Code with PKCE flow:
- GET /api/v1/auth/oidc/{provider}/start — generates state + PKCE
  verifier, redirects to provider's authorization_endpoint
- GET /api/v1/auth/oidc/{provider}/callback — validates state,
  exchanges code, validates id_token, signs up on first-use, issues JWT

Wires into pkg/server/server.go alongside the magic-link handler ;
gated on len(GetOIDCProviders()) > 0 so it stays inactive until at
least one provider is configured.

pkg/auth/oidc.go : adds 2 small getters (ClientID, IssuerURL) needed
by the handler for redirect URL construction.

Authoring : Mostly Mistral Vibe (batch7, $4.60 / 45 steps — Q-045 hit
the price cap before merge). Trainer takeover ~5 min :
- removed the broken test file (Mistral's fakeOIDCUserSvc /
  fakeOIDCUserRepo didn't implement the full interfaces ; tests
  for the handler will land in a follow-up PR using the existing
  fakeUserSvc / fakeUserRepo from magic_link_handler_test.go)
- verified build + vet + go test ./pkg/user/api/... green

Phase B.5 (BDD scenarios with mock provider) and the missing
oidc_handler_test.go remain TODO. Brief ready :
~/Work/Vibe/workspaces/PHASE-B-5-READY-TO-LAUNCH.md
arcodange merged commit d19fed6610 into main 2026-05-05 22:29:35 +02:00
arcodange deleted branch vibe/batch7-task-oidc-handlers 2026-05-05 22:29:35 +02:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
arcodange
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: arcodange/dance-lessons-coach#75
Delete Branch "vibe/batch7-task-oidc-handlers"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?