cba0bdf0e2
- Configure Doorkeeper to allow custom URL schemes (maybeapp://) - Disable force_ssl_in_redirect_uri to support non-HTTPS schemes - Add custom Doorkeeper views with mobile OAuth detection - Disable Turbo for mobile OAuth flows to prevent redirect interference - Add display parameter preservation through OAuth flow - Create custom Doorkeeper layouts with proper styling - Add comprehensive integration tests for mobile OAuth flows - Ensure all OAuth pages use proper doorkeeper/application layout This allows the mobile app to complete OAuth authorization flows without the web app interfering with custom URL scheme redirects. 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
76 lines
2.0 KiB
Ruby
76 lines
2.0 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require "test_helper"
|
|
|
|
class OauthMobileTest < ActionDispatch::IntegrationTest
|
|
setup do
|
|
@user = users(:empty)
|
|
sign_in(@user)
|
|
|
|
@oauth_app = Doorkeeper::Application.create!(
|
|
name: "Maybe Mobile App",
|
|
redirect_uri: "maybeapp://oauth/callback",
|
|
scopes: "read"
|
|
)
|
|
end
|
|
|
|
test "mobile oauth authorization with custom scheme redirect" do
|
|
get "/oauth/authorize", params: {
|
|
client_id: @oauth_app.uid,
|
|
redirect_uri: @oauth_app.redirect_uri,
|
|
response_type: "code",
|
|
scope: "read",
|
|
display: "mobile"
|
|
}
|
|
|
|
assert_response :success
|
|
|
|
# Check that Turbo is disabled in the form
|
|
assert_match(/data-turbo="false"/, response.body)
|
|
assert_match(/maybeapp:\/\/oauth\/callback/, response.body)
|
|
end
|
|
|
|
test "mobile oauth detects custom scheme in redirect_uri" do
|
|
get "/oauth/authorize", params: {
|
|
client_id: @oauth_app.uid,
|
|
redirect_uri: "maybeapp://oauth/callback",
|
|
response_type: "code",
|
|
scope: "read"
|
|
}
|
|
|
|
assert_response :success
|
|
|
|
# Should detect mobile flow from redirect_uri
|
|
assert_match(/data-turbo="false"/, response.body)
|
|
end
|
|
|
|
test "mobile oauth authorization flow completes successfully" do
|
|
post "/oauth/authorize", params: {
|
|
client_id: @oauth_app.uid,
|
|
redirect_uri: @oauth_app.redirect_uri,
|
|
response_type: "code",
|
|
scope: "read",
|
|
display: "mobile"
|
|
}
|
|
|
|
# Should redirect to the custom scheme
|
|
assert_response :redirect
|
|
assert response.location.start_with?("maybeapp://oauth/callback")
|
|
end
|
|
|
|
test "mobile oauth preserves display parameter through forms" do
|
|
get "/oauth/authorize", params: {
|
|
client_id: @oauth_app.uid,
|
|
redirect_uri: @oauth_app.redirect_uri,
|
|
response_type: "code",
|
|
scope: "read",
|
|
display: "mobile"
|
|
}
|
|
|
|
assert_response :success
|
|
|
|
# Check that display parameter is preserved in hidden fields
|
|
assert_match(/<input[^>]*name="display"[^>]*value="mobile"/, response.body)
|
|
end
|
|
end
|