
feat(oauth): browser-based consent page for daemonized servers#190

Merged
danieljustus merged 1 commit into main from session/20260522-115018 on May 22, 2026

Conversation

@danieljustus danieljustus commented May 22, 2026

Bundles fixes for multiple open issues. The list below grows as commits land; every linked issue will close automatically on merge.

When the OAuth authorize handler runs without a TTY (e.g. as a LaunchAgent
or systemd service), it previously returned interaction_required as JSON,
leaving users with no recovery path.

Now it renders an HTML consent page where the user can enter their vault
passphrase to prove human presence. The passphrase is verified by attempting
to open the vault — the same secret that gates the vault root, so no new
trust material is introduced.

On successful passphrase verification, the authorization code is minted and
the user is redirected to the client's redirect_uri exactly as in the TTY
flow. On failure, the consent page is re-rendered with an error message.

This preserves the #21 security property: token issuance still requires
active human action (knowing the vault passphrase), while making the OAuth
DCR flow usable in daemon deployments.

Changes:
- handleOAuthAuthorize: detects no-TTY condition and renders HTML consent page
- handleOAuthConfirm: new POST handler that verifies passphrase via vault open
- consent page: clean HTML form with client info and passphrase input
- CSRF protection: uses the OAuth state parameter

Closes #188
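The two handlers the description lists, written here as an added example in Go (not the project's code; the page does not name its language, so Go is an assumption): the pending request is keyed by the client's `state`, so the confirm POST can only succeed with the state the authorize request registered, the passphrase is checked through a stand-in `vaultOpen` stub, and a code is minted only after that check passes. The in-memory store, the stub and the HTML form are constructed for the example.

```go
package main
import (
	"crypto/rand"
	"encoding/hex"
	"html/template"
	"net/http"
	"net/url"
	"sync"
)

// Constructed in-memory store of authorize requests awaiting consent, keyed by the OAuth state; the confirm POST must echo it, which is what lets the state act as the CSRF token.
type pendingAuth struct{ ClientID, RedirectURI string }
var pending sync.Map // state -> pendingAuth
// vaultOpen stands in for the project's vault-open call (stub for this example; the real check opens the vault).
var vaultOpen = func(passphrase string) bool { return passphrase == "correct-horse" }
// html/template escapes ClientID and Err, so client-registered strings cannot inject markup into the page.
var consentPage = template.Must(template.New("consent").Parse(`<form method="post" action="/oauth/confirm"><p>{{.ClientID}} requests access.</p>
{{if .Err}}<p>{{.Err}}</p>{{end}}<input type="hidden" name="state" value="{{.State}}"><input type="password" name="passphrase"><button>Approve</button></form>`))

// No-TTY branch of authorize: park the request and render the consent page; redirect_uri is assumed to have been validated against the client's DCR registration before this point.
func handleOAuthAuthorize(w http.ResponseWriter, r *http.Request) {
	clientID, state := r.FormValue("client_id"), r.FormValue("state")
	if state == "" { // an empty state would be a guessable CSRF token
		http.Error(w, "state is required", http.StatusBadRequest)
		return
	}
	pending.Store(state, pendingAuth{clientID, r.FormValue("redirect_uri")})
	consentPage.Execute(w, map[string]string{"ClientID": clientID, "State": state})
}

// Mints a code only after the passphrase opens the vault; the pending entry is consumed on success, so a replayed POST, or one carrying a state nobody registered, gets nothing.
func handleOAuthConfirm(w http.ResponseWriter, r *http.Request) {
	state := r.FormValue("state")
	v, ok := pending.Load(state)
	if r.Method != http.MethodPost || !ok { // POST only: a passphrase must never travel in a URL
		http.Error(w, "unknown or expired authorization request", http.StatusBadRequest)
		return
	}
	p := v.(pendingAuth)
	if !vaultOpen(r.FormValue("passphrase")) { // wrong passphrase: re-render with an error, issue nothing
		consentPage.Execute(w, map[string]string{"ClientID": p.ClientID, "State": state, "Err": "Incorrect passphrase."})
		return
	}
	pending.Delete(state)
	code := make([]byte, 16) // 128-bit random authorization code
	rand.Read(code)
	u, _ := url.Parse(p.RedirectURI)
	q := u.Query() // keep any query the client registered, then append code and state
	q["code"], q["state"] = []string{hex.EncodeToString(code)}, []string{state}
	u.RawQuery = q.Encode()
	http.Redirect(w, r, u.String(), http.StatusFound)
}
```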
@danieljustus danieljustus force-pushed the session/20260522-115018 branch from 79565b4 to 42a5ddb May 22, 2026 10:08
@danieljustus danieljustus marked this pull request as ready for review May 22, 2026 10:18
Copilot AI review requested due to automatic review settings May 22, 2026 10:18
@danieljustus danieljustus merged commit 1876f1a into main May 22, 2026
19 of 20 checks passed
@danieljustus danieljustus deleted the session/20260522-115018 branch May 22, 2026 10:18

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Development

Successfully merging this pull request may close these issues.

OAuth consent works only with TTY — daemonized server cannot complete DCR flow
