feat: connect planner via OAuth 2.1 / OIDC

[mroderick]

Summary

Connect the auth service to the planner via OAuth 2.1 / OIDC using Better Auth's built-in oauthProvider and jwt plugins. The planner acts as a first-party OAuth client.

Commits

Commit	Description
chore: add @better-auth/oauth-provider and @playwright/test dependencies	Add @better-auth/oauth-provider runtime dep, bump better-auth to 1.6.20, add @playwright/test dev dep
feat: add JWT and OAuth provider plugins with login flow, seeding, and tests	Core feature: Better Auth config with jwt/oauthProvider/magicLink plugins, OAuth authorize login flow, PKCE seeding, test infrastructure with schema isolation, 49 new unit/integration tests
ci: add CI pipeline and Playwright e2e test for OAuth flow	CI workflow with parallel test groups + e2e Playwright job testing full magic link OAuth flow
docs: add architecture documentation covering OAuth 2.1 flows	Architecture doc with sequence diagrams for GitHub OAuth and Magic Link flows

Changes

Auth configuration (src/auth.js)

• Add jwt() plugin — issues id_tokens with email and name claims for the planner (RS256)
• Add oauthProvider() plugin — exposes OAuth 2.1 authorize/token endpoints (/api/auth/oauth2/*)
• Add account.skipStateCookieCheck: true — cross-site OAuth callback compatibility
• Add trustedOrigins with localhost + auth base URL

Config (src/config.js)

• Add AUTH_DEFAULT_PORT and PLANNER_DEFAULT_PORT constants
• Add planner_redirect_uris and allowed_redirects from PLANNER_REDIRECT_URIS env var (comma-separated, supports multiple environments)

Login flow (src/app/routes/auth.js, src/app/components/login.js)

• Replace redirect_url-based flow with callbackURL pointing to the OAuth authorize endpoint
• Extract named route handlers (showLogin, showMagicLinkForm, sendMagicLink, startGitHubOAuth)
• getCallbackURL preserves OAuth query params (PKCE, state, etc.) from the authorize request
• GitHub and magic link buttons now POST/GET with callbackURL

Database seeding

• src/app/db/seed-client.js — inserts the planner OAuth client via raw SQL with ON CONFLICT DO UPDATE for idempotency. Accepts redirect URIs as JSON array via $1::jsonb. Validates schemaName to prevent SQL injection.
• scripts/migrate.js — runs migrations and seeds the planner client
• scripts/heroku-release.sh — runs node scripts/migrate.js on every deploy

Dev test helpers

• src/dev/magic-links.js — captures sent magic links when SENDGRID_API_KEY is unset
• src/app/app.js — exposes /api/test/magic-links GET/DELETE in non-production, magic link endpoint localhost-restricted

CI

• Add e2e job running Playwright after unit tests
• Use chromium-headless-shell for smaller download
• Add permissions: contents: read at workflow level

Documentation

• docs/architecture.md — architecture overview with sequence diagrams, environment layout, env vars, and operational details

Testing

158 unit tests, 0 failures. New tests cover:

• OAuth provider: planner client seeded correctly (public, PKCE-required, redirect URIs as JSON array)
• Authorize endpoint: redirects unauthenticated users to login, issues code when authenticated
• Token endpoint: exchanges code for access token with PKCE, rejects missing/invalid PKCE, invalid code, mismatched redirect_uri
• Integration: full flow — authenticate -> authorize -> exchange code -> verify JWT via JWKS
• E2E (Playwright): unauthenticated authorize -> login -> magic link -> verify -> authorize -> code

[till]

Maybe pull these into another pr to fix?

[mroderick]

@till, would you mind reviewing this one?

[till]

I started, but I need to look more.

[till]

Maybe pull these into another pr to fix?

[till]

I don't understand these changes.

[mroderick]

Yeah, that was really not well implemented.
I added an e2e test, but the workflow file took a beating in the process. I've added a commit, that makes the final diff read well.
Once review is complete, I'll rebase the confusion away.

[mroderick]

I have deployed both PRs for planner and auth to Heroku, in order to verify things in staging before we merge the PRs.

I also reviewed the PRs against OWASP top 10 for 2025, and fixed the few minor things that surfaced.

This unfortunately meant that I had to make some changes since I originally marked this as ready for review. I chose to rewrite the git history, in order to make the PRs easier to follow ... i.e. without any side quests. They should read fairly linearly now.

---

Testing on Heroku

To verify the OAuth 2.1 flow end-to-end:

Flow A: Sign in with GitHub

1. Open https://codebar-staging.herokuapp.com/ — confirm the app loads
2. Navigate to https://codebar-staging.herokuapp.com/auth/codebar << this is not linked in the UI, we'll only do that, once it is proven to work in production
3. Observe you're redirected to https://auth.codebar.io/login?... with OAuth params
   (client_id=planner, response_type=code, code_challenge=..., state=...) in the URL
4. Click "Sign In with GitHub" — authenticate with your GitHub account
5. Observe you're redirected back to the staging app, signed in

Flow B: Sign in with Magic Link

1. Clear all cookies for *.codebar.io and *.herokuapp.com to start fresh
2. Navigate to https://codebar-staging.herokuapp.com/auth/codebar again
3. Observe you're redirected to https://auth.codebar.io/login?...
4. Enter your email address and click "Send Magic Link"
5. Check your inbox for the magic link email from auth-noreply@codebar.io
6. Click the link in the email
7. Observe you're redirected back to the staging app, signed in

If something goes wrong

Check the staging app logs:

  heroku logs --tail -a codebar-staging

OAuth errors from the planner side show as (codebar) Authentication failure! <error_type>. The auth
app is already in production — let us know if you need access to its logs too.

[till]

This is a lot. But LMK, what you think, not hard no's on anything. I will have a look again.

[till]

It already serves profile, logout and I think link/unlink capabilities today. Those will stay around.

[mroderick]

You're right. That sentence is misleading.

I've pushed a better version in 1a4ed9f

[till]

Just curious, why would we not use admin-api?

[mroderick]

It requires a user session, so we would have create the OAuth client using the endpoint after the code has been deployed.

That seemed a bit clunky to me, so I opted for a simpler solution.

Admittedly, getting all this working in Heroku had a few other steps that were clumsy to me, so in the grand scheme of things, it wouldn't have added that much more.

[till]

Maybe this should be somewhere else, like in the utlities. This will is pretty large already.

[mroderick]

Sure. I've extracted it to a different file in afbcbac

[till]

Similar, maybe spin them out to another file.

[mroderick]

You're right. I've created another fixup commit: 7e02c87

[till]

This should be more obvious, e.g. not rely on apiKey to be set (which could be a mistake), but instead use the same environment guard.

[mroderick]

I agree. fixup in 7c8fed6

[till]

Does the auth app have a staging? Otherwise, how would this work.

[mroderick]

It doesn't have a staging environment. The allowed redirect uris are in PLANNER_REDIRECT_URIS.

It is explained in the architecture doc, which is easy to overlook.

I've added a comment in a fixup commit 6977b55

[till]

I'd put this into a helper and make it more descriptive. But the params repeats itself.

Maybe generally, I haven't look at it all in detail, but it could use some test helpers for all the tests.

[mroderick]

That's a good point.

I've created another fixup for this in 37e1b9a

[till]

🥳

[till]

The issue is closed and from last year, is this even applicable?

[mroderick]

⚠️ Written by my synthetic assistant ⚠️

---

Good catch on the issue being old and about a different problem. I investigated whether it's still needed, and it is. Here's what I found:

The account.skipStateCookieCheck option controls a second signed cookie check in parseGenericState's database strategy. The state is already validated against the verification table — the cookie is a redundant additional check that sets a __Secure-better-auth.state cookie (SameSite=Lax, httpOnly) and verifies it on callback.

This fails in the GitHub OAuth flow (user signs in with GitHub on the login page) because Cloudflare strips __Secure- prefix cookies on ingress. The same issue is present behind Heroku's router. The database verification passes fine, but the cookie check throws "State mismatch" before the user ever reaches the oauthProvider flow.

The option is not deprecated — it's still wired in v1.6.20 (create-context.mjs:130), and even Better Auth's own oauth-proxy plugin hardcodes skipStateCookieCheck: true when parsing state for cross-domain flows.

I updated the ponytail comment to explain this properly and dropped the stale issue link.

[till]

Could also fetch this in config and re-use it here. So the code is not using process.env everywhere?

[mroderick]

⚠️ Written in collaboration with my synthetic assistant ⚠️

---

Good call. We had three raw process.env.NODE_ENV references across auth.js and app.js. After the other fixups (environment guards in sendMagicLink and trustedOrigins), this was the last one that couldn't be derived from config values.

I added isProduction: process.env.NODE_ENV === "production" to src/config.js and replaced all three process.env.NODE_ENV checks with appConfig.isProduction / !appConfig.isProduction. The changes are in 9cb7eb9.

The only remaining direct process.env reads in the app code are the env vars that are genuinely per-environment config (database URLs, API keys, etc.) — those are already centralised through getter functions in config.js.