
feat: browser-based OAuth via server-side relay with nonce#11

Merged
eskp merged 5 commits into main from fix/default-host-domain on Mar 13, 2026

Conversation


@eskp eskp commented Mar 13, 2026

Summary

  • Replace direct POST to Better Auth with server-side relay flow
  • CLI opens /cli-auth page in browser (same origin as Better Auth, no CORS/CF Access issues)
  • Server-side relay reads HttpOnly session cookie and redirects token to CLI callback
  • Cryptographic nonce threaded through entire flow to prevent relay URL forgery
  • Includes nonce validation test (bad nonce returns 403)

Test plan

  • All 21 Go tests pass (go test ./internal/auth/)
  • go build ./... succeeds
  • End-to-end test with kh auth login against staging (requires KeeperHub PR #562 deployed first)

eskp added 5 commits March 13, 2026 21:28

Better Auth's /sign-in/social is a POST endpoint returning a redirect
URL. The CLI was opening it as a GET URL in the browser, causing a 404.
Now POSTs to get the OAuth redirect URL, then opens that in the browser.

Replace direct POST to Better Auth with a server-side flow:
CLI opens /cli-auth page in the browser, which POSTs from the same
origin (avoiding CORS/CF Access issues). A relay endpoint reads the
HttpOnly session cookie and redirects to the CLI callback with the token.

A cryptographic nonce is threaded through the entire flow to prevent
relay URL forgery.

Switch kh auth login to use device code flow (RFC 8628) by default,
matching the pattern used by GitHub CLI. Browser OAuth is available
via --browser flag. Device flow avoids CORS, cookie, and Cloudflare
Access issues since the browser handles all server communication.

Also adds CF-Access header support to device code/token requests
for staging environments behind Cloudflare Access.

- Remove --browser flag (server-side relay page was never built)
- Delete oauth.go and oauth_test.go
- Move ReadTokenFromStdin to device.go
- Device flow is the only interactive auth method
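The device code flow the later commits switch to, as an added Go example that is not the kh code: a client that requests a device code, tells the user where to enter it, then polls the token endpoint as RFC 8628 prescribes, backing off on slow_down, retrying on authorization_pending, giving up once the code expires, and attaching Cloudflare Access service-token headers to every request when configured. It also treats a non-JSON reply as an error, which is how a Cloudflare Access challenge page presents itself to a client that forgot those headers. The Client type, the endpoint paths and the constructed fake server are assumptions; CF-Access-Client-Id and CF-Access-Client-Secret are Cloudflare's service-token header names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)
// reply decodes both the RFC 8628 section 3.2 device response and the section 3.5 token response.
type reply struct {
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`
	VerificationURI string `json:"verification_uri"`
	ExpiresIn       int    `json:"expires_in"`
	Interval        int    `json:"interval"`
	AccessToken     string `json:"access_token"`
	Error           string `json:"error"`
}
// Client is a hypothetical device-flow client: CFAccessID/CFAccessSecret go out as the Cloudflare
// Access service-token headers when set, and Sleep is injectable so the polling schedule can be seen.
type Client struct {
	TokenEndpoint, ClientID, CFAccessID, CFAccessSecret string
	Sleep                                               func(time.Duration)
}
// post sends a form-encoded request (sections 3.1 and 3.4) and decodes the JSON reply.
func (c *Client) post(endpoint string, form url.Values) (out reply, err error) {
	req, _ := http.NewRequest("POST", endpoint, strings.NewReader(form.Encode())) // endpoint is ours
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if c.CFAccessID != "" {
		req.Header.Set("CF-Access-Client-Id", c.CFAccessID)
		req.Header.Set("CF-Access-Client-Secret", c.CFAccessSecret)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return out, err
	}
	defer resp.Body.Close()
	// RFC 8628 errors come back as JSON; anything else means something in front of the server answered.
	if !strings.HasPrefix(resp.Header.Get("Content-Type"), "application/json") {
		return out, fmt.Errorf("%s: HTTP %d with non-JSON body", endpoint, resp.StatusCode)
	}
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out, err
}

// Poll follows sections 3.4 and 3.5: wait interval between polls, add 5 s after slow_down,
// retry on authorization_pending, stop on any other error or once the device code expires.
func (c *Client) Poll(da reply) (string, int, error) {
	interval := time.Duration(da.Interval) * time.Second
	deadline := time.Now().Add(time.Duration(da.ExpiresIn) * time.Second)
	form := url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:device_code"},
		"device_code": {da.DeviceCode}, "client_id": {c.ClientID}}
	for polls := 1; time.Now().Before(deadline); polls++ {
		c.Sleep(interval)
		tr, err := c.post(c.TokenEndpoint, form)
		if err != nil {
			return "", polls, err
		}
		switch tr.Error {
		case "":
			return tr.AccessToken, polls, nil
		case "authorization_pending":
		case "slow_down":
			interval += 5 * time.Second
		default:
			return "", polls, fmt.Errorf("device flow failed: %s", tr.Error)
		}
	}
	return "", 0, fmt.Errorf("device code expired before the user approved it")
}

// FakeAuthServer is a constructed stand-in for the authorization server, with canned token
// replies for a user who approves on the 4th poll after the server said slow_down on the 2nd.
func FakeAuthServer() *httptest.Server {
	replies := []string{`{"error":"authorization_pending"}`, `{"error":"slow_down"}`,
		`{"error":"authorization_pending"}`, `{"access_token":"tok_constructed"}`}
	polls := 0 // the client polls sequentially and stops at the token, so a plain counter suffices
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.URL.Path == "/device/code" {
			fmt.Fprint(w, `{"device_code":"dc_constructed","user_code":"WDJB-MJHT",`+
				`"verification_uri":"https://auth.example.test/device","expires_in":600,"interval":5}`)
			return
		}
		fmt.Fprint(w, replies[polls])
		polls++
	}))
}

func main() {
	ts := FakeAuthServer()
	defer ts.Close()
	c := &Client{TokenEndpoint: ts.URL + "/token", ClientID: "kh-cli", Sleep: time.Sleep}
	da, err := c.post(ts.URL+"/device/code", url.Values{"client_id": {c.ClientID}}) // section 3.1
	if err != nil {
		panic(err)
	}
	fmt.Printf("Open %s and enter code %s\n", da.VerificationURI, da.UserCode)
	fmt.Println(c.Poll(da)) // 5+5+10+10 s later: tok_constructed 4 <nil>
}
```

Against a real server the user code should be shown verbatim and the verification_uri_complete field, when present, offered as a clickable shortcut; the client never needs a browser origin, cookie or redirect of its own, which is what removes the CORS and Cloudflare Access problems the relay design ran into.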
@eskp eskp merged commit 8bbb5fb into main Mar 13, 2026
4 checks passed