OIDC

[kloenk]

What type of PR is this?

• feature

What this PR does / why we need it:

Implement OIDC login feature

Which issue(s) this PR fixes:

Fixes #6

Special notes for your reviewer:

(fill-in or delete this section)

Testing

(fill-in or delete this section)

Summary by CodeRabbit

• New Features

  • Introduced a search feature in the multiselect component, allowing users to filter options.
  • Added functionality for uploading and previewing images in the item creation modal.
  • Enhanced table component with dynamic header visibility and order management.

• Enhancements

  • Updated URLs in documentation and demo links for better accessibility.
  • Improved user onboarding with clearer installation and configuration instructions.
  • Enhanced localization support with new translations for multiple languages.

• Bug Fixes

  • Resolved issues with the visibility and rendering of table headers.

• Documentation

  • Added comprehensive guides for installation, configuration, and usage of new features.
  • Updated existing documentation to reflect recent changes and improvements.

• Chores

  • Updated dependencies to ensure compatibility with new features and enhancements.

[coderabbitai]

Walkthrough

Walkthrough

The recent changes primarily involve updates to various files across the codebase, focusing on enhancing scheduled tasks, improving documentation, updating dependencies, and refining user interface components. The modifications include changing cron job timings for Docker publishing, updating URLs in documentation, enhancing the Go module dependencies, and restructuring several components for improved styling and functionality. Additionally, new documentation files have been introduced to assist users in configuring and installing the application.

Changes

Files	Change Summary
.github/workflows/docker-publish-*.yaml	Updated cron job timing from 6:00 AM to 12:00 AM for daily Docker publishing.
README.md, docs/.vitepress/config.mts	Updated documentation and demo links to reflect the new domain https://homebox.software.
backend/go.mod	Upgraded Go version from 1.22 to 1.23.0 and updated several dependencies for improved performance and security.
backend/internal/core/services/reporting/io_sheet.go	Added Notes field to ReadItems method for enhanced data representation.
frontend/components/*.vue	Various components underwent styling adjustments and class reordering for improved readability and consistency.
docs/en/configure-homebox.md, docs/en/installation.md	Introduced new documentation files to guide users on configuration and installation processes.
frontend/locales/*.json	Added multiple localization files to support various languages, enhancing accessibility for non-English speakers.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Documentation
    participant DockerPublisher
    participant GoModule

    User->>Documentation: Access updated links
    Documentation->>User: Provide correct URLs
    User->>DockerPublisher: Trigger Docker publish
    DockerPublisher->>GoModule: Check updated dependencies
    GoModule-->>DockerPublisher: Confirm updates
    DockerPublisher-->>User: Complete publishing process

Loading

Assessment against linked issues

Objective	Addressed	Explanation
Add OIDC SSO Support (#6)	❌	No changes related to OIDC or SSO support were made.

Possibly related PRs

• update links #206: This PR updates URLs in documentation to reflect the new domain, relevant to the overall changes in the main PR.
• Update Documentation: Quick Start #221: Focuses on enhancing documentation for new users, aligning with the changes made in the current PR regarding documentation updates.

🎉 In the realm of code, changes take flight,
From Docker to docs, all polished and bright.
URLs updated, dependencies aligned,
A seamless experience, for all users designed.
With notes and guides, the path is now clear,
Homebox shines brighter, let's give a cheer! 🌟

Tip

OpenAI O1 model for chat

• We have deployed OpenAI's latest O1 model for chat.
• OpenAI claims that this model has superior reasoning capabilities than their GPT-4o model.
• Please share any feedback with us in the discussions post.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Caution

Inline review comments failed to post

Actionable comments posted: 10

Outside diff range, codebase verification and nitpick comments (6)

backend/app/api/providers/extractors.go (1)

58-94: Ensure consistency in error messages.

While the function is robust, consider making error messages consistent in style and detail.

// Example consistent error message
return oauthForm, errors.New("failed to parse OAuth form: invalid content type")

backend/internal/core/services/service_oauth.go (1)

120-173: Review User Registration Logic in CreateUser

The method handles user registration and group assignment. Ensure that the logic for creating groups and assigning roles is secure and follows best practices. Consider adding role-based access control checks.

// Consider implementing role-based access control for user creation

backend/internal/data/ent/oauth.go (2)

17-35: Review OAuth Entity Structure

The OAuth entity is well-defined with fields for provider and subject. Ensure that the Provider and Sub fields are indexed for efficient querying, especially if they are frequently used in lookups.

// Consider adding indexes to the Provider and Sub fields for better query performance

---

46-57: Enhance Error Messages in UserOrErr Method

The error messages returned when edges are not loaded or found could be more descriptive to aid in debugging and understanding the context of the error.

return nil, &NotLoadedError{edge: "user", message: "User edge not loaded or found"}

backend/internal/data/ent/user_create.go (2)

193-197: Ensure OAuth ID Validation

The AddOauthIDs method currently lacks explicit validation to ensure that the OAuth IDs correspond to existing entities in the database. It is advisable to implement a validation mechanism to verify the existence of these IDs before adding them. This will enhance the robustness and reliability of the system.

• Consider adding a check to confirm that each OAuth ID exists in the database before calling AddOauthIDs.

Analysis chain

OAuth ID Addition Logic.

The AddOauthIDs method adds OAuth relationships by ID. Confirm that IDs are validated and correspond to existing OAuth entities.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that OAuth IDs are validated before being added.

# Test: Search for `AddOauthIDs` usage. Expect: Validation logic in place.
rg --type go 'AddOauthIDs'

Length of output: 1308

---

Script:

#!/bin/bash
# Search for all instances where AddOauthIDs is called and examine the surrounding code for validation logic.
rg --type go 'AddOauthIDs' -A 5 -B 5

Length of output: 5437

---

199-206: OAuth Entity Validation Missing.

The AddOauth and AddOauthIDs methods do not currently include validation logic for OAuth entities. It is advisable to implement validation to ensure these entities are properly initialized before being added.

• Consider adding validation logic within the AddOauth method or before calling it to ensure OAuth entities are valid.

Analysis chain

OAuth Entity Addition Logic.

The AddOauth method adds OAuth entities directly. Ensure that these entities are properly initialized and validated.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that OAuth entities are validated before being added.

# Test: Search for `AddOauth` usage. Expect: Validation logic in place.
rg --type go 'AddOauth'

Length of output: 1900

---

Script:

#!/bin/bash
# Description: Search for the implementation of AddOauth and AddOauthIDs methods to check for validation logic.

# Search for the AddOauth method implementation in user_create.go
ast-grep --lang go --pattern $'func (uc *UserCreate) AddOauth(o ...*OAuth) *UserCreate {
  $$$
}' 

# Search for the AddOauthIDs method implementation in user_create.go
ast-grep --lang go --pattern $'func (uc *UserCreate) AddOauthIDs(ids ...uuid.UUID) *UserCreate {
  $$$
}' 

Length of output: 979

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 2a80d34 and 2d2a6b8.

Files ignored due to path filters (2)

• backend/go.sum is excluded by !**/*.sum
• backend/internal/data/migrations/migrations/atlas.sum is excluded by !**/*.sum

Files selected for processing (37)

• backend/app/api/providers/extractors.go (2 hunks)
• backend/app/api/providers/oauth.go (1 hunks)
• backend/app/api/routes.go (3 hunks)
• backend/go.mod (5 hunks)
• backend/internal/core/services/all.go (2 hunks)
• backend/internal/core/services/service_oauth.go (1 hunks)
• backend/internal/core/services/service_user.go (1 hunks)
• backend/internal/core/services/service_user_defaults.go (2 hunks)
• backend/internal/data/ent/client.go (11 hunks)
• backend/internal/data/ent/ent.go (2 hunks)
• backend/internal/data/ent/has_id.go (1 hunks)
• backend/internal/data/ent/hook/hook.go (1 hunks)
• backend/internal/data/ent/migrate/schema.go (3 hunks)
• backend/internal/data/ent/mutation.go (15 hunks)
• backend/internal/data/ent/oauth.go (1 hunks)
• backend/internal/data/ent/oauth/oauth.go (1 hunks)
• backend/internal/data/ent/oauth/where.go (1 hunks)
• backend/internal/data/ent/oauth_create.go (1 hunks)
• backend/internal/data/ent/oauth_delete.go (1 hunks)
• backend/internal/data/ent/oauth_query.go (1 hunks)
• backend/internal/data/ent/oauth_update.go (1 hunks)
• backend/internal/data/ent/predicate/predicate.go (1 hunks)
• backend/internal/data/ent/runtime.go (2 hunks)
• backend/internal/data/ent/schema/oauth.go (1 hunks)
• backend/internal/data/ent/schema/user.go (2 hunks)
• backend/internal/data/ent/tx.go (2 hunks)
• backend/internal/data/ent/user.go (3 hunks)
• backend/internal/data/ent/user/user.go (4 hunks)
• backend/internal/data/ent/user/where.go (2 hunks)
• backend/internal/data/ent/user_create.go (5 hunks)
• backend/internal/data/ent/user_query.go (8 hunks)
• backend/internal/data/ent/user_update.go (11 hunks)
• backend/internal/data/migrations/migrations/20240811221935_oidc.sql (1 hunks)
• backend/internal/data/repo/repo_group.go (1 hunks)
• backend/internal/data/repo/repo_oauth.go (1 hunks)
• backend/internal/data/repo/repo_users.go (1 hunks)
• backend/internal/data/repo/repos_all.go (2 hunks)

Files skipped from review due to trivial changes (3)

• backend/internal/data/ent/oauth/oauth.go
• backend/internal/data/ent/oauth_query.go
• backend/internal/data/repo/repo_users.go

Additional comments not posted (171)

backend/internal/data/ent/schema/oauth.go (5)

3-9: Imports are appropriate.

The imported packages are essential for defining the schema and utilizing ent features.

---

15-19: Mixin usage is correct.

The BaseMixin is appropriately included, likely adding common fields or functionality.

---

21-27: Field definitions are sound.

The fields provider and sub are necessary for OAuth and correctly specified as NotEmpty.

---

30-35: Edge definition is accurate.

The edge from OAuth to User is correctly defined as unique, indicating a one-to-one relationship.

---

38-41: Index definition is appropriate.

The index on provider and sub fields ensures uniqueness and efficient querying.

backend/internal/data/ent/has_id.go (1)

55-57: GetID method implementation is consistent.

The GetID method for OAuth is correctly implemented, aligning with similar methods for other entities.

backend/internal/data/repo/repos_all.go (2)

12-12: AllRepos struct modification is logical.

The addition of the OAuth field enhances the repository's ability to manage OAuth operations.

---

27-27: New function update is consistent.

The OAuth field is correctly initialized in the constructor, aligning with the initialization of other repositories.

backend/internal/data/ent/predicate/predicate.go (1)

45-46: Addition of OAuth predicate type looks good.

The introduction of the OAuth predicate type is consistent with the existing pattern and enhances query capabilities for OAuth-related operations.

backend/internal/core/services/all.go (2)

11-11: Integration of OAuthService into AllServices.

The addition of the OAuth field to the AllServices struct is a strategic enhancement, allowing for expanded service capabilities. This integration is well-aligned with the objective of supporting OIDC.

---

58-62: Verify the initialization of OAuthService.

The OAuthService is initialized with dependencies on repos and user. Ensure that these dependencies are correctly managed and that the OAuthService functions as expected.

Verification successful

---

Verification Complete: OAuthService Initialization and Usage

The OAuthService is correctly initialized with its dependencies, repos and user, and its methods are actively used across the codebase, ensuring proper functionality.

• Initialization: Verified in backend/internal/core/services/all.go.
• Method Usage: Methods such as Login, ValidateCode, LoginWithIdToken, CreateUserIdToken, and CreateUser are utilized within service_oauth.go and other parts of the application, confirming their integration.

The dependencies are managed correctly, and the service functions as expected. No issues found.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage and initialization of `OAuthService`.

# Test: Search for the instantiation and usage of `OAuthService` in the codebase. Expect: Proper initialization and usage.
rg --type go 'OAuthService'

Length of output: 1326

---

Script:

#!/bin/bash
# Description: Verify the usage of OAuthService methods in the codebase.

# Test: Search for the usage of OAuthService methods in the codebase.
rg --type go '(Login|ValidateCode|LoginWithIdToken|CreateUserIdToken|CreateUser)\('

Length of output: 2205

backend/internal/data/migrations/migrations/20240811221935_oidc.sql (1)

1-18: SQL Migration for OIDC Support.

The migration script effectively manages the creation of the oauths table and the modification of the users table. The use of foreign key constraints and indices aligns with best practices for data integrity and performance.

backend/internal/data/ent/schema/user.go (2)

38-39: Optional Password Field in User Schema.

The password field is now optional, which is a logical adjustment to accommodate OAuth-based authentication. Ensure that this change is reflected in all relevant user creation and update processes.

---

63-66: Addition of OAuth Edge in User Schema.

The new edge to the OAuth type enhances the schema's capability to manage OAuth associations. This is a crucial step in supporting OIDC functionality.

backend/app/api/providers/oauth.go (3)

16-20: Struct OAuthProvider is well-defined.

The struct encapsulates necessary components for OAuth operations effectively.

---

56-58: Function Name is correctly implemented.

The function returns the provider's name as expected.

---

60-67: Function Authenticate is correctly implemented.

The function effectively handles authentication using the OAuth service.

backend/internal/data/ent/oauth_delete.go (1)

1-88: Generated file oauth_delete.go is correctly implemented.

The file follows standard patterns for deletion logic and error handling, consistent with ent generated code.

backend/go.mod (4)

12-12: New OIDC Dependency Added: github.com/coreos/go-oidc/v3

The addition of this dependency is crucial for implementing OpenID Connect functionality, which aligns with the PR objectives of enhancing authentication capabilities. Ensure that this library is compatible with the existing codebase and that any new features are thoroughly tested.

Verification successful

---

OIDC Package Integration Verified

The integration of github.com/coreos/go-oidc/v3 is confirmed across multiple files, indicating its role in enhancing authentication capabilities via OpenID Connect. The package is used effectively for creating providers, setting scopes, and verifying tokens, aligning with the project's objectives. No issues found with its usage in the codebase.

• Files with OIDC usage:
  • backend/app/api/providers/oauth.go
  • backend/internal/core/services/service_oauth.go

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify usage of the newly added `github.com/coreos/go-oidc/v3` package.

# Test: Search for the usage of the `oidc` package. Expect: Relevant usage in the codebase.
rg --type go 'oidc\.' 

Length of output: 625

---

28-28: Dependency Update: golang.org/x/crypto

The update from v0.23.0 to v0.25.0 may include important security patches and performance improvements. Verify that the changes in this package do not introduce breaking changes or require modifications in the existing code.

Verification successful

---

Dependency Update: golang.org/x/crypto

The update from v0.23.0 to v0.25.0 appears to have no direct impact on the current codebase, as there are no direct imports or usage of golang.org/x/crypto detected. However, I recommend verifying any indirect dependencies that might utilize this package. Proceed with caution and ensure thorough testing.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify compatibility of `golang.org/x/crypto` update.

# Test: Check for any breaking changes or deprecated functions used in the codebase.
rg --type go 'crypto\.' 

Length of output: 25

---

Script:

#!/bin/bash
# Description: Search for imports of `golang.org/x/crypto` in the Go codebase.
rg --type go 'import\s+"golang.org/x/crypto'

Length of output: 46

---

42-42: New JWT Dependency Added: github.com/go-jose/go-jose/v4

This addition likely supports JSON Web Token operations, which are integral to OIDC implementations. Ensure that JWT handling is secure and aligns with best practices.

---

71-72: Dependency Updates: golang.org/x/net and golang.org/x/sys

Both packages have been updated, potentially bringing improvements and bug fixes. Ensure that these updates do not conflict with existing network or system operations within the application.

backend/internal/core/services/service_oauth.go (1)

68-93: Verify LoginWithIdToken Logic

The method checks if the Verifier is nil and handles the ID token. Ensure that the logic for creating a new user when not found is robust and secure. Consider logging the creation process for better traceability.

backend/internal/data/ent/oauth.go (1)

160-178: Confirm String Method Implementation

The String method provides a string representation of the OAuth entity. Ensure that sensitive information is not inadvertently exposed in logs or error messages.

backend/internal/core/services/service_user.go (1)

99-101: Refactored Label Creation: Ensure createDefaultLabels is robust.

The refactoring of label creation into createDefaultLabels enhances readability. However, ensure that this function handles all edge cases and errors gracefully.

Verification successful

---

Functionality Confirmed: createDefaultLabels Handles Errors Appropriately

The createDefaultLabels function in service_user_defaults.go logs the process and handles errors during label creation. Ensure that defaultLabels() provides valid data and that the repository's Create method is resilient to unexpected input or failures.

• File: backend/internal/core/services/service_user_defaults.go
• Function: createDefaultLabels

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the implementation of `createDefaultLabels`.

# Test: Locate the function definition and review its logic.
ast-grep --lang go --pattern $'func createDefaultLabels(ctx context.Context, repos *repo.AllRepos, groupID uuid.UUID) error {
  $$$
}'

Length of output: 135

---

Script:

#!/bin/bash
# Description: Search for the `createDefaultLabels` function definition in the Go codebase.

# Test: Locate any function named `createDefaultLabels`.
rg 'func createDefaultLabels' --type go -A 5

Length of output: 647

backend/internal/data/ent/tx.go (2)

186-186: Initialization Enhancement: Confirm OAuth Client Setup.

The init method now includes the initialization of the OAuth client. Confirm that this setup is consistent with other client initializations and that it doesn't introduce side effects.

---

39-40: OAuth Client Integration: Verify Initialization Logic.

The addition of the OAuth client to the Tx struct is a strategic enhancement. Ensure that NewOAuthClient is correctly implemented and handles configuration nuances.

Verification successful

Ah, it seems our initial probe didn't return the expected results. Let's widen our search parameters to ensure we capture any variations or related implementations of the OAuthClient. Allow me to run another diagnostic sweep.

---

OAuth Client Initialization Confirmed.

The NewOAuthClient function has been successfully located and verified. It is implemented in backend/internal/data/ent/client.go at line 2447. Ensure that this function is properly invoked during the Tx struct initialization to maintain seamless OAuth interactions.

• File: backend/internal/data/ent/client.go
• Line: 2447

Integration appears sound, but always wise to verify any configuration nuances. Proceed with confidence, and may your code be ever robust.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the implementation of `NewOAuthClient`.

# Test: Locate the function definition and review its logic.
ast-grep --lang go --pattern $'func NewOAuthClient(config Config) *OAuthClient {
  $$$
}'

Length of output: 90

---

Script:

#!/bin/bash
# Description: Search for any functions related to OAuthClient in the codebase.

# Test: Locate any function definitions that return an *OAuthClient.
ast-grep --lang go --pattern $'func $_($$$) *OAuthClient {
  $$$
}'

Length of output: 270

backend/internal/data/repo/repo_group.go (1)

280-282: New Method GroupByName: Validate Query Logic.

The GroupByName method enhances the repository's querying capabilities. Ensure the query logic is efficient and correctly maps the result.

backend/app/api/routes.go (2)

71-71: Renaming providers to providerList enhances clarity.

The new name better reflects the purpose as a list of authentication providers.

---

83-83: Ensure all references to providers are updated to providerList.

The change to providerList should be consistent across all usages to avoid potential errors.

Verification successful

---

The change to providerList is correctly applied. The providers package and the local variable providers in v1_ctrl_auth.go serve different purposes and should remain unchanged. The update to providerList in routes.go is appropriate for managing the list of authentication providers. No further changes are necessary.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify all references to `providers` are updated to `providerList`.

# Test: Search for occurrences of `providers`. Expect: No occurrences.
rg --type go 'providers'

Length of output: 947

---

Script:

#!/bin/bash
# Investigate the context of `providers` usage in `routes.go` and `v1_ctrl_auth.go`.

# Show surrounding lines for occurrences in routes.go
rg --type go -A 5 -B 5 'providers' backend/app/api/routes.go

# Show surrounding lines for occurrences in v1_ctrl_auth.go
rg --type go -A 5 -B 5 'providers' backend/app/api/handlers/v1/v1_ctrl_auth.go

Length of output: 1915

backend/internal/data/ent/user.go (3)

55-59: Integration of OAuth data into UserEdges is well-structured.

The addition of the Oauth field and the expansion of loadedTypes are consistent and enhance the model's capabilities.

---

93-100: OauthOrErr method follows established patterns effectively.

The method provides a consistent approach to handling OAuth data retrieval with error checking.

---

227-230: QueryOauth method enhances OAuth querying capabilities.

The method aligns with existing query patterns and improves the model's functionality.

backend/internal/data/ent/user/user.go (4)

43-44: Addition of OAuth-related constants is essential and well-structured.

The constants are necessary for integrating OAuth functionality within the user management system.

Also applies to: 68-74

---

247-252: ByOauthCount function adds valuable querying capabilities.

The function enhances the ability to order user data based on OAuth interactions.

---

254-259: ByOauth function aligns with existing patterns and enhances functionality.

The function allows for ordering based on specific OAuth terms, improving querying capabilities.

---

281-287: newOauthStep function is crucial for OAuth integration.

The function facilitates the creation of SQL graph steps for OAuth relationships, essential for the new functionality.

backend/internal/data/ent/oauth_create.go (10)

25-29: Functionality Verified: SetCreatedAt

The method correctly sets the "created_at" field using the mutation object. Well done.

---

31-37: Functionality Verified: SetNillableCreatedAt

The method appropriately checks for nil values before setting the "created_at" field. Good job.

---

39-43: Functionality Verified: SetUpdatedAt

The method correctly sets the "updated_at" field using the mutation object. Well done.

---

45-51: Functionality Verified: SetNillableUpdatedAt

The method appropriately checks for nil values before setting the "updated_at" field. Good job.

---

53-57: Functionality Verified: SetProvider

The method correctly sets the "provider" field using the mutation object. Well done.

---

59-63: Functionality Verified: SetSub

The method correctly sets the "sub" field using the mutation object. Well done.

---

103-107: Functionality Verified: Save

The method effectively saves the OAuth entity, applying defaults and hooks as expected. Excellent implementation.

---

147-171: Validation Confirmed: check

The method performs necessary validation checks on required fields, ensuring data integrity. Great work.

---

174-194: SQL Operation Verified: sqlSave

The method handles SQL save operations with proper error handling for constraint violations. Well executed.

---

197-239: Specification Creation Verified: createSpec

The method constructs the SQL graph specification accurately, ensuring proper entity definition. Excellent work.

backend/internal/data/ent/hook/hook.go (1)

160-166: Mutation Method Confirmed: OAuthFunc.Mutate

The method properly checks the mutation type and executes the function, with error handling for unexpected types. Well implemented.

backend/internal/data/ent/oauth/where.go (7)

14-57: ID Predicate Functions Verified

The ID predicate functions are correctly implemented for various query operations. Well done.

---

59-117: CreatedAt Predicate Functions Verified

The CreatedAt predicate functions are correctly implemented for various query operations. Excellent implementation.

---

119-157: UpdatedAt Predicate Functions Verified

The UpdatedAt predicate functions are correctly implemented for various query operations. Great work.

---

159-222: Provider Predicate Functions Verified

The Provider predicate functions are correctly implemented for various query operations. Well executed.

---

224-287: Sub Predicate Functions Verified

The Sub predicate functions are correctly implemented for various query operations. Excellent job.

---

289-310: User Edge Predicate Functions Verified

The User edge predicate functions are correctly implemented for edge-based query operations. Well done.

---

312-325: Logical Predicate Functions Verified

The logical predicate functions are correctly implemented for combining predicates. Excellent work.

backend/internal/data/ent/oauth_update.go (6)

1-2: Generated Code Notice.

This file is generated by Ent. Manual edits may be overwritten.

---

33-37: Ensure Correctness of SetUpdatedAt.

The SetUpdatedAt method correctly updates the updated_at field. Ensure that the timestamp provided is accurate and consistent across the application.

---

133-146: Validation Logic Confirmation.

The check method validates fields using external validators. Ensure these validators are comprehensive and cover all edge cases.

---

148-208: SQL Update Logic Review.

The sqlSave method constructs and executes the SQL update operation. The logic appears sound, but ensure that all predicates and edge cases are handled correctly.

---

39-43: Verify SetProvider Logic.

The SetProvider method sets the provider field. Ensure that the provider string is validated elsewhere to prevent invalid entries.

Verification successful

---

Validation of SetProvider Logic Confirmed. The SetProvider method is safeguarded by a ProviderValidator function, ensuring that the provider string is validated before any save operation. This effectively prevents invalid entries. No further action is required.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that the `SetProvider` method is used with valid provider strings.

# Test: Search for `SetProvider` usage. Expect: Validation logic in place.
rg --type go 'SetProvider'

Length of output: 1225

---

Script:

#!/bin/bash
# Search for validation logic related to the provider field in OAuthUpdate and related classes.
rg --type go 'provider' -A 10

Length of output: 38421

---

125-131: Check Default Value Logic for UpdatedAt.

The defaults method ensures UpdatedAt is set if not provided. Verify that oauth.UpdateDefaultUpdatedAt() returns a sensible default.

Verification successful

---

Default Value Logic for UpdatedAt Verified

The UpdateDefaultUpdatedAt function is set up to return a sensible default value, likely the current time, through a schema descriptor in the runtime.go file. This setup is typical for timestamp fields. No further action is needed.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the default value logic for `UpdatedAt`.

# Test: Search for `UpdateDefaultUpdatedAt` function. Expect: Sensible default value.
ast-grep --lang go --pattern 'func UpdateDefaultUpdatedAt() time.Time { $$$ }'

Length of output: 80

---

Script:

#!/bin/bash
# Use ripgrep to search for the definition of the UpdateDefaultUpdatedAt function.
rg 'func UpdateDefaultUpdatedAt' --context 5

Length of output: 46

---

Script:

#!/bin/bash
# Use ripgrep to search for any function related to UpdatedAt.
rg 'UpdatedAt' --context 5

Length of output: 434941

---

Script:

#!/bin/bash
# Use ripgrep to search for the implementation details of the UpdateDefaultUpdatedAt function.
rg 'func UpdateDefaultUpdatedAt' -A 10

Length of output: 40

---

Script:

#!/bin/bash
# Search for assignments or initializations of the UpdateDefaultUpdatedAt variable.
rg 'UpdateDefaultUpdatedAt\s*=\s*' -A 5

Length of output: 8539

backend/internal/data/ent/user_create.go (2)

435-450: Check OAuth Edge Construction.

The createSpec method constructs edges for OAuth relationships. Ensure that these edges are correctly defined and that the relationships are valid.

---

74-80: Review SetNillablePassword Method.

The SetNillablePassword method allows optional password setting. Ensure that this aligns with security policies and does not inadvertently allow empty passwords.

backend/internal/data/ent/ent.go (2)

27-27: OAuth Package Integration.

The inclusion of the OAuth package signifies expanded functionality. Ensure that all OAuth-related logic is correctly integrated and tested.

---

101-101: Validate oauth.Table Mapping.

The addition of oauth.Table to the column check mapping ensures OAuth table validation. Confirm that this does not conflict with existing validation logic.

backend/internal/data/ent/user/where.go (4)

364-367: Functionality Approved: PasswordIsNil

The implementation for checking if the password is nil is correct and consistent with existing patterns. Well done.

---

369-372: Functionality Approved: PasswordNotNil

The implementation for checking if the password is not nil is correct and consistent with existing patterns. Well executed.

---

543-552: Functionality Approved: HasOauth

The implementation for checking the existence of related OAuth records is correct and consistent with existing patterns. Good job.

---

554-564: Functionality Approved: HasOauthWith

The implementation for checking related OAuth records with additional predicates is correct and consistent with existing patterns. Excellent work.

backend/internal/data/ent/migrate/schema.go (3)

401-409: Schema Approved: OauthsColumns

The columns for the "oauths" table are well-defined, providing necessary fields for OAuth data management. The nullable user_oauth column is a thoughtful addition for flexibility.

---

411-430: Schema Approved: OauthsTable

The "oauths" table is well-structured, with a primary key, foreign key, and an index for efficient querying. Excellent design for managing OAuth relationships.

---

430-438: Schema Modification Approved: UsersColumns

The modification to make the password field nullable is a logical step towards supporting OAuth-authenticated users without passwords. Well-considered change.

backend/internal/data/ent/user_query.go (4)

33-33: Field Addition Approved: withOauth

The addition of the withOauth field in UserQuery aligns with existing patterns and supports OAuth querying effectively.

---

137-157: Method Approved: QueryOauth

The QueryOauth method is well-implemented, enabling effective chaining of queries on the "oauth" edge. This enhances the query capabilities for OAuth data.

---

394-403: Method Approved: WithOauth

The WithOauth method is well-implemented, allowing for eager loading of OAuth nodes with optional configurations. This adds significant flexibility to OAuth queries.

---

638-668: Function Approved: loadOauth

The loadOauth function is well-implemented, ensuring correct loading and assignment of OAuth relationships. This function is crucial for managing OAuth data effectively.

backend/internal/data/ent/mutation.go (77)

27-27: Import Addition Approved.

The addition of the oauth package import is necessary for the new OAuth functionalities.

---

53-53: Type Declaration Approved.

The introduction of the TypeOAuth constant is appropriate for identifying OAuth entities.

---

10675-10690: Struct Definition Approved.

The OAuthMutation struct is well-structured, encapsulating necessary fields for OAuth operations. Ensure thorough testing of its methods.

---

10698-10709: Function Implementation Approved.

The newOAuthMutation function correctly initializes an OAuthMutation and applies provided options.

---

10712-10730: Function Implementation Approved.

The withOAuthID function correctly sets the ID and defines a mechanism to retrieve old values.

---

10734-10740: Function Implementation Approved.

The withOAuth function correctly sets the old OAuth node for the mutation.

---

10745-10749: Function Implementation Approved.

The Client function correctly initializes and returns a new ent.Client.

---

10753-10760: Function Implementation Approved.

The Tx function correctly returns a transactional client if applicable.

---

10764-10766: Function Implementation Approved.

The SetID function correctly sets the ID for the mutation.

---

10770-10775: Function Implementation Approved.

The ID function correctly returns the ID value if it exists.

---

10781-10794: Function Implementation Approved.

The IDs function correctly queries the database for entity IDs based on the mutation's predicate.

---

10797-10799: Function Implementation Approved.

The SetCreatedAt function correctly sets the "created_at" field.

---

10802-10808: Function Implementation Approved.

The CreatedAt function correctly returns the value of the "created_at" field if it exists.

---

10813-10825: Function Implementation Approved.

The OldCreatedAt function correctly retrieves the old "created_at" value, handling errors appropriately.

---

10828-10830: Function Implementation Approved.

The ResetCreatedAt function correctly resets changes to the "created_at" field.

---

10833-10835: Function Implementation Approved.

The SetUpdatedAt function correctly sets the "updated_at" field.

---

10838-10844: Function Implementation Approved.

The UpdatedAt function correctly returns the value of the "updated_at" field if it exists.

---

10849-10861: Function Implementation Approved.

The OldUpdatedAt function correctly retrieves the old "updated_at" value, handling errors appropriately.

---

10864-10866: Function Implementation Approved.

The ResetUpdatedAt function correctly resets changes to the "updated_at" field.

---

10869-10871: Function Implementation Approved.

The SetProvider function correctly sets the "provider" field.

---

10874-10880: Function Implementation Approved.

The Provider function correctly returns the value of the "provider" field if it exists.

---

10885-10897: Function Implementation Approved.

The OldProvider function correctly retrieves the old "provider" value, handling errors appropriately.

---

10900-10902: Function Implementation Approved.

The ResetProvider function correctly resets changes to the "provider" field.

---

10905-10907: Function Implementation Approved.

The SetSub function correctly sets the "sub" field.

---

10910-10916: Function Implementation Approved.

The Sub function correctly returns the value of the "sub" field if it exists.

---

10921-10933: Function Implementation Approved.

The OldSub function correctly retrieves the old "sub" value, handling errors appropriately.

---

10936-10938: Function Implementation Approved.

The ResetSub function correctly resets changes to the "sub" field.

---

10941-10943: Function Implementation Approved.

The SetUserID function correctly sets the "user" edge to the User entity by id.

---

10946-10948: Function Implementation Approved.

The ClearUser function correctly clears the "user" edge to the User entity.

---

10951-10953: Function Implementation Approved.

The UserCleared function correctly reports if the "user" edge was cleared.

---

10956-10961: Function Implementation Approved.

The UserID function correctly returns the "user" edge ID if it exists.

---

10966-10971: Function Implementation Approved.

The UserIDs function correctly returns the "user" edge IDs for internal use.

---

10974-10977: Function Implementation Approved.

The ResetUser function correctly resets changes to the "user" edge.

---

10980-10982: Function Implementation Approved.

The Where function correctly appends predicates to the OAuthMutation builder.

---

10986-10992: Function Implementation Approved.

The WhereP function correctly appends storage-level predicates to the OAuthMutation builder.

---

10995-10997: Function Implementation Approved.

The Op function correctly returns the operation type.

---

11000-11002: Function Implementation Approved.

The SetOp function correctly sets the mutation operation.

---

11005-11007: Function Implementation Approved.

The Type function correctly returns the node type of the mutation.

---

11012-11027: Function Implementation Approved.

The Fields function correctly returns all fields that were changed during the mutation.

---

11032-11044: Function Implementation Approved.

The Field function correctly returns the value of a field with the given name if it exists.

---

11049-11061: Function Implementation Approved.

The OldField function correctly retrieves the old value of the field, handling errors appropriately.

---

11066-11098: Function Implementation Approved.

The SetField function correctly sets the value of a field, handling type mismatches appropriately.

---

11102-11104: Function Implementation Approved.

The AddedFields function correctly returns an empty slice as no numeric fields are handled.

---

11109-11111: Function Implementation Approved.

The AddedField function correctly returns nil as no numeric fields are handled.

---

11116-11120: Function Implementation Approved.

The AddField function correctly handles unknown fields by returning an error.

---

11124-11126: Function Implementation Approved.

The ClearedFields function correctly returns an empty slice as no nullable fields are handled.

---

11130-11133: Function Implementation Approved.

The FieldCleared function correctly checks if a field was cleared in the mutation.

---

11137-11139: Function Implementation Approved.

The ClearField function correctly handles unknown fields by returning an error.

---

11143-11159: Function Implementation Approved.

The ResetField function correctly resets known fields and handles unknown fields by returning an error.

---

11162-11168: Function Implementation Approved.

The AddedEdges function correctly returns all edge names that were set/added in the mutation.

---

11172-11180: Function Implementation Approved.

The AddedIDs function correctly retrieves added IDs for known edges.

---

11183-11186: Function Implementation Approved.

The RemovedEdges function correctly returns an empty slice as no edges are removed.

---

11190-11192: Function Implementation Approved.

The RemovedIDs function correctly returns nil as no IDs are removed.

---

11195-11201: Function Implementation Approved.

The ClearedEdges function correctly returns all edge names that were cleared in the mutation.

---

11205-11211: Function Implementation Approved.

The EdgeCleared function correctly checks if an edge was cleared in the mutation.

---

11215-11222: Function Implementation Approved.

The ClearEdge function correctly clears known edges and handles unknown edges by returning an error.

---

11226-11233: Function Implementation Approved.

The ResetEdge function correctly resets known edges and handles unknown edges by returning an error.

---

11259-11261: Struct Modifications Approved.

The modifications to UserMutation correctly incorporate OAuth-related fields, enhancing its capabilities.

---

11547-11550: Function Implementation Approved.

The ClearPassword function correctly clears the "password" field.

---

11553-11556: Function Implementation Approved.

The PasswordCleared function correctly checks if the "password" field was cleared.

---

11561-11563: Function Implementation Approved.

The ResetPassword function correctly resets all changes to the "password" field.

---

11869-11876: Function Implementation Approved.

The AddOauthIDs function correctly adds the "oauth" edge to the OAuth entity by IDs.

---

11879-11881: Function Implementation Approved.

The ClearOauth function correctly clears the "oauth" edge to the OAuth entity.

---

11884-11886: Function Implementation Approved.

The OauthCleared function correctly reports if the "oauth" edge was cleared.

---

11889-11897: Function Implementation Approved.

The RemoveOauthIDs function correctly removes the "oauth" edge to the OAuth entity by IDs.

---

11900-11905: Function Implementation Approved.

The RemovedOauthIDs function correctly returns the removed IDs of the "oauth" edge to the OAuth entity.

---

11908-11913: Function Implementation Approved.

The OauthIDs function correctly returns the "oauth" edge IDs in the mutation.

---

11916-11920: Function Implementation Approved.

The ResetOauth function correctly resets all changes to the "oauth" edge.

---

12139-12141: Function Implementation Approved.

The ClearedFields function correctly returns all fields that were cleared during the mutation.

---

12159-12161: Function Implementation Approved.

The ClearField function correctly clears known fields and handles unknown fields by returning an error.

---

Line range hint 12206-12218:
Function Implementation Approved.

The AddedEdges function correctly returns all edge names that were set/added in the mutation.

---

12243-12247: Function Implementation Approved.

The AddedIDs function correctly retrieves added IDs for known edges.

---

12254-12263: Function Implementation Approved.

The RemovedEdges function correctly returns all edge names that were removed in the mutation.

---

12284-12288: Function Implementation Approved.

The RemovedIDs function correctly retrieves removed IDs for known edges.

---

Line range hint 12295-12307:
Function Implementation Approved.

The ClearedEdges function correctly returns all edge names that were cleared in the mutation.

---

12321-12322: Function Implementation Approved.

The EdgeCleared function correctly checks if an edge was cleared in the mutation.

---

12351-12353: Function Implementation Approved.

The ResetEdge function correctly resets known edges and handles unknown edges by returning an error.

backend/internal/data/ent/user_update.go (12)

193-197: Method AddOauthIDs is functioning optimally.

The method efficiently adds OAuth IDs to the user mutation, ensuring seamless integration with the existing logic. Well executed.

---

199-206: Method AddOauth is operating as intended.

The conversion of OAuth objects to IDs is handled with precision, and the subsequent addition to the mutation is flawless. Excellent work.

---

261-265: Method ClearOauth performs admirably.

The clearing of OAuth edges is executed with precision, ensuring a clean slate for OAuth relationships. Well done.

---

267-271: Method RemoveOauthIDs is executed flawlessly.

The targeted removal of OAuth IDs is precise and integrates seamlessly with the mutation logic. Excellent implementation.

---

273-280: Method RemoveOauth is functioning optimally.

The conversion of OAuth objects to IDs and their subsequent removal is handled with precision. Well executed.

---

507-551: Mutation logic for OAuth is integrated seamlessly.

The handling of OAuth relationships during save operations is precise and robust, ensuring data integrity. Excellent work.

---

729-733: Method AddOauthIDs in UserUpdateOne is functioning optimally.

The addition of OAuth IDs to a single user mutation is executed with precision. Well done.

---

735-742: Method AddOauth in UserUpdateOne is operating as intended.

The conversion of OAuth objects to IDs and their addition to the mutation is flawless. Excellent implementation.

---

797-801: Method ClearOauth in UserUpdateOne performs admirably.

The clearing of OAuth edges is executed with precision, ensuring a clean slate for OAuth relationships. Well done.

---

803-807: Method RemoveOauthIDs in UserUpdateOne is executed flawlessly.

The targeted removal of OAuth IDs is precise and integrates seamlessly with the mutation logic. Excellent implementation.

---

809-816: Method RemoveOauth in UserUpdateOne is functioning optimally.

The conversion of OAuth objects to IDs and their subsequent removal is handled with precision. Well executed.

---

1073-1117: Mutation logic for OAuth in UserUpdateOne is integrated seamlessly.

The handling of OAuth relationships during save operations is precise and robust, ensuring data integrity. Excellent work.

backend/internal/data/ent/runtime.go (6)

20-20: OAuth package imported successfully.

The integration of the OAuth package into the data structure is executed flawlessly. Well done.

---

553-574: Default values for OAuth schema fields are correctly assigned.

The default values for created_at, updated_at, and id fields are set with precision, ensuring consistent data initialization. Excellent work.

---

563-566: Provider field validator is correctly implemented.

The validator for the provider field ensures data integrity with precision. Well executed.

---

567-570: Sub field validator is correctly implemented.

The validator for the sub field ensures data integrity with precision. Well executed.

---

571-574: Default ID value for OAuth schema is correctly assigned.

The default value for the id field is set with precision, ensuring consistent data initialization. Excellent work.

---

548-574: OAuth schema integration into runtime configuration is seamless.

The integration aligns perfectly with the application's schema requirements, enhancing functionality with precision. Well done.

Comments failed to post (10)

backend/internal/core/services/service_user_defaults.go

62-79: Enhance error handling and logging.

The createDefaultLabels function could benefit from more detailed error handling and logging. Consider logging the specific label or location that caused an error to improve traceability. Additionally, consider wrapping errors with additional context using a package like fmt.Errorf.

if err != nil {
	log.Error().Err(err).Msgf("failed to create label: %v", label)
	return fmt.Errorf("failed to create label %s: %w", label.Name, err)
}

Similarly, apply this pattern to the locations creation loop.

backend/internal/data/repo/repo_oauth.go

62-62: Address the TODO comment.

The TODO comment indicates that the functionality for deleting connections and checking for existing connections is incomplete. Consider implementing this logic or tracking it in a dedicated issue to ensure it is not overlooked.

Would you like me to draft the logic for this functionality or open a GitHub issue to track it?

---

28-40: Enhance error handling in GetUserFromToken.

Consider providing more context in the error returned by GetUserFromToken to improve debugging. For example, you could wrap the error with additional information about the provider and subject.

if err != nil {
	return UserOut{}, fmt.Errorf("failed to get user for provider %s and subject %s: %w", provider, sub, err)
}

---

42-60: Improve error handling in Create.

Enhance the error handling in the Create method by wrapping the error with context about the operation being performed. This will aid in debugging and understanding the source of the error.

if err != nil {
	return OAuth{}, fmt.Errorf("failed to create OAuth entry for provider %s and subject %s: %w", create.Provider, create.Subject, err)
}

backend/app/api/providers/oauth.go

22-54: Consider implementing fallback logic for environment variables.

The TODO comment indicates missing fallback mechanisms for environment variables if no well-known URL is supported. This could enhance robustness.

// Example fallback logic
if clientId == "" || clientSecret == "" || redirectUri == "" {
  // Implement fallback or default configurations
}

backend/app/api/routes.go

74-79: Consider improving error handling for OAuth provider creation.

Using panic for error handling is not recommended in production code as it can crash the application. Consider logging the error and failing gracefully.

if err != nil {
	log.Printf("Error creating OAuth provider: %v", err)
	return
}

backend/internal/core/services/service_oauth.go

43-49: Ensure Proper Error Handling in Login Method

The Login method relies on ValidateCode for user authentication. Ensure that any errors returned are logged appropriately to aid in debugging and monitoring. Consider adding more detailed logging for failure scenarios.

if err != nil {
	log.Err(err).Msg("Failed to validate code during login")
	return UserAuthTokenDetail{}, ErrorInvalidLogin
}

---

52-66: Improve Error Handling in ValidateCode Method

The current implementation uses a panic statement, which is not ideal for handling errors gracefully. Consider implementing a fallback mechanism or a more informative error message.

if !ok {
	log.Warn().Msg("ID token verification failed; consider fallback to user info")
	// Implement fallback logic here
	return repo.UserOut{}, errors.New("ID token verification failed")
}

---

95-118: Security Consideration in CreateUserIdToken

Ensure that the email verification status is checked before creating a user. This prevents the creation of accounts with unverified emails, enhancing security.

if !claims.EmailVerified {
	return repo.UserOut{}, errors.New("email not verified")
}

backend/internal/data/ent/oauth.go

79-129: Ensure Type Safety in assignValues Method

The method assigns values from SQL rows to the OAuth fields. Ensure that all type assertions are safe and consider logging any type mismatches for easier debugging.

if value, ok := values[i].(*uuid.UUID); !ok {
	log.Err(fmt.Errorf("unexpected type %T for field id", values[i])).Msg("Type assertion failed")
	return fmt.Errorf("unexpected type %T for field id", values[i])
}

[tankerkiller125]

In regards to Azure AD/Google Workspaces OIDC the commit on this project shows some of the things that had to be adjusted to make those work: documenso/documenso@70eeb1a

It's a different project and a different language, but it should be fairly easy to port anything needed to Go/VueJS

[katosdev]

Thanks for your PR @kloenk and apologies for the delays on this one.

I have a few comments to add:

• provider, iss, and code appear to be directly passed to the api.loginOauth method without any validation or sanitization. These inputs should be validated to avoid issues like injection attacks (e.g., SQL Injection or Command Injection) or usage of unintended OAuth providers.

• Cookies should be marked as Secure (only transmitted over HTTPS), and HttpOnly (not accessible via JavaScript). Additionally, use the SameSite attribute to protect against CSRF attacks: useCookie(AuthContext.cookieTokenKey, { secure: true, httpOnly: true, sameSite: 'Strict' })

• We should use input validation to ensure that provider, iss, code, and state meet expected formats.

• We also should use a validation of the redirectTo value to ensure that redirection is only allowed to to safe, trusted domains within the application. This could be done through a whitelist, or anything that matches *.{currentdomain}

[tankerkiller125]

Just a thought on the Secure Cookies thing, some users may not proxy their HomeLab, while I would normally agree, that might cause issues? Maybe it should be something that can be set in the config/environment?

[katosdev]

Just a thought on the Secure Cookies thing, some users may not proxy their HomeLab, while I would normally agree, that might cause issues? Maybe it should be something that can be set in the config/environment?

Have been thinking about this myself, I think an environment variable is the way forward. Can then do the same for allowed hosts instead of allowing open redirects too

[katosdev]

Hey! Sorry @kloenk for the delays on this one.
Are you able to rebase your branch please and we will get this one reviewed and merged ASAP. There are a couple of bits we'd like to get implemented with this, and then hopefully we should be good to go!

[tankerkiller125]

This should not be hardcoded? We need to make sure that this is configurable.