@netliam netliam commented Nov 23, 2025

Implements feature outlined here

OIDC Launch URL

Summary by CodeRabbit

  • New Features
    • Added an OAuth launch flow component and standalone launch page to start authentication.
    • Exposed the launch component for reuse across the app.
    • Added a dedicated route for OAuth launch handling.
    • Shows user-facing status and displays error notifications during the auth flow.


CLAassistant commented Nov 23, 2025

CLA assistant check
All committers have signed the CLA.


coderabbitai bot commented Nov 23, 2025

Walkthrough

Adds OAuth launch functionality: a new OAuthLaunchComponent and page to orchestrate OAuth flows (native and web), exposes the component via the auth barrel file, and registers a new desktop route at /oauth/launch.

Changes

Cohort / File(s) and summary:
  • Auth barrel export (packages/frontend/core/src/components/affine/auth/index.ts): Re-exports OAuthLaunchComponent from ./oauth-launch-component to expose it publicly.
  • OAuth launch component (packages/frontend/core/src/components/affine/auth/oauth-launch-component.tsx): New React component implementing OAuth flow orchestration: initializes services (ServerService, UrlService, AuthService), observes login status, handles provider flow with BUILD_CONFIG.isNative branching (native preflight + scheme vs web URL), uses useAsyncCallback, shows success toast, and accepts onAuthenticated and redirectUrl props.
  • OAuth launch page (packages/frontend/core/src/desktop/pages/auth/oauth-launch.tsx): New page component handling OAuth redirect flow and errors, extracts redirect_uri, shows toast on error, closes popup or navigates after auth, and exports a wrapper rendered in AffineOtherPageLayout.
  • Router entry (packages/frontend/core/src/desktop/router.tsx): Adds a child route '/oauth/launch' with a lazy import of ./pages/auth/oauth-launch (webpackChunkName: "auth").

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant App as App (Web/Native)
    participant AuthSvc as AuthService
    participant Popup as OAuth Popup
    participant Provider as OAuth Provider

    User->>App: Start OAuth (OAuthLaunchComponent)
    App->>AuthSvc: log sign-in event
    alt Native build
        App->>AuthSvc: preflight OAuth / get client scheme
        App->>Popup: open popup with native scheme
    else Web build
        App->>App: build OAuth URL (provider, redirect_uri)
        App->>Popup: open popup window with URL
    end

    Popup->>Provider: Redirect to provider
    Provider->>Popup: Redirect back with code/state
    Popup->>AuthSvc: finalize authentication (exchange code)
    AuthSvc-->>Popup: return session status
    Popup->>App: notify authenticated (useLiveData/redirect)
    App->>User: show success toast / close or navigate to redirect_uri

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Areas to focus on:
    • Native vs. web branching and error handling in oauth-launch-component.tsx
    • Service initialization and useLiveData interactions
    • Redirect URL resolution and popup close/navigation logic in desktop/pages/auth/oauth-launch.tsx
    • Router lazy-load entry and chunk naming consistency

Poem

🐰 I hopped into OAuth's bright glen,
Opened popups, then closed them again,
Native schemes and web URLs in tune,
A toast for success beneath the moon,
Hooray — the flow returns home soon!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'feat: oidc launch url' clearly and concisely summarizes the main change—implementing an OIDC launch URL feature. It directly relates to the additions across multiple files that implement OAuth launch flow handling.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1d9fe3b and c53ba26.

📒 Files selected for processing (4)
  • packages/frontend/core/src/components/affine/auth/index.ts (1 hunks)
  • packages/frontend/core/src/components/affine/auth/oauth-launch-component.tsx (1 hunks)
  • packages/frontend/core/src/desktop/pages/auth/oauth-launch.tsx (1 hunks)
  • packages/frontend/core/src/desktop/router.tsx (1 hunks)
🔇 Additional comments (2)
packages/frontend/core/src/components/affine/auth/index.ts (1)

1-1: Barrel export for OAuthLaunchComponent looks correct

Re-exporting from ./oauth-launch-component is consistent with the existing auth barrel pattern and safely exposes the new component.

packages/frontend/core/src/desktop/router.tsx (1)

153-157: New /oauth/launch route wiring matches existing auth routes

Path, lazy import, and "auth" chunk naming align with /oauth/login and /oauth/callback; no routing concerns from this addition.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (1)
packages/frontend/core/src/desktop/pages/auth/oauth-launch.tsx (1)

43-60: Consider validating redirectUrl before navigation.

The redirectUrl originates from the redirect_uri query parameter (line 24) and is passed directly to navigate() without validation. While React Router may handle some edge cases, validating that the URL is a safe internal path (e.g., starts with / or matches an allowlist) would strengthen security posture and prevent potential navigation to unexpected destinations.

Consider adding validation before navigation:

  const handleAuthenticated = useCallback(
    (status: AuthSessionStatus) => {
      if (status === 'authenticated') {
        if (redirectUrl) {
          if (redirectUrl.toUpperCase() === 'CLOSE_POPUP') {
            window.close();
            return;
          }
+         // Validate redirectUrl is an internal path
+         if (!redirectUrl.startsWith('/')) {
+           console.warn('Invalid redirect URL, falling back to index');
+           handleClose();
+           return;
+         }
          navigate(redirectUrl, {
            replace: true,
          });
        } else {
          handleClose();
        }
      }
    },
    [handleClose, navigate, redirectUrl]
  );
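
Review bot: The `!redirectUrl.startsWith('/')` test in the added block accepts any value that begins with `//` or `/\`, which a browser resolves as a reference to another host rather than an internal path, so the "internal path" guarantee in the comment is not met. Reject a second leading slash or backslash as well, or resolve the value against `window.location.origin` and compare origins before calling `navigate(redirectUrl, { replace: true })`.
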
🧹 Nitpick comments (1)
packages/frontend/core/src/components/affine/auth/oauth-launch-component.tsx (1)

87-87: Consider enhancing the UI for better user feedback.

The current UI is minimal with just a heading. While functional, adding a loading spinner or more polished styling could improve the user experience during the OAuth flow.

Example enhancement:

- return <h1>Logging in with OIDC</h1>;
+ return (
+   <div style={{ textAlign: 'center', padding: '2rem' }}>
+     <h1>Logging in with OIDC</h1>
+     <p>Please wait while we redirect you...</p>
+     {/* Add loading spinner component here */}
+   </div>
+ );
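
Review bot: The strings in the replacement JSX, `Logging in with OIDC` and `Please wait while we redirect you...`, are hard-coded English, whereas the error toast in oauth-launch.tsx is noted in this review as internationalized. Pass both through the same translation helper, and replace the placeholder `{/* Add loading spinner component here */}` with the actual component or drop it before merging.
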
📥 Commits

Reviewing files that changed from the base of the PR and between c53ba26 and 264bcd9.

📒 Files selected for processing (2)
  • packages/frontend/core/src/components/affine/auth/oauth-launch-component.tsx (1 hunks)
  • packages/frontend/core/src/desktop/pages/auth/oauth-launch.tsx (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (2)
packages/frontend/core/src/desktop/pages/auth/oauth-launch.tsx (3)
packages/frontend/core/src/components/hooks/use-navigate-helper.ts (1)
  • useNavigateHelper (24-268)
packages/frontend/core/src/modules/cloud/entities/session.ts (1)
  • AuthSessionStatus (39-42)
packages/frontend/core/src/components/affine/auth/oauth-launch-component.tsx (1)
  • OAuthLaunchComponent (13-88)
packages/frontend/core/src/components/affine/auth/oauth-launch-component.tsx (5)
packages/frontend/core/src/modules/cloud/entities/session.ts (1)
  • AuthSessionStatus (39-42)
packages/common/infra/src/framework/react/index.tsx (1)
  • useService (15-17)
packages/frontend/core/src/modules/url/services/url.ts (1)
  • UrlService (6-58)
packages/frontend/core/src/components/hooks/affine-async-hooks.ts (1)
  • useAsyncCallback (18-30)
packages/backend/server/src/base/error/def.ts (1)
  • UserFriendlyError (63-166)
🔇 Additional comments (13)
packages/frontend/core/src/desktop/pages/auth/oauth-launch.tsx (6)

1-13: LGTM!

Imports are well-organized and appropriate for the OAuth launch page functionality.


15-24: LGTM!

Component setup is clean with appropriate fallback from props to query parameters for the redirect URL.


26-35: LGTM!

Error handling via toast notification is implemented correctly with proper internationalization support.


37-41: LGTM!

The handleClose callback correctly uses replace navigation and preserves search parameters.


62-68: LGTM!

Component render structure is clean with proper callback wiring to the underlying OAuthLaunchComponent.


71-77: LGTM!

The wrapper Component follows the established pattern for desktop pages with appropriate layout composition.

packages/frontend/core/src/components/affine/auth/oauth-launch-component.tsx (7)

1-11: LGTM!

Imports are well-organized and cover all necessary dependencies for the OAuth launch flow.


13-24: LGTM!

Component setup correctly initializes services and tracks authentication status using the infra framework's reactive patterns.


26-27: LGTM!

The effectiveRedirectUrl is correctly computed without mutating the prop, providing a sensible default callback URL.


29-69: LGTM!

The onContinue callback properly handles both native and web OAuth flows with appropriate error handling for the native case and correct URL construction for the web case.


71-71: LGTM!

The hard-coded OIDC provider aligns with the PR objectives for implementing OIDC Launch URL functionality.


73-81: LGTM!

The status effect correctly handles authentication success notification and parent callback invocation without re-triggering the OAuth flow.


83-85: LGTM!

The launch effect is properly separated to initiate the OAuth flow once on mount, preventing duplicate popup windows on status changes.
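
The `redirect_uri` validation recommended in the review of oauth-launch.tsx above, written out as an added example (not code from the PR or from AFFiNE). `resolveRedirect`, `RedirectDecision` and the `app.example.test` origin are hypothetical; the check goes beyond a bare `startsWith('/')` test by also refusing protocol-relative, backslash and control-character forms.

```typescript
// Added example: hypothetical helper, not code from the PR or from AFFiNE.
type RedirectDecision =
  | { kind: 'close-popup' }
  | { kind: 'navigate'; path: string }
  | { kind: 'fallback'; reason: string };

// Sentinel taken from the review's snippet; everything else here is assumed.
const CLOSE_POPUP = 'CLOSE_POPUP';

function resolveRedirect(
  raw: string | null | undefined,
  appOrigin: string
): RedirectDecision {
  if (!raw) return { kind: 'fallback', reason: 'empty' };
  if (raw.toUpperCase() === CLOSE_POPUP) return { kind: 'close-popup' };

  // Browsers drop tab/newline inside URLs and treat "\" like "/", so a value
  // containing them can parse differently from how it reads. Refuse them.
  if (/[\u0000-\u0020\u007f\\]/.test(raw)) {
    return { kind: 'fallback', reason: 'forbidden character' };
  }
  // "/path" is internal; "//host/path" is a reference to another host.
  if (!raw.startsWith('/') || raw.startsWith('//')) {
    return { kind: 'fallback', reason: 'not an internal path' };
  }
  // Defence in depth: resolve against our own origin and compare.
  let resolved: URL;
  try {
    resolved = new URL(raw, appOrigin);
  } catch {
    return { kind: 'fallback', reason: 'unparseable' };
  }
  if (resolved.origin !== new URL(appOrigin).origin) {
    return { kind: 'fallback', reason: 'cross-origin' };
  }
  // Hand the router only the path, query and fragment, never a full URL.
  return {
    kind: 'navigate',
    path: resolved.pathname + resolved.search + resolved.hash,
  };
}

// Constructed sample values; app.example.test stands in for the real origin.
const SAMPLES = ['/workspace/42?tab=all', '//other.example/x', 'close_popup'];
for (const s of SAMPLES) {
  console.log(s, '->', resolveRedirect(s, 'https://app.example.test').kind);
}
```

A caller would map `fallback` to the page's existing `handleClose()` path and log the `reason` for later review.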

codecov bot commented Dec 7, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.49%. Comparing base (bcc892c) to head (2a6e9f7).
⚠️ Report is 7 commits behind head on canary.

Additional details and impacted files
@@            Coverage Diff             @@
##           canary   #14008      +/-   ##
==========================================
- Coverage   57.15%   56.49%   -0.67%     
==========================================
  Files        2757     2757              
  Lines      137728   137728              
  Branches    21155    21019     -136     
==========================================
- Hits        78724    77809     -915     
- Misses      56776    58201    +1425     
+ Partials     2228     1718     -510     
Flag Coverage Δ
server-test 77.00% <ø> (-1.46%) ⬇️
unittest 31.97% <ø> (-0.01%) ⬇️


@netliam netliam changed the title from "Implement: OIDC Launch URL" to "implement: oidc launch url" on Dec 7, 2025
@netliam netliam changed the title from "implement: oidc launch url" to "feat: oidc launch url" on Dec 7, 2025