root/smart-home-server

Fork: 0

root / smart-home-server

History for smart-home-server / server / SHServ / Integrations / GAuth

2026-06-07	e90acee Browse files » Phase 1 auth security hotfixes: cookie-based session, bearer checks, router guard sync ... - Remove access_token from OAuth callback URL (token leak fix) - Add sanitizeReturnTo() to prevent open redirect on login/callback - Add Bearer token expiration check in resolve_user_by_bearer() - Add user status check in load_user_by_id() (block inactive/banned) - Cache authStore.init() promise to prevent race condition - Await auth init in router beforeEach guard - Remove URL token parsing from main.js and LoginPage - Remove hasTokenInUrl workaround from client.js 401 handler Eugene Sukhodolskiy committed 9 hours ago
2026-06-06	568f25e Browse files » Fix UserResolver: use ThinBuilder::insert() return value ... ThinBuilder::insert() already returns lastInsertId(). Calling lastInsertId() as a separate method does not exist. Eugene Sukhodolskiy committed 23 hours ago
	402e195 Browse files » Fix auth session persistence: add credentials:include to fetch and session_start to auth flow ... - http.js: add credentials: 'include' to fetch() so cookies are sent with every API request (fixes /auth/me returning 401 after callback) - AuthControllerTrait::resolve_user(): ensure session_start() before reading - AuthController::callback(): ensure session_start() before writing - AuthService::handleCallback(): defer DB token persistence until local user ID is resolved; store temp token data in session - UserResolver: fix lastInsertId() method name, remove avatarUrl() call (use profile array instead) This fixes the loop where user was redirected back to /login after successful OAuth callback because PHP session cookie was not sent with the /auth/me request. Eugene Sukhodolskiy committed 1 day ago
	ac97fa4 Browse files » Phase 4: Vue client auth store, Bearer token injection, router guards, login page ... Server: - AuthControllerTrait now supports both session and Bearer token auth (resolves user from Authorization: Bearer header via shserv_sessions) Vue client: - Add api/auth.js module for access token management - Inject Authorization: Bearer header in http.js - Handle 401 in client.js: clear token + redirect to /auth/login - New Pinia auth store (stores/auth.js): init, refreshToken, logout, hasPermission - New usePermission composable - Router guards: redirect unauthenticated to /login, permission-based route blocking - New LoginPage.vue with gnexus-auth login button - AppShell: conditional nav items by permission, user bar with logout - main.js: initialize auth before mounting app - MSW mocks: /auth/me, /auth/logout, /auth/refresh - Fix AppShell.spec.js for Pinia + router setup All 167 tests pass. Eugene Sukhodolskiy committed 1 day ago
	3f75d33 Browse files » Phase 0: gnexus-auth integration infrastructure ... - Add gnexus/auth-client via Composer vcs - Thin PSR-18/17 cURL adapter (zero extra deps) - SessionStateStore, SessionPkceStore, DbTokenStore - AuthService wrapper: login URL, callback, logout, refresh, me - UserResolver + PermissionResolver - AuthController (login, callback, logout, me, refresh) - WebhookController + WebhookRouter + event handlers - AuthControllerTrait for endpoint protection - Migration: 9 tables (users, roles, permissions, overrides, groups, members, group_perms, sessions, audit) + seed data - Remove old Example_AuthController - Add GAUTH_* env variables to config and .env.example Eugene Sukhodolskiy committed 1 day ago