feat: connect planner via OAuth 2.1 / OIDC

[mroderick]

Summary

Connect the auth service to the planner via OAuth 2.1 / OIDC using Better Auth's built-in oauthProvider and jwt plugins. The planner acts as a first-party OAuth client.

Commits

Commit	Description
chore: add @better-auth/oauth-provider and @playwright/test dependencies	Add @better-auth/oauth-provider runtime dep, bump better-auth to 1.6.20, add @playwright/test dev dep
feat: add JWT and OAuth provider plugins with login flow, seeding, and tests	Core feature: Better Auth config with jwt/oauthProvider/magicLink plugins, OAuth authorize login flow, PKCE seeding, test infrastructure with schema isolation, 49 new unit/integration tests
ci: add CI pipeline and Playwright e2e test for OAuth flow	CI workflow with parallel test groups + e2e Playwright job testing full magic link OAuth flow
docs: add architecture documentation covering OAuth 2.1 flows	Architecture doc with sequence diagrams for GitHub OAuth and Magic Link flows

Changes

Auth configuration (src/auth.js)

• Add jwt() plugin — issues id_tokens with email and name claims for the planner (RS256)
• Add oauthProvider() plugin — exposes OAuth 2.1 authorize/token endpoints (/api/auth/oauth2/*)
• Add account.skipStateCookieCheck: true — cross-site OAuth callback compatibility
• Add trustedOrigins with localhost + auth base URL

Config (src/config.js)

• Add AUTH_DEFAULT_PORT and PLANNER_DEFAULT_PORT constants
• Add planner_redirect_uris and allowed_redirects from PLANNER_REDIRECT_URIS env var (comma-separated, supports multiple environments)

Login flow (src/app/routes/auth.js, src/app/components/login.js)

• Replace redirect_url-based flow with callbackURL pointing to the OAuth authorize endpoint
• Extract named route handlers (showLogin, showMagicLinkForm, sendMagicLink, startGitHubOAuth)
• getCallbackURL preserves OAuth query params (PKCE, state, etc.) from the authorize request
• GitHub and magic link buttons now POST/GET with callbackURL

Database seeding

• src/app/db/seed-client.js — inserts the planner OAuth client via raw SQL with ON CONFLICT DO UPDATE for idempotency. Accepts redirect URIs as JSON array via $1::jsonb. Validates schemaName to prevent SQL injection.
• scripts/migrate.js — runs migrations and seeds the planner client
• scripts/heroku-release.sh — runs node scripts/migrate.js on every deploy

Dev test helpers

• src/dev/magic-links.js — captures sent magic links when SENDGRID_API_KEY is unset
• src/app/app.js — exposes /api/test/magic-links GET/DELETE in non-production, magic link endpoint localhost-restricted

CI

• Add e2e job running Playwright after unit tests
• Use chromium-headless-shell for smaller download
• Add permissions: contents: read at workflow level

Documentation

• docs/architecture.md — architecture overview with sequence diagrams, environment layout, env vars, and operational details

Testing

158 unit tests, 0 failures. New tests cover:

• OAuth provider: planner client seeded correctly (public, PKCE-required, redirect URIs as JSON array)
• Authorize endpoint: redirects unauthenticated users to login, issues code when authenticated
• Token endpoint: exchanges code for access token with PKCE, rejects missing/invalid PKCE, invalid code, mismatched redirect_uri
• Integration: full flow — authenticate -> authorize -> exchange code -> verify JWT via JWKS
• E2E (Playwright): unauthenticated authorize -> login -> magic link -> verify -> authorize -> code

[till]

Maybe pull these into another pr to fix?

[mroderick]

@till, would you mind reviewing this one?

[till]

I started, but I need to look more.

[till]

Maybe pull these into another pr to fix?

[till]

I don't understand these changes.

[mroderick]

Yeah, that was really not well implemented.
I added an e2e test, but the workflow file took a beating in the process. I've added a commit, that makes the final diff read well.
Once review is complete, I'll rebase the confusion away.

[mroderick]

I have deployed both PRs for planner and auth to Heroku, in order to verify things in staging before we merge the PRs.

I also reviewed the PRs against OWASP top 10 for 2025, and fixed the few minor things that surfaced.

This unfortunately meant that I had to make some changes since I originally marked this as ready for review. I chose to rewrite the git history, in order to make the PRs easier to follow ... i.e. without any side quests. They should read fairly linearly now.

---

Testing on Heroku

To verify the OAuth 2.1 flow end-to-end:

Flow A: Sign in with GitHub

1. Open https://codebar-staging.herokuapp.com/ — confirm the app loads
2. Navigate to https://codebar-staging.herokuapp.com/auth/codebar << this is not linked in the UI, we'll only do that, once it is proven to work in production
3. Observe you're redirected to https://auth.codebar.io/login?... with OAuth params
   (client_id=planner, response_type=code, code_challenge=..., state=...) in the URL
4. Click "Sign In with GitHub" — authenticate with your GitHub account
5. Observe you're redirected back to the staging app, signed in

Flow B: Sign in with Magic Link

1. Clear all cookies for *.codebar.io and *.herokuapp.com to start fresh
2. Navigate to https://codebar-staging.herokuapp.com/auth/codebar again
3. Observe you're redirected to https://auth.codebar.io/login?...
4. Enter your email address and click "Send Magic Link"
5. Check your inbox for the magic link email from auth-noreply@codebar.io
6. Click the link in the email
7. Observe you're redirected back to the staging app, signed in

If something goes wrong

Check the staging app logs:

  heroku logs --tail -a codebar-staging

OAuth errors from the planner side show as (codebar) Authentication failure! <error_type>. The auth
app is already in production — let us know if you need access to its logs too.

[till]

This is a lot. But LMK, what you think, not hard no's on anything. I will have a look again.

[till]

It already serves profile, logout and I think link/unlink capabilities today. Those will stay around.

[till]

Just curious, why would we not use admin-api?

[till]

Maybe this should be somewhere else, like in the utlities. This will is pretty large already.

[till]

Similar, maybe spin them out to another file.

[till]

This should be more obvious, e.g. not rely on apiKey to be set (which could be a mistake), but instead use the same environment guard.

[till]

Does the auth app have a staging? Otherwise, how would this work.

[till]

I'd put this into a helper and make it more descriptive. But the params repeats itself.

Maybe generally, I haven't look at it all in detail, but it could use some test helpers for all the tests.

[till]

🥳

[till]

The issue is closed and from last year, is this even applicable?

[till]

Could also fetch this in config and re-use it here. So the code is not using process.env everywhere?