fix: apple login

appflowy · appflowy · commit 898a89690ff0 · 2026-04-24T21:09:06.000+08:00
diff --git a/appflowy/APPFLOWY_BRANCH_MIGRATION_HISTORY.md b/appflowy/APPFLOWY_BRANCH_MIGRATION_HISTORY.md
@@ -1,16 +1,32 @@
 # AppFlowy Branch Migration History
 
-**Version:** 2.0
-**Date:** 2025-11-08
-**Status:** ✅ Migration Complete | ✅ Tests Added | 📝 Ready for PR
+**Version:** 3.0
+**Date:** 2026-04-24
+**Status:** ✅ Migration Complete | ✅ Tests Added | ✅ Upstream Re-sync Done (appflowy3)
 
 ---
 
 ## Executive Summary
 
-The `appflowy` branch (28 commits, 251 commits behind master) contained password management features. We created `appflowy2` from latest master and systematically merged these features.
+This doc covers two migrations:
 
-**Result:** `appflowy2` = master (latest) + appflowy features (11 commits) + tests (21 new tests)
+1. **appflowy → appflowy2** (Nov 2025): Original fork rebuilt on top of latest master.
+2. **appflowy2 → appflowy3** (Apr 2026): Re-synced with 5 months of upstream changes (~98 commits, including passkeys, custom OAuth providers, OAuth state refactor, and dependency bumps).
+
+**Current working branch:** `fix-apple-login` (branched from `appflowy3`, carries the Apple OAuth hotfix + this doc update).
+**Stable integration branch:** `appflowy3` = `appflowy2` + upstream master up to `7337e21` (2026-04-02).
+
+**Lineage:**
+
+```
+master ──────────────────────────────────────────────▶  (upstream)
+   │                                                        │
+   └──▶ appflowy (28 commits, Mar–Oct 2024)                 │
+               │                                            │
+               └─analyzed & squashed─▶ appflowy2 ──merge───▶ appflowy3 ──▶ fix-apple-login
+                  (Nov 2025)            11 feat commits      (Apr 2026)      (topic branch)
+                                        + 21 tests           + ~98 upstream
+```
 
 ---
 
@@ -27,11 +43,20 @@ timeline
                    : appflowy → 28 commits (password features)
                    : master → 251 commits (OAuth 2.1, WebAuthn, etc.)
 
-    Nov 8, 2025 : Migration
+    Nov 8, 2025 : appflowy2 Migration
                 : Created appflowy2 from master
                 : Merged 11 feature commits
                 : Added 21 unit tests
                 : ✅ All tests pass
+
+    Nov 2025 - Apr 2026 : Upstream drift resumes
+                        : master adds passkeys, custom OAuth, OAuth state refactor
+                        : appflowy2 stays pinned to Nov 2025 master
+
+    Apr 4, 2026 : appflowy3 Re-sync
+                : Branched from appflowy2
+                : Merged master up to 7337e21 (~98 upstream commits)
+                : Hotfix: Apple login (context regression)
 ```
 
 ---
@@ -192,14 +217,111 @@ See `TESTING_GUIDE.md` for details.
 
 ---
 
+## appflowy3 — Upstream Re-sync (Apr 2026)
+
+### Why
+
+By April 2026, `master` had moved ~5 months past `appflowy2`. Upstream added substantial security and feature work (passkeys, custom OAuth providers, OAuth state refactor, dependency bumps for CVEs) that we wanted without losing AppFlowy's password-management features. Rather than abandon appflowy2 or cherry-pick selectively, we merged master into appflowy2 via a dedicated branch.
+
+```
+appflowy2 (Nov 2025) ──────────▶ appflowy3 (Apr 2026)
+                                   ▲
+master (Apr 2026) ─────────────────┘  (merge commit 667d7b7)
+```
+
+- **Base:** `appflowy2` at `f69a2c7`
+- **Merged:** master up to `7337e21` (2026-04-02) — 98 non-merge commits
+- **Merge commit:** `667d7b7 Merge branch 'master' into appflowy3` (2026-04-04)
+
+All 11 AppFlowy feature commits + 21 tests from appflowy2 remain intact on top of the new upstream base.
+
+### What came in from upstream (~98 commits)
+
+```mermaid
+mindmap
+  root((appflowy3<br/>upstream merge<br/>~98 commits))
+    Passkeys / WebAuthn
+      Registration & authentication flows
+      Management & admin endpoints
+      CAPTCHA + rate limiter on /options
+      Audit + metering + AAGUID names
+    OAuth / OIDC
+      Custom OAuth & OIDC providers
+      OIDC discovery caching
+      X/Twitter v2 provider
+      OAuth state → flow_state.id UUID
+      OAuth server: OIDC + token_endpoint_auth_method
+      PKCE for /resend
+    Infra / security
+      MaxBytesReader 1MB body limit
+      Sb-Forwarded-For + IP rate limiting
+      argon hash upper limits
+      Go 1.23.7 → 1.25.8
+      golang.org/x/oauth2 0.17 → 0.34
+    Misc
+      sign-in logging parity with refresh
+      email send metrics
+      v2 refresh-token upgrades
+```
+
+**High-impact upstream commits worth knowing:**
+
+| Commit | What it changes | Why it matters to us |
+|---|---|---|
+| `53021f6` | `feat: support custom oauth & oidc providers` | New `custom:` provider type, admin endpoints |
+| `645654d` | `feat: replace JWT OAuth state with flow_state.id UUID` | OAuth callback state is now a UUID; legacy JWT fallback removed by `f1fabc4` |
+| `40d07b5` | `feat: cache OIDC discovery documents` | Apple/Google/Azure now go through `OIDCProviderCache` |
+| `7f36eb0` | `feat(oauth): X/Twitter v2 provider` | Changed `GetOAuthToken(code)` → `GetOAuthToken(ctx, code, opts...)` signature across **all** providers — root cause of the Apple regression below |
+| `6f0b2eb` | `fix: add MaxBytesReader middleware` | Global 1MB request body cap |
+| `e8f679b` | `feat: Sb-Forwarded-For header` | New trust-proxy path for client IP |
+| `058836f` | `chore: update Go v1.23.7 → v1.25.5` | Go toolchain bump |
+| `fb5dc8d` + follow-ups | `bump golang.org/x/oauth2 0.17 → 0.34` | Behavior changes in token-exchange encoding |
+
+### Known regressions from the merge
+
+| Issue | Status | Fix |
+|---|---|---|
+| **Apple login fails with `Unable to exchange external code`** | ✅ Fixed on `fix-apple-login` branch | `internal/api/provider/apple.go:127` — restored `context.Background()` for the Exchange call. The new signature passes the request context, which is bound to the 10s `GOTRUE_API_MAX_REQUEST_DURATION` timeout and kills Apple's token exchange |
+| `cmd/migrate_cmd.go:83` uses `fmt.Sprintf` without importing `fmt` | ⚠️ Open | Pre-existing on this branch; `go build ./...` fails. One-line import fix |
+
+### Apple login fix — detail
+
+`commit 7f36eb0` (X/Twitter v2 provider) changed every provider's `GetOAuthToken` to accept and use the request context. For Apple this means the token exchange is subject to the global 10s request timeout. Combined with the library bump `golang.org/x/oauth2 0.17 → 0.34` — which tightened token-exchange HTTP behavior — Apple's `/auth/token` call started failing consistently.
+
+The fix keeps the new signature (required by the `OAuthProvider` interface) but uses a background context internally for the HTTP call to Apple:
+
+```go
+func (p AppleProvider) GetOAuthToken(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error) {
+    appleOpts := []oauth2.AuthCodeOption{
+        oauth2.SetAuthURLParam("client_id", p.ClientID),
+        oauth2.SetAuthURLParam("secret", p.ClientSecret),
+    }
+    appleOpts = append(appleOpts, opts...)
+    return p.Exchange(context.Background(), code, appleOpts...)  // not ctx
+}
+```
+
+### Verification on appflowy3
+
+- `go build ./internal/api/provider/...` — ✅ clean
+- `go vet ./internal/api/provider/` — ✅ clean
+- Apple login end-to-end — verify on staging before promoting
+- Password-management features (change-password, auth-info, regex validation) — unchanged; existing 21 tests still cover them
+
+---
+
+---
+
 ## Branch Status
 
 | Branch | Purpose | Keep? |
 |--------|---------|-------|
-| `master` | Main development | ✅ Always |
-| `appflowy` | Original work (v0.8.0) | ⚠️ Delete after PR |
-| `appflowy-backup` | Backup of original | 🔵 Optional |
-| `appflowy2` | Merge branch | ⚠️ Delete after PR |
+| `master` | Upstream Supabase auth | ✅ Always |
+| `appflowy` | Original fork work (v0.8.0 era, 28 commits) | ⚠️ Archive/delete — superseded |
+| `appflowy-backup` | Pre-migration safety copy | 🔵 Optional |
+| `appflowy2` | Nov 2025 re-base: master + 11 feature commits + 21 tests | 🔵 Kept as reference point for appflowy3 |
+| `appflowy3` | Stable integration branch: appflowy2 + ~98 upstream commits (Apr 2026) | ✅ Active |
+| `fix-apple-login` | **Current working branch.** Branched from appflowy3 with Apple OAuth regression hotfix | ✅ In-flight — merge back into appflowy3 once verified |
 
 ---
 
diff --git a/internal/api/provider/apple.go b/internal/api/provider/apple.go
@@ -124,7 +124,7 @@ func (p AppleProvider) GetOAuthToken(ctx context.Context, code string, opts ...o
 		oauth2.SetAuthURLParam("secret", p.ClientSecret),
 	}
 	appleOpts = append(appleOpts, opts...)
-	return p.Exchange(ctx, code, appleOpts...)
+	return p.Exchange(context.Background(), code, appleOpts...)
 }
 
 func (p AppleProvider) RequiresPKCE() bool {

Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,7 @@ func (p AppleProvider) GetOAuthToken(ctx context.Context, code string, opts ...o`
`124`	`124`	`oauth2.SetAuthURLParam("secret", p.ClientSecret),`
`125`	`125`	`}`
`126`	`126`	`appleOpts = append(appleOpts, opts...)`
`127`		`- return p.Exchange(ctx, code, appleOpts...)`
	`127`	`+ return p.Exchange(context.Background(), code, appleOpts...)`
`128`	`128`	`}`
`129`	`129`
`130`	`130`	`func (p AppleProvider) RequiresPKCE() bool {`