feat: oauth-consent-frontend-screen (#7136)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

Author: Zaimwa9

frontend/common/services/useOAuthAuthorize.ts

@@ -0,0 +1,36 @@
+import { Res } from 'common/types/responses'
+import { Req } from 'common/types/requests'
+import { service } from 'common/service'
+
+export const oauthAuthorizeService = service
+  .enhanceEndpoints({ addTagTypes: ['OAuthAuthorize'] })
+  .injectEndpoints({
+    endpoints: (builder) => ({
+      processOAuthConsent: builder.mutation<
+        Res['processOAuthConsent'],
+        Req['processOAuthConsent']
+      >({
+        query: (body) => ({
+          body,
+          method: 'POST',
+          url: 'oauth/authorize/',
+        }),
+      }),
+      validateOAuthAuthorize: builder.query<
+        Res['validateOAuthAuthorize'],
+        Req['validateOAuthAuthorize']
+      >({
+        keepUnusedDataFor: 600,
+        query: (params) => ({
+          url: `oauth/authorize/?${new URLSearchParams(params).toString()}`,
+        }),
+      }),
+      // END OF ENDPOINTS
+    }),
+  })
+
+export const {
+  useProcessOAuthConsentMutation,
+  useValidateOAuthAuthorizeQuery,
+  // END OF EXPORTS
+} = oauthAuthorizeService

frontend/common/types/requests.ts

@@ -924,5 +924,16 @@ export type Req = {
     enabled: boolean
     feature_state_value: FlagsmithValue | null
   }
+  validateOAuthAuthorize: Record<string, string>
+  processOAuthConsent: {
+    allow: boolean
+    client_id: string
+    redirect_uri: string
+    response_type: string
+    scope: string
+    code_challenge: string
+    code_challenge_method: string
+    state?: string
+  }
   // END OF TYPES
 }

frontend/common/types/responses.ts

@@ -1258,5 +1258,14 @@ export type Res = {
     feature_external_resource_id: number
     html_url: string
   }
+  validateOAuthAuthorize: {
+    application: { name: string; client_id: string }
+    scopes: Record<string, string>
+    redirect_uri: string
+    is_verified: boolean
+  }
+  processOAuthConsent: {
+    redirect_uri: string
+  }
   // END OF TYPES
 }

frontend/web/components/App.js

@@ -150,7 +150,8 @@ const App = class extends Component {
       this.props.location.pathname === '/' ||
       this.props.location.pathname === '/widget' ||
       this.props.location.pathname === '/saml' ||
-      this.props.location.pathname.includes('/oauth') ||
+      (this.props.location.pathname.includes('/oauth') &&
+        !this.props.location.pathname.startsWith('/oauth/authorize')) ||
       this.props.location.pathname === '/login' ||
       this.props.location.pathname === '/signup'
     ) {

frontend/web/components/pages/OAuthAuthorizePage.tsx

@@ -0,0 +1,200 @@
+import React, { useMemo, useState } from 'react'
+import { useLocation } from 'react-router-dom'
+import {
+  useProcessOAuthConsentMutation,
+  useValidateOAuthAuthorizeQuery,
+} from 'common/services/useOAuthAuthorize'
+import Utils from 'common/utils/utils'
+import Icon from 'components/Icon'
+import Logo from 'components/Logo'
+
+// Frontend-maintained scope descriptions. The backend returns `mcp` as an
+// umbrella scope; we expand it into granular descriptions for the consent UI.
+// If a scope is not found here, the backend description is used as fallback.
+const SCOPE_DESCRIPTIONS: Record<string, string[]> = {
+  mcp: [
+    'Manage feature flags, toggle states, and update values',
+    'Create and manage audience targeting segments',
+    'View and configure environments',
+    'View and update project settings',
+    'Create and review change requests',
+    'View organisation details, roles, and groups',
+  ],
+}
+
+const OAuthAuthorizePage = () => {
+  const location = useLocation()
+  const [isRedirecting, setIsRedirecting] = useState(false)
+  const [consentError, setConsentError] = useState<string | null>(null)
+
+  const oauthParams = useMemo(() => {
+    const params = Utils.fromParam(location.search)
+    return {
+      client_id: params.client_id || '',
+      code_challenge: params.code_challenge || '',
+      code_challenge_method: params.code_challenge_method || '',
+      redirect_uri: params.redirect_uri || '',
+      response_type: params.response_type || '',
+      scope: params.scope || 'mcp',
+      state: params.state || '',
+    }
+  }, [location.search])
+
+  const hasRequiredParams = !!(
+    oauthParams.client_id &&
+    oauthParams.redirect_uri &&
+    oauthParams.response_type &&
+    oauthParams.code_challenge &&
+    oauthParams.code_challenge_method
+  )
+
+  const { data, error, isLoading } = useValidateOAuthAuthorizeQuery(
+    oauthParams,
+    {
+      refetchOnFocus: false,
+      refetchOnReconnect: false,
+      skip: !hasRequiredParams,
+    },
+  )
+
+  const [processConsent, { isLoading: isProcessing }] =
+    useProcessOAuthConsentMutation()
+
+  const handleConsent = async (allow: boolean) => {
+    try {
+      setConsentError(null)
+      setIsRedirecting(true)
+      const result = await processConsent({
+        ...oauthParams,
+        allow,
+      }).unwrap()
+      window.location.href = result.redirect_uri
+    } catch (e) {
+      console.error('OAuth consent error:', e)
+      setIsRedirecting(false)
+      setConsentError('Something went wrong. Please try again.')
+    }
+  }
+
+  const renderContent = () => {
+    if (!hasRequiredParams) {
+      return (
+        <div className='oauth-authorize__card card shadow p-4'>
+          <h3>Invalid authorisation request</h3>
+          <p className='text-muted'>
+            Required OAuth parameters are missing. Please return to the
+            application and try again.
+          </p>
+        </div>
+      )
+    }
+
+    if (isLoading) {
+      return (
+        <div className='oauth-authorize__card card shadow p-4'>
+          <div className='centered-container'>
+            <Loader />
+          </div>
+        </div>
+      )
+    }
+
+    if (error || !data) {
+      return (
+        <div className='oauth-authorize__card card shadow p-4'>
+          <h3>Authorisation error</h3>
+          <p className='text-muted'>
+            The authorisation request is invalid. The application may have
+            provided incorrect parameters.
+          </p>
+        </div>
+      )
+    }
+
+    return (
+      <div className='oauth-authorize__card card shadow p-4'>
+        <div className='text-center mb-4'>
+          <Logo size={48} />
+          <h3 className='oauth-authorize__title mb-0'>
+            <strong>{data.application.name}</strong> would like to connect to
+            your Flagsmith account
+          </h3>
+        </div>
+
+        {!data.is_verified && (
+          <div className='oauth-authorize__warning'>
+            <Icon name='warning' width={16} fill='#e5a00d' />
+            <span>
+              This application is unverified. Only authorise if you trust it.
+            </span>
+          </div>
+        )}
+
+        <div className='oauth-authorize__scope-box'>
+          <p className='oauth-authorize__scope-header mb-3 mt-0'>
+            YOUR ACCOUNT WILL BE USED TO:
+          </p>
+          <div className='d-flex flex-column gap-3'>
+            {Object.entries(data.scopes).flatMap(([scope, description]) => {
+              const descriptions = SCOPE_DESCRIPTIONS[scope]
+              if (descriptions) {
+                return descriptions.map((desc, i) => (
+                  <div
+                    key={`${scope}-${i}`}
+                    className='oauth-authorize__scope-item'
+                  >
+                    <Icon name='checkmark' width={20} fill='#6837fc' />
+                    <span>{desc}</span>
+                  </div>
+                ))
+              }
+              return [
+                <div key={scope} className='oauth-authorize__scope-item'>
+                  <Icon name='checkmark' width={20} fill='#6837fc' />
+                  <span>{description}</span>
+                </div>,
+              ]
+            })}
+          </div>
+        </div>
+
+        <p className='oauth-authorize__redirect-text text-muted text-center mb-4'>
+          You will be redirected to:
+          <br />
+          <code className='oauth-authorize__redirect-uri'>
+            {data.redirect_uri}
+          </code>
+        </p>
+
+        {consentError && (
+          <p className='oauth-authorize__error text-center text-danger mb-2'>
+            {consentError}
+          </p>
+        )}
+
+        {isRedirecting || isProcessing ? (
+          <div className='centered-container'>
+            <Loader />
+          </div>
+        ) : (
+          <div className='d-flex flex-column gap-2'>
+            <Button className='w-100' onClick={() => handleConsent(true)}>
+              Authorise
+            </Button>
+            <Button
+              theme='secondary'
+              className='w-100'
+              onClick={() => handleConsent(false)}
+            >
+              Decline
+            </Button>
+          </div>
+        )}
+      </div>
+    )
+  }
+
+  return <div className='oauth-authorize'>{renderContent()}</div>
+}
+
+export default OAuthAuthorizePage

frontend/web/main.js

@@ -42,14 +42,21 @@ if (event) {
 }
 
 const isInvite = document.location.href.includes('invite')
-const isOauth = document.location.href.includes('/oauth')
+const isOauth =
+  document.location.href.includes('/oauth') &&
+  !document.location.pathname.startsWith('/oauth/authorize')
 if (res && !isInvite && !isOauth) {
   AppActions.setToken(res)
 }
 
 function isPublicURL() {
   const pathname = document.location.pathname
 
+  // /oauth/authorize requires auth (consent screen), but /oauth/:type (callbacks) is public.
+  if (pathname.startsWith('/oauth/authorize')) {
+    return false
+  }
+
   const publicPaths = [
     '/',
     '/404',