fix(oauth): reliable callback delivery without manual token

linull24 · linull24 · commit cabee7cc5a2b · 2025-12-23T13:43:59.000+08:00
diff --git a/app/src/app.d.ts b/app/src/app.d.ts
@@ -16,7 +16,6 @@ declare global {
 interface ImportMetaEnv {
 		readonly PUBLIC_GITHUB_CLIENT_ID?: string;
 		readonly PUBLIC_GITHUB_OAUTH_PROXY_URL?: string;
-		readonly PUBLIC_GITHUB_ALLOW_MANUAL_TOKEN?: string;
 	}
 
 	interface ImportMeta {
diff --git a/app/src/lib/policies/github/oauthPkce.ts b/app/src/lib/policies/github/oauthPkce.ts
@@ -1,10 +1,12 @@
 import { base } from '$app/paths';
-import { browser, dev } from '$app/environment';
+import { browser } from '$app/environment';
 import { env as publicEnv } from '$env/dynamic/public';
 import { z } from 'zod';
 import { setGithubToken } from '../../stores/githubAuth';
 
 const SESSION_PREFIX = 'github:oauth:pkce:';
+const CALLBACK_KEY = 'github:oauth:pkce:callback';
+const CALLBACK_TTL_MS = 2 * 60 * 1000;
 
 const GithubPkceSessionSchema = z.object({
 	verifier: z.string().min(32),
@@ -62,11 +64,6 @@ export function getGithubPkceAvailability(): GithubPkceAvailability {
 
 export type GithubPkceCodePayload = { code: string; state: string };
 
-export function getGithubManualTokenAllowed() {
-	// eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
-	return Boolean(dev) || Boolean(publicEnv.PUBLIC_GITHUB_ALLOW_MANUAL_TOKEN);
-}
-
 export type GithubPkceStartResult =
 	| { ok: true }
 	| { ok: false; errorKey: 'panels.sync.githubMissing' | 'errors.githubPopupBlocked' | 'errors.githubPkceUnsupported' };
@@ -264,6 +261,7 @@ function attachPopupCallbackCoordinator(popup: Window, redirectUri: string) {
 		if (done) return;
 		done = true;
 		window.removeEventListener('message', handleMessage);
+		window.removeEventListener('storage', handleStorage);
 		channel?.removeEventListener('message', handleChannelMessage as any);
 		channel?.close();
 		clearInterval(interval);
@@ -309,13 +307,45 @@ function attachPopupCallbackCoordinator(popup: Window, redirectUri: string) {
 		cleanup();
 	};
 
+	const readCallbackFromStorage = () => {
+		try {
+			const raw = localStorage.getItem(CALLBACK_KEY);
+			if (!raw) return null;
+			const parsed = JSON.parse(raw);
+			const code = typeof parsed?.code === 'string' ? parsed.code.trim() : '';
+			const state = typeof parsed?.state === 'string' ? parsed.state.trim() : '';
+			const createdAt = typeof parsed?.createdAt === 'number' ? parsed.createdAt : 0;
+			if (!code || !state) return null;
+			if (!createdAt || Date.now() - createdAt > CALLBACK_TTL_MS) return null;
+			return { code, state };
+		} catch {
+			return null;
+		}
+	};
+
+	const clearCallbackStorage = () => {
+		try {
+			localStorage.removeItem(CALLBACK_KEY);
+		} catch {
+			// ignore
+		}
+	};
+
 	const handleMessage = (event: MessageEvent) => {
 		if (event.origin !== window.location.origin) return;
 		if (event.data?.type === 'github-oauth-code' && event.data.code && event.data.state) {
 			void onCallback({ code: event.data.code, state: event.data.state });
 		}
 	};
 
+	const handleStorage = (event: StorageEvent) => {
+		if (event.key !== CALLBACK_KEY) return;
+		const payload = readCallbackFromStorage();
+		if (!payload) return;
+		clearCallbackStorage();
+		void onCallback(payload);
+	};
+
 	const handleChannelMessage = (event: MessageEvent) => {
 		const data = (event as MessageEvent).data as any;
 		if (data?.type === 'github-oauth-code' && data.code && data.state) {
@@ -324,6 +354,7 @@ function attachPopupCallbackCoordinator(popup: Window, redirectUri: string) {
 	};
 
 	window.addEventListener('message', handleMessage);
+	window.addEventListener('storage', handleStorage);
 	channel?.addEventListener('message', handleChannelMessage as any);
 
 	const interval = window.setInterval(() => {
@@ -344,6 +375,12 @@ function attachPopupCallbackCoordinator(popup: Window, redirectUri: string) {
 		} catch {
 			// ignore (cross-origin until it returns to our site)
 		}
+
+		const payload = readCallbackFromStorage();
+		if (payload) {
+			clearCallbackStorage();
+			void onCallback(payload);
+		}
 	}, 350);
 
 	const timeout = window.setTimeout(() => cleanup(), 2 * 60 * 1000);
diff --git a/app/src/routes/auth/callback/+page.svelte b/app/src/routes/auth/callback/+page.svelte
@@ -47,6 +47,25 @@
 		const state = String(payload.state || '').trim();
 		if (!code || !state) return;
 
+		try {
+			localStorage.setItem(
+				'github:oauth:pkce:callback',
+				JSON.stringify({ code, state, createdAt: Date.now() })
+			);
+			setTimeout(() => {
+				try {
+					const raw = localStorage.getItem('github:oauth:pkce:callback');
+					if (!raw) return;
+					const parsed = JSON.parse(raw);
+					if (parsed?.code === code && parsed?.state === state) localStorage.removeItem('github:oauth:pkce:callback');
+				} catch {
+					// ignore
+				}
+			}, 10_000);
+		} catch {
+			// ignore
+		}
+
 		try {
 			window.opener?.postMessage({ type: 'github-oauth-code', code, state }, window.location.origin);
 		} catch {

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,6 @@ declare global {`
`16`	`16`	`interface ImportMetaEnv {`
`17`	`17`	`readonly PUBLIC_GITHUB_CLIENT_ID?: string;`
`18`	`18`	`readonly PUBLIC_GITHUB_OAUTH_PROXY_URL?: string;`
`19`		`- readonly PUBLIC_GITHUB_ALLOW_MANUAL_TOKEN?: string;`
`20`	`19`	`}`
`21`	`20`
`22`	`21`	`interface ImportMeta {`