fix(plugin-auth,platform-objects): close @better-auth/oauth-provider 1.7 schema drift — restore platform SSO#3080
Merged
Conversation
…1.7 schema drift — restore platform SSO The better-auth 1.7.0-rc.1 bump (4ab16f8 "pnpm upgrade") changed the oauth-provider model schemas, but the sys_oauth_* platform objects and the camelCase→snake_case fieldName mappings in auth-schema-config.ts were never updated. Token exchange then 500s with `table sys_oauth_access_token has no column named authorizationCodeId`, breaking platform SSO ("Continue with ObjectStack") end-to-end for every environment login — on SQLite AND Postgres control planes alike. - sys_oauth_access_token / sys_oauth_refresh_token: add authorization_code_id (indexed), resources, requested_user_info_claims, confirmation; access adds revoked; refresh adds rotated_at, rotation_replay_response, rotation_replay_expires_at. - sys_oauth_consent: add resources, requested_user_info_claims. - sys_oauth_application: add jwks, jwks_uri, backchannel_logout_uri, backchannel_logout_session_required, dpop_bound_access_tokens (1.7 DCR writes dpopBoundAccessTokens with a default — same crash class). - New objects for the three models 1.7 introduced: sys_oauth_resource, sys_oauth_client_resource (RFC 8707 resource indicators, used by the MCP OAuth track), sys_oauth_client_assertion (RFC 7523 jti replay prevention); registered in the auth manifest, SystemObjectName, i18n extract config, and buildOauthProviderPluginSchema(). - Mappings extended for every camelCase field; regenerated the platform-objects translation bundles (additive only). - NEW oauth-provider-schema-parity.test.ts: iterates the INSTALLED plugin's declared schema and fails when any writable column is missing from the platform objects — the next better-auth bump that adds fields breaks at test time, not in production. (This test is what surfaced the three brand-new 1.7 models above.) Companion changes: cloud registers the ≥1.7 social-flow callback format (/api/v1/auth/callback/<provider>) alongside the legacy one, and @object-ui/auth signs OIDC providers in via POST /sign-in/social. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
📓 Docs Drift CheckThis PR changes 4 package(s): 102 hand-written doc(s) reference the affected code and may need an implementation-accuracy re-verification:
|
…oken exchange Drives authorize → code → token → userinfo against a bootStack kernel with OS_OIDC_PROVIDER_ENABLED, seeding the client row exactly the way cloud's seedPlatformSsoClient does (hashed secret, skip_consent, client_secret_basic, ≥1.7 /api/v1/auth/callback/<provider> redirect_uri). The token-exchange step is the hop that 500'd in production on the 1.7 schema drift; verified the test fails (2/3) when the authorization_code_id column is removed and passes (3/3) with the fix. Complements the static parity gate in plugin-auth. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
os-zhuang
added a commit
to objectstack-ai/objectui
that referenced
this pull request
Jul 16, 2026
…h ≥ 1.7) (#2621) better-auth 1.7 restructured the genericOAuth plugin: generic OAuth/OIDC providers are injected into the core social sign-in flow and the dedicated POST /sign-in/oauth2 endpoint no longer exists. `signInWithProvider` with `type: 'oidc'` therefore 404'd on every click — "Continue with ObjectStack" (platform SSO) was dead against a current framework server. Sign in through `signIn.social` first; when the social route rejects the provider AND the legacy `signIn.oauth2` client method succeeds (an older < 1.7 server), fall back to it — the coordinated framework/cloud rollout can't atomically flip every deployment. When both routes fail, surface the social-route error: on a ≥ 1.7 server it is the real failure, the legacy route only 404s. Companion changes: framework adds the better-auth 1.7 sys_oauth_* columns (objectstack-ai/framework#3080); cloud registers the new /api/v1/auth/callback/<provider> redirect_uri format alongside the legacy one. Co-authored-by: Jack Zhuang <277994282+os-zhuang@users.noreply.github.com> Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
问题
better-auth 1.7.0-rc.1 升级(4ab16f8 “pnpm upgrade”)改变了
@better-auth/oauth-provider的模型 schema,但sys_oauth_*平台对象和auth-schema-config.ts里的 camelCase→snake_case 映射没有跟上。实测(cloud 本地 rig,三仓 main)平台 SSO token 交换 500:新字段没有 fieldName 映射时 camelCase 直通(其它列都是 snake_case),列也不存在 —— SQLite 与 prod PG 同炸。这是「Continue with ObjectStack」全环境登录链路的断点之一(另两个在 cloud / objectui,见下)。
修复
补列(1.7 完整对齐):
sys_oauth_access_token/sys_oauth_refresh_token:authorization_code_id(带索引)、resources、requested_user_info_claims、confirmation;access 另加revoked;refresh 另加rotated_at、rotation_replay_response、rotation_replay_expires_atsys_oauth_consent:resources、requested_user_info_claimssys_oauth_application:jwks、jwks_uri、backchannel_logout_uri、backchannel_logout_session_required、dpop_bound_access_tokens(1.7 的 DCR 会写带默认值的dpopBoundAccessTokens,同类炸点)新表(1.7 新增的三个模型):
sys_oauth_resource/sys_oauth_client_resource— RFC 8707 resource indicators(MCP OAuth track 的 audience 绑定用)sys_oauth_client_assertion— RFC 7523 client-assertion jti 防重放已注册进 auth manifest、
SystemObjectName、i18n extract config 与buildOauthProviderPluginSchema();翻译 bundle 重新生成(纯新增,708 insertions / 0 deletions)。防漂移门(新测试):
oauth-provider-schema-parity.test.ts遍历 已安装 插件声明的 schema(fieldName ?? key与 better-auth adapter 同逻辑解析),任何对象缺列直接红 —— 下次 better-auth bump 新增字段会在测试期失败而不是 prod 500。这个测试就是本 PR 发现三张新表的来源。测试
plugin-auth:19 files / 452 tests 全过(含新 parity 8/8)platform-objects:5 files / 197 tests 全过(含 bundle-ownership 门)spec:6883 tests 全过turbo build --filter=@objectstack/plugin-auth:11/11 成功三仓协调
platform-sso.ts注册双格式 redirect_uri(新/api/v1/auth/callback/<provider>+ 旧/oauth2/callback/过渡)POST /sign-in/oauth2(1.7 已移除)迁到POST /sign-in/social,带旧路由 fallback.framework-sha(929efdf)已包含 better-auth 升级点 —— 如果 staging/prod 已滚过含该 pin 的镜像,平台 SSO 现在就是断的;三仓合并后需尽快一起 bump pin 部署。🤖 Generated with Claude Code