feedback

brendan-kellam · brendan-kellam · commit 8ba9bb27b998 · 2026-03-04T17:17:11.000-08:00
diff --git a/packages/web/src/app/oauth/authorize/components/consentScreen.tsx b/packages/web/src/app/oauth/authorize/components/consentScreen.tsx
@@ -0,0 +1,116 @@
+'use client';
+
+import { approveAuthorization, denyAuthorization } from '@/ee/features/oauth/actions';
+import { LoadingButton } from '@/components/ui/loading-button';
+import { isServiceError } from '@/lib/utils';
+import { ClientIcon } from './clientIcon';
+import Image from 'next/image';
+import logo from '@/public/logo_512.png';
+import { useState } from 'react';
+
+interface ConsentScreenProps {
+    clientId: string;
+    clientName: string;
+    clientLogoUri: string | null;
+    redirectUri: string;
+    codeChallenge: string;
+    resource: string | null;
+    state: string | undefined;
+    userEmail: string;
+}
+
+export function ConsentScreen({
+    clientId,
+    clientName,
+    clientLogoUri,
+    redirectUri,
+    codeChallenge,
+    resource,
+    state,
+    userEmail,
+}: ConsentScreenProps) {
+    const [pending, setPending] = useState<'approve' | 'deny' | null>(null);
+
+    const onApprove = async () => {
+        setPending('approve');
+        const result = await approveAuthorization({ clientId, redirectUri, codeChallenge, resource, state });
+        if (isServiceError(result)) {
+            setPending(null);
+            return;
+        }
+        window.location.href = result;
+    };
+
+    const onDeny = async () => {
+        setPending('deny');
+        const result = await denyAuthorization({ redirectUri, state });
+        if (isServiceError(result)) {
+            setPending(null);
+            return;
+        }
+        window.location.href = result;
+    };
+
+    return (
+        <div className="w-full max-w-md rounded-lg border border-border bg-card p-8 shadow-sm">
+
+            {/* App icons */}
+            <div className="flex items-center justify-center gap-3 mb-6">
+                <ClientIcon name={clientName} logoUri={clientLogoUri} />
+                <svg className="w-4 h-4 text-muted-foreground" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={1.5}>
+                    <path strokeLinecap="round" strokeLinejoin="round" d="M8 7h8m0 0-3-3m3 3-3 3M16 17H8m0 0 3 3m-3-3 3-3" />
+                </svg>
+                <Image
+                    src={logo}
+                    alt="Sourcebot"
+                    width={70}
+                    height={70}
+                    className="shrink-0 rounded-xl object-cover"
+                />
+            </div>
+
+            {/* Title */}
+            <h1 className="text-lg font-semibold text-foreground mb-2">
+                <span className="font-bold">{clientName}</span> is requesting access to your Sourcebot account.
+            </h1>
+            <p className="text-sm text-muted-foreground text-center mb-6">
+                Logged in as <span className="font-medium">{userEmail}</span>
+            </p>
+
+            {/* Details table */}
+            <div className="mb-6 text-sm">
+                <p className="text-muted-foreground mb-2">Details</p>
+                <div className="rounded-md border border-border divide-y divide-border">
+                    <div className="flex px-4 py-2.5">
+                        <span className="font-medium text-foreground w-32 shrink-0">Name:</span>
+                        <span>{clientName}</span>
+                    </div>
+                    <div className="flex px-4 py-2.5">
+                        <span className="font-medium text-foreground w-32 shrink-0">Redirect URI:</span>
+                        <span className="break-all">{redirectUri}</span>
+                    </div>
+                </div>
+            </div>
+
+            {/* Actions */}
+            <div className="flex justify-end gap-3">
+                <LoadingButton
+                    variant="outline"
+                    onClick={onDeny}
+                    loading={pending === 'deny'}
+                    disabled={pending !== null}
+                >
+                    Cancel
+                </LoadingButton>
+                <LoadingButton
+                    onClick={onApprove}
+                    loading={pending === 'approve'}
+                    disabled={pending !== null}
+                >
+                    Approve
+                </LoadingButton>
+            </div>
+
+        </div>
+    );
+}
diff --git a/packages/web/src/app/oauth/authorize/page.tsx b/packages/web/src/app/oauth/authorize/page.tsx
@@ -1,13 +1,9 @@
 import { auth } from '@/auth';
-import { generateAndStoreAuthCode } from '@/ee/features/oauth/server';
 import { LogoutEscapeHatch } from '@/app/components/logoutEscapeHatch';
-import { ClientIcon } from './components/clientIcon';
-import { Button } from '@/components/ui/button';
+import { ConsentScreen } from './components/consentScreen';
 import { prisma } from '@/prisma';
 import { hasEntitlement } from '@sourcebot/shared';
 import { redirect } from 'next/navigation';
-import logo from '@/public/logo_512.png';
-import Image from 'next/image';
 
 interface AuthorizePageProps {
     searchParams: Promise<{
@@ -60,97 +56,19 @@ export default async function AuthorizePage({ searchParams }: AuthorizePageProps
         redirect(`/login?callbackUrl=${encodeURIComponent(callbackUrl)}`);
     }
 
-    // Server action: user approved the authorization request.
-    async function handleAllow() {
-        'use server';
-        const rawCode = await generateAndStoreAuthCode({
-            clientId: client_id!,
-            userId: session!.user.id,
-            redirectUri: redirect_uri!,
-            codeChallenge: code_challenge!,
-            resource: resource ?? null,
-        });
-
-        const callbackUrl = new URL(redirect_uri!);
-        callbackUrl.searchParams.set('code', rawCode);
-        if (state) callbackUrl.searchParams.set('state', state);
-        const isWebUrl = callbackUrl.protocol === 'http:' || callbackUrl.protocol === 'https:';
-        if (isWebUrl) {
-            redirect(callbackUrl.toString());
-        } else {
-            redirect(`/oauth/complete?url=${encodeURIComponent(callbackUrl.toString())}`);
-        }
-    }
-
-    // Server action: user denied the authorization request.
-    async function handleDeny() {
-        'use server';
-        const callbackUrl = new URL(redirect_uri!);
-        callbackUrl.searchParams.set('error', 'access_denied');
-        callbackUrl.searchParams.set('error_description', 'The user denied the authorization request.');
-        if (state) callbackUrl.searchParams.set('state', state);
-        const isWebUrl = callbackUrl.protocol === 'http:' || callbackUrl.protocol === 'https:';
-        if (isWebUrl) {
-            redirect(callbackUrl.toString());
-        } else {
-            redirect(`/oauth/complete?url=${encodeURIComponent(callbackUrl.toString())}`);
-        }
-    }
-
     return (
         <div className="relative min-h-screen flex items-center justify-center bg-background">
             <LogoutEscapeHatch className="absolute top-0 right-0 p-6" />
-            <div className="w-full max-w-md rounded-lg border border-border bg-card p-8 shadow-sm">
-
-                {/* App icons */}
-                <div className="flex items-center justify-center gap-3 mb-6">
-                    <ClientIcon name={client.name} logoUri={client.logoUri} />
-                    <svg className="w-4 h-4 text-muted-foreground" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={1.5}>
-                        <path strokeLinecap="round" strokeLinejoin="round" d="M8 7h8m0 0-3-3m3 3-3 3M16 17H8m0 0 3 3m-3-3 3-3" />
-                    </svg>
-                    <Image
-                        src={logo}
-                        alt="Sourcebot"
-                        width={70}
-                        height={70}
-                        className="shrink-0 rounded-xl object-cover"
-                    />
-                </div>
-
-                {/* Title */}
-                <h1 className="text-lg font-semibold text-foreground mb-2">
-                    <span className="font-bold">{client.name}</span> is requesting access to your Sourcebot account.
-                </h1>
-                <p className="text-sm text-muted-foreground text-center mb-6">
-                    Logged in as <span className="font-medium">{session.user.email}</span>
-                </p>
-
-                {/* Details table */}
-                <div className="mb-6 text-sm">
-                    <p className="text-muted-foreground mb-2">Details</p>
-                    <div className="rounded-md border border-border divide-y divide-border">
-                        <div className="flex px-4 py-2.5">
-                            <span className="font-medium text-foreground w-32 shrink-0">Name:</span>
-                            <span>{client.name}</span>
-                        </div>
-                        <div className="flex px-4 py-2.5">
-                            <span className="font-medium text-foreground w-32 shrink-0">Redirect URI:</span>
-                            <span className="break-all">{redirect_uri}</span>
-                        </div>
-                    </div>
-                </div>
-
-                {/* Actions */}
-                <div className="flex justify-end gap-3">
-                    <form action={handleDeny}>
-                        <Button type="submit" variant="outline">Cancel</Button>
-                    </form>
-                    <form action={handleAllow}>
-                        <Button type="submit">Approve</Button>
-                    </form>
-                </div>
-
-            </div>
+            <ConsentScreen
+                clientId={client_id!}
+                clientName={client.name}
+                clientLogoUri={client.logoUri}
+                redirectUri={redirect_uri!}
+                codeChallenge={code_challenge!}
+                resource={resource ?? null}
+                state={state}
+                userEmail={session!.user.email!}
+            />
         </div>
     );
 }
diff --git a/packages/web/src/ee/features/oauth/actions.ts b/packages/web/src/ee/features/oauth/actions.ts
@@ -0,0 +1,68 @@
+'use server';
+
+import { sew } from '@/actions';
+import { generateAndStoreAuthCode } from '@/ee/features/oauth/server';
+import { withAuthV2 } from '@/withAuthV2';
+
+/**
+ * Resolves the final URL to navigate to after an authorization decision.
+ * Non-web redirect URIs (e.g. custom schemes like vscode://) are wrapped in
+ * /oauth/complete so the browser can handle the handoff.
+ */
+function resolveCallbackUrl(callbackUrl: URL): string {
+    const isWebUrl = callbackUrl.protocol === 'http:' || callbackUrl.protocol === 'https:';
+    return isWebUrl
+        ? callbackUrl.toString()
+        : `/oauth/complete?url=${encodeURIComponent(callbackUrl.toString())}`;
+}
+
+/**
+ * Called when the user approves the OAuth authorization request. Generates an
+ * authorization code and returns the callback URL for the client to navigate to.
+ */
+export const approveAuthorization = async ({
+    clientId,
+    redirectUri,
+    codeChallenge,
+    resource,
+    state,
+}: {
+    clientId: string;
+    redirectUri: string;
+    codeChallenge: string;
+    resource: string | null;
+    state: string | undefined;
+}) => sew(() =>
+    withAuthV2(async ({ user }) => {
+        const rawCode = await generateAndStoreAuthCode({
+            clientId,
+            userId: user.id,
+            redirectUri,
+            codeChallenge,
+            resource,
+        });
+
+        const callbackUrl = new URL(redirectUri);
+        callbackUrl.searchParams.set('code', rawCode);
+        if (state) callbackUrl.searchParams.set('state', state);
+        return resolveCallbackUrl(callbackUrl);
+    }))
+
+/**
+ * Called when the user denies the OAuth authorization request. Returns the
+ * callback URL with an access_denied error for the client to navigate to.
+ */
+export const denyAuthorization = async ({
+    redirectUri,
+    state,
+}: {
+    redirectUri: string;
+    state: string | undefined;
+}) => sew(() =>
+    withAuthV2(async () => {
+        const callbackUrl = new URL(redirectUri);
+        callbackUrl.searchParams.set('error', 'access_denied');
+        callbackUrl.searchParams.set('error_description', 'The user denied the authorization request.');
+        if (state) callbackUrl.searchParams.set('state', state);
+        return resolveCallbackUrl(callbackUrl);
+    }))
