fix: support OAuth/SSO auth flows in webview blocks#3358
Conversation
Two related fixes so login flows can complete inside Wave web blocks instead of dead-ending with ERR_BLOCKED_BY_RESPONSE: 1. Don't treat sub-frame load failures as fatal (webview.tsx). Web apps load hidden iframes that are expected to fail - notably OAuth/OIDC silent-auth probes (response_mode=web_message, prompt=none), which the embedding page's Cross-Origin-Embedder-Policy blocks. A normal browser surfaces these only to the page's auth SDK (which then falls back to interactive login); Wave painted a fatal error overlay over the whole block on ANY did-fail-load, killing the flow before the fallback could run. Only show the overlay for main-frame failures. 2. Allow genuine popups for window.open with features (emain-tabview.ts). Popup-based SSO (e.g. GitHub/Microsoft) calls window.open(url, name, 'width=...') which Electron reports as disposition 'new-window'; these need a real popup window that preserves window.opener and the COOP browsing context. Rerouting them into a new web block severs both. Allow a real popup for that disposition while keeping ordinary link clicks routed to web blocks. Verified end-to-end with the DuckDB local UI MotherDuck (Auth0) sign-in. Refs wavetermdev#2764 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
WalkthroughThis PR updates webview handling in two places. In the main process, the webview setWindowOpenHandler now permits true Electron "new-window" popups only when details.features is non-empty, applying overrideBrowserWindowOptions (fixed width/height, autoHideMenuBar); other popup attempts are denied and forwarded via IPC, and did-create-window hides the popup menu bar. In the renderer WebView, did-fail-load now treats non-main-frame failures as non-fatal, logging a warning with the URL and error description instead of triggering fatal error UI or callbacks. Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 50f295f833
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
🧹 Nitpick comments (1)
emain/emain-tabview.ts (1)
322-337: 💤 Low valueLGTM!
The OAuth/SSO popup logic is correct and well-documented. The disposition check properly distinguishes popup-based auth flows from regular link navigation.
Optional UX enhancement: consider adding
center: truetooverrideBrowserWindowOptionsto position OAuth popups in the center of the screen for better visibility.Optional refinement
if (details.disposition === "new-window") { return { action: "allow", - overrideBrowserWindowOptions: { width: 600, height: 700, autoHideMenuBar: true }, + overrideBrowserWindowOptions: { + width: 600, + height: 700, + autoHideMenuBar: true, + center: true, + resizable: false + }, }; }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@emain/emain-tabview.ts` around lines 322 - 337, Update the popup window options returned in the new-window disposition branch so OAuth/SSO popups are centered: inside the if (details.disposition === "new-window") branch where you return overrideBrowserWindowOptions, add the center: true property to the options object (the one alongside width, height, autoHideMenuBar) so the popup opens centered on screen.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@emain/emain-tabview.ts`:
- Around line 322-337: Update the popup window options returned in the
new-window disposition branch so OAuth/SSO popups are centered: inside the if
(details.disposition === "new-window") branch where you return
overrideBrowserWindowOptions, add the center: true property to the options
object (the one alongside width, height, autoHideMenuBar) so the popup opens
centered on screen.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: c3df7a9b-ffb1-4745-b45e-5c1b102199da
📒 Files selected for processing (2)
emain/emain-tabview.tsfrontend/app/view/webview/webview.tsx
Electron's setWindowOpenHandler reports disposition "new-window" not only for scripted window.open(...) popups but also for shift+clicked links. Keying the allow case on disposition alone meant a shift-clicked link in a web block opened an unmanaged BrowserWindow instead of a Wave web block. OAuth/SSO popups always pass a window-features string (width/height); plain links carry none, so also require a non-empty details.features to allow a real popup. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
3 participants
Fixes #2764
Login flows that rely on OAuth/OIDC or popup-based SSO currently dead-end inside Wave web blocks with
ERR_BLOCKED_BY_RESPONSEinstead of completing. Two related changes fix this:1. Don't treat sub-frame load failures as fatal (
webview.tsx)Web apps routinely load hidden iframes that are expected to fail — notably OAuth/OIDC silent-auth probes (
response_mode=web_message,prompt=none), which the embedding page's Cross-Origin-Embedder-Policy blocks. A normal browser surfaces these only to the page's auth SDK, which then falls back to interactive login. Wave instead painted a fatal error overlay over the whole block on anydid-fail-load, killing the flow before the fallback could run. Now the overlay is only shown for main-frame failures; sub-frame failures are logged and suppressed.2. Allow genuine popups for
window.openwith features (emain-tabview.ts)Popup-based SSO (e.g. GitHub/Microsoft) calls
window.open(url, name, "width=..."), which Electron reports as dispositionnew-window. These need a real popup window that preserveswindow.openerand the COOP browsing context — rerouting them into a new web block severs both. This allows a real popup for thenew-windowdisposition while keeping ordinary link clicks routed to web blocks.Verification
Reproduced the DuckDB local UI → MotherDuck (Auth0) sign-in inside a web block on two builds: this branch, and upstream
main(baseline, neither fix). In both, the OIDC silent-auth probe (response_mode=web_message&prompt=none) is blocked by the embedder's COEP and fails withERR_BLOCKED_BY_RESPONSE— the difference is how Wave reacts to that sub-frame failure.Before — upstream
main(no fix). The host renderer treats the sub-frame failure as fatal and paints an error overlay over the whole block, killing the flow:After — this branch. The sub-frame failure is logged and suppressed; no overlay is shown, so the auth SDK's own fallback can run:
With the block no longer killed, the page's Auth0 SDK handles the blocked probe and the DuckDB UI keeps loading instead of dead-ending (web-block page console, fixed build):