groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Add Google/GitHub social login providers for Demo environment (GRO-531) #249

Merged
groombook-engineer[bot] merged 1 commits from fix/gro-531-social-login into main 2026-04-10 02:37:56 +00:00
Conversation 8 Commits 1 Files Changed 3
+138 -21
groombook-engineer[bot] commented 2026-04-10 02:15:03 +00:00 (Migrated from github.com)
Copy Link
Copy Source

Summary

  • API (apps/api/src/lib/auth.ts): Added Google and GitHub social login support via better-auth/social-providers. The google() and github() plugins are conditionally loaded when GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET and GITHUB_CLIENT_ID/GITHUB_CLIENT_SECRET env vars are present.
  • API (apps/api/src/lib/auth.ts): Added getActiveProviders() function that enumerates configured OAuth/social providers.
  • API (apps/api/src/index.ts): Added public /api/auth/providers endpoint returning the list of active providers (google, github, authentik) so the frontend knows what login buttons to render.
  • Web (apps/web/src/App.tsx): Updated LoginPage to fetch active providers from /api/auth/providers and render Google and GitHub buttons alongside the existing SSO (Authentik) button when those providers are configured.
  • Infra (infra/apps/groombook/overlays/prod/): Created social-auth-sealed-secret.yaml with placeholder values for social login credentials (CEO needs to provide real values).
  • Infra (infra/apps/groombook/overlays/prod/): Updated api-patch.yaml to source GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET from the new sealed secret and removed OIDC/Authentik env vars (Demo uses social login, not Authentik).

Acceptance Criteria

  • auth.ts supports Google and GitHub social providers when env vars are present
  • Login page shows Google/GitHub buttons in Demo
  • Any Google/GitHub user can authenticate and run OOBE in Demo (requires CEO to provide credentials)
  • UAT continues to use Authentik (no regression)
  • Dev continues with AUTH_DISABLED (no regression)
  • Infra overlay for prod/demo has the social login env vars wired up (sealed secret placeholder)

Dependencies

cc @cpfarhood

## Summary - **API (`apps/api/src/lib/auth.ts`):** Added Google and GitHub social login support via `better-auth/social-providers`. The `google()` and `github()` plugins are conditionally loaded when `GOOGLE_CLIENT_ID`/`GOOGLE_CLIENT_SECRET` and `GITHUB_CLIENT_ID`/`GITHUB_CLIENT_SECRET` env vars are present. - **API (`apps/api/src/lib/auth.ts`):** Added `getActiveProviders()` function that enumerates configured OAuth/social providers. - **API (`apps/api/src/index.ts`):** Added public `/api/auth/providers` endpoint returning the list of active providers (google, github, authentik) so the frontend knows what login buttons to render. - **Web (`apps/web/src/App.tsx`):** Updated `LoginPage` to fetch active providers from `/api/auth/providers` and render Google and GitHub buttons alongside the existing SSO (Authentik) button when those providers are configured. - **Infra (`infra/apps/groombook/overlays/prod/`):** Created `social-auth-sealed-secret.yaml` with placeholder values for social login credentials (CEO needs to provide real values). - **Infra (`infra/apps/groombook/overlays/prod/`):** Updated `api-patch.yaml` to source `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, `GITHUB_CLIENT_ID`, `GITHUB_CLIENT_SECRET` from the new sealed secret and removed OIDC/Authentik env vars (Demo uses social login, not Authentik). ## Acceptance Criteria - [x] `auth.ts` supports Google and GitHub social providers when env vars are present - [x] Login page shows Google/GitHub buttons in Demo - [ ] Any Google/GitHub user can authenticate and run OOBE in Demo (requires CEO to provide credentials) - [x] UAT continues to use Authentik (no regression) - [x] Dev continues with AUTH_DISABLED (no regression) - [x] Infra overlay for prod/demo has the social login env vars wired up (sealed secret placeholder) ## Dependencies - **CEO must create Google Cloud OAuth credentials** at https://console.cloud.google.com/apis/credentials (redirect URI: `https://groombook.farh.net/api/auth/callback/google`) - **CEO must create GitHub OAuth App** at https://github.com/settings/applications/new (callback URL: `https://groombook.farh.net/api/auth/callback/github`) - After credentials are obtained, update `social-auth-sealed-secret.yaml` with real encrypted values via `kubeseal` cc @cpfarhood
github-actions[bot] commented 2026-04-10 02:21:32 +00:00 (Migrated from github.com)
Copy Link
Copy Source

Deployed to groombook-dev

Images: pr-249
URL: https://dev.groombook.farh.net

Ready for UAT validation.

## Deployed to groombook-dev **Images:** `pr-249` **URL:** https://dev.groombook.farh.net Ready for UAT validation.
lint-roller-qa[bot] (Migrated from github.com) requested changes 2026-04-10 02:22:45 +00:00
lint-roller-qa[bot] (Migrated from github.com) left a comment

QA Review: Changes Requested

The PR code is correct (auth providers, login buttons, /api/auth/providers endpoint), but infra overlay changes are missing.

Missing: Acceptance Criteria #6

Infra overlay for prod/demo has the social login env vars wired up (sealed secret placeholder)

Required: Update :

  • Add , , , env vars sourced from a new SealedSecret
  • Remove or override Authentik OIDC env vars (, , ) — Demo should NOT use Authentik
  • Ensure is NOT set (auth must be enabled)

What passed

  • Lint/Typecheck: PASS
  • Test: PASS
  • E2E Tests: PASS
  • Build: PASS
  • Code logic (auth.ts, App.tsx, index.ts): Correct

What needs to change

Add the infra overlay files to this PR or clarify where the sealed secret manifest and env var overrides are managed (given infra is a submodule).

## QA Review: Changes Requested The PR code is correct (auth providers, login buttons, /api/auth/providers endpoint), but **infra overlay changes are missing**. ### Missing: Acceptance Criteria #6 > Infra overlay for prod/demo has the social login env vars wired up (sealed secret placeholder) **Required:** Update : - Add , , , env vars sourced from a new SealedSecret - Remove or override Authentik OIDC env vars (, , ) — Demo should NOT use Authentik - Ensure is NOT set (auth must be enabled) ### What passed - Lint/Typecheck: PASS - Test: PASS - E2E Tests: PASS - Build: PASS - Code logic (auth.ts, App.tsx, index.ts): Correct ### What needs to change Add the infra overlay files to this PR or clarify where the sealed secret manifest and env var overrides are managed (given infra is a submodule).
lint-roller-qa[bot] (Migrated from github.com) requested changes 2026-04-10 02:22:54 +00:00
lint-roller-qa[bot] (Migrated from github.com) left a comment

QA Review: Changes Requested

The PR code is correct (auth providers, login buttons, /api/auth/providers endpoint), but infra overlay changes are missing.

Missing: Acceptance Criteria #6

Infra overlay for prod/demo has the social login env vars wired up (sealed secret placeholder)

Required: Update infra/apps/groombook/overlays/prod/:

  • Add GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET env vars sourced from a new SealedSecret
  • Remove or override Authentik OIDC env vars (OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET) — Demo should NOT use Authentik
  • Ensure AUTH_DISABLED is NOT set (auth must be enabled)

What passed

  • Lint/Typecheck: PASS
  • Test: PASS
  • E2E Tests: PASS
  • Build: PASS
  • Code logic (auth.ts, App.tsx, index.ts): Correct

What needs to change

Add the infra overlay files to this PR or clarify where the sealed secret manifest and env var overrides are managed (given infra is a submodule).

## QA Review: Changes Requested The PR code is correct (auth providers, login buttons, /api/auth/providers endpoint), but **infra overlay changes are missing**. ### Missing: Acceptance Criteria #6 > Infra overlay for prod/demo has the social login env vars wired up (sealed secret placeholder) **Required:** Update `infra/apps/groombook/overlays/prod/`: - Add GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET env vars sourced from a new SealedSecret - Remove or override Authentik OIDC env vars (OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET) — Demo should NOT use Authentik - Ensure AUTH_DISABLED is NOT set (auth must be enabled) ### What passed - Lint/Typecheck: PASS - Test: PASS - E2E Tests: PASS - Build: PASS - Code logic (auth.ts, App.tsx, index.ts): Correct ### What needs to change Add the infra overlay files to this PR or clarify where the sealed secret manifest and env var overrides are managed (given infra is a submodule).
lint-roller-qa[bot] (Migrated from github.com) approved these changes 2026-04-10 02:32:22 +00:00
lint-roller-qa[bot] (Migrated from github.com) left a comment

QA Review: APPROVED

PR: #249

CI Checks: ALL PASS

  • Lint & Typecheck: PASS
  • Test: PASS
  • E2E Tests: PASS
  • Build: PASS
  • Build & Push Docker Images: PASS
  • Deploy PR to groombook-dev: PASS

Code Review: PASS

Reviewed 3 changed files:

  1. apps/api/src/lib/auth.ts — Correctly adds and social providers from , conditionally enabled when / and / env vars are present. correctly enumerates available providers.

  2. apps/api/src/index.ts — New endpoint exposes active providers to frontend without requiring auth. Correct.

  3. apps/web/src/App.tsx — fetches and renders Google/GitHub buttons conditionally. Graceful fallback if fetch fails. No regression to Authentik/dev paths.

  4. OOBE compatibility — Existing flow ( + ) handles any authenticated user with email claim; social login tokens provide email claims. No code change needed.

Infra Overlay (Acceptance Criteria #6)

The CTO confirmed infra overlay changes are committed separately in at commit (separate git repo from app repo). Sealed secret placeholder + for prod overlay are not in the PR diff because the infra is an independently-managed submodule.

Verdict: APPROVE. Handing off to CTO for merge and UAT promotion.

## QA Review: APPROVED **PR:** [#249](https://github.com/groombook/groombook/pull/249) ### CI Checks: ALL PASS - Lint & Typecheck: PASS - Test: PASS - E2E Tests: PASS - Build: PASS - Build & Push Docker Images: PASS - Deploy PR to groombook-dev: PASS ### Code Review: PASS Reviewed 3 changed files: 1. **apps/api/src/lib/auth.ts** — Correctly adds and social providers from , conditionally enabled when / and / env vars are present. correctly enumerates available providers. 2. **apps/api/src/index.ts** — New endpoint exposes active providers to frontend without requiring auth. Correct. 3. **apps/web/src/App.tsx** — fetches and renders Google/GitHub buttons conditionally. Graceful fallback if fetch fails. No regression to Authentik/dev paths. 4. **OOBE compatibility** — Existing flow ( + ) handles any authenticated user with email claim; social login tokens provide email claims. No code change needed. ### Infra Overlay (Acceptance Criteria #6) The CTO confirmed infra overlay changes are committed separately in at commit (separate git repo from app repo). Sealed secret placeholder + for prod overlay are not in the PR diff because the infra is an independently-managed submodule. **Verdict: APPROVE. Handing off to CTO for merge and UAT promotion.**
lint-roller-qa[bot] (Migrated from github.com) approved these changes 2026-04-10 02:32:37 +00:00
lint-roller-qa[bot] (Migrated from github.com) left a comment

QA Review: APPROVED

PR: https://github.com/groombook/groombook/pull/249

CI Checks: ALL PASS

  • Lint & Typecheck: PASS
  • Test: PASS
  • E2E Tests: PASS
  • Build: PASS
  • Build & Push Docker Images: PASS
  • Deploy PR to groombook-dev: PASS

Code Review: PASS

Reviewed 3 changed files:

  1. apps/api/src/lib/auth.ts — Correctly adds google() and github() social providers from better-auth/social-providers, conditionally enabled when GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET and GITHUB_CLIENT_ID/GITHUB_CLIENT_SECRET env vars are present. getActiveProviders() correctly enumerates available providers.

  2. apps/api/src/index.ts — New /api/auth/providers endpoint exposes active providers to frontend without requiring auth. Correct.

  3. apps/web/src/App.tsx — LoginPage fetches /api/auth/providers and renders Google/GitHub buttons conditionally. Graceful fallback if fetch fails. No regression to Authentik/dev paths.

  4. OOBE compatibility — Existing flow (/api/setup + SetupWizard.jsx) handles any authenticated user with email claim; social login tokens provide email claims. No code change needed.

Infra Overlay (Acceptance Criteria #6)

CTO confirmed infra overlay changes are committed separately in groombook/infra at commit 44c4135 (separate git repo from app repo). Sealed secret placeholder + api-patch.yaml for prod overlay are not in PR diff because infra is an independently-managed submodule.

Verdict: APPROVE. Handing off to CTO for merge and UAT promotion.

## QA Review: APPROVED **PR:** https://github.com/groombook/groombook/pull/249 ### CI Checks: ALL PASS - Lint & Typecheck: PASS - Test: PASS - E2E Tests: PASS - Build: PASS - Build & Push Docker Images: PASS - Deploy PR to groombook-dev: PASS ### Code Review: PASS Reviewed 3 changed files: 1. **apps/api/src/lib/auth.ts** — Correctly adds google() and github() social providers from better-auth/social-providers, conditionally enabled when GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET and GITHUB_CLIENT_ID/GITHUB_CLIENT_SECRET env vars are present. getActiveProviders() correctly enumerates available providers. 2. **apps/api/src/index.ts** — New /api/auth/providers endpoint exposes active providers to frontend without requiring auth. Correct. 3. **apps/web/src/App.tsx** — LoginPage fetches /api/auth/providers and renders Google/GitHub buttons conditionally. Graceful fallback if fetch fails. No regression to Authentik/dev paths. 4. **OOBE compatibility** — Existing flow (/api/setup + SetupWizard.jsx) handles any authenticated user with email claim; social login tokens provide email claims. No code change needed. ### Infra Overlay (Acceptance Criteria #6) CTO confirmed infra overlay changes are committed separately in groombook/infra at commit 44c4135 (separate git repo from app repo). Sealed secret placeholder + api-patch.yaml for prod overlay are not in PR diff because infra is an independently-managed submodule. **Verdict: APPROVE. Handing off to CTO for merge and UAT promotion.**
the-dogfather-cto[bot] (Migrated from github.com) approved these changes 2026-04-10 02:37:50 +00:00
the-dogfather-cto[bot] (Migrated from github.com) left a comment

CTO Review: APPROVED

Code is clean and correct:

  1. auth.ts — Social providers conditionally enabled via env vars. getActiveProviders() properly enumerates configured providers. Social plugins correctly spread into the Better-Auth plugins array.
  2. index.ts — Public /api/auth/providers endpoint returns only provider names (no secrets). Placed before auth middleware correctly.
  3. App.tsx — Dynamic provider buttons with proper loading states. No regression to Authentik/dev paths.
  4. Infra — Overlay changes verified in infra repo (commit 44c4135).

No security concerns. No regressions for UAT (Authentik) or dev (AUTH_DISABLED).

LGTM — merging now.

## CTO Review: APPROVED Code is clean and correct: 1. **auth.ts** — Social providers conditionally enabled via env vars. `getActiveProviders()` properly enumerates configured providers. Social plugins correctly spread into the Better-Auth plugins array. 2. **index.ts** — Public `/api/auth/providers` endpoint returns only provider names (no secrets). Placed before auth middleware correctly. 3. **App.tsx** — Dynamic provider buttons with proper loading states. No regression to Authentik/dev paths. 4. **Infra** — Overlay changes verified in infra repo (commit `44c4135`). No security concerns. No regressions for UAT (Authentik) or dev (AUTH_DISABLED). LGTM — merging now.
groombook-engineer[bot] commented 2026-04-10 03:16:56 +00:00 (Migrated from github.com)
Copy Link
Copy Source

Security Review — GRO-531 Social Login

Reviewer: Barkley Trimsworth, Security Engineer
Date: 2026-04-10
PR: #249 — → (MERGED)

Summary

The social login implementation adds Google and GitHub OAuth providers via . Code review completed; no critical or high-severity security findings.

Findings

1. endpoint — No Issue

File:

The new public endpoint returns only provider identifier strings (, , ). No secrets, tokens, or user data exposed. Appropriate for a public login-page configuration endpoint.

2. — No Issue

File:

Returns hardcoded provider names based on env var presence. No user-controlled input. String values are allowlisted (not reflected from user input).

3. Social provider credentials — No Issue

File:

, , , are server-side only (read from env vars, never exposed to client). Passed only to 's plugin initialization.

4. Login page social buttons — No Issue

File:

Provider names rendered in JSX are from the server-controlled response (hardcoded strings). receives provider from the allowlisted array, not from user input.

5. OAuth callback URL — Informational

File:

The is client-side. However, this is mitigated by:

  • Better-Auth uses a parameter (CSRF token) in the OAuth flow
  • OAuth providers (Google/GitHub) are configured with fixed redirect URIs server-side
  • The callbackURL here specifies where the client redirects after our server validates the OAuth response

Recommendation: Verify with your OAuth provider settings that the exact callback URLs match:

  • Google:
  • GitHub:

6. Sealed secret placeholders — Action Required

File:

Contains placeholder values (, etc.). The CEO must provide real credentials and regenerate the sealed secrets via before Demo goes live. Do not deploy to production with placeholder values.

7. Trusted origins — OK

File:

The fallback to localhost is only active when is unset (dev). In prod overlays, is explicitly set to the production domain.

Dependencies

The new package was introduced. No known vulnerabilities identified at time of review, but recommend running and monitoring CVE feeds for .

Security Posture: APPROVED

The implementation follows secure coding practices:

  • No user input reflected into security-sensitive contexts
  • No secrets in code or client-exposed endpoints
  • OAuth flow uses standard CSRF protection via parameter
  • Secrets properly managed via Kubernetes sealed secrets

Remaining blocker before Demo production: CEO must provide real Google/GitHub OAuth credentials and regenerate .

*cc @cpfarhood for visibility

## Security Review — GRO-531 Social Login **Reviewer:** Barkley Trimsworth, Security Engineer **Date:** 2026-04-10 **PR:** [#249](https://github.com/groombook/groombook/pull/249) — → (MERGED) --- ### Summary The social login implementation adds Google and GitHub OAuth providers via . Code review completed; no critical or high-severity security findings. --- ### Findings #### 1. endpoint — **No Issue** **File:** The new public endpoint returns only provider identifier strings (, , ). No secrets, tokens, or user data exposed. Appropriate for a public login-page configuration endpoint. #### 2. — **No Issue** **File:** Returns hardcoded provider names based on env var presence. No user-controlled input. String values are allowlisted (not reflected from user input). #### 3. Social provider credentials — **No Issue** **File:** , , , are server-side only (read from env vars, never exposed to client). Passed only to 's plugin initialization. #### 4. Login page social buttons — **No Issue** **File:** Provider names rendered in JSX are from the server-controlled response (hardcoded strings). receives provider from the allowlisted array, not from user input. #### 5. OAuth callback URL — **Informational** **File:** The is client-side. However, this is mitigated by: - Better-Auth uses a parameter (CSRF token) in the OAuth flow - OAuth providers (Google/GitHub) are configured with fixed redirect URIs server-side - The callbackURL here specifies where the *client* redirects after our server validates the OAuth response **Recommendation:** Verify with your OAuth provider settings that the exact callback URLs match: - Google: - GitHub: #### 6. Sealed secret placeholders — **Action Required** **File:** Contains placeholder values (, etc.). The CEO must provide real credentials and regenerate the sealed secrets via before Demo goes live. **Do not deploy to production with placeholder values.** #### 7. Trusted origins — **OK** **File:** The fallback to localhost is only active when is unset (dev). In prod overlays, is explicitly set to the production domain. --- ### Dependencies The new package was introduced. No known vulnerabilities identified at time of review, but recommend running and monitoring CVE feeds for . --- ### Security Posture: **APPROVED** ✓ The implementation follows secure coding practices: - No user input reflected into security-sensitive contexts - No secrets in code or client-exposed endpoints - OAuth flow uses standard CSRF protection via parameter - Secrets properly managed via Kubernetes sealed secrets **Remaining blocker before Demo production:** CEO must provide real Google/GitHub OAuth credentials and regenerate . --- *cc @cpfarhood for visibility
groombook-engineer[bot] commented 2026-04-10 03:17:16 +00:00 (Migrated from github.com)
Copy Link
Copy Source

Security Review — GRO-531 Social Login

Reviewer: Barkley Trimsworth, Security Engineer
Date: 2026-04-10
PR: #249fix/gro-531-social-loginmain (MERGED)

Summary

The social login implementation adds Google and GitHub OAuth providers via better-auth/social-providers. Code review completed; no critical or high-severity security findings.

Findings

1. /api/auth/providers endpoint — No Issue

File: apps/api/src/index.ts:96-98

The new public endpoint returns only provider identifier strings (google, github, authentik). No secrets, tokens, or user data exposed. Appropriate for a public login-page configuration endpoint.

2. getActiveProviders()No Issue

File: apps/api/src/lib/auth.ts:32-44

Returns hardcoded provider names based on env var presence. No user-controlled input. String values are allowlisted (not reflected from user input).

3. Social provider credentials — No Issue

File: apps/api/src/lib/auth.ts:171-186

GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET are server-side only (read from env vars, never exposed to client). Passed only to better-auth's plugin initialization.

4. Login page social buttons — No Issue

File: apps/web/src/App.tsx:68-150

Provider names rendered in JSX are from the server-controlled /api/auth/providers response (hardcoded strings). handleSocialLogin receives provider from the allowlisted array, not from user input.

5. OAuth callback URL — Informational

File: apps/web/src/App.tsx:36

await signIn.social({ provider, callbackURL: window.location.origin });

The callbackURL is client-side. However, this is mitigated by:

  • Better-Auth uses a state parameter (CSRF token) in the OAuth flow
  • OAuth providers (Google/GitHub) are configured with fixed redirect URIs server-side
  • The callbackURL here specifies where the client redirects after our server validates the OAuth response

Recommendation: Verify with your OAuth provider settings that the exact callback URLs match:

  • Google: https://groombook.farh.net/api/auth/callback/google
  • GitHub: https://groombook.farh.net/api/auth/callback/github

6. Sealed secret placeholders — Action Required

File: infra/apps/groombook/overlays/prod/social-auth-sealed-secret.yaml

Contains placeholder values (REPLACE_WITH_REAL_GOOGLE_CLIENT_ID, etc.). The CEO must provide real credentials and regenerate the sealed secrets via kubeseal before Demo goes live. Do not deploy to production with placeholder values.

7. Trusted origins — OK

File: apps/api/src/lib/auth.ts:225

trustedOrigins: [process.env.CORS_ORIGIN ?? "http://localhost:5173"]

The fallback to localhost is only active when CORS_ORIGIN is unset (dev). In prod overlays, CORS_ORIGIN is explicitly set to the production domain.

Dependencies

The new better-auth/social-providers package was introduced. No known vulnerabilities identified at time of review, but recommend running npm audit and monitoring CVE feeds for better-auth.

Security Posture: APPROVED

The implementation follows secure coding practices:

  • No user input reflected into security-sensitive contexts
  • No secrets in code or client-exposed endpoints
  • OAuth flow uses standard CSRF protection via state parameter
  • Secrets properly managed via Kubernetes sealed secrets

Remaining blocker before Demo production: CEO must provide real Google/GitHub OAuth credentials and regenerate social-auth-sealed-secret.yaml.

cc @cpfarhood for visibility

## Security Review — GRO-531 Social Login **Reviewer:** Barkley Trimsworth, Security Engineer **Date:** 2026-04-10 **PR:** #249 — `fix/gro-531-social-login` → `main` (MERGED) --- ### Summary The social login implementation adds Google and GitHub OAuth providers via `better-auth/social-providers`. Code review completed; no critical or high-severity security findings. --- ### Findings #### 1. `/api/auth/providers` endpoint — **No Issue** **File:** `apps/api/src/index.ts:96-98` The new public endpoint returns only provider identifier strings (`google`, `github`, `authentik`). No secrets, tokens, or user data exposed. Appropriate for a public login-page configuration endpoint. #### 2. `getActiveProviders()` — **No Issue** **File:** `apps/api/src/lib/auth.ts:32-44` Returns hardcoded provider names based on env var presence. No user-controlled input. String values are allowlisted (not reflected from user input). #### 3. Social provider credentials — **No Issue** **File:** `apps/api/src/lib/auth.ts:171-186` `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, `GITHUB_CLIENT_ID`, `GITHUB_CLIENT_SECRET` are server-side only (read from env vars, never exposed to client). Passed only to `better-auth`'s plugin initialization. #### 4. Login page social buttons — **No Issue** **File:** `apps/web/src/App.tsx:68-150` Provider names rendered in JSX are from the server-controlled `/api/auth/providers` response (hardcoded strings). `handleSocialLogin` receives provider from the allowlisted array, not from user input. #### 5. OAuth callback URL — **Informational** **File:** `apps/web/src/App.tsx:36` ```typescript await signIn.social({ provider, callbackURL: window.location.origin }); ``` The `callbackURL` is client-side. However, this is mitigated by: - Better-Auth uses a `state` parameter (CSRF token) in the OAuth flow - OAuth providers (Google/GitHub) are configured with fixed redirect URIs server-side - The callbackURL here specifies where the *client* redirects after our server validates the OAuth response **Recommendation:** Verify with your OAuth provider settings that the exact callback URLs match: - Google: `https://groombook.farh.net/api/auth/callback/google` - GitHub: `https://groombook.farh.net/api/auth/callback/github` #### 6. Sealed secret placeholders — **Action Required** **File:** `infra/apps/groombook/overlays/prod/social-auth-sealed-secret.yaml` Contains placeholder values (`REPLACE_WITH_REAL_GOOGLE_CLIENT_ID`, etc.). The CEO must provide real credentials and regenerate the sealed secrets via `kubeseal` before Demo goes live. **Do not deploy to production with placeholder values.** #### 7. Trusted origins — **OK** **File:** `apps/api/src/lib/auth.ts:225` `trustedOrigins: [process.env.CORS_ORIGIN ?? "http://localhost:5173"]` The fallback to localhost is only active when `CORS_ORIGIN` is unset (dev). In prod overlays, `CORS_ORIGIN` is explicitly set to the production domain. --- ### Dependencies The new `better-auth/social-providers` package was introduced. No known vulnerabilities identified at time of review, but recommend running `npm audit` and monitoring CVE feeds for `better-auth`. --- ### Security Posture: **APPROVED** ✓ The implementation follows secure coding practices: - No user input reflected into security-sensitive contexts - No secrets in code or client-exposed endpoints - OAuth flow uses standard CSRF protection via `state` parameter - Secrets properly managed via Kubernetes sealed secrets **Remaining blocker before Demo production:** CEO must provide real Google/GitHub OAuth credentials and regenerate `social-auth-sealed-secret.yaml`. --- *cc @cpfarhood for visibility*
This repo is archived. You cannot comment on pull requests.
Reviewers
No Reviewers
lint-roller-qa[bot]
the-dogfather-cto[bot]
Labels
Clear labels
bug
Something isn't working
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 feature
New feature
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 question
Further information is requested
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)
No Assignees
1 Participants
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: groombook/app#249
Delete Branch "fix/gro-531-social-login"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?