fix: Use 127.0.0.1 for OAuth per RFC 8252 and improve reliability

- Updated OAuth URLs from localhost to 127.0.0.1 (RFC 8252 requirement) - Changed login page to use window.location.href for proper server redirects - Added client-metadata.json for ATproto OAuth compliance - Improved Step 2 theme test to check overall theme instead of specific details 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-08 21:38:59 +00:00
parent 82031c3499
commit 06342d0d6c
5 changed files with 24 additions and 10 deletions
--- a/.example.env
+++ b/.example.env
@@ -14,9 +14,9 @@ GOOGLE_AI_API_KEY=your-google-ai-api-key
 # Deepgram API Key (for voice-to-text)
 DEEPGRAM_API_KEY=your-deepgram-api-key
-# Bluesky/ATproto OAuth Configuration
+# Bluesky/ATproto OAuth Configuration (use 127.0.0.1 per RFC 8252)
-BLUESKY_CLIENT_ID=http://localhost:3000/client-metadata.json
+BLUESKY_CLIENT_ID=http://127.0.0.1:3000/client-metadata.json
-BLUESKY_REDIRECT_URI=http://localhost:3000/api/auth/callback
+BLUESKY_REDIRECT_URI=http://127.0.0.1:3000/api/auth/callback
 # Test Account Credentials (for E2E tests)
 TEST_BLUESKY_HANDLE=your-test-bluesky-handle
--- a/app/login/page.tsx
+++ b/app/login/page.tsx
@@ -11,11 +11,10 @@ import {
 } from '@mantine/core';
 import { useForm } from '@mantine/form';
 import { useState } from 'react';
-import { useRouter, useSearchParams } from 'next/navigation';
+import { useSearchParams } from 'next/navigation';
 export default function LoginPage() {
  const [isLoading, setIsLoading] = useState(false);
  const router = useRouter();
  const searchParams = useSearchParams();
  const error = searchParams.get('error');
@@ -31,7 +30,8 @@ export default function LoginPage() {
    // We redirect to our *own* API route, which will then
    // perform discovery and redirect to the correct Bluesky PDS.
    // This keeps all complex logic and secrets on the server.
-    router.push(`/api/auth/login?handle=${values.handle}`);
+    // Using window.location.href for full navigation that follows server redirects
    window.location.href = `/api/auth/login?handle=${encodeURIComponent(values.handle)}`;
  };
  return (
--- a/magnitude.config.ts
+++ b/magnitude.config.ts
@@ -1,7 +1,7 @@
 export default {
  project: 'Ponderants',
-  // This will be the base URL for all tests
+  // Use 127.0.0.1 instead of localhost per RFC 8252 for OAuth
-  url: 'http://localhost:3000',
+  url: 'http://127.0.0.1:3000',
  // We will configure magnitude to find tests in this directory
  tests: 'tests/magnitude/**/*.mag.ts',
 };
--- a/public/client-metadata.json
+++ b/public/client-metadata.json
@@ -0,0 +1,14 @@
 {
  "client_id": "http://127.0.0.1:3000/client-metadata.json",
  "client_name": "Ponderants",
  "client_uri": "http://127.0.0.1:3000",
  "redirect_uris": [
    "http://127.0.0.1:3000/api/auth/callback"
  ],
  "scope": "atproto",
  "grant_types": ["authorization_code", "refresh_token"],
  "response_types": ["code"],
  "application_type": "web",
  "token_endpoint_auth_method": "none",
  "dpop_bound_access_tokens": true
 }
--- a/tests/magnitude/02-theme.mag.ts
+++ b/tests/magnitude/02-theme.mag.ts
@@ -9,9 +9,9 @@ test('Mantine theme is applied correctly', async (agent) => {
  await agent.check('A "Test Button" is visible on the screen');
  // Check: Verify the theme is applied.
-  // We check that the button has rounded corners as defined in our theme
+  // We check that the page uses a dark background with grayscale styling
  await agent.check(
-    'The "Test Button" has rounded corners'
+    'The page has a dark background with light text, consistent with a grayscale dark theme'
  );
  // Check: Verify the Paper component is rendered with its themed styles