Fix OAuth mobile app support with custom URL schemes

- Configure Doorkeeper to allow custom URL schemes (maybeapp://) - Disable force_ssl_in_redirect_uri to support non-HTTPS schemes - Add custom Doorkeeper views with mobile OAuth detection - Disable Turbo for mobile OAuth flows to prevent redirect interference - Add display parameter preservation through OAuth flow - Create custom Doorkeeper layouts with proper styling - Add comprehensive integration tests for mobile OAuth flows - Ensure all OAuth pages use proper doorkeeper/application layout This allows the mobile app to complete OAuth authorization flows without the web app interfering with custom URL scheme redirects. 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2026-04-19 12:04:08 +00:00 · 2025-06-18 05:38:23 -05:00
parent 404066eaa1
commit cba0bdf0e2
17 changed files with 513 additions and 4 deletions
--- a/test/integration/oauth_mobile_test.rb
+++ b/test/integration/oauth_mobile_test.rb
@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+class OauthMobileTest < ActionDispatch::IntegrationTest
+  setup do
+    @user = users(:empty)
+    sign_in(@user)
+
+    @oauth_app = Doorkeeper::Application.create!(
+      name: "Maybe Mobile App",
+      redirect_uri: "maybeapp://oauth/callback",
+      scopes: "read"
+    )
+  end
+
+  test "mobile oauth authorization with custom scheme redirect" do
+    get "/oauth/authorize", params: {
+      client_id: @oauth_app.uid,
+      redirect_uri: @oauth_app.redirect_uri,
+      response_type: "code",
+      scope: "read",
+      display: "mobile"
+    }
+
+    assert_response :success
+
+    # Check that Turbo is disabled in the form
+    assert_match(/data-turbo="false"/, response.body)
+    assert_match(/maybeapp:\/\/oauth\/callback/, response.body)
+  end
+
+  test "mobile oauth detects custom scheme in redirect_uri" do
+    get "/oauth/authorize", params: {
+      client_id: @oauth_app.uid,
+      redirect_uri: "maybeapp://oauth/callback",
+      response_type: "code",
+      scope: "read"
+    }
+
+    assert_response :success
+
+    # Should detect mobile flow from redirect_uri
+    assert_match(/data-turbo="false"/, response.body)
+  end
+
+  test "mobile oauth authorization flow completes successfully" do
+    post "/oauth/authorize", params: {
+      client_id: @oauth_app.uid,
+      redirect_uri: @oauth_app.redirect_uri,
+      response_type: "code",
+      scope: "read",
+      display: "mobile"
+    }
+
+    # Should redirect to the custom scheme
+    assert_response :redirect
+    assert response.location.start_with?("maybeapp://oauth/callback")
+  end
+
+  test "mobile oauth preserves display parameter through forms" do
+    get "/oauth/authorize", params: {
+      client_id: @oauth_app.uid,
+      redirect_uri: @oauth_app.redirect_uri,
+      response_type: "code",
+      scope: "read",
+      display: "mobile"
+    }
+
+    assert_response :success
+
+    # Check that display parameter is preserved in hidden fields
+    assert_match(/<input[^>]*name="display"[^>]*value="mobile"/, response.body)
+  end
+end