Skip to content

fix: oauth custom domains#10967

Merged
loks0n merged 1 commit into1.8.xfrom
fix-oauth-custom-domains
Dec 16, 2025
Merged

fix: oauth custom domains#10967
loks0n merged 1 commit into1.8.xfrom
fix-oauth-custom-domains

Conversation

@loks0n
Copy link
Copy Markdown
Member

@loks0n loks0n commented Dec 16, 2025

What does this PR do?

(Provide a description of what this PR does and why it's needed.)

Test Plan

(Write your test plan here. If you changed any code, please provide us with clear instructions on how you verified your changes work. Screenshots may also be helpful.)

Related PRs and Issues

  • (Related PR or issue)

Checklist

  • Have you read the Contributing Guidelines on issues?
  • If the PR includes a change to an API's metadata (desc, label, params, etc.), does it also include updated API specs and example docs?

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Dec 16, 2025
edited
Loading

📝 Walkthrough

Walkthrough

The changes modify the OAuth2 callback URL construction in the API account controller to use a protocol-aware base URL instead of directly using a platform endpoint. The new implementation dynamically builds the callback base from the request's protocol, hostname, and port, then constructs the full callback URL by appending the standard OAuth2 path pattern /v1/account/sessions/oauth2/callback/{provider}/{projectId}. This approach ensures correct URL formation across different deployment scenarios, including non-standard ports and HTTPS enforcement.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • OAuth2 security considerations: Verify the protocol/port-aware URL construction correctly handles HTTPS enforcement and prevents potential URL manipulation vulnerabilities
  • Callback URL composition logic: Review that the callback URL is correctly formed and used consistently across all OAuth2 flow entry points
  • Port handling: Confirm non-standard port composition (hostname:port) is properly implemented and tested across both HTTP and HTTPS scenarios
  • Consistency check: Verify all instances of OAuth2 redirect path generation have been updated to use the new base construction pattern

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
Check name Status Explanation Resolution
Description check ❓ Inconclusive The description only contains the PR template with placeholder sections unfilled, providing no meaningful information about the OAuth2 custom domain fix changes. Fill in the template sections, particularly 'What does this PR do?' and 'Test Plan', to explain the OAuth2 protocol/port-aware URL construction changes and how they were tested.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title 'fix: oauth custom domains' is specific and clearly related to the main change: fixing OAuth2 URL construction for custom domains by making it protocol and port-aware.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix-oauth-custom-domains

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Dec 16, 2025

Security Scan Results for PR

Docker Image Scan Results

Package Version Vulnerability Severity
libpng 1.6.51-r0 CVE-2025-66293 HIGH
libpng-dev 1.6.51-r0 CVE-2025-66293 HIGH

Source Code Scan Results

🎉 No vulnerabilities found!

coderabbitai[bot]
coderabbitai bot reviewed Dec 16, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
app/controllers/api/account.php (1)

1956-1965: Consider extracting the callback URL construction logic into a helper function.

This exact pattern for building a protocol-aware base URL with port handling is duplicated across multiple OAuth2 endpoints (lines 1294-1303, 1371-1378, 1407-1414, 1457-1465, 1990-1998). Extracting this into a helper function would improve maintainability and reduce the risk of inconsistencies.

Example refactor:

private function buildCallbackBase(Request $request): string {
    $protocol = System::getEnv('_APP_OPTIONS_FORCE_HTTPS') === 'disabled' ? 'http' : 'https';
    $port = $request->getPort();
    $callbackBase = $protocol . '://' . $request->getHostname();
    
    if ($protocol === 'https' && $port !== '443') {
        $callbackBase .= ':' . $port;
    } elseif ($protocol === 'http' && $port !== '80') {
        $callbackBase .= ':' . $port;
    }
    
    return $callbackBase;
}

Then use:

$callbackBase = $this->buildCallbackBase($request);
$callback = $callbackBase . '/v1/account/sessions/oauth2/callback/' . $provider . '/' . $project->getId();

Note: There's also an inconsistency at line 1991 where a similar check uses == instead of === for the FORCE_HTTPS comparison. Consider standardizing to === across the file.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 546cd65 and e8e4774.

📒 Files selected for processing (1)
  • app/controllers/api/account.php (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: moderate
  • GitHub Check: Setup & Build Appwrite Image
  • GitHub Check: Setup & Build Appwrite Image
  • GitHub Check: scan

@github-actions
Copy link
Copy Markdown

github-actions bot commented Dec 16, 2025

✨ Benchmark results

  • Requests per second: 1,081
  • Requests with 200 status code: 194,662
  • P99 latency: 0.178028133

⚡ Benchmark Comparison

Metric This PR Latest version
RPS 1,081 1,107
200 194,662 199,255
P99 0.178028133 0.184201421

@loks0n loks0n merged commit 1a09913 into 1.8.x Dec 16, 2025
42 of 43 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Meldiron Meldiron Meldiron approved these changes

+1 more reviewer

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@loks0n @Meldiron