larvit/plainpages
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

§6 comment cleanup (todo §6); tightened the OAuth2 handler comments in app.ts — the three sibling /oauth2/{login,consent,logout} blocks had drifted toward repeating the same prose. Trimmed the login block header (dropped derivable "looked up over Hydra's admin API" + condensed the provider-role line to "Provider-only.", matching the consent/logout blocks) and collapsed the consent 4xx→400/5xx→500 degrade comment to the one-liner the logout sibling already uses, so the canonical explanation lives once (the login block). §6 modules (hydra-admin/oauth-login/oauth-consent/admin-clients) were authored dense — no changes. Left intact: the logout GET-accept safety rationale (reviewer-requested), the EJS view config-doc headers, and the §6 README sections (authored concise in §6). README Status/_(planned)_/Layout refresh stays §9. typecheck + 279 units green.

Browse Source
This commit is contained in:
Lilleman auf Larv
2026-06-19 11:53:20 +02:00
parent 521c09fa2d
commit d011bf2589
2 changed files with 3 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/app.ts
View File

@@ -222,8 +222,7 @@ export function createApp(options: AppOptions = {}): Server {
// OAuth2 login challenge (§6): Hydra hands the browser here when another app logs in
// *through* us. Resolve it via the Kratos session and accept; an unauthenticated user
// bounces to our themed login and returns here once signed in. Challenge looked up over
// Hydra's admin API. Nothing first-party needs this — it's the OAuth2-provider role only.
// bounces to our themed login and returns here once signed in. Provider-only.
if (hydra && kratos && pathname === "/oauth2/login" && (method === "GET" || method === "HEAD")) {
const challenge = ctx.url.searchParams.get("login_challenge");
if (!challenge) {
@@ -288,8 +287,7 @@ export function createApp(options: AppOptions = {}): Server {
return;
}
} catch (err) {
// Stale/invalid/consumed challenge (Hydra 4xx — back button, slow login, re-used URL):
// recoverable 400, not a 500. A genuine Hydra outage (5xx) rethrows → 500.
// Stale/consumed challenge (Hydra 4xx) → recoverable 400; a genuine outage (5xx) → 500 (as /oauth2/login).
if (err instanceof HydraError && err.status < 500) {
res.writeHead(400, { "content-type": "text/plain; charset=utf-8" }).end("This authorization request has expired. Please start again from the application you were signing in to.");
return;