Skip to content

feat: add OAuth 2.0 login with PKCE#236

Closed
kolaente wants to merge 16 commits intomainfrom
feat-oauth-login
Closed

feat: add OAuth 2.0 login with PKCE#236
kolaente wants to merge 16 commits intomainfrom
feat-oauth-login

Conversation

@kolaente
Copy link
Copy Markdown
Member

@kolaente kolaente commented Feb 26, 2026

Summary

  • Add OAuth 2.0 Authorization Code with PKCE login flow, enabling users to authenticate via a system browser alongside existing username/password and webview login methods
  • Implement proactive token refresh via onBeforeRequest hook in Client, with serialized concurrent refresh handling
  • Support OAuth session restoration on cold start with automatic token refresh

Changes

New files

  • lib/data/data_sources/oauth_data_source.dart — PKCE generation, authorization URL builder, token exchange/refresh via form-encoded HTTP
  • lib/data/models/oauth_token_response.dart — OAuth token response DTO
  • test/oauth_data_source_test.dart — Tests for PKCE and URL builder (8 tests)
  • test/settings_datasource_oauth_test.dart — Tests for new storage methods (8 tests)

Modified files

  • pubspec.yaml — Added crypto and app_links dependencies
  • AndroidManifest.xml / Info.plist — Registered vikunja://callback deep link scheme
  • settings_data_source.dart / settings_repository.dart / settings_repository_impl.dart — Added refresh token, token expiry, and auth type storage
  • client.dart — Added token setter and onBeforeRequest hook (1 new test)
  • network_provider.dart — Added OAuthTokenManager notifier, AuthData.updateToken(), wired refresh into ClientProvider
  • data_source_provider.dart — Added oAuthDataSource provider
  • login_page.dart — OAuth button, deep link listener, PKCE flow, callback handler, auth-type persistence
  • init_page.dart — OAuth session restoration with token refresh on cold start

Test plan

  • Happy path: Enter server URL → tap "Login with OAuth" → browser opens → log in → app receives callback → navigated to home → tasks load
  • Already logged in browser: If browser has an active Vikunja session, the redirect should be immediate
  • Token refresh: Wait for token expiry → make an API call → should auto-refresh without user interaction
  • Cold start restoration: Force-kill the app → reopen → should auto-restore the OAuth session (refreshing if needed)
  • Session expiry: Expired refresh token → open app → refresh fails → redirected to login
  • Password login still works: Username/password login should work exactly as before
  • WebView login still works: "Login with Frontend" should work exactly as before
  • Cancel flow: Tap "Login with OAuth" → navigate away in browser → return to app → still on login page

@kolaente
feat(oauth): add crypto and app_links dependencies
1ad5925
@kolaente
feat(oauth): register vikunja:// deep link URL scheme
0c63af9
@kolaente
feat(oauth): add refresh token and expiry storage to SettingsDatasource
ec8b2bf
@kolaente
feat(oauth): add OAuthTokenResponse DTO
920c1ec
@kolaente
feat(oauth): add OAuthDataSource with PKCE, URL builder, token exchan…
f696aca 
…ge/refresh
@kolaente
feat(oauth): add token setter and onBeforeRequest hook to Client
8858950
@kolaente
feat(oauth): add OAuthTokenManager and proactive refresh in ClientPro…
9505393 
…vider
@kolaente
feat(oauth): add OAuth login button and callback handler to LoginPage
1f2bf27
@kolaente
feat(oauth): restore OAuth session on cold start with token refresh
cb2b607
@kolaente
feat(oauth): persist auth-type for password logins
d08d398
@kolaente
chore: regenerate riverpod providers
2925e99
@kolaente
feat(login): simplify login page to OAuth-only flow
c27baad 
Remove password login, webview login, registration, and TOTP flows.
The login page now shows only the server URL input, a single
"Login or sign up" button that launches the OAuth browser flow,
and the ignore certificates checkbox.
kolaente
kolaente commented Feb 26, 2026
View reviewed changes
lib/presentation/pages/login/login_page.dart
// Persist tokens
final settingsRepo = ref.read(settingsRepositoryProvider);
await settingsRepo.saveUserToken(tokens.accessToken);
await settingsRepo.saveRefreshToken(tokens.refreshToken);
Copy link
Copy Markdown
Member Author

@kolaente kolaente Feb 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These tokens should be treated like credentials and stored as secrets

test/oauth_data_source_test.dart
final challenge = OAuthDataSource.generateCodeChallenge(verifier);

// Manually compute expected: base64url(sha256(verifier)) without padding
final digest = sha256.convert(utf8.encode(verifier));
Copy link
Copy Markdown
Member Author

@kolaente kolaente Feb 26, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this test does not seem like it's actually good. it seems to duplicate the logic of the code it's testing?

@kolaente
Copy link
Copy Markdown
Member Author

kolaente commented Mar 27, 2026
edited
Loading

Replaced by #253

@kolaente kolaente closed this Mar 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kolaente