Skip to content

fix: Switch to BROKER_URL and remove public_return_url#1283

Merged
edwinjosechittilappilly merged 14 commits into
mainfrom
fix-broker
Mar 27, 2026
Merged

fix: Switch to BROKER_URL and remove public_return_url#1283
edwinjosechittilappilly merged 14 commits into
mainfrom
fix-broker

Conversation

@edwinjosechittilappilly

Copy link
Copy Markdown
Collaborator

Replace the old PUBLIC_RETURN_URL with BROKER_URL in settings and update auth flow to use a broker when present. AuthService now uses BROKER_URL as the effective redirect URI (falling back to the original redirect_uri) and logs the OAuth callback state. The public_return_url field was removed from API responses and frontend code no longer relies on it, defaulting to window.location.origin instead. Added debug logging in frontend auth callback and auth context to aid troubleshooting of OAuth state encoding/decoding.

lucaseduoli and others added 5 commits March 26, 2026 09:13
Replace the old PUBLIC_RETURN_URL with BROKER_URL in settings and update auth flow to use a broker when present. AuthService now uses BROKER_URL as the effective redirect URI (falling back to the original redirect_uri) and logs the OAuth callback state. The public_return_url field was removed from API responses and frontend code no longer relies on it, defaulting to window.location.origin instead. Added debug logging in frontend auth callback and auth context to aid troubleshooting of OAuth state encoding/decoding.
Clarify the broker setting name by renaming BROKER_URL to OAUTH_BROKER_URL in src/config/settings.py and update imports/usages in src/services/auth_service.py. auth_service now uses OAUTH_BROKER_URL when computing the effective redirect URI. Update environment variables/deployments to set OAUTH_BROKER_URL (migrate any existing BROKER_URL value).
Copilot AI review requested due to automatic review settings March 26, 2026 19:45
@github-actions github-actions Bot added frontend 🟨 Issues related to the UI/UX backend 🔷 Issues related to backend services (OpenSearch, Langflow, APIs) bug 🔴 Something isn't working. labels Mar 26, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the OAuth flow to support an OAuth callback broker by using a configured broker URL as the effective OAuth redirect URI, and removes the deprecated public_return_url field from backend responses and frontend usage.

Changes:

  • Backend: use OAUTH_BROKER_URL (when set) as the OAuth redirect_uri returned to the frontend and stored in connection config; remove public_return_url from the init response.
  • Frontend: stop relying on public_return_url; encode return=${window.location.origin}/auth/callback into OAuth state and add additional debug logging around state encoding/decoding.
  • Backend: add logging of the OAuth callback state.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
src/services/auth_service.py Uses broker URL as effective OAuth redirect and removes public_return_url; logs callback state.
src/config/settings.py Introduces OAUTH_BROKER_URL setting to configure broker-based redirects.
frontend/contexts/auth-context.tsx Updates OAuth state construction to no longer use public_return_url; adds state debug logging.
frontend/app/auth/callback/page.tsx Adds debug logging of raw/decoded OAuth state during callback handling.
frontend/app/api/mutations/useConnectConnectorMutation.ts Removes public_return_url from response typing and hardcodes callback return URL into OAuth state.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines 93 to 95
const decodedState = decodeBase64(stateParam);
console.log("OAuth callback state (decoded):", decodedState);
const params = new URLSearchParams(decodedState);

Copilot AI Mar 26, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The decoded OAuth state is being printed to the console, which can expose connection ids and redirect targets. Additionally, because return in state is later used as a redirect target, leaking it makes open-redirect style issues easier to exploit/debug. Please remove this log or gate it behind a dev-only flag.

Copilot uses AI. Check for mistakes.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

const state = searchParams.get("state");
const errorParam = searchParams.get("error");

console.log("OAuth callback state (raw):", state);

Copilot AI Mar 26, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

console.log("OAuth callback state (raw):", state) will print the full OAuth state value to the browser console. Since state is attacker-controlled input and may embed redirect targets, avoid logging it in production; keep it behind a dev-only flag or remove it.

Suggested change
console.log("OAuth callback state (raw):", state);
if (process.env.NODE_ENV !== "production") {
console.log("OAuth callback state (raw):", state);
}

Copilot uses AI. Check for mistakes.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove console log @edwinjosechittilappilly

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

keeping for debugging

request=None,
) -> dict:
"""Handle OAuth callback - exchange authorization code for tokens"""
logger.info(f"OAuth callback state: {state}")

Copilot AI Mar 26, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logging the raw OAuth state at INFO level can leak user origins/redirect targets into application logs and may expose CSRF-related state to anyone with log access. Please remove this log or downgrade to DEBUG and redact/trim the value (e.g., log only whether state was present and its length or a hash).

Copilot uses AI. Check for mistakes.
Comment thread src/config/settings.py
Comment on lines +113 to +116
# OAuth callback broker URL -- when set, Google (and other providers) redirect
# here instead of directly to the frontend. The broker then forwards to the
# actual frontend origin that is carried in the OAuth state parameter.
OAUTH_BROKER_URL = os.getenv("OAUTH_BROKER_URL")

Copilot AI Mar 26, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR title/description mention switching to BROKER_URL, but the code introduces OAUTH_BROKER_URL/OAUTH_BROKER_URL env var. This mismatch is likely to cause misconfiguration in deployments. Either align the env var name with the documented BROKER_URL or support both (with a deprecation path) to avoid breaking existing configs.

Copilot uses AI. Check for mistakes.
Comment thread frontend/contexts/auth-context.tsx Outdated
});

const returnUrl = result.public_return_url || window.location.origin;
const returnUrl = `${window.location.origin}/auth/callback`;

Copilot AI Mar 26, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

returnUrl is being set to the callback route itself (/auth/callback) and then encoded into the OAuth state. In the callback handler, the decoded return value is later treated as the post-auth redirect target, which will cause a redirect back to the callback page (potential loop / error page). Consider encoding the frontend origin (for broker forwarding) separately from the final in-app redirect (e.g., origin= vs next=), or set return to a real destination like /chat.

Suggested change
const returnUrl = `${window.location.origin}/auth/callback`;
const returnUrl = `${window.location.origin}/chat`;

Copilot uses AI. Check for mistakes.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lucaseduoli is this the return url for ouath or after oauth ? @mfortman11

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if its releared to oauth then we need auth/callback

also @mfortman11 / @lucaseduoli can you help to put these new broker releated FE changed under feature flag of IBMauth enabled?

Comment thread frontend/contexts/auth-context.tsx Outdated
Comment on lines +158 to +159
console.log("OAuth state (encoded):", state, "decoded:", stateQuery);

Copilot AI Mar 26, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Avoid logging the encoded/decoded OAuth state to the browser console in production: it includes the connection id and redirect information and can be copied from the console by anyone with access to the device/session. If this is needed for troubleshooting, gate it behind a dev-only flag (e.g., process.env.NODE_ENV !== 'production') or remove it before merging.

Copilot uses AI. Check for mistakes.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment on lines 72 to 74
const returnUrl = `${window.location.origin}/auth/callback`;
const stateQuery = `id=${result.connection_id}&return=${returnUrl}`;
const state = encodeBase64(stateQuery);

Copilot AI Mar 26, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

returnUrl is hardcoded to ${window.location.origin}/auth/callback even though this mutation receives a redirectUri argument that is sent to the backend. If callers pass a different redirectUri (custom base path, reverse proxy, embedded UI, etc.), the state return value will be inconsistent and broker forwarding / post-auth redirects may break. Prefer deriving returnUrl from the redirectUri parameter (or a single shared helper) so they stay in sync.

Copilot uses AI. Check for mistakes.

@lucaseduoli lucaseduoli left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with few minor nitpicks

Comment thread frontend/contexts/auth-context.tsx Outdated
Comment on lines +158 to +159
console.log("OAuth state (encoded):", state, "decoded:", stateQuery);

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment on lines 93 to 95
const decodedState = decodeBase64(stateParam);
console.log("OAuth callback state (decoded):", decodedState);
const params = new URLSearchParams(decodedState);

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

const state = searchParams.get("state");
const errorParam = searchParams.get("error");

console.log("OAuth callback state (raw):", state);

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove console log @edwinjosechittilappilly

@github-actions github-actions Bot added the lgtm label Mar 26, 2026
@edwinjosechittilappilly edwinjosechittilappilly changed the base branch from fix/oauth_return_url to main March 26, 2026 21:37
@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Mar 26, 2026
lucaseduoli and others added 5 commits March 26, 2026 16:40
Replace the old PUBLIC_RETURN_URL with BROKER_URL in settings and update auth flow to use a broker when present. AuthService now uses BROKER_URL as the effective redirect URI (falling back to the original redirect_uri) and logs the OAuth callback state. The public_return_url field was removed from API responses and frontend code no longer relies on it, defaulting to window.location.origin instead. Added debug logging in frontend auth callback and auth context to aid troubleshooting of OAuth state encoding/decoding.
Clarify the broker setting name by renaming BROKER_URL to OAUTH_BROKER_URL in src/config/settings.py and update imports/usages in src/services/auth_service.py. auth_service now uses OAUTH_BROKER_URL when computing the effective redirect URI. Update environment variables/deployments to set OAUTH_BROKER_URL (migrate any existing BROKER_URL value).
@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Mar 26, 2026
@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Mar 27, 2026
@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Mar 27, 2026
@edwinjosechittilappilly edwinjosechittilappilly merged commit 46d09cf into main Mar 27, 2026
10 checks passed
@github-actions github-actions Bot deleted the fix-broker branch March 27, 2026 14:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backend 🔷 Issues related to backend services (OpenSearch, Langflow, APIs) bug 🔴 Something isn't working. frontend 🟨 Issues related to the UI/UX lgtm

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants