fix(signin): submit on dropdown select; ignore localhost SITE_URL on hosted deploys

- Selecting a profile from the handle preview dropdown now sets the
handle and immediately submits the OAuth login form (one-click sign in)
instead of just filling the input.
- Detect hosted deployments via DENO_DEPLOYMENT_ID / DENO_REGION / VERCEL
and ignore FRESH_PUBLIC_SITE_URL when it points at localhost / 127.0.0.1,
falling back to https://atmosphereaccount.com. atproto + RFC 8252 reject
the literal hostname 'localhost' as an OAuth redirect_uri, so a stray
local .env value uploaded to Deno Deploy was producing PAR 'invalid_request'
errors. A startup warning is logged when this fallback triggers.

Made-with: Cursor

+49 -4
+9
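--- a/islands/SignInForm.tsx
+++ b/islands/SignInForm.tsx
@@ -39,6 +39,7 @@
  const debounceRef = useRef<number | null>(null);
  const requestSeq = useRef(0);
  const wrapRef = useRef<HTMLDivElement | null>(null);
+ const formRef = useRef<HTMLFormElement | null>(null);
 
  useEffect(() => {
  function onDocPointerDown(e: PointerEvent) {
@@ -105,10 +106,18 @@
  const onSelectMatch = (m: PreviewMatch) => {
  handle.value = m.handle;
  showPreview.value = false;
+ submitting.value = true;
+ error.value = null;
+ /** Defer one tick so the controlled <input> reflects the new value
+ * before the native form submission serialises it. */
+ setTimeout(() => {
+ formRef.current?.submit();
+ }, 0);
  };
 
  return (
  <form
+ ref={formRef}
  method="POST"
  action="/oauth/login"
  onSubmit={onSubmit}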
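Review bot: `formRef.current?.submit()` in `onSelectMatch` calls the native `HTMLFormElement.submit()`, which dispatches no `submit` event and skips constraint validation, so the form's `onSubmit={onSubmit}` handler never runs on the dropdown path. `onSubmit` is defined outside the hunk; if it normalises the handle or guards against repeated submission, that logic is bypassed here, and two quick selections queue two timers and two POSTs to `/oauth/login`. Consider `formRef.current?.requestSubmit();` so both paths share one handler, in which case the `submitting.value = true` / `error.value = null` assignments may need to move into `onSubmit`. A short comment on the `setTimeout` noting that the timer is not cleared on unmount would also help the next reader.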
+40 -4
lib/env.ts
··· 12 12 } 13 13 } 14 14 15 - export const SITE_URL = safeGet("FRESH_PUBLIC_SITE_URL") ?? 16 - "https://atmosphereaccount.com"; 15 + /** True when this process is running on hosted infrastructure 16 + * (Deno Deploy / Vercel / similar). Used to override misconfigured 17 + * local URLs that may have been pasted into hosted env panels. */ 18 + const IS_HOSTED = !!(safeGet("DENO_DEPLOYMENT_ID") ?? 19 + safeGet("DENO_REGION") ?? 20 + safeGet("VERCEL")); 17 21 18 - export const IS_DEV = safeGet("DENO_ENV") !== "production" && 19 - safeGet("VERCEL_ENV") !== "production" && 22 + const RAW_SITE_URL = safeGet("FRESH_PUBLIC_SITE_URL"); 23 + 24 + /** atproto / RFC 8252 forbid `localhost` as a redirect host for confidential 25 + * clients (only loopback IPs like 127.0.0.1 are allowed, and even then only 26 + * in dev). If a hosted deployment ends up with a localhost-shaped SITE_URL, 27 + * ignore it and fall back to the canonical production origin so we don't 28 + * publish a broken client_id / redirect_uri. */ 29 + function isLocalhostUrl(u: string | undefined): boolean { 30 + if (!u) return false; 31 + try { 32 + const host = new URL(u).hostname; 33 + return host === "localhost" || host === "127.0.0.1" || host === "::1"; 34 + } catch { 35 + return false; 36 + } 37 + } 38 + 39 + export const SITE_URL: string = (() => { 40 + if (RAW_SITE_URL && !(IS_HOSTED && isLocalhostUrl(RAW_SITE_URL))) { 41 + return RAW_SITE_URL; 42 + } 43 + if (IS_HOSTED && isLocalhostUrl(RAW_SITE_URL)) { 44 + console.warn( 45 + `[env] FRESH_PUBLIC_SITE_URL is set to ${RAW_SITE_URL} on a hosted ` + 46 + `deployment. Ignoring and falling back to https://atmosphereaccount.com. 
` + 47 + `Update the env var in your hosting provider's dashboard to remove ` + 48 + `this warning (and to support custom domains).`, 49 + ); 50 + } 51 + return "https://atmosphereaccount.com"; 52 + })(); 53 + 54 + export const IS_DEV = !IS_HOSTED && 55 + safeGet("DENO_ENV") !== "production" && 20 56 !SITE_URL.startsWith("https://atmosphereaccount.com"); 21 57 22 58 export const OAUTH_PRIVATE_JWK = safeGet("OAUTH_PRIVATE_JWK");
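Review bot: In `isLocalhostUrl`, the `host === "::1"` comparison can never match, because the WHATWG `URL` parser keeps the brackets on IPv6 hostnames (`new URL("http://[::1]:8000").hostname` is `"[::1]"`), so an IPv6-loopback `FRESH_PUBLIC_SITE_URL` on a hosted deploy is still returned as `SITE_URL` and used for the OAuth client_id / redirect_uri. Change the return to `return host === "localhost" || host === "127.0.0.1" || host === "[::1]";`, and consider `host.endsWith(".localhost")` if subdomains of localhost should be rejected the same way. Separately, the unchanged last operand of `IS_DEV`, `SITE_URL.startsWith("https://atmosphereaccount.com")`, is a prefix match that a constructed value such as `https://atmosphereaccount.com.example` also satisfies; comparing `new URL(SITE_URL).origin` to the canonical origin would be exact.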