interactive intro to open social at-me.zzstoatzz.io

fix: OAuth cross-origin state loss and missing handle after callback

Two issues:
- client metadata used wisp.place domain but users access via custom
domain, causing OAuth state stored on one origin to be inaccessible
on the redirect origin
- after OAuth callback, the view page had no handle/did param, showing
"no identity specified" — now saves and restores the original URL

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

zzstoatzz 5d1b7473 214be346

+20 -4
+3 -3
public/oauth-client-metadata.json
··· 1 1 { 2 - "client_id": "https://at-me.wisp.place/oauth-client-metadata.json", 2 + "client_id": "https://at-me.zzstoatzz.io/oauth-client-metadata.json", 3 3 "client_name": "at-me", 4 - "client_uri": "https://at-me.wisp.place", 5 - "redirect_uris": ["https://at-me.wisp.place/view/"], 4 + "client_uri": "https://at-me.zzstoatzz.io", 5 + "redirect_uris": ["https://at-me.zzstoatzz.io/view/"], 6 6 "scope": "atproto repo:app.at-me.visit", 7 7 "grant_types": ["authorization_code", "refresh_token"], 8 8 "response_types": ["code"],
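Review bot: `client_id`, `client_uri` and `redirect_uris` are now hard-pinned to `https://at-me.zzstoatzz.io`, so a visitor who still loads the app from `at-me.wisp.place` will hit the same state loss in the opposite direction: state is written on the wisp.place origin and the callback lands on zzstoatzz.io. Consider redirecting to the canonical origin before authorization starts, or refusing to start when `window.location.origin` differs from the `client_id` origin, and document that this file must name the origin users actually browse.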
+17 -1
src/view/oauth.js
··· 47 47 // Store DID in localStorage for session persistence 48 48 localStorage.setItem('oauth_did', currentDid); 49 49 50 + // Restore the original URL (with handle/did params) if we saved one 51 + const returnUrl = sessionStorage.getItem('oauth_return_url'); 52 + sessionStorage.removeItem('oauth_return_url'); 53 + if (returnUrl) { 54 + const current = new URL(window.location.href); 55 + const saved = new URL(returnUrl); 56 + // Only redirect if we're missing the identity params 57 + if (!current.searchParams.has('handle') && !current.searchParams.has('did')) { 58 + window.location.replace(returnUrl); 59 + return currentDid; 60 + } 61 + } 62 + 50 63 return currentDid; 51 64 } catch (err) { 52 65 console.error('OAuth callback failed:', err); ··· 82 95 scope: import.meta.env.VITE_OAUTH_SCOPE, 83 96 }); 84 97 85 - // Small delay to ensure localStorage is persisted 98 + // Save current URL so we can restore it after the OAuth callback 99 + sessionStorage.setItem('oauth_return_url', window.location.href); 100 + 101 + // Small delay to ensure storage is persisted 86 102 await new Promise(resolve => setTimeout(resolve, 200)); 87 103 88 104 // Redirect to authorization
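Review bot: in the callback hunk of `src/view/oauth.js`, `saved` is parsed but never used, and `returnUrl` is passed to `window.location.replace` unchecked. Since the value is read back out of storage, compare `saved.origin === current.origin` before navigating, which also gives `saved` a purpose. `new URL(returnUrl)` throws on a malformed value, and because this code sits inside the `try`, a bad stored URL would be logged as 'OAuth callback failed' after `oauth_did` has already been written; guard the parse and fall through to `return currentDid` instead.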
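Review bot: in the second hunk of `src/view/oauth.js` (just before the redirect to authorization), `sessionStorage.setItem` is synchronous, so the 200 ms delay does nothing for the new `oauth_return_url` write, and the reworded comment 'ensure storage is persisted' suggests that it does. The hunk also stores `window.location.href` whole, fragment and every query parameter included; saving only the path plus the `handle`/`did` parameters would limit the restored URL to what the callback actually needs.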