Ilyas Hallak
ec432a037c
Add complete OAuth 2.0 Authorization Code Flow with PKCE as alternative to API token authentication, with automatic server detection and graceful fallback to classic login. **OAuth Core (RFC 7636 PKCE):** - PKCEGenerator: S256 challenge generation for secure code exchange - OAuth DTOs: Client registration, token request/response models - OAuthClient, OAuthToken, AuthenticationMethod domain models - API.swift: registerOAuthClient() and exchangeOAuthToken() endpoints - OAuthRepository + POAuthRepository protocol **Browser Integration (ASWebAuthenticationSession):** - OAuthSession: Wraps native authentication session - OAuthFlowCoordinator: Orchestrates 5-phase OAuth flow - readeck:// URL scheme for OAuth callback handling - State verification for CSRF protection - User cancellation handling **Token Management:** - KeychainHelper: OAuth token storage alongside API tokens - TokenProvider: getOAuthToken(), setOAuthToken(), getAuthMethod() - AuthenticationMethod enum to distinguish token types - AuthRepository: loginWithOAuth(), getAuthenticationMethod() - Endpoint persistence in both Keychain and Settings **Server Feature Detection:** - ServerInfo extended with features array and supportsOAuth flag - GET /api/info endpoint integration (backward compatible) - GetServerInfoUseCase with optional endpoint parameter **User Profile Integration:** - ProfileApiClient: Fetch user data via GET /api/profile - UserProfileDto with username, email, provider information - GetUserProfileUseCase: Extract username from profile - Username saved and displayed for OAuth users (like classic auth) **Automatic OAuth Flow (No User Selection):** - OnboardingServerView: 2-phase flow (endpoint → auto-OAuth or classic) - OAuth attempted automatically if server supports it - Fallback to username/password on OAuth failure or unsupported - SettingsServerViewModel: checkServerOAuthSupport(), loginWithOAuth() **Cleanup & Refactoring:** - Remove all #if os(iOS) && !APP_EXTENSION conditionals - Remove LoginMethodSelectionView (no longer needed) - Remove switchToClassicLogin() method - Factories updated with OAuth dependencies **Testing:** - PKCEGeneratorTests: Verify RFC 7636 compliance - ServerInfoTests: Feature detection and backward compatibility - Mock implementations for all OAuth components **Documentation:** - docs/OAuth2-Implementation-Plan.md: Complete implementation guide - openapi.json: Readeck API specification **Scopes Requested:** - bookmarks:read, bookmarks:write, profile:read OAuth users now have full feature parity with classic authentication. Server auto-detects OAuth support via /info endpoint. Seamless UX with browser-based login and automatic fallback.
94 lines
3.2 KiB
Swift
94 lines
3.2 KiB
Swift
//
|
|
// OAuthSession.swift
|
|
// readeck
|
|
//
|
|
// Created by Ilyas Hallak on 16.12.25.
|
|
//
|
|
|
|
import AuthenticationServices
|
|
import Foundation
|
|
|
|
/// Wrapper for ASWebAuthenticationSession to handle OAuth browser flow
|
|
@MainActor
|
|
class OAuthSession: NSObject {
|
|
private var authSession: ASWebAuthenticationSession?
|
|
private let logger = Logger.network
|
|
|
|
/// Starts the OAuth authentication flow in a browser
|
|
/// - Parameters:
|
|
/// - url: Authorization URL to open
|
|
/// - callbackURLScheme: Custom URL scheme for callback (e.g., "readeck")
|
|
/// - completion: Called with callback URL or error
|
|
func start(
|
|
url: URL,
|
|
callbackURLScheme: String,
|
|
completion: @escaping (Result<URL, Error>) -> Void
|
|
) {
|
|
logger.info("Starting OAuth authentication session with URL: \(url.absoluteString)")
|
|
|
|
// Create authentication session
|
|
authSession = ASWebAuthenticationSession(
|
|
url: url,
|
|
callbackURLScheme: callbackURLScheme
|
|
) { [weak self] callbackURL, error in
|
|
guard let self = self else { return }
|
|
|
|
if let error = error {
|
|
self.logger.error("OAuth authentication failed: \(error.localizedDescription)")
|
|
|
|
// Check if user cancelled
|
|
if let authError = error as? ASWebAuthenticationSessionError,
|
|
authError.code == .canceledLogin {
|
|
self.logger.info("User cancelled OAuth login")
|
|
completion(.failure(OAuthError.userCancelled))
|
|
} else {
|
|
completion(.failure(error))
|
|
}
|
|
return
|
|
}
|
|
|
|
guard let callbackURL = callbackURL else {
|
|
self.logger.error("OAuth callback URL is nil")
|
|
completion(.failure(OAuthError.invalidCallback))
|
|
return
|
|
}
|
|
|
|
self.logger.info("OAuth callback received: \(callbackURL.absoluteString)")
|
|
completion(.success(callbackURL))
|
|
}
|
|
|
|
// Configure session
|
|
authSession?.presentationContextProvider = self
|
|
authSession?.prefersEphemeralWebBrowserSession = false // Allow cookies/saved passwords
|
|
|
|
// Start the session
|
|
guard let session = authSession, session.start() else {
|
|
logger.error("Failed to start OAuth authentication session")
|
|
completion(.failure(OAuthError.invalidCallback))
|
|
return
|
|
}
|
|
|
|
logger.info("OAuth authentication session started successfully")
|
|
}
|
|
|
|
/// Cancels the ongoing authentication session
|
|
func cancel() {
|
|
logger.info("Cancelling OAuth authentication session")
|
|
authSession?.cancel()
|
|
authSession = nil
|
|
}
|
|
}
|
|
|
|
// MARK: - ASWebAuthenticationPresentationContextProviding
|
|
|
|
extension OAuthSession: ASWebAuthenticationPresentationContextProviding {
|
|
func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
|
|
// Return the key window for presenting the authentication session
|
|
guard let windowScene = UIApplication.shared.connectedScenes.first as? UIWindowScene,
|
|
let window = windowScene.windows.first else {
|
|
fatalError("No window available for OAuth presentation")
|
|
}
|
|
return window
|
|
}
|
|
}
|