[WIP] auth.js rebase #375

Draft
tvi wants to merge 4 commits into main from t/auth2

@tvi tvi commented Jun 9, 2026

Contributor

No description provided.

@cla-bot cla-bot Bot added the cla-signed label Jun 9, 2026
vercel Bot commented Jun 9, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| web | Error | Error | Jun 9, 2026 8:43pm |
| web-juliett | Error | Error | Jun 9, 2026 8:43pm |

cursor Bot commented Jun 9, 2026

PR Summary

Medium Risk
Auth.js/Ory work is security-critical, but with an empty diff there is no change set to evaluate; risk is unknown until rebased commits land.

Overview
No file changes are present in the diff supplied for this review, so there is nothing concrete to describe about what this PR modifies.

The title [WIP] auth.js rebase indicates an in-progress git rebase of Auth.js-related work (the dashboard already documents AUTH_PROVIDER=ory with Auth.js env vars such as AUTH_SECRET and depends on next-auth). Until the rebase is finished and the branch contains a non-empty diff, reviewers cannot assess scope or behavior changes from this PR alone.

Reviewed by Cursor Bugbot for commit 8e8d841. Bugbot is set up for automated code reviews on this repo. Configure here.

ben-fornefeld and others added 3 commits June 9, 2026 13:40
Wire the dashboard to Ory through Auth.js while preserving Supabase mode behind the auth provider switch.
Wire the dashboard as Hydra's login provider so the OIDC flow can complete
end-to-end against a self-hosted Hydra (e.g. ../infra devenv) without
requiring a separate IdP UI.

- src/app/oauth/login: auto-accept login challenges as ORY_LOCAL_LOGIN_SUBJECT.
- src/app/oauth/consent: defensive auto-accept (never hit while the seeded
  client has skip_consent=true; kept for misconfiguration safety).
- src/app/oauth/logout: auto-accept logout challenges.
- src/core/server/auth/ory/hydra-admin.ts: OAuth2Api client that targets
  ORY_HYDRA_ADMIN_URL (self-hosted, no PAT) or ORY_SDK_URL (Ory Network, PAT).
- src/lib/env.ts: new optional ORY_HYDRA_ADMIN_URL and ORY_LOCAL_LOGIN_SUBJECT.
- package.json: pin 'next dev' to :3001 so it doesn't collide with the
  infra api on :3000 and matches the seeded client's redirect_uri.

Modeled on ory/hydra-login-consent-node. Intended for local/dev only;
production deployments delegate login to Ory Network / Kratos.
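
The commit message above says the auto-accept handlers are for local/dev only; one way to enforce that in code is a guard evaluated before any challenge is accepted. This is an added example, not code from the PR: `localAutoAcceptDecision`, the `NODE_ENV` check and the loopback-only host rule are assumptions, while `ORY_HYDRA_ADMIN_URL`, `ORY_SDK_URL` and `ORY_LOCAL_LOGIN_SUBJECT` are the variables the commit message names.

```typescript
// Added example: decide whether the dev-only auto-accept handlers may run.
// NODE_ENV and the loopback-only rule are assumptions, not from the PR.
type Env = Record<string, string | undefined>;

type Decision =
  | { allow: true; subject: string; adminUrl: string }
  | { allow: false; reason: string };

// Hosts treated as "local". WHATWG URL keeps the brackets on IPv6 literals.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

function deny(reason: string): Decision {
  return { allow: false, reason };
}

function localAutoAcceptDecision(env: Env): Decision {
  // Never auto-accept challenges in a production build.
  if (env.NODE_ENV === "production") {
    return deny("NODE_ENV is production");
  }
  // Without an explicit subject there is nobody to log in as.
  const subject = (env.ORY_LOCAL_LOGIN_SUBJECT ?? "").trim();
  if (subject === "") {
    return deny("ORY_LOCAL_LOGIN_SUBJECT is not set");
  }
  // Only the self-hosted admin URL qualifies; ORY_SDK_URL (Ory Network) never does.
  const raw = env.ORY_HYDRA_ADMIN_URL;
  if (!raw) {
    return deny("ORY_HYDRA_ADMIN_URL is not set");
  }
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return deny("ORY_HYDRA_ADMIN_URL is not a valid URL");
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return deny("unsupported scheme " + url.protocol);
  }
  // Compare the parsed hostname, so "http://localhost@other.host" is rejected.
  if (!LOOPBACK_HOSTS.has(url.hostname)) {
    return deny("Hydra admin host " + url.hostname + " is not loopback");
  }
  return { allow: true, subject, adminUrl: url.origin };
}
```

A login, consent or logout route would call this first and return an error response carrying `reason` when `allow` is false, so a misconfigured deployment fails closed instead of logging every visitor in as the fixed subject.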