Skip to content

[Fix] Guard GitLab OAuth public callback URL selection with regression tests#374

Merged
brunobergher merged 1 commit into
developfrom
fix/gitlab-oauth-public-url-tests-37j5up5sefnot
Jul 15, 2026
Merged

[Fix] Guard GitLab OAuth public callback URL selection with regression tests#374
brunobergher merged 1 commit into
developfrom
fix/gitlab-oauth-public-url-tests-37j5up5sefnot

Conversation

@roomote-roomote

Copy link
Copy Markdown
Contributor

Opened on behalf of Bruno Bergher. Follow up by mentioning @roomote-roomote, in the web UI, or in Slack.

Related issue

Follow-up coverage for the GitLab OAuth public-URL fix already merged in #352 (R_PUBLIC_URL for authorize/callback redirects and secure cookies). No separate GitHub issue.

Why this PR exists

  • A maintainer explicitly invited this PR in the linked issue or discussion
  • I am a maintainer / this is internal Roomote work

What changed

Adds regression tests so GitLab OAuth authorize and callback keep using R_PUBLIC_URL (when set) for redirect_uri, post-auth setup redirects, and Secure cookie flags, with an R_APP_URL fallback. Also tightens the public docs note that the GitLab OAuth application redirect URI must match that public origin.

Runtime redirect selection itself was already shipped on develop in #352; this change locks that behavior in and clarifies the match requirement operators already see in setup docs/UI.

How it was tested

  • pnpm --filter @roomote/web exec dotenvx run -f ../../.env.test -- vitest run src/app/api/source-control/gitlab/oauth (6 passed)
  • pnpm --filter @roomote/gitlab exec vitest run src/__tests__/oauth.test.ts (2 passed)
  • Pre-push gates (oxlint, residual lint, check-types:fast, knip) passed on push

Checklist

  • The PR title follows the repo convention: [Fix], [Feat], [Improve], [Refactor], [Docs], or [Chore] followed by a user-facing description
  • This PR is small and scoped to one change
  • pnpm lint and pnpm check-types pass locally
  • I added tests or included a clear manual validation note above
  • I removed secrets, tokens, private keys, and customer data from code, logs, and screenshots
  • If this change should appear in the changelog, I ran pnpm changeset

Lock authorize/callback routes to R_PUBLIC_URL when set and document callback matching.
@roomote-roomote

roomote-roomote Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

No code issues found. See task

Reviewed ab35dde

@brunobergher brunobergher marked this pull request as ready for review July 15, 2026 09:26
@brunobergher brunobergher merged commit 7a8e3be into develop Jul 15, 2026
17 checks passed
@brunobergher brunobergher deleted the fix/gitlab-oauth-public-url-tests-37j5up5sefnot branch July 15, 2026 09:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants