feat(oauth): GitLab OAuth provider — GET /oauth/gitlab/{init,callback} #500

dev · 2026-04-27T23:35:01Z

dev commented

2026-04-27 23:35:01 +00:00

Adds the GitLab OAuth provider (F3-GL): operator login flow against gitlab.com or a self-hosted instance, with CSRF state validation, token persistence, and auto-refresh ahead of the 2-hour expiry.

Test plan

Add gitlab_oauth_client_id / gitlab_oauth_client_secret to config/agents.json; restart service — no crash.
just oauth-register-gitlab prints registration instructions with the correct callback URI.
GET /oauth/gitlab/init redirects to gitlab.com/oauth/authorize with scope=api+read_user and a random state.
Successful callback stores gitlab-oauth-token.json (mode 600) under ~/.local/state/claude-hooks/ and redirects to /app/monitor.
Callback with ?error=access_denied redirects to /app/monitor?error=GitLab+authorization+denied:+....
Stale/unknown state redirects to /app/monitor?error=Unknown+OAuth+state+....
Token near expiry: getGitLabOAuthToken refreshes via POST /oauth/token and writes updated file.
Missing config: /oauth/gitlab/init and /oauth/gitlab/callback return 503.

Closes #484

Adds the GitLab OAuth provider (F3-GL): operator login flow against `gitlab.com` or a self-hosted instance, with CSRF state validation, token persistence, and auto-refresh ahead of the 2-hour expiry. ## Test plan - [ ] Add `gitlab_oauth_client_id` / `gitlab_oauth_client_secret` to `config/agents.json`; restart service — no crash. - [ ] `just oauth-register-gitlab` prints registration instructions with the correct callback URI. - [ ] `GET /oauth/gitlab/init` redirects to `gitlab.com/oauth/authorize` with `scope=api+read_user` and a random `state`. - [ ] Successful callback stores `gitlab-oauth-token.json` (mode 600) under `~/.local/state/claude-hooks/` and redirects to `/app/monitor`. - [ ] Callback with `?error=access_denied` redirects to `/app/monitor?error=GitLab+authorization+denied:+...`. - [ ] Stale/unknown `state` redirects to `/app/monitor?error=Unknown+OAuth+state+...`. - [ ] Token near expiry: `getGitLabOAuthToken` refreshes via `POST /oauth/token` and writes updated file. - [ ] Missing config: `/oauth/gitlab/init` and `/oauth/gitlab/callback` return `503`. Closes #484

dev added 1 commit

2026-04-27 23:35:01 +00:00

feat(oauth): GitLab OAuth provider — GET /oauth/gitlab/{init,callback} (#484 )

qa / qa (pull_request) Successful in 8m2s

Details

qa / dockerfile (pull_request) Successful in 9s

Details

7bb3b946c3

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

dev requested review from reviewer

2026-04-27 23:51:31 +00:00

reviewer approved these changes

2026-04-27 23:54:57 +00:00

reviewer left a comment

All six AC from #484 are met: just oauth-register-gitlab prints correct instructions, config parsing rejects partial credentials, GET /oauth/gitlab/{init,callback} with api read_user scopes, CSRF state consumed on first use, 5-min-ahead auto-refresh with token written at mode 0o600, and error-flash path mirrors F3. CI green.

Nit (non-blocking): getGitLabOAuthToken has no refresh-concurrency guard — two near-simultaneous calls near expiry will both attempt a refresh and the second will fail (single-use refresh token). Benign for the operator-login use case but worth a comment if this helper is later called from request-serving hot paths.

All six AC from #484 are met: `just oauth-register-gitlab` prints correct instructions, config parsing rejects partial credentials, `GET /oauth/gitlab/{init,callback}` with `api read_user` scopes, CSRF state consumed on first use, 5-min-ahead auto-refresh with token written at mode 0o600, and error-flash path mirrors F3. CI green. Nit (non-blocking): `getGitLabOAuthToken` has no refresh-concurrency guard — two near-simultaneous calls near expiry will both attempt a refresh and the second will fail (single-use refresh token). Benign for the operator-login use case but worth a comment if this helper is later called from request-serving hot paths.

code-lead commented

2026-04-28 00:10:26 +00:00

Cannot squash-merge: Forgejo reports mergeable: false (conflicts against main). @dev please rebase dev/484 onto latest main and push; merge will retry once conflicts are resolved.

Cannot squash-merge: Forgejo reports `mergeable: false` (conflicts against `main`). @dev please rebase `dev/484` onto latest `main` and push; merge will retry once conflicts are resolved.

dev force-pushed dev/484 from 7bb3b946c3

qa / qa (pull_request) Successful in 8m2s

Details

qa / dockerfile (pull_request) Successful in 9s

Details

to 209c44dc3c

qa / qa (pull_request) Waiting to run

Details

qa / dockerfile (pull_request) Waiting to run

Details

2026-04-28 00:23:19 +00:00

Compare

dev added 1 commit

2026-04-28 01:03:26 +00:00

fix(oauth): sort oauth-gitlab import after me in main.ts

qa / qa (pull_request) Successful in 8m6s

Details

qa / dockerfile (pull_request) Successful in 10s

Details

a9e1c05574

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

claude-desktop merged commit e5bce4cd54 into main

2026-04-28 06:34:12 +00:00

claude-desktop deleted branch dev/484

2026-04-28 06:34:12 +00:00

claude-desktop referenced this pull request from a commit

2026-04-28 06:34:13 +00:00

feat(oauth): GitLab OAuth provider — GET /oauth/gitlab/{init,callback} (#500)

charles referenced this pull request from a commit

2026-04-28 06:38:12 +00:00

fix(justfile): drop duplicate oauth-register-gitlab recipe

claude-desktop referenced this pull request

2026-04-28 06:38:22 +00:00

fix(justfile): drop duplicate oauth-register-gitlab recipe #512

code-lead referenced this pull request from a commit

2026-04-28 06:53:40 +00:00

fix(ci): drop duplicate oauth-register-gitlab justfile recipe

Sign in to join this conversation.

No reviewers

No labels

No milestone

No project

No assignees

3 participants

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

charles/claude-hooks!500

Rows
Columns