Fix Google OAuth in Telegram's in-app browser#104
Merged
priyanshujain merged 8 commits intomasterfrom Mar 19, 2026
Merged
Conversation
Serves an HTML page that detects Telegram's WebView and shows a "Continue with Google" button with target="_blank" to force the system browser. In non-Telegram browsers, auto-redirects immediately. Validates that the URL is a Google OAuth URL to prevent open redirects.
Adds AuthRedirectURL field to GWSToolConfig. When set, requestConsent wraps the Google OAuth URL inside the trampoline URL so Telegram's WebView opens the trampoline page instead of Google directly.
Derives the trampoline URL from the existing GWS callback URL and passes it to GWSToolConfig so OAuth links in Telegram open via the trampoline page, allowing users to sign in with their system browser.
The user agent string in Telegram's iOS WebView doesn't contain "Telegram", so the auto-redirect fired incorrectly. Check for window.TelegramWebviewProxy (injected by Telegram) in addition to the user agent regex.
requestConsent now sends the auth link and returns immediately with errAuthPending instead of blocking the agent loop on scopeWaiter.Await. The waiter entry is cleaned up by a background goroutine. Account discovery is moved to the start of Execute so retries after auth work. This stops the "typing..." indicator from hanging while waiting for the user to complete OAuth.
Include the Telegram Mini App JS SDK and call openLink() on button click to open the Google OAuth URL in the system browser (Safari). Falls back to normal link behavior in non-Telegram contexts.
Telegram's in-app browser ignores target="_blank" on iOS. Auth redirect URLs now use a web_app inline keyboard button, which opens the page as a Mini App where Telegram.WebApp.openLink() can open the system browser (Safari). Regular URLs still use url buttons.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
GET /auth/redirect) that detects Telegram's WebView and shows a "Continue with Google" button withtarget="_blank", forcing the system browser (Safari/Chrome) to open. In real browsers, it auto-redirects immediately.AuthRedirectURLis configured onGWSToolConfig, so Telegram users can actually sign in with their Google accounts (WebView lacks cookie/passkey support).Test plan
go test ./internal/server/ -run TestHandleAuthRedirect -v— missing URL → 400, non-Google URL → 400, HTTP → 400, valid URL → 200 with correct HTML, ampersand escapinggo test ./agent/tools/ -run TestGWSExecute_AuthRedirect -v— wraps URL when set, passes through directly when emptygo test ./channel/telegram/ -run TestAuthRedirectURL -v— derives correct URL from callback config, returns empty when unconfigured./internal/server/,./agent/tools/,./channel/telegram/pass