This commit was created on GitHub.com and signed with GitHub’s verified signature.
feat(auth): Nous OAuth login alongside token (easier onboarding) (#11)
Adds 'Sign in with Nous' as an additive auth path so testers use their existing
Nous account instead of pasting a BATTLESTATION_TOKEN. The token path is
UNCHANGED and checked first; OAuth only runs if no valid token is presented.
- lib/oauth/nous.ts: PKCE start + code exchange, RS256 JWT verify server-side
- lib/oauth/session.ts: first-party HMAC session cookie (Edge+Node safe, Web
Crypto only), secret derives from BATTLESTATION_TOKEN so rotation invalidates
- app/api/auth/oauth/{start,callback}: PKCE flow, httpOnly cookies, graceful
503 when no OAuth client configured
- middleware.ts: accept EITHER valid bs_token (existing, first) OR Nous OAuth
session (additive). Loopback-open dev preserved.
- app/connect/page.tsx: 'Sign in with Nous' button above the token field
- .env.example: documents BATTLESTATION_OAUTH_CLIENT_ID + session secret
Token path verified intact (safeEqual branch byte-unchanged). typecheck 0,
build ok, oauth/start 503 when unconfigured (graceful).