Add OAuth2 PKCE registration E2E test for example resource server#7
Merged
Tests the full cross-origin PKCE flow: admin creates invite code, new user visits example app, clicks Register, gets redirected to auth server, fills registration form, approves consent screen, and lands on the protected /account page. https://claude.ai/code/session_01SHq9hQdUiZTD9Huz2gMNZ2
The Dockerfile sets PORT=80, but docker-compose was exposing and mapping port 3007. Fixed to expose port 80 internally (matching the container) and map host 3007 to container 80. Updated the EXAMPLE_NEXTJS_RESOURCE_SERVER_URL env var to use port 80 for inter-container communication. https://claude.ai/code/session_01SHq9hQdUiZTD9Huz2gMNZ2
Cypress requires cy.origin() when interacting with elements on a different origin than the base URL. Added cy.origin() blocks for:
- Visiting and interacting with the example app (click Register)
- Verifying the /account page after redirect back to the example app
https://claude.ai/code/session_01SHq9hQdUiZTD9Huz2gMNZ2
new URL(url).origin strips the default :80 port, matching how browsers and Cypress normalize origins. Previously cy.origin() received `:80` in the URL while the browser had already stripped it, causing a "same origin" error. https://claude.ai/code/session_01SHq9hQdUiZTD9Huz2gMNZ2
cy.visit() to a cross-origin URL handles the origin transition automatically — commands run directly on the visited page. Only the final redirect back from auth server to example app needs cy.origin() since that navigation happens via JS redirect, not cy.visit(). https://claude.ai/code/session_01SHq9hQdUiZTD9Huz2gMNZ2
cy.origin() must wrap the entire cross-origin interaction including the visit. Placing cy.visit() inside cy.origin() makes it relative to the example app origin, letting Cypress properly manage the cross-origin context from the start. https://claude.ai/code/session_01SHq9hQdUiZTD9Huz2gMNZ2
The browser normalises http://host:80 to http://host (port 80 is the HTTP default). The auth server's CORS validation does a strict string comparison between the browser's Origin header and the registered app domain. With :80 in the registered domain, CORS rejects the token exchange request, causing the PKCE flow to fail silently and redirect the user to / instead of /account. https://claude.ai/code/session_01SHq9hQdUiZTD9Huz2gMNZ2
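The origin normalisation behind the last two commits (new URL(url).origin stripping the default port, and a CORS check that compared the raw registered domain against the browser's Origin header), shown as an added example that is not code from this PR or its repository; the host names and the registered-domain list are constructed values.

```javascript
// Added example (not from the PR). Hosts below are constructed sample values.

// Normalise a URL the way browsers serialise the Origin header: scheme, lower-case
// host, and the port only when it is not the scheme default (80 for http, 443 for https).
function normalizeOrigin(url) {
  try {
    const origin = new URL(url).origin;
    // new URL() reports opaque origins (file:, data:, ...) as the string "null"; treat as invalid.
    return origin === 'null' ? null : origin;
  } catch {
    return null; // malformed URL
  }
}

// The check the commit describes: raw string comparison between the browser's Origin
// header and the registered app domain. With ":80" in the registration this never matches,
// because the browser has already dropped the default port.
function strictOriginAllowed(originHeader, registeredDomain) {
  return originHeader === registeredDomain;
}

// Hardened check: normalise both sides, then require an exact origin match.
// Exact equality (not startsWith/includes) keeps "http://app.internal.evil" from matching "http://app.internal".
function normalizedOriginAllowed(originHeader, registeredDomains) {
  const incoming = normalizeOrigin(originHeader);
  if (incoming === null) return false;
  return registeredDomains.some((d) => normalizeOrigin(d) === incoming);
}

// Response headers for the token-exchange request: null when the origin is rejected.
// The allowed origin is echoed only after it matched a registration, never "*".
function corsHeadersFor(originHeader, registeredDomains) {
  if (!normalizedOriginAllowed(originHeader, registeredDomains)) return null;
  return {
    'Access-Control-Allow-Origin': normalizeOrigin(originHeader),
    Vary: 'Origin',
  };
}

// Demonstration with constructed values: registration carries ":80", browser sends no port.
const registered = ['http://example-app.internal:80'];
const browserOrigin = 'http://example-app.internal';
console.log('strict compare :', strictOriginAllowed(browserOrigin, registered[0]));      // false
console.log('normalised     :', normalizedOriginAllowed(browserOrigin, registered));    // true
console.log('CORS headers   :', corsHeadersFor(browserOrigin, registered));
```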