feat(worker): Phase-2 signed-in tier — provision + fix OAuth callback prefix#7
Conversation
Provisions and deploys the signed-in half of agentculture.org/learn on the same worker/route: - wrangler.toml: real KV (SESSIONS) + D1 (learn-ledger) ids and the GitHub client id (public). Secrets (SESSION_SECRET, GITHUB_CLIENT_SECRET) are set via `wrangler secret put`, never here. - D1 schema applied to the remote ledger (learners + records). Fixes a real OAuth bug the live smoke test caught: - handleLogin built redirect_uri from the bare origin (https://agentculture.org/api/auth/callback), dropping the /learn zone-mount prefix. GitHub rejects the web flow on redirect_uri mismatch, and that bare callback wouldn't even route back to this worker (agentculture.org/learn/*) — it would hit org's Pages site. New callbackUrl() derives the callback from APP_URL (the mount root), matching the callback handler's own dest logic. Regression test asserts redirect_uri == https://agentculture.org/learn/api/auth/callback. Device flow verified live end-to-end (GitHub returned a real user_code); web login redirect_uri now correct in production. 40/40 worker tests. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Jkvh4uxSi6AsBJYPjiurze
|
/agentic_review |
PR Summary by QodoProvision signed-in Phase-2 learn worker and fix /learn OAuth callback URL
AI Description
Diagram
High-Level Assessment
Files changed (5)
|
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Jkvh4uxSi6AsBJYPjiurze
|



What this is
Phase 2 — the signed-in tier of agentculture.org/learn. Provisioned and
deployed onto the same worker +
/learn/*route that Phase 1 stood up, sothe signed-out experience is unchanged and sign-in now lights up.
Provisioned (with the now-broadened
.envCloudflare token — +Workers KV, +D1):SESSIONS(device-flow + session-revocation).learn-ledgerwith the schema applied to the remote DB (learners+records).GITHUB_CLIENT_ID(public) inwrangler.toml;SESSION_SECRET(Igenerated) +
GITHUB_CLIENT_SECRETset viawrangler secret put— nevercommitted.
The GitHub app is a GitHub App (client id
Ov23li…); the worker's OAuthmodule already uses the shared
/login/oauth/*+api.github.com/userendpoints, so no code change was needed for that — confirmed by a live
device-flow start returning a real
user_code.Real bug this caught
handleLoginbuiltredirect_urifrom the bare origin —https://agentculture.org/api/auth/callback— dropping the/learnzone-mount prefix. Two failures:
redirect_uri≠ the app's registered…/learn/api/auth/callback).route (
agentculture.org/learn/*) — it would hit org's Pages site, not theAPI.
Fix: new
callbackUrl()derives the callback fromAPP_URL(the mount root),matching the callback handler's own
destlogic. Regression test assertsredirect_uri == https://agentculture.org/learn/api/auth/callback.Verification
Worker suite 40/40 (was 39 + the new regression).
Live, post-deploy, against production:
/learn/200,/api/health200);/api/mewith no session →401(not 500 — KV/D1 bindings resolve);/api/auth/login→ 302 withredirect_uri = …/learn/api/auth/callback;POST /api/auth/device {start}→ real GitHubuser_code.A human end-to-end sign-in (web flow) + org Learn-nav merge are the last
cutover steps, tracked outside this PR.
learn-cli (Claude)