
feat: add rxlab sign in api #40

Merged
sirily11 merged 2 commits into main from aasp on May 26, 2026

Conversation

@sirily11 (Contributor)

No description provided.

Copilot AI review requested due to automatic review settings May 26, 2026 08:26
@sirily11 sirily11 enabled auto-merge (squash) May 26, 2026 08:26
@vercel

vercel Bot commented May 26, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project: rxlab-auth
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): May 26, 2026 8:50am


Copilot AI left a comment


Pull request overview

Adds support for the OAuth password grant (“rxlab sign in API”) by extending token request validation and implementing password-based token issuance in the OAuth token endpoint.

Changes:

  • Adds grant_type=password validation and unit coverage.
  • Implements password grant handling with user lookup, password verification, scope validation, sign-in permission checks, and token issuance.
  • Adds endpoint tests for successful and failed password-grant requests.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

lib/validations/oauth.ts: Adds schema support for password grant requests.
lib/validations/oauth.test.ts: Adds validation tests for password grant inputs and unsupported grant types.
app/api/oauth/token/route.ts: Adds password grant routing and token issuance logic.
app/api/oauth/token/password-grant.test.ts: Adds API tests for password grant success and common failure cases.


Comment on lines +488 to +507
// Resolve allowed scopes; default to client's allowed scopes when omitted
const allowedScopes: string[] = JSON.parse(client.allowedScopes);
let requestedScopes: string[];
if (data.scope) {
requestedScopes = data.scope.split(" ").filter(Boolean);
const invalidScopes = requestedScopes.filter(
(s) => !allowedScopes.includes(s),
);
if (invalidScopes.length > 0) {
return NextResponse.json(
{
error: "invalid_scope",
error_description: `Requested scope(s) not allowed: ${invalidScopes.join(", ")}`,
},
{ status: 400 },
);
}
} else {
requestedScopes = allowedScopes;
}
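Review bot: `JSON.parse(client.allowedScopes)` in the first statement of this region is unguarded and its result is never checked to be an array of strings, so a malformed or hand-edited `allowedScopes` row surfaces as an uncaught exception (a 500) from the token endpoint instead of a clean OAuth error; wrap the parse and validate the shape (for instance `Array.isArray(parsed) && parsed.every((s) => typeof s === "string")`) before using it. The `else` branch then grants every scope the client is allowed whenever `scope` is omitted. RFC 6749 §3.3 does permit a server-side default, but for a password grant that means the broadest possible token for a credential that was just typed in; a narrower client-configured default, or requiring `scope` explicitly on this grant, keeps the issued token to least privilege. The `split(" ").filter(Boolean)` parsing is fine for a space-delimited list; deduplicating the result avoids echoing repeated scopes into the issued token.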
Comment on lines +525 to +526
const passwordValid = await verifyPassword(user.passwordHash, data.password);
if (!passwordValid) {
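Review bot: this verification only runs once a `user` has been resolved, so the excerpt leaves the unknown-username path doing no hash computation at all. Unless that path is made to cost the same and return the same body, a caller holding nothing but a client id can distinguish registered from unregistered usernames on the token endpoint; run `verifyPassword` against a fixed dummy hash when the lookup fails and return the identical `invalid_grant` response in both cases. Please also confirm what `verifyPassword(user.passwordHash, ...)` does when `passwordHash` is null or empty (an account created through another sign-in method): it must fail closed rather than throw or compare equal. Since this route now accepts raw passwords, a rate limit on failed attempts per client and per username belongs in this handler or directly in front of it.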
Comment on lines +584 to +585
email: requestedScopes.includes("email") ? user.email : undefined,
email_verified: requestedScopes.includes("email")
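Review bot: the `email_verified` ternary on the second line is cut off in the excerpt, so make sure its consequent is the user's stored verification flag as a boolean and not the result of the scope check itself; per OpenID Connect Core §5.1 `email_verified` asserts that the provider has verified the address, not that the scope was granted. Gating both `email` and `email_verified` on the `email` scope is correct, and the two should be present or absent together. Check that the `undefined` values are actually dropped when the claims object is encoded into the token (JSON.stringify omits them, but a JWT library that type-checks claims may not), and decide whether an unverified address should emit an explicit `email_verified: false` rather than rely on a falsy default.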
@sirily11 sirily11 disabled auto-merge May 26, 2026 08:32
…rty clients

Adds `grant_type=password` to /api/oauth/token (extends tokenRequestSchema with a
password branch and routes to a handlePasswordGrant) and a new /api/oauth/signup
JSON route that wraps the existing register action so native clients like the
macOS RxAuthSwift test app can sign up and sign in without the web UI's
server-action RPC. Includes tests for both.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@sirily11 sirily11 merged commit 4661451 into main May 26, 2026
3 checks passed
@sirily11 sirily11 deleted the aasp branch May 26, 2026 08:57
Labels

enhancement New feature or request

2 participants