Conversation

@netliam netliam commented Dec 8, 2025

Implements feature outlined here

OIDC Launch URL

Summary by CodeRabbit

  • New Features
    • Added OAuth authentication flow with OIDC provider support for user login
    • Implemented error handling and success notifications during the authentication process
    • Added configurable redirect behavior after successful authentication

coderabbitai bot commented Dec 8, 2025

Walkthrough

Introduces OAuth launch functionality by adding a new OAuthLaunchComponent that orchestrates OAuth login flows, supporting both native and web builds with popup-based authentication, error handling, and configurable redirect behavior. Exports the component from the auth module and integrates it into a new /oauth/launch route.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Auth Module Export: packages/frontend/core/src/components/affine/auth/index.ts | Re-exports OAuthLaunchComponent to expose it as part of the public auth module API. |
| OAuth Launch Component: packages/frontend/core/src/components/affine/auth/oauth-launch-component.tsx | New React component that manages OAuth login initiation. Subscribes to authentication status via useLiveData, computes effective redirect URL, handles OAuth flow with platform-specific behavior (native popup with scheme vs. web popup with constructed oauth/login URL), tracks sign-in events, displays success toasts, and invokes optional onAuthenticated callback. Automatically initiates login on mount. |
| Desktop OAuth Page & Routing: packages/frontend/core/src/desktop/pages/auth/oauth-launch.tsx, packages/frontend/core/src/desktop/router.tsx | Adds OAuthLaunch page component that wraps OAuthLaunchComponent with error handling and redirect logic. Implements handleAuthenticated callback to close popup or navigate based on redirectUrl. Registers new /oauth/launch route with lazy loading and webpack chunk naming. |

Sequence Diagram

sequenceDiagram
    participant Mount as OAuthLaunchComponent<br/>(Mount)
    participant Auth as AuthService
    participant Server as ServerService
    participant UI as Popup Window
    participant Callback as onAuthenticated<br/>Callback

    Mount->>Auth: Subscribe to authentication<br/>status via useLiveData
    Mount->>Server: Compute effective<br/>redirect URL
    activate Mount
    Note over Mount: Initiate OAuth flow<br/>(onContinue)
    alt Native Build
        Mount->>UI: Preflight check &<br/>scheme-based popup
    else Web Build
        Mount->>UI: Construct oauth/login URL<br/>with provider & redirect_uri<br/>+ open popup
    end
    deactivate Mount
    
    UI->>Auth: User authenticates<br/>& sign-in event triggered
    Auth-->>Mount: Authentication status<br/>updated
    
    alt Authentication Successful
        Mount->>UI: Display success toast
        Mount->>Callback: Invoke callback with<br/>AuthSessionStatus
        Callback->>Callback: Handle redirect or<br/>close popup
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–25 minutes

Areas requiring extra attention:

  • OAuth flow logic in OAuthLaunchComponent - verify correct handling of native vs. web builds and popup behavior
  • Authentication status subscription and state management via useLiveData
  • Redirect URL computation and handling of CLOSE_POPUP constant logic
  • Error handling and toast notification integration
  • Route lazy loading and webpack chunk configuration

Poem

🐰 A rabbit hops through OAuth's dance,
With popups popping left and chance,
Native schemes and web URLs bright,
Auth flows flowing, day and night!
🌟 Now login's just a launch away,
Hippity-hop, authenticate today!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat: add oauth launch url' accurately describes the main change: adding OAuth launch functionality with a URL component, matching the new route, page component, and OAuth launch service introduced in the changeset. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
packages/frontend/core/src/desktop/pages/auth/oauth-launch.tsx (1)

15-25: Consider forwarding redirectUrl into OAuthLaunchComponent

The page computes a redirectUrl (from props or redirect_uri query) and uses it in handleAuthenticated, but OAuthLaunchComponent also exposes a redirectUrl prop that currently isn’t used here:

<OAuthLaunchComponent onAuthenticated={handleAuthenticated} />

If the intent is for the same redirectUrl to control both:

  • the final in-app navigation/close behavior (handled here), and
  • the redirect_uri passed into the OAuth login URL (handled inside OAuthLaunchComponent),

then you likely want to pass it through:

-        <OAuthLaunchComponent onAuthenticated={handleAuthenticated} />
+        <OAuthLaunchComponent
+          redirectUrl={redirectUrl ?? undefined}
+          onAuthenticated={handleAuthenticated}
+        />
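
Review bot: `redirectUrl={redirectUrl ?? undefined}` forwards a value that, per the comment above, can come from the `redirect_uri` query parameter, so caller-controlled input ends up as the OAuth `redirect_uri`. Before passing it through, constrain it to same-origin targets (or an allowlist) and fall back to the default `/oauth/callback` otherwise; the same check should guard the navigation in `handleAuthenticated`.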

Otherwise you end up always using the default /oauth/callback as the OAuth redirect_uri, regardless of the redirect_uri/redirectUrl passed into this page.

Also applies to: 43-66

packages/frontend/core/src/components/affine/auth/oauth-launch-component.tsx (1)

71-81: Tighten success toast & onAuthenticated semantics to avoid duplicates

The effect:

useEffect(() => {
  if (loginStatus === 'authenticated') {
    notify.success(...);
  }
  onAuthenticated?.(loginStatus);
}, [loginStatus, onAuthenticated, t]);

fires on every loginStatus emission, so repeated 'authenticated' emissions will show multiple success toasts and invoke onAuthenticated multiple times.

If you only care about the transition to authenticated once, consider tracking the previous status in a ref and only:

  • showing the toast, and
  • calling onAuthenticated

when prevStatus !== 'authenticated' && loginStatus === 'authenticated'.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 027f741 and 0f98787.

📒 Files selected for processing (4)
  • packages/frontend/core/src/components/affine/auth/index.ts (1 hunks)
  • packages/frontend/core/src/components/affine/auth/oauth-launch-component.tsx (1 hunks)
  • packages/frontend/core/src/desktop/pages/auth/oauth-launch.tsx (1 hunks)
  • packages/frontend/core/src/desktop/router.tsx (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-11-27T03:23:11.880Z
Learnt from: CR
Repo: toeverything/AFFiNE PR: 0
File: packages/frontend/apps/ios/AGENTS.md:0-0
Timestamp: 2025-11-27T03:23:11.880Z
Learning: Applies to packages/frontend/apps/ios/**/*.{ts,tsx} : Expose JavaScript APIs to native iOS code through window object for Capacitor integration

Applied to files:

  • packages/frontend/core/src/components/affine/auth/index.ts
🧬 Code graph analysis (2)
packages/frontend/core/src/desktop/pages/auth/oauth-launch.tsx (3)
packages/frontend/core/src/components/hooks/use-navigate-helper.ts (1)
  • useNavigateHelper (24-268)
packages/frontend/core/src/modules/cloud/entities/session.ts (1)
  • AuthSessionStatus (39-42)
packages/frontend/core/src/components/affine/auth/oauth-launch-component.tsx (1)
  • OAuthLaunchComponent (13-88)
packages/frontend/core/src/components/affine/auth/oauth-launch-component.tsx (5)
packages/frontend/core/src/modules/cloud/entities/session.ts (1)
  • AuthSessionStatus (39-42)
packages/common/infra/src/framework/react/index.tsx (1)
  • useService (15-17)
packages/frontend/core/src/modules/url/services/url.ts (1)
  • UrlService (6-58)
packages/frontend/core/src/components/hooks/affine-async-hooks.ts (1)
  • useAsyncCallback (18-30)
packages/backend/server/src/base/error/def.ts (1)
  • UserFriendlyError (63-166)
🔇 Additional comments (3)
packages/frontend/core/src/components/affine/auth/index.ts (1)

1-1: OAuthLaunchComponent re-export looks good

Re-exporting OAuthLaunchComponent from the auth barrel file cleanly exposes the new component without changing behavior elsewhere.

packages/frontend/core/src/desktop/router.tsx (1)

153-157: New /oauth/launch route wiring is consistent

The new /oauth/launch route follows the existing auth routing pattern (lazy import under the "auth" chunk and placement alongside other OAuth routes). No issues from a router perspective.

packages/frontend/core/src/components/affine/auth/oauth-launch-component.tsx (1)

26-60: Auto-launching OAuth popup from an effect may be blocked in browsers

onContinue ultimately calls urlService.openPopupWindow(...), and it's invoked from a useEffect on mount without a direct user gesture. The UrlService.openPopupWindow documentation warns that popup windows called from async callbacks/effects can be blocked by browsers, which may break the OAuth launch flow in web environments.

Consider one of the following:

  • For web builds, switch to urlService.openExternal(oauthUrl) so the tab navigates instead of opening a popup, or
  • Gate onContinue behind an explicit user action (e.g. a "Continue" button) when running in a browser, keeping auto-launch only for native/electron where popup blocking is not an issue, or
  • Introduce a dedicated UrlService method tailored for this launch route that internally chooses the safest behavior per platform.

Also, please double-check that UserFriendlyError.fromAny(e) (in the native branch) returns an object shape that notify.error can render correctly.
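
As an added example (not code from this PR or from AFFiNE), the following framework-free TypeScript shows the two checks this review touches on: running the post-login step only on the transition into 'authenticated', and accepting a `redirect_uri`-derived target only when it resolves to the app's own origin. The names `safeRedirectTarget`, `createAuthTransitionHandler`, `runDemo` and the origin `https://app.example` are hypothetical.

```typescript
// Added example, not AFFiNE code. All names here are hypothetical.
type AuthStatus = 'unauthenticated' | 'authenticated';

// Resolve a redirect target that came from an untrusted `redirect_uri`
// query parameter. Only targets on the app's own origin are accepted;
// everything else falls back to a fixed in-app path.
function safeRedirectTarget(
  raw: string | null,
  appOrigin: string,
  fallback: string = '/'
): string {
  if (!raw) return fallback;
  // Reject backslashes and control characters outright instead of relying
  // on how a given URL parser normalises them.
  if (/[\\\x00-\x1f]/.test(raw)) return fallback;
  let url: URL;
  try {
    url = new URL(raw, appOrigin); // relative paths resolve against the app
  } catch {
    return fallback;
  }
  if (url.origin !== appOrigin) return fallback;
  return url.pathname + url.search + url.hash;
}

// Edge-triggered handler: call the returned function on every status
// emission; the callback runs only on the transition into 'authenticated'.
function createAuthTransitionHandler(onAuthenticated: () => void) {
  let prev: AuthStatus | undefined;
  return (status: AuthStatus): void => {
    const entered = prev !== 'authenticated' && status === 'authenticated';
    prev = status;
    if (entered) onAuthenticated();
  };
}

// Constructed emissions: the repeated 'authenticated' must not re-fire.
function runDemo(redirectUri: string | null): string[] {
  const navigations: string[] = [];
  const onStatus = createAuthTransitionHandler(() => {
    navigations.push(safeRedirectTarget(redirectUri, 'https://app.example'));
  });
  const emissions: AuthStatus[] = [
    'unauthenticated', 'authenticated', 'authenticated',
  ];
  for (const status of emissions) onStatus(status);
  return navigations;
}
```

In a React component the `prev` tracking would live in a `useRef`, as the review comment suggests.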

codecov bot commented Dec 9, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.53%. Comparing base (027f741) to head (0f98787).
⚠️ Report is 2 commits behind head on canary.

Additional details and impacted files
@@            Coverage Diff             @@
##           canary   #14071      +/-   ##
==========================================
- Coverage   57.10%   56.53%   -0.58%     
==========================================
  Files        2757     2757              
  Lines      138059   138059              
  Branches    21156    21048     -108     
==========================================
- Hits        78843    78056     -787     
- Misses      56944    57738     +794     
+ Partials     2272     2265       -7     
Flag Coverage Δ
server-test 77.02% <ø> (-1.25%) ⬇️
unittest 31.97% <ø> (-0.01%) ⬇️
