feat: add OAuth-style app-linking for client applications #413

Draft

michael-j-green with Copilot wants to merge 7 commits into main from copilot/add-support-linking-client-apps

Copilot AI commented Apr 25, 2026

  • Fix link-app.js: reject '*' wildcard targetOrigin (CodeQL: cross-window communication with unrestricted target origin)
  • Fix APIKeyMiddleware.cs (round 1): replace bare catch {} with catch (Exception ex) + log
  • Fix APIKeyMiddleware.cs (round 2): narrow catch (Exception ex) to specific DB exception types (DataException, InvalidOperationException) — CodeQL generic catch clause, 0 alerts remaining

Copilot AI and others added 2 commits April 25, 2026 05:20
- DB migration hasheous-1034.sql: UserAppKeys table
- APIKeyMiddleware: fall through to UserAppKeys validation + PurgeApiKeyCache helper
- New AppLinkController: GET AppInfo and POST Authorize endpoints
- AccountController: GET AppLinks and DELETE AppLinks/{id} endpoints
- New link-app.html/js: standalone popup for the auth flow
- account.html/js: linked apps management section
- en.json: new localisation strings

Agent-Logs-Url: https://github.com/gaseous-project/hasheous/sessions/dc09cd3b-8ff2-487a-8375-9f0fc196952c

Co-authored-by: michael-j-green <84688932+michael-j-green@users.noreply.github.com>

- Fix typo: lastuused -> lastused in APIKeyMiddleware
- Restrict postMessage targetOrigin using query param or opener origin
- Use postData() for DELETE revoke in account.js (CSRF consistency)
- Update integration guide with targetOrigin parameter
- Update copilot-instructions.md with feature docs

Agent-Logs-Url: https://github.com/gaseous-project/hasheous/sessions/dc09cd3b-8ff2-487a-8375-9f0fc196952c

Co-authored-by: michael-j-green <84688932+michael-j-green@users.noreply.github.com>

Comment thread hasheous/wwwroot/pages/link-app.js Fixed
Comment thread hasheous-lib/Classes/Auth/Classes/APIKeyMiddleware.cs Fixed

- docs/wiki/App-Linking-Integration-Guide.md: full developer guide
- hasheous/wwwroot/images/hasheous-link-button.svg: official button SVG asset
- hasheous/wwwroot/styles/style.css: .hasheous-link-button CSS class

Agent-Logs-Url: https://github.com/gaseous-project/hasheous/sessions/aced81ad-2f0b-4727-ba81-600b805af6a1

Co-authored-by: michael-j-green <84688932+michael-j-green@users.noreply.github.com>

…catch

- link-app.js: add isValidOrigin() guard; targetOrigin must be an explicit
  valid origin (rejects '*', 'null', missing); popup refuses to proceed
  without it so the API key is never sent to an unrestricted target.
- APIKeyMiddleware.cs: replace bare catch{} with typed catch(Exception ex)
  + multi-line Console.Error.WriteLine log in the fire-and-forget Task.Run.

Agent-Logs-Url: https://github.com/gaseous-project/hasheous/sessions/774b477e-90aa-45e5-a088-78724de18f05

Co-authored-by: michael-j-green <84688932+michael-j-green@users.noreply.github.com>

Comment thread hasheous-lib/Classes/Auth/Classes/APIKeyMiddleware.cs Fixed

…dleware

Replace catch(Exception ex) in the fire-and-forget Task.Run block with
specific catches: DataException and InvalidOperationException. Both log
the same diagnostic message; no behaviour change.

Agent-Logs-Url: https://github.com/gaseous-project/hasheous/sessions/2b1dba67-2a92-4fb5-b753-fced1d030fcf

Co-authored-by: michael-j-green <84688932+michael-j-green@users.noreply.github.com>
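
The origin guard described in the commit messages above, as an added example that is not the project's link-app.js. `isValidOrigin` and the `targetOrigin` query parameter are named on the page; the function bodies, the `resolveTargetOrigin` and `sendKeyToOpener` helpers, and the message shape are assumptions.

```javascript
// Added example; not code from the pull request.
// True only for an explicit http(s) origin in canonical form,
// e.g. "https://app.example.com" or "http://localhost:8080".
function isValidOrigin(candidate) {
  if (typeof candidate !== 'string' || candidate === '' ||
      candidate === '*' || candidate === 'null') {
    return false; // wildcard, opaque origin, or missing
  }
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return false; // not an absolute URL
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  // The string must equal its own origin: this rejects a path, query,
  // fragment, embedded credentials, or a non-canonical spelling.
  return url.origin === candidate;
}

// Reads targetOrigin from the popup's query string (hypothetical helper).
// Returns null when the popup must refuse to proceed.
function resolveTargetOrigin(search) {
  const value = new URLSearchParams(search).get('targetOrigin');
  return isValidOrigin(value) ? value : null;
}

// Posts the key only to a validated origin (hypothetical helper).
// `opener` is any object with postMessage, window.opener in a browser.
// The message shape is an assumption.
function sendKeyToOpener(opener, search, apiKey) {
  const targetOrigin = resolveTargetOrigin(search);
  if (!opener || targetOrigin === null) return false; // refuse, send nothing
  opener.postMessage({ type: 'app-link-result', apiKey }, targetOrigin);
  return true;
}
```

The strict equality against `url.origin` means a value with a trailing slash or an explicit default port is also refused, so the integrating app has to pass exactly the value of its own `window.location.origin`.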