feat: add OAuth-style app-linking for client applications #413
Draft
michael-j-green with Copilot wants to merge 7 commits into
- DB migration hasheous-1034.sql: UserAppKeys table
- APIKeyMiddleware: fall through to UserAppKeys validation + PurgeApiKeyCache helper
- New AppLinkController: GET AppInfo and POST Authorize endpoints
- AccountController: GET AppLinks and DELETE AppLinks/{id} endpoints
- New link-app.html/js: standalone popup for the auth flow
- account.html/js: linked apps management section
- en.json: new localisation strings
Agent-Logs-Url: https://github.com/gaseous-project/hasheous/sessions/dc09cd3b-8ff2-487a-8375-9f0fc196952c
Co-authored-by: michael-j-green <84688932+michael-j-green@users.noreply.github.com>
- Fix typo: lastuused -> lastused in APIKeyMiddleware
- Restrict postMessage targetOrigin using query param or opener origin
- Use postData() for DELETE revoke in account.js (CSRF consistency)
- Update integration guide with targetOrigin parameter
- Update copilot-instructions.md with feature docs
Agent-Logs-Url: https://github.com/gaseous-project/hasheous/sessions/dc09cd3b-8ff2-487a-8375-9f0fc196952c
Co-authored-by: michael-j-green <84688932+michael-j-green@users.noreply.github.com>
Copilot created this pull request from a session on behalf of michael-j-green, April 25, 2026 05:26
- docs/wiki/App-Linking-Integration-Guide.md: full developer guide
- hasheous/wwwroot/images/hasheous-link-button.svg: official button SVG asset
- hasheous/wwwroot/styles/style.css: .hasheous-link-button CSS class
Agent-Logs-Url: https://github.com/gaseous-project/hasheous/sessions/aced81ad-2f0b-4727-ba81-600b805af6a1
Co-authored-by: michael-j-green <84688932+michael-j-green@users.noreply.github.com>
…catch
- link-app.js: add isValidOrigin() guard; targetOrigin must be an explicit
valid origin (rejects '*', 'null', missing); popup refuses to proceed
without it so the API key is never sent to an unrestricted target.
- APIKeyMiddleware.cs: replace bare catch{} with typed catch(Exception ex)
+ multi-line Console.Error.WriteLine log in the fire-and-forget Task.Run.
Agent-Logs-Url: https://github.com/gaseous-project/hasheous/sessions/774b477e-90aa-45e5-a088-78724de18f05
Co-authored-by: michael-j-green <84688932+michael-j-green@users.noreply.github.com>
…dleware
Replace catch(Exception ex) in the fire-and-forget Task.Run block with specific catches: DataException and InvalidOperationException. Both log the same diagnostic message; no behaviour change.
Agent-Logs-Url: https://github.com/gaseous-project/hasheous/sessions/2b1dba67-2a92-4fb5-b753-fced1d030fcf
Co-authored-by: michael-j-green <84688932+michael-j-green@users.noreply.github.com>
- `link-app.js`: reject `'*'` wildcard `targetOrigin` (CodeQL: cross-window communication with unrestricted target origin)
- `APIKeyMiddleware.cs` (round 1): replace bare `catch {}` with `catch (Exception ex)` + log
- `APIKeyMiddleware.cs` (round 2): narrow `catch (Exception ex)` to specific DB exception types (`DataException`, `InvalidOperationException`) — CodeQL generic catch clause, 0 alerts remaining
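
The targetOrigin guard described for link-app.js in this PR, sketched as an added example that is not the project's code. The function names, the message shape and the sample origins are constructed for illustration, and accepting plain http alongside https is an assumption.

```javascript
// Added example with hypothetical helper names; not the code in link-app.js.

// Return the canonical origin if `value` is an explicit http(s) origin,
// otherwise null. Rejects '*', 'null', missing values, non-web schemes and
// anything carrying credentials, a path, a query or a fragment.
function parseExplicitOrigin(value) {
  if (typeof value !== 'string' || value === '' || value === '*' || value === 'null') {
    return null;
  }
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // not an absolute URL
  }
  // Assumption: http is allowed (e.g. local development); tighten to https if not needed.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (url.username || url.password) return null;
  if (url.pathname !== '/' || url.search || url.hash) return null;
  return url.origin; // normalised scheme://host[:port]
}

// Hand the key to the opener only when the requested target origin is explicit.
// `opener` is any object with postMessage(message, targetOrigin), such as
// window.opener in the popup; `requestedOrigin` would come from the
// targetOrigin query parameter.
function deliverApiKey(opener, requestedOrigin, apiKey) {
  const targetOrigin = parseExplicitOrigin(requestedOrigin);
  if (!opener || targetOrigin === null) {
    // Refuse to proceed: the key is never posted to an unrestricted target.
    return { sent: false, reason: 'missing or invalid targetOrigin' };
  }
  // The browser discards the message if the opener is no longer on targetOrigin.
  opener.postMessage({ type: 'app-link-result', apiKey }, targetOrigin); // constructed message shape
  return { sent: true, targetOrigin };
}
```

Because the second argument to postMessage is a concrete origin, a window that has been navigated elsewhere since the popup opened never receives the key.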