feat(p26): OAuth callback + User.tier column #53
Merged
GET /auth/oauth/{provider}/callback closes the OAuth dance:
- verify state cookie vs query (400 on mismatch — CSRF anchor)
- exchange authorization code for access token
- fetch userinfo
- upsert local user (preserve existing tier — P27's webhook owns it)
- mint and return the same TokenResponse JWT the password endpoint returns
User.tier column (default "community") drives the billing feature
gates. Added with an idempotent ALTER TABLE migration in init_db so
legacy DBs stay read-compatible. JWT payload now carries tier;
/auth/me and UserRead expose it.
10 new tests cover migration, register default tier, callback happy
path, repeat-login tier preservation, state mismatch / missing cookie
400s, unknown provider 404, unconfigured 503, no-email 502. Full
suite: 438 passing.
# Conflicts:
#	CHANGELOG.md
Summary

GET /auth/oauth/{provider}/callback: state-cookie verify → code exchange → userinfo fetch → user upsert → JWT mint. User.tier column (default "community") drives the billing feature gates. Idempotent ALTER TABLE migration in init_db so legacy DBs stay read-compatible. JWT payload now carries tier; /auth/me and UserRead expose it.

Why

Closes Phase P26 — the only remaining Wave-1 piece before P27 Razorpay lifecycle can lift users out of community.

Test plan
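The callback flow and the tier migration described in the commit message and the Summary above, as one added example (not the PR's or the project's code): an in-memory SQLite `users` table migrated with the idempotent ALTER TABLE pattern, a fake OAuth provider standing in for the token and userinfo endpoints so it runs offline, and a hand-rolled HS256 JWT that carries `tier`. The table layout, the `oauth_state` cookie name, the `HTTPError` class, the `FakeProvider` interface and the `pro` tier value are assumptions made for the example; the project's real models and TokenResponse may differ.

```python
import base64
import hashlib
import hmac
import json
import sqlite3
import time

TIER_DEFAULT = "community"
JWT_SECRET = b"example-only-secret"  # assumption: the app's HS256 signing key


class HTTPError(Exception):
    """Stand-in for the framework's HTTP exception (assumed shape: status, detail)."""

    def __init__(self, status, detail):
        super().__init__(detail)
        self.status, self.detail = status, detail


def init_db(conn):
    """Create the legacy users table, then add tier only if it is missing.
    Safe to call on every start; returns True only when the column was added."""
    conn.execute("CREATE TABLE IF NOT EXISTS users "
                 "(id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL)")
    cols = {row[1] for row in conn.execute("PRAGMA table_info(users)")}
    if "tier" in cols:
        return False
    conn.execute("ALTER TABLE users ADD COLUMN tier TEXT NOT NULL DEFAULT 'community'")
    return True


def upsert_user(conn, email):
    """First login inserts with the default tier; repeat logins never touch tier
    (the P27 billing webhook is the only writer of that column)."""
    conn.execute("INSERT OR IGNORE INTO users (email) VALUES (?)", (email,))
    row = conn.execute("SELECT id, email, tier FROM users WHERE email = ?", (email,)).fetchone()
    return {"id": row[0], "email": row[1], "tier": row[2]}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_jwt(user, ttl=3600):
    """Compact HS256 JWT whose payload carries tier, as the PR's TokenResponse does."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": str(user["id"]), "email": user["email"],
              "tier": user["tier"], "exp": int(time.time()) + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def read_claims(token):
    """Verify the signature before trusting anything in the payload."""
    header, payload, sig = token.split(".")
    expected = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad JWT signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


class FakeProvider:
    """Offline stand-in for a provider's token and userinfo endpoints (constructed)."""

    def __init__(self, codes, userinfo_by_token, configured=True):
        self.codes, self.userinfo_by_token, self.configured = codes, userinfo_by_token, configured

    def exchange_code(self, code):
        if code not in self.codes:
            raise HTTPError(502, "authorization code rejected by provider")
        return self.codes[code]

    def fetch_userinfo(self, access_token):
        return self.userinfo_by_token[access_token]


def oauth_callback(conn, providers, provider, query, cookies):
    """GET /auth/oauth/{provider}/callback: the five steps from the PR, in order."""
    client = providers.get(provider)
    if client is None:
        raise HTTPError(404, "unknown provider")
    if not client.configured:
        raise HTTPError(503, "provider not configured")
    # CSRF anchor: the state we set in our cookie must equal the state the provider echoed back.
    cookie_state, query_state = cookies.get("oauth_state"), query.get("state")
    if not cookie_state or not query_state or not hmac.compare_digest(cookie_state, query_state):
        raise HTTPError(400, "state mismatch")
    access_token = client.exchange_code(query.get("code", ""))
    email = client.fetch_userinfo(access_token).get("email")
    if not email:
        raise HTTPError(502, "provider returned no email")
    user = upsert_user(conn, email)
    return {"access_token": mint_jwt(user), "token_type": "bearer"}


def _status(fn):
    try:
        fn()
    except HTTPError as e:
        return e.status
    return 200


def run_demo():
    """Constructed scenario: migration twice, first login, P27 upgrade, repeat login, error paths."""
    conn = sqlite3.connect(":memory:")
    migrated = (init_db(conn), init_db(conn))  # second call must be a no-op
    providers = {
        "github": FakeProvider({"code-1": "tok-1", "code-2": "tok-2"},
                               {"tok-1": {"email": "alice@example.com"}, "tok-2": {}}),
        "google": FakeProvider({}, {}, configured=False),
    }
    login = lambda q, c={"oauth_state": "s1"}: oauth_callback(conn, providers, "github", q, c)
    first = read_claims(login({"state": "s1", "code": "code-1"})["access_token"])
    conn.execute("UPDATE users SET tier = 'pro' WHERE email = 'alice@example.com'")  # P27 webhook
    repeat = read_claims(login({"state": "s1", "code": "code-1"})["access_token"])
    return {
        "migrated": migrated, "first_tier": first["tier"], "repeat_tier": repeat["tier"],
        "mismatch": _status(lambda: login({"state": "evil", "code": "code-1"})),
        "no_cookie": _status(lambda: login({"state": "s1", "code": "code-1"}, {})),
        "unknown": _status(lambda: oauth_callback(conn, providers, "gitlab", {}, {})),
        "unconfigured": _status(lambda: oauth_callback(conn, providers, "google", {}, {})),
        "no_email": _status(lambda: login({"state": "s1", "code": "code-2"})),
    }
```

`run_demo()` exercises the same cases the PR's tests list: the migration is a no-op on its second call, the first login mints a `community` token, the repeat login after the simulated webhook upgrade still reports `pro` because `upsert_user` never writes `tier`, and the state mismatch, missing cookie, unknown provider, unconfigured provider and no-email paths return 400, 400, 404, 503 and 502. The state check is deliberately ordered after the provider lookup so an attacker cannot use the 400 to probe which providers exist, and `hmac.compare_digest` keeps the comparison constant-time.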