"use client"; import { useState, useEffect, useRef, useCallback } from "react"; import PropTypes from "prop-types"; import { Modal, Button, Input } from "@/shared/components"; import { useCopyToClipboard } from "@/shared/hooks/useCopyToClipboard"; /** * OAuth Modal Component * - Localhost: Auto callback via popup message * - Remote: Manual paste callback URL */ export default function OAuthModal({ isOpen, provider, providerInfo, onSuccess, onClose, oauthMeta, idcConfig }) { const [step, setStep] = useState("waiting"); // waiting | input | success | error const [authData, setAuthData] = useState(null); const [callbackUrl, setCallbackUrl] = useState(""); const [error, setError] = useState(null); const [isDeviceCode, setIsDeviceCode] = useState(false); const [deviceData, setDeviceData] = useState(null); const [polling, setPolling] = useState(false); const popupRef = useRef(null); const pollingAbortRef = useRef(false); const openedRef = useRef(false); const { copied, copy } = useCopyToClipboard(); // State for client-only values to avoid hydration mismatch const [isLocalhost, setIsLocalhost] = useState(false); const [placeholderUrl, setPlaceholderUrl] = useState("/callback?code=..."); const callbackProcessedRef = useRef(false); // Detect if running on localhost (client-side only) useEffect(() => { if (typeof window !== "undefined") { setIsLocalhost( window.location.hostname === "localhost" || window.location.hostname === "127.0.0.1" ); setPlaceholderUrl(`${window.location.origin}/callback?code=...`); } }, []); // Define all useCallback hooks BEFORE the useEffects that reference them // Exchange tokens const exchangeTokens = useCallback(async (code, state) => { if (!authData) return; try { const res = await fetch(`/api/oauth/${provider}/exchange`, { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ code, redirectUri: authData.redirectUri, codeVerifier: authData.codeVerifier, state, ...(oauthMeta ? { meta: oauthMeta } : {}), }), }); const data = await res.json(); if (!res.ok) throw new Error(data.error); setStep("success"); onSuccess?.(); } catch (err) { setError(err.message); setStep("error"); } }, [authData, provider, onSuccess]); const completeXaiManualCode = useCallback(async (code) => { if (!authData?.state) return; try { const res = await fetch("/api/oauth/xai/manual-code", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ code, state: authData.state }), }); const data = await res.json(); if (!res.ok) throw new Error(data.error); setStep("success"); onSuccess?.(); } catch (err) { setError(err.message); setStep("error"); } }, [authData, onSuccess]); // Poll for device code token const startPolling = useCallback(async (deviceCode, codeVerifier, interval, extraData, deadlineMs) => { pollingAbortRef.current = false; setPolling(true); // Honor the upstream's expires_in when supplied (qoder sets 300s) so we // don't time out earlier than the device code itself. Default 120s // matches the prior behavior for providers that don't surface a value. const startedAt = Date.now(); const deadline = startedAt + (Number.isFinite(deadlineMs) && deadlineMs > 0 ? deadlineMs : 120_000); while (Date.now() < deadline) { // Check if polling should be aborted if (pollingAbortRef.current) { console.log("[OAuthModal] Polling aborted"); setPolling(false); return; } await new Promise((r) => setTimeout(r, interval * 1000)); // Check again after sleep if (pollingAbortRef.current) { console.log("[OAuthModal] Polling aborted after sleep"); setPolling(false); return; } try { const res = await fetch(`/api/oauth/${provider}/poll`, { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ deviceCode, codeVerifier, extraData }), }); const data = await res.json(); if (data.success) { pollingAbortRef.current = true; // Stop polling immediately setStep("success"); setPolling(false); onSuccess?.(); return; } if (data.error === "expired_token" || data.error === "access_denied") { throw new Error(data.errorDescription || data.error); } if (data.error === "slow_down") { interval = Math.min(interval + 5, 30); } } catch (err) { setError(err.message); setStep("error"); setPolling(false); return; } } setError("Authorization timeout"); setStep("error"); setPolling(false); }, [provider, onSuccess]); // Start OAuth flow const startOAuthFlow = useCallback(async () => { if (!provider) return; try { setError(null); // Device code flow providers const deviceCodeProviders = ["github", "qwen", "kiro", "kimi-coding", "kilocode", "codebuddy", "qoder"]; if (deviceCodeProviders.includes(provider)) { setIsDeviceCode(true); setStep("waiting"); const deviceCodeUrl = new URL(`/api/oauth/${provider}/device-code`, window.location.origin); if (provider === "kiro" && idcConfig?.startUrl) { deviceCodeUrl.searchParams.set("start_url", idcConfig.startUrl); if (idcConfig.region) { deviceCodeUrl.searchParams.set("region", idcConfig.region); } deviceCodeUrl.searchParams.set("auth_method", "idc"); } const res = await fetch(deviceCodeUrl.toString()); const data = await res.json(); if (!res.ok) throw new Error(data.error); setDeviceData(data); // Auto-open verification URL in new tab const verifyUrl = data.verification_uri_complete || data.verification_uri; if (verifyUrl) window.open(verifyUrl, "_blank", "noopener,noreferrer"); // Pass extraData for Kiro (contains _clientId, _clientSecret) and // Qoder (contains _qoderMachineId / _qoderNonce — needed so mapTokens // can persist the machine id alongside the token). const extraData = provider === "kiro" ? { _clientId: data._clientId, _clientSecret: data._clientSecret, _region: data._region, _authMethod: data._authMethod, _startUrl: data._startUrl, } : provider === "qoder" ? { _qoderNonce: data._qoderNonce, _qoderMachineId: data._qoderMachineId, _qoderVerifier: data.codeVerifier, } : null; startPolling( data.device_code, data.codeVerifier, data.interval || 5, extraData, // Use the upstream's expires_in if present so we don't time out // before the device code itself (qoder gives 300s). Number.isFinite(data.expires_in) && data.expires_in > 0 ? data.expires_in * 1000 : undefined, ); return; } // Authorization code flow - build redirect URI (some providers require fixed ports) const appPort = window.location.port || (window.location.protocol === "https:" ? "443" : "80"); let redirectUri; if (provider === "codex") { redirectUri = "http://localhost:1455/auth/callback"; } else if (provider === "xai") { redirectUri = "http://127.0.0.1:56121/callback"; } else { redirectUri = `http://localhost:${appPort}/callback`; } // Build authorize URL first to get codeVerifier/state for codex server-side mode const authorizeUrl = new URL(`/api/oauth/${provider}/authorize`, window.location.origin); authorizeUrl.searchParams.set("redirect_uri", redirectUri); if (oauthMeta) { Object.entries(oauthMeta).forEach(([k, v]) => { if (v) authorizeUrl.searchParams.set(k, v); }); } const res = await fetch(authorizeUrl.toString()); const data = await res.json(); if (!res.ok) throw new Error(data.error); // Codex: start proxy with server-side session (auto-exchange) + fallback to channels let codexProxyActive = false; let codexServerSide = false; if (provider === "codex") { try { const proxyUrl = new URL(`/api/oauth/codex/start-proxy`, window.location.origin); proxyUrl.searchParams.set("app_port", appPort); proxyUrl.searchParams.set("state", data.state); proxyUrl.searchParams.set("code_verifier", data.codeVerifier); proxyUrl.searchParams.set("redirect_uri", redirectUri); const proxyRes = await fetch(proxyUrl.toString()); const proxyData = await proxyRes.json(); codexProxyActive = proxyData.success; codexServerSide = !!proxyData.serverSide; } catch { codexProxyActive = false; } } // xAI: same fixed-port server-side proxy pattern as codex (port 56121) let xaiProxyActive = false; let xaiServerSide = false; if (provider === "xai") { try { const proxyUrl = new URL(`/api/oauth/xai/start-proxy`, window.location.origin); proxyUrl.searchParams.set("app_port", appPort); proxyUrl.searchParams.set("state", data.state); proxyUrl.searchParams.set("code_verifier", data.codeVerifier); proxyUrl.searchParams.set("redirect_uri", redirectUri); const proxyRes = await fetch(proxyUrl.toString()); const proxyData = await proxyRes.json(); xaiProxyActive = proxyData.success; xaiServerSide = !!proxyData.serverSide; if (!xaiProxyActive && proxyData.reason === "port_busy") { throw new Error("Port 56121 in use; close the conflicting process and retry"); } } catch (e) { if (e?.message) throw e; xaiProxyActive = false; } } setAuthData({ ...data, redirectUri, codexServerSide, xaiServerSide }); if (provider === "codex" && codexProxyActive) { // Proxy active: callback will be handled server-side (auto-exchange) or via channels (fallback) setStep("waiting"); popupRef.current = window.open(data.authUrl, "oauth_popup", "width=600,height=700"); if (!popupRef.current) { setStep("input"); } } else if (provider === "xai" && xaiProxyActive) { setStep("waiting"); popupRef.current = window.open(data.authUrl, "oauth_popup", "width=600,height=700"); if (!popupRef.current) { setStep("input"); } } else if (!isLocalhost || provider === "codex" || provider === "xai") { // Non-localhost or proxy failed: manual input mode setStep("input"); window.open(data.authUrl, "_blank"); } else { // Localhost (non-Codex/xAI): Open popup and wait for message setStep("waiting"); popupRef.current = window.open(data.authUrl, "oauth_popup", "width=600,height=700"); if (!popupRef.current) { setStep("input"); } } } catch (err) { setError(err.message); setStep("error"); } }, [provider, isLocalhost, startPolling, oauthMeta, idcConfig]); // Reset state and start OAuth when modal opens useEffect(() => { if (isOpen && provider) { // Guard against StrictMode/effect re-runs auto-opening multiple tabs. if (openedRef.current) return; openedRef.current = true; setAuthData(null); setCallbackUrl(""); setError(null); setIsDeviceCode(false); setDeviceData(null); setPolling(false); pollingAbortRef.current = false; startOAuthFlow(); } else if (!isOpen) { // Abort polling and cleanup proxy when modal closes pollingAbortRef.current = true; openedRef.current = false; if (provider === "codex") { fetch("/api/oauth/codex/stop-proxy").catch(() => {}); } else if (provider === "xai") { fetch("/api/oauth/xai/stop-proxy").catch(() => {}); } } }, [isOpen, provider, startOAuthFlow]); // Fixed-port server-side mode: poll status (proxy auto-exchanges + saves DB) useEffect(() => { const pollProvider = authData?.codexServerSide ? "codex" : authData?.xaiServerSide ? "xai" : null; if (!pollProvider || !authData?.state) return; if (callbackProcessedRef.current) return; let cancelled = false; const POLL_INTERVAL_MS = 1500; const MAX_ATTEMPTS = 200; // ~5 minutes let attempts = 0; const tick = async () => { if (cancelled || callbackProcessedRef.current) return; attempts += 1; try { const res = await fetch(`/api/oauth/${pollProvider}/poll-status?state=${encodeURIComponent(authData.state)}`); const data = await res.json(); if (cancelled || callbackProcessedRef.current) return; if (data.status === "done") { callbackProcessedRef.current = true; setStep("success"); onSuccess?.(); return; } if (data.status === "error") { callbackProcessedRef.current = true; setError(data.error || "Authentication failed"); setStep("error"); return; } } catch { // Network error, keep polling } if (attempts >= MAX_ATTEMPTS) { callbackProcessedRef.current = true; setError("Authentication timeout"); setStep("error"); return; } setTimeout(tick, POLL_INTERVAL_MS); }; setTimeout(tick, POLL_INTERVAL_MS); return () => { cancelled = true; }; }, [authData, onSuccess]); // Listen for OAuth callback via multiple methods useEffect(() => { if (!authData) return; callbackProcessedRef.current = false; // Reset when authData changes // Handler for callback data - only process once const handleCallback = async (data) => { if (callbackProcessedRef.current) return; // Already processed const { code, state, error: callbackError, errorDescription } = data; if (callbackError) { callbackProcessedRef.current = true; setError(errorDescription || callbackError); setStep("error"); return; } if (code) { callbackProcessedRef.current = true; await exchangeTokens(code, state); } }; // Method 1: postMessage from popup const handleMessage = (event) => { // Allow messages from same origin or localhost (any port) const isLocalhost = event.origin.includes("localhost") || event.origin.includes("127.0.0.1"); const isSameOrigin = event.origin === window.location.origin; if (!isLocalhost && !isSameOrigin) return; if (event.data?.type === "oauth_callback") { handleCallback(event.data.data); } }; window.addEventListener("message", handleMessage); // Method 2: BroadcastChannel let channel; try { channel = new BroadcastChannel("oauth_callback"); channel.onmessage = (event) => handleCallback(event.data); } catch (e) { console.log("BroadcastChannel not supported"); } // Method 3: localStorage event const handleStorage = (event) => { if (event.key === "oauth_callback" && event.newValue) { try { const data = JSON.parse(event.newValue); handleCallback(data); localStorage.removeItem("oauth_callback"); } catch (e) { console.log("Failed to parse localStorage data"); } } }; window.addEventListener("storage", handleStorage); // Also check localStorage on mount (in case callback already happened) try { const stored = localStorage.getItem("oauth_callback"); if (stored) { const data = JSON.parse(stored); if (data.timestamp && Date.now() - data.timestamp < 30000) { handleCallback(data); } localStorage.removeItem("oauth_callback"); } } catch { // localStorage may be unavailable or data may be malformed - ignore silently } return () => { window.removeEventListener("message", handleMessage); window.removeEventListener("storage", handleStorage); if (channel) channel.close(); }; }, [authData, exchangeTokens]); // Handle manual URL input const handleManualSubmit = async () => { try { setError(null); const input = callbackUrl.trim(); // Detect raw JWT access token (starts with eyJ) — skip URL parsing if (input.startsWith("eyJ") && input.includes(".")) { await exchangeTokens(input, null); return; } if (provider === "xai" && input && !input.includes("://") && !input.includes("?") && !input.includes("code=")) { await completeXaiManualCode(input); return; } const url = new URL(input); const code = url.searchParams.get("code"); const state = url.searchParams.get("state"); const errorParam = url.searchParams.get("error"); if (errorParam) { throw new Error(url.searchParams.get("error_description") || errorParam); } if (!code) { throw new Error(provider === "xai" ? "Paste the callback URL or copied xAI code" : "No authorization code found in URL"); } await exchangeTokens(code, state); } catch (err) { setError(err.message); setStep("error"); } }; // Clear session on modal close + cleanup proxy const handleClose = useCallback(() => { if (provider === "codex") { fetch("/api/oauth/codex/stop-proxy").catch(() => {}); } else if (provider === "xai") { fetch("/api/oauth/xai/stop-proxy").catch(() => {}); } onClose(); }, [onClose, provider]); if (!provider || !providerInfo) return null; const isXaiProvider = provider === "xai"; const deviceLoginUrl = deviceData?.verification_uri_complete || deviceData?.verification_uri || ""; const modalTitle = isXaiProvider ? "Connect Grok Build OAuth" : `Connect ${providerInfo.name}`; const manualPlaceholder = isXaiProvider ? "http://127.0.0.1:56121/callback?code=... or copied code" : placeholderUrl; return (
{/* Waiting + Manual Input combined (non-device-code) */} {(step === "waiting" || step === "input") && !isDeviceCode && ( <> {/* Option A: Auto via popup */}
progress_activity {isXaiProvider ? "Waiting for Grok Build OAuth…" : "Waiting for popup authorization…"}
{/* Divider */}
Or paste callback URL manually
{/* Option B: Manual paste */}

Step 1: Open this {isXaiProvider ? "Grok Build OAuth URL" : "URL"} in your browser

Step 2: Paste the {provider === "xai" ? "callback URL or copied code" : "callback URL"} here

{provider === "xai" ? "If xAI shows a code instead of redirecting, paste that code here." : "After authorization, copy the full URL from your browser."}

setCallbackUrl(e.target.value)} placeholder={manualPlaceholder} className="font-mono text-xs" />
)} {/* Device Code Flow - Waiting */} {step === "waiting" && isDeviceCode && deviceData && ( <>

Visit the login URL below and authorize:

Login URL

{deviceLoginUrl}

Your Code

{deviceData.user_code}

{polling && (
progress_activity Waiting for authorization...
)} )} {/* Success Step */} {step === "success" && (
check_circle

Connected Successfully!

Your {providerInfo.name} account has been connected.

)} {/* Error Step */} {step === "error" && (
error

Connection Failed

{error}

)}
); } OAuthModal.propTypes = { isOpen: PropTypes.bool.isRequired, provider: PropTypes.string, providerInfo: PropTypes.shape({ name: PropTypes.string }), onSuccess: PropTypes.func, onClose: PropTypes.func.isRequired, /** Extra metadata passed to /authorize and /exchange (e.g. gitlab clientId/baseUrl) */ oauthMeta: PropTypes.object, /** Optional Kiro IDC config for AWS IAM Identity Center device flow */ idcConfig: PropTypes.shape({ startUrl: PropTypes.string, region: PropTypes.string, }), };