feat: move from oauth to first party auth support

Author: k11kirky

apps/twig/src/api/posthogClient.ts

@@ -373,4 +373,62 @@ export class PostHogAPIClient {
     });
     return data.results ?? [];
   }
+
+  /**
+   * Get details for multiple projects by their IDs.
+   * Returns project info including organization details.
+   */
+  async getProjectDetails(projectIds: number[]): Promise<
+    Array<{
+      id: number;
+      name: string;
+      organization: { id: string; name: string };
+    }>
+  > {
+    const results = await Promise.all(
+      projectIds.map(async (projectId) => {
+        try {
+          const project = await this.getProject(projectId);
+          return {
+            id: project.id,
+            name: project.name ?? `Project ${project.id}`,
+            organization: {
+              id: project.organization?.toString() ?? "",
+              name: project.organization?.toString() ?? "Unknown Organization",
+            },
+          };
+        } catch (error) {
+          log.warn(`Failed to fetch project ${projectId}:`, error);
+          return null;
+        }
+      }),
+    );
+    return results.filter((r): r is NonNullable<typeof r> => r !== null);
+  }
+
+  /**
+   * Get all organizations the user belongs to.
+   */
+  async getOrganizations(): Promise<
+    Array<{ id: string; name: string; slug: string }>
+  > {
+    const url = new URL(`${this.api.baseUrl}/api/organizations/`);
+    const response = await this.api.fetcher.fetch({
+      method: "get",
+      url,
+      path: "/api/organizations/",
+    });
+
+    if (!response.ok) {
+      throw new Error(`Failed to fetch organizations: ${response.statusText}`);
+    }
+
+    const data = await response.json();
+    const orgs = data.results ?? data ?? [];
+    return orgs.map((org: { id: string; name: string; slug?: string }) => ({
+      id: org.id,
+      name: org.name,
+      slug: org.slug ?? org.id,
+    }));
+  }
 }

apps/twig/src/main/services/oauth/schemas.ts

@@ -22,7 +22,7 @@ export const oAuthTokenResponse = z.object({
   access_token: z.string(),
   expires_in: z.number(),
   token_type: z.string(),
-  scope: z.string(),
+  scope: z.string().optional().default(""),
   refresh_token: z.string(),
   scoped_teams: z.array(z.number()).optional(),
   scoped_organizations: z.array(z.string()).optional(),
@@ -42,6 +42,9 @@ export const startFlowOutput = z.object({
 });
 export type StartFlowOutput = z.infer<typeof startFlowOutput>;
 
+export const startSignupFlowInput = startFlowInput;
+export type StartSignupFlowInput = z.infer<typeof startSignupFlowInput>;
+
 export const refreshTokenInput = z.object({
   refreshToken: z.string(),
   region: cloudRegion,
@@ -61,3 +64,8 @@ export const cancelFlowOutput = z.object({
   error: z.string().optional(),
 });
 export type CancelFlowOutput = z.infer<typeof cancelFlowOutput>;
+
+export const openExternalUrlInput = z.object({
+  url: z.string().url(),
+});
+export type OpenExternalUrlInput = z.infer<typeof openExternalUrlInput>;

apps/twig/src/main/services/oauth/service.ts

@@ -109,44 +109,43 @@ export class OAuthService {
       };
 
       const codeVerifier = this.generateCodeVerifier();
-      const codeChallenge = this.generateCodeChallenge(codeVerifier);
-      const redirectUri = this.getRedirectUri();
+      const authUrl = this.buildAuthorizeUrl(region, codeVerifier);
 
-      // Build the authorization URL
-      const cloudUrl = getCloudUrlFromRegion(region);
-      const authUrl = new URL(`${cloudUrl}/oauth/authorize`);
-      authUrl.searchParams.set("client_id", getOauthClientIdFromRegion(region));
-      authUrl.searchParams.set("redirect_uri", redirectUri);
-      authUrl.searchParams.set("response_type", "code");
-      authUrl.searchParams.set("code_challenge", codeChallenge);
-      authUrl.searchParams.set("code_challenge_method", "S256");
-      authUrl.searchParams.set("scope", config.scopes.join(" "));
-      authUrl.searchParams.set("required_access_level", "project");
-
-      // Create a promise that will be resolved when the callback arrives
-      const code = IS_DEV
-        ? await this.waitForHttpCallback(
-            codeVerifier,
-            config,
-            authUrl.toString(),
-          )
-        : await this.waitForDeepLinkCallback(
-            codeVerifier,
-            config,
-            authUrl.toString(),
-          );
-
-      // Exchange the code for tokens
-      const tokenResponse = await this.exchangeCodeForToken(
-        code,
-        codeVerifier,
+      return await this.startFlowWithUrl(
         config,
+        codeVerifier,
+        authUrl.toString(),
       );
-
+    } catch (error) {
       return {
-        success: true,
-        data: tokenResponse,
+        success: false,
+        error: error instanceof Error ? error.message : "Unknown error",
+      };
+    }
+  }
+
+  /**
+   * Start the OAuth flow from the signup page.
+   */
+  public async startSignupFlow(region: CloudRegion): Promise<StartFlowOutput> {
+    try {
+      // Cancel any existing flow
+      this.cancelFlow();
+
+      const config: OAuthConfig = {
+        scopes: OAUTH_SCOPES,
+        cloudRegion: region,
       };
+
+      const codeVerifier = this.generateCodeVerifier();
+      const authUrl = this.buildAuthorizeUrl(region, codeVerifier);
+      const signupUrl = this.buildSignupUrl(region, authUrl);
+
+      return await this.startFlowWithUrl(
+        config,
+        codeVerifier,
+        signupUrl.toString(),
+      );
     } catch (error) {
       return {
         success: false,
@@ -443,11 +442,62 @@ export class OAuthService {
     return response.json();
   }
 
+  private buildAuthorizeUrl(region: CloudRegion, codeVerifier: string): URL {
+    const codeChallenge = this.generateCodeChallenge(codeVerifier);
+    const redirectUri = this.getRedirectUri();
+    const cloudUrl = getCloudUrlFromRegion(region);
+    const authUrl = new URL(`${cloudUrl}/oauth/authorize`);
+    authUrl.searchParams.set("client_id", getOauthClientIdFromRegion(region));
+    authUrl.searchParams.set("redirect_uri", redirectUri);
+    authUrl.searchParams.set("response_type", "code");
+    authUrl.searchParams.set("code_challenge", codeChallenge);
+    authUrl.searchParams.set("code_challenge_method", "S256");
+    authUrl.searchParams.set("scope", OAUTH_SCOPES.join(" "));
+    authUrl.searchParams.set("required_access_level", "project");
+    return authUrl;
+  }
+
+  private buildSignupUrl(region: CloudRegion, authUrl: URL): URL {
+    const cloudUrl = getCloudUrlFromRegion(region);
+    const signupUrl = new URL(`${cloudUrl}/signup`);
+    const nextPath = `${authUrl.pathname}${authUrl.search}`;
+    signupUrl.searchParams.set("next", nextPath);
+    return signupUrl;
+  }
+
+  private async startFlowWithUrl(
+    config: OAuthConfig,
+    codeVerifier: string,
+    authUrl: string,
+  ): Promise<StartFlowOutput> {
+    const code = IS_DEV
+      ? await this.waitForHttpCallback(codeVerifier, config, authUrl)
+      : await this.waitForDeepLinkCallback(codeVerifier, config, authUrl);
+
+    const tokenResponse = await this.exchangeCodeForToken(
+      code,
+      codeVerifier,
+      config,
+    );
+
+    return {
+      success: true,
+      data: tokenResponse,
+    };
+  }
+
   private generateCodeVerifier(): string {
     return crypto.randomBytes(32).toString("base64url");
   }
 
   private generateCodeChallenge(verifier: string): string {
     return crypto.createHash("sha256").update(verifier).digest("base64url");
   }
+
+  /**
+   * Open an external URL in the default browser.
+   */
+  public async openExternalUrl(url: string): Promise<void> {
+    await shell.openExternal(url);
+  }
 }

apps/twig/src/main/trpc/routers/oauth.ts

@@ -2,10 +2,12 @@ import { container } from "../../di/container.js";
 import { MAIN_TOKENS } from "../../di/tokens.js";
 import {
   cancelFlowOutput,
+  openExternalUrlInput,
   refreshTokenInput,
   refreshTokenOutput,
   startFlowInput,
   startFlowOutput,
+  startSignupFlowInput,
 } from "../../services/oauth/schemas.js";
 import type { OAuthService } from "../../services/oauth/service.js";
 import { publicProcedure, router } from "../trpc.js";
@@ -18,6 +20,11 @@ export const oauthRouter = router({
     .output(startFlowOutput)
     .mutation(({ input }) => getService().startFlow(input.region)),
 
+  startSignupFlow: publicProcedure
+    .input(startSignupFlowInput)
+    .output(startFlowOutput)
+    .mutation(({ input }) => getService().startSignupFlow(input.region)),
+
   refreshToken: publicProcedure
     .input(refreshTokenInput)
     .output(refreshTokenOutput)
@@ -28,4 +35,8 @@ export const oauthRouter = router({
   cancelFlow: publicProcedure
     .output(cancelFlowOutput)
     .mutation(() => getService().cancelFlow()),
+
+  openExternalUrl: publicProcedure
+    .input(openExternalUrlInput)
+    .mutation(({ input }) => getService().openExternalUrl(input.url)),
 });

apps/twig/src/renderer/App.tsx

@@ -138,29 +138,36 @@ function App() {
     );
   }
 
+  // Determine which screen to show
+  const renderContent = () => {
+    if (!isAuthenticated) {
+      return (
+        <motion.div
+          key="auth"
+          initial={{ opacity: 1 }}
+          exit={{ opacity: 0 }}
+          transition={{ duration: 0.5 }}
+        >
+          <AuthScreen />
+        </motion.div>
+      );
+    }
+
+    return (
+      <motion.div
+        key="main"
+        initial={{ opacity: 0 }}
+        animate={{ opacity: 1 }}
+        transition={{ duration: 0.5, delay: showTransition ? 1.5 : 0 }}
+      >
+        <MainLayout />
+      </motion.div>
+    );
+  };
+
   return (
     <ErrorBoundary name="App">
-      <AnimatePresence mode="wait">
-        {!isAuthenticated ? (
-          <motion.div
-            key="auth"
-            initial={{ opacity: 1 }}
-            exit={{ opacity: 0 }}
-            transition={{ duration: 0.5 }}
-          >
-            <AuthScreen />
-          </motion.div>
-        ) : (
-          <motion.div
-            key="main"
-            initial={{ opacity: 0 }}
-            animate={{ opacity: 1 }}
-            transition={{ duration: 0.5, delay: showTransition ? 1.5 : 0 }}
-          >
-            <MainLayout />
-          </motion.div>
-        )}
-      </AnimatePresence>
+      <AnimatePresence mode="wait">{renderContent()}</AnimatePresence>
       <LoginTransition
         isAnimating={showTransition}
         onComplete={handleTransitionComplete}