fetch.
Initiating
The dashboard's login page has buttons that simply link to these paths:
- The server generates a CSRF `state` value and a PKCE code verifier
- Stores both in a short-lived cookie
- 302s to the provider's consent screen with `state` and `code_challenge`
Callback
After the user approves at Google / GitHub:
- Validates that `state` matches the cookie value (rejects with 400 otherwise)
- Exchanges `code` for an ID token (Google) or an access token (GitHub)
- Extracts the verified email
- Upserts the user by email
- Creates a session and sets the `sid` cookie
- 302s to `/app`
Error redirects
| URL param | Cause |
|---|---|
| `/login?error=oauth_unavailable` | The provider isn't configured on the server (missing client ID/secret) |
| `/login?error=oauth_no_email` | The provider didn't return a verified email |
| `/login?error=oauth_failed` | Token exchange failed; user cancelled; state mismatch |
`?error=` and displays a human-readable message in red.
What scopes we request
| Provider | Scope | What we get |
|---|---|---|
| Google | `openid email profile` | Email, `sub` (Google user ID) |
| GitHub | `read:user user:email` | Primary verified email, GitHub user ID |
Disabling a provider
If `GOOGLE_CLIENT_ID` or `GITHUB_CLIENT_ID` is unset in the server's environment, the corresponding endpoint returns:
VITE_OAUTH_GOOGLE_ENABLED=0).