
Add fallback copy/paste code flow for OAuth when deep link redirect fails #438

Open
devin-ai-integration[bot] wants to merge 11 commits into master from devin/1772041598-oauth-copy-code-fallback

@devin-ai-integration devin-ai-integration bot commented Feb 25, 2026

Add fallback copy/paste code flow for OAuth deep link failures

Summary

When Tauri users (desktop, iOS, or Android) authenticate via OAuth (Google/GitHub/Apple), the app redirects to a browser, completes auth, then attempts a deep link redirect (cloud.opensecret.maple://auth?...) back to the app. Sometimes this deep link fails — e.g., Safari doesn't redirect back, leaving the user stuck in the browser.

This PR adds a manual fallback for all Tauri platforms (macOS, Windows, Linux, iOS, Android):

Web side (auth.$provider.callback.tsx): After attempting the deep link redirect, an "Open Maple" button is shown immediately. After 3 seconds, a "Copy Code" fallback UI also appears below. The code is a base64-encoded JSON containing access_token and refresh_token. The user can copy this to their clipboard.

App side (login.tsx and signup.tsx): When the user clicks an OAuth button (GitHub/Google/Apple) on any Tauri platform, the app automatically navigates to the paste-code screen while the browser opens. This screen initially shows a spinner with "Logging in with [Provider] — Complete your login in the browser that just opened." After 3 seconds, it reveals the paste code input with "Having trouble? Paste the login code from the browser below."

Updates since last revision

  • Extended to all Tauri platforms (fe77fc8): Changed paste-code auto-navigation from isTauriDesktop() back to isTauri(). iOS and Android users now also get the paste-code fallback flow, since deep link redirects can fail on mobile too (the user reported OAuth failures on iOS). Previously this was desktop-only.
  • Merged with master's "Open Maple" button (fe77fc8): Resolved merge conflict in auth.$provider.callback.tsx to combine master's "Open Maple" button (for iOS Safari where auto-redirect is blocked) with the copy-code fallback. The callback page now shows: Open Maple button immediately → copy-code fallback after 3 seconds.

Prior updates

  • Removed standalone "Paste Login Code" buttons (a7dad84): The buttons on the login/signup main screens have been removed. The paste-code screen is now only reachable via the auto-navigation after clicking an OAuth button.
  • Fixed stale error carryover (07c55cc): Added setError(null) before navigating to the paste-code screen in all 6 OAuth handlers.
  • Fixed "Complete Login" → "Complete Sign Up" on the signup page paste-code screen.
  • Auto-navigate to paste-code screen after OAuth click: Instead of requiring users to manually find a button, clicking any OAuth button in Tauri now automatically shows the paste-code screen with provider-specific messaging and a loading spinner.
  • Delayed paste input reveal: The paste code input is hidden for 3 seconds (while the user completes OAuth in the browser), then appears with "Having trouble?" prompt.

Desktop app testing (Linux Tauri build)

The EGL fix on master enabled testing the actual Tauri desktop app on a headless Linux VM:

Screenshots (images not preserved): login screen (no paste button), "Logging in with Google" spinner, paste input after 3s delay, error on invalid code.

Review & Testing Checklist for Human

  • Test on iOS/Android: Verify that iOS and Android users DO see the paste-code screen when clicking OAuth buttons (this is a change from the previous desktop-only behavior). Complete OAuth in browser → verify deep link redirect works. If deep link fails, verify the "Open Maple" button and copy fallback appear in the browser, copy the code, switch back to app (paste input should now be visible), paste and verify login completes.
  • Test the full flow on desktop (macOS/Windows/Linux): Click an OAuth button → verify browser opens AND the app shows "Logging in with [Provider]" screen with spinner → complete OAuth in browser → verify deep link redirect works. If deep link fails, verify the "Open Maple" button and copy fallback appear after ~3s in the browser, copy the code, switch back to app (paste input should now be visible), paste and verify login completes.
  • Verify "Open Maple" button + copy-code fallback work together: On the web callback page, verify the "Open Maple" button appears immediately and the copy-code fallback appears after 3 seconds. Both should be functional.
  • Security review of token exposure: The base64-encoded code contains raw JWT tokens displayed in the browser. The tokens are already present in the deep link URL, so the exposure surface is similar — but verify this is acceptable. Consider if any additional protections are warranted (e.g., short-lived codes, one-time-use).
  • Test that the normal deep link flow still works: When the deep link succeeds, the user gets redirected back to the app. Verify the paste-code screen doesn't interfere — the app should pick up the auth tokens and navigate away normally.

Notes

  • Platform gating: The paste-code auto-navigation now uses isTauri() (all Tauri platforms: macOS, Windows, Linux, iOS, Android) instead of isTauriDesktop(). This was changed because the user reported OAuth failures on iOS. The browser-opening flow also uses isTauri() so it works on all platforms.
  • iOS/Android NOT tested: The paste-code flow was only tested on Linux desktop. iOS and Android behavior is untested — the user will need to verify on real devices.
  • No manual access to paste-code: The standalone "Paste Login Code" buttons were removed. The paste-code screen is now only accessible via the auto-navigation after clicking an OAuth button. If a user needs the fallback but didn't trigger it via the OAuth flow, there's no manual path.
  • When navigated to from an OAuth button, the paste-code screen tracks which provider (oauthProvider state) to show contextual messaging.
  • No server-side token validation on paste — tokens are stored directly. If significant time passes between copy and paste, tokens may be expired.
  • Code duplication: handlePasteCode is duplicated identically in login.tsx and signup.tsx. Consider extracting into a shared hook. Not blocking but a maintenance concern.
  • Build, lint, and format all pass cleanly with no new errors.
  • Desktop testing was performed on a Linux Tauri build (headless VM with EGL software rendering). The actual OAuth redirect + deep link flow requires real OAuth credentials and a physical device to test end-to-end.

Link to Devin run: https://app.devin.ai/sessions/ec5b4b00cff6495a9f6f9ed5ab61664f
Requested by: @AnthonyRonning

Summary by CodeRabbit

  • New Features
    • Copy-paste fallback flow for native OAuth on Tauri platforms when redirects may fail.
    • UI to display a base64 auth code with a Copy/Copied control for easy transfer between browser and app.
    • New "paste-code" login and signup paths allowing users to paste auth codes, with timed reveal and Back navigation.
    • Added manual "Open Maple" button on callback page to assist when auto-redirect doesn't occur.
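
Added example, not code from this PR: a stricter client-side check for the pasted code described above (base64 JSON with access_token and refresh_token) that rejects malformed input and an already-expired access token before anything is written to storage. The function names, the size limit and the sample token are assumptions constructed for illustration, and the JWT signature is not verified here, which remains the server's job.

```javascript
// Added example (not code from the PR): validate a pasted login code before storing anything.
// Assumptions: the access token is a JWT carrying a numeric `exp` claim; names and limits are illustrative.
const MAX_CODE_LENGTH = 8192; // assumed upper bound for two tokens plus JSON framing

function fail(reason) {
  return { ok: false, reason };
}

// base64url -> binary string (JWT segments use the URL-safe alphabet without padding).
function decodeBase64Url(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
}

// Reads `exp` from the JWT payload. This is a freshness check only: the signature is
// NOT verified here, so the server remains the authority on whether the token is valid.
function readJwtExpiry(token) {
  const parts = token.split(".");
  if (parts.length !== 3 || !parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p))) {
    return fail("access_token is not a three-part JWT");
  }
  try {
    const claims = JSON.parse(decodeBase64Url(parts[1]));
    if (claims && typeof claims.exp === "number") return { ok: true, exp: claims.exp };
  } catch {
    // fall through to the shared failure below
  }
  return fail("access_token has no readable exp claim");
}

function parsePastedAuthCode(rawInput, nowSeconds = Math.floor(Date.now() / 1000)) {
  const code = String(rawInput).trim(); // pasted text often carries stray whitespace
  if (code.length === 0 || code.length > MAX_CODE_LENGTH) return fail("code is empty or too long");
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(code)) return fail("code is not base64");

  let payload;
  try {
    payload = JSON.parse(atob(code));
  } catch {
    return fail("code does not decode to JSON");
  }
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return fail("code does not decode to a JSON object");
  }

  const { access_token: accessToken, refresh_token: refreshToken } = payload;
  if (typeof accessToken !== "string" || accessToken === "") return fail("access_token is missing");
  if (refreshToken !== undefined && typeof refreshToken !== "string") {
    return fail("refresh_token has the wrong type");
  }

  const expiry = readJwtExpiry(accessToken);
  if (!expiry.ok) return expiry;
  if (expiry.exp <= nowSeconds) return fail("access_token has expired");

  // An empty refresh_token is reported as null so the caller clears any stale stored value.
  return { ok: true, accessToken, refreshToken: refreshToken || null, expiresIn: expiry.exp - nowSeconds };
}

// Constructed sample input: an unsigned, made-up JWT wrapped the way the callback page wraps tokens.
function makeSampleCode(exp, refreshToken) {
  const b64url = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const jwt = [b64url({ alg: "HS256", typ: "JWT" }), b64url({ sub: "sample-user", exp }), "c2FtcGxl"].join(".");
  return btoa(JSON.stringify({ access_token: jwt, refresh_token: refreshToken }));
}

const sampleNow = 1700000000;
console.log(parsePastedAuthCode(makeSampleCode(sampleNow + 600, ""), sampleNow).expiresIn);
console.log(parsePastedAuthCode(makeSampleCode(sampleNow - 1, "r"), sampleNow).reason);
```

A caller would write the tokens to storage only when `ok` is true, and remove any previously stored refresh token when `refreshToken` is null.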


cloudflare-workers-and-pages bot commented Feb 25, 2026

Deploying maple with Cloudflare Pages

Latest commit: fe77fc8
Status: ✅  Deploy successful!
Preview URL: https://16af247e.maple-ca8.pages.dev
Branch Preview URL: https://devin-1772041598-oauth-copy.maple-ca8.pages.dev


@AnthonyRonning

@coderabbitai review


coderabbitai bot commented Feb 25, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


coderabbitai bot commented Feb 25, 2026

Walkthrough

Adds a desktop (Tauri) OAuth copy-paste fallback: the callback encodes tokens into a base64 auth code and exposes a copy UI; login/signup gain a "paste-code" flow that decodes the code, stores tokens, and reloads the app when automatic native redirect fails.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| OAuth Callback Enhancement: frontend/src/routes/auth.$provider.callback.tsx | Adds state for authCode, copied, showCopyFallback; base64-encodes access/refresh tokens; adds handleCopyCode (clipboard fallback/select); imports useCallback and lucide-react icons; shows copy-paste fallback UI after a timeout and minor layout tweaks. |
| Login Flow Expansion: frontend/src/routes/login.tsx | Extends LoginMethod to include "paste-code"; adds pasteCodeValue, oauthProvider, showPasteInput; implements handlePasteCode to decode/validate/store tokens and reload; on Tauri desktop OAuth flows switch to paste-code UI with a 3s reveal and Back/reset logic. |
| Signup Flow Expansion: frontend/src/routes/signup.tsx | Extends SignUpMethod to include "paste-code"; adds same paste-code state and handlePasteCode handler; adds paste-code signup UI (monospace input, loader, errors, Back); desktop OAuth launches external browser then navigates to paste-code path with timed reveal. |

Sequence Diagram

sequenceDiagram
    actor User
    participant Desktop as Desktop (Tauri)
    participant OAuth as OAuth Provider
    participant Callback as Callback Component
    participant UI as Login/Signup UI

    User->>Desktop: Initiate OAuth (GitHub/Google/Apple)
    Desktop->>OAuth: Open external browser
    OAuth->>OAuth: User authenticates
    OAuth->>Callback: Redirect with tokens
    Callback->>Callback: Encode tokens -> base64 authCode
    Callback->>UI: Show copy UI / navigate to paste-code
    UI->>User: Display authCode (Copy button after delay)
    User->>UI: Paste code into paste-code input
    UI->>UI: Decode authCode, store tokens
    UI->>UI: Reload application

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • Apple Auth start #58 — Modifies the OAuth callback handling in auth.$provider.callback.tsx, related to native/Tauri fallback UX.
  • External web oauth deep link #45 — Alters desktop/native OAuth delivery in login/signup flows; overlaps with paste-code vs deep-link handling.
  • Tauri oauth flow #44 — Changes Tauri/native OAuth flows and login UI, including copy/paste fallback patterns.

Poem

🐰 In a Tauri glen I softly tread,
When redirects nap, I tap my head.
A base64 carrot, neat and true,
Copy, paste — and welcome you! 🥕✂️📋

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding a fallback copy/paste code flow for OAuth when deep link redirects fail, which is the primary feature across all modified files. |



@AnthonyRonning

@TestFlight build

@github-actions

🚀 TestFlight deployment triggered! Check the Actions tab for progress.

@github-actions

❌ TestFlight deployment failed. Check the workflow logs for details.

…ails

When desktop/mobile users authenticate via OAuth, the deep link redirect
back to the app sometimes fails (e.g., opens in Safari instead). This adds
a fallback mechanism:

- Web side (auth callback): After 3 seconds, shows a 'Copy Code' button
  with a base64-encoded auth token that users can copy to clipboard
- Desktop side (login/signup): Adds a 'Paste Login Code' option in Tauri
  environments where users can paste the copied code to complete auth

The code is a base64-encoded JSON containing access_token and refresh_token.

Co-Authored-By: unknown <>

The refresh_token may be an empty string when generated by the callback
page (defaults to '' when absent from localStorage). The previous check
treated empty string as falsy, rejecting valid codes. Now only
access_token is required, and refresh_token is conditionally stored.

Co-Authored-By: unknown <>

When pasting a login code with an empty refresh_token, the old
refresh_token in localStorage was not being cleared, which could
cause cross-session token mismatches on refresh.

Co-Authored-By: unknown <>

…sktop

- After clicking GitHub/Google/Apple OAuth on desktop, the app now
  automatically shows the paste-code screen with a spinner and
  'Complete your [Provider] login in the browser' messaging
- After 3 seconds, reveals the paste code input with 'Having trouble?'
- Updated web callback fallback text to 'Trouble opening the app?'
- Applied consistently to both login.tsx and signup.tsx

Co-Authored-By: unknown <>

The paste-code screen is now only accessible via the auto-navigation after
clicking an OAuth button on desktop. This simplifies the UI by removing the
standalone buttons while keeping the fallback flow intact.

Co-Authored-By: unknown <>

Use isTauriDesktop() instead of isTauri() for the paste-code screen
auto-navigation after OAuth button click. The browser opening still
happens on all Tauri platforms, but the paste-code fallback UI is
only shown on desktop where deep link redirects are less reliable.

Co-Authored-By: unknown <>

devin-ai-integration bot force-pushed the devin/1772041598-oauth-copy-code-fallback branch from 80c56fa to 0b2bd27, February 26, 2026 00:32

@AnthonyRonning

@TestFlight build

@github-actions

🚀 TestFlight deployment triggered! Check the Actions tab for progress.

@github-actions

✅ TestFlight deployment completed successfully!

…n Maple button and copy-code fallback

Co-Authored-By: unknown <>

@AnthonyRonning

@coderabbitai review


coderabbitai bot commented Feb 26, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

♻️ Duplicate comments (1)
frontend/src/routes/auth.$provider.callback.tsx (1)

67-73: ⚠️ Potential issue | 🟠 Major

Security risk: clipboard code still contains raw bearer tokens.

The fallback code is still just base64-encoded { access_token, refresh_token }, which is trivially reversible and replayable if copied/leaked. This was already flagged and remains unresolved.

🧹 Nitpick comments (1)
frontend/src/routes/login.tsx (1)

124-165: Extract handlePasteCode into a shared helper/hook used by login and signup.

This logic is effectively duplicated in frontend/src/routes/signup.tsx (decode, validate, persist tokens, clear billing token, redirect), which will drift over time.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@frontend/src/routes/login.tsx` around lines 124 - 165, Duplicate logic in
handlePasteCode (in login.tsx and signup.tsx) should be extracted to a shared
helper/hook (e.g., processAuthPaste or useAuthPaste) that decodes base64,
JSON-parses the payload, validates access_token, persists
access_token/refresh_token to localStorage, clears billing token via
getBillingService().clearToken(), and performs the redirect via
window.location.href = "/"; implement the helper to return a Promise that throws
errors with the same messages so callers (handlePasteCode in login.tsx and the
equivalent in signup.tsx) can reuse identical try/catch UI handling
(setIsLoading, setError) while importing and invoking the shared function
instead of duplicating decode/parse/persist/clear/redirect logic; ensure the
helper exports a typed function and that callers pass pasteCodeValue and handle
result/errors unchanged.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c580866 and fe77fc8.

📒 Files selected for processing (3)
  • frontend/src/routes/auth.$provider.callback.tsx
  • frontend/src/routes/login.tsx
  • frontend/src/routes/signup.tsx

Comment on lines 64 to +73
const accessToken = localStorage.getItem("access_token") || "";
const refreshToken = localStorage.getItem("refresh_token");

// Generate the fallback auth code for copy/paste flow
const codePayload = JSON.stringify({
access_token: accessToken,
refresh_token: refreshToken || ""
});
setAuthCode(btoa(codePayload));
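
Review bot: `setAuthCode(btoa(codePayload))` on the last line puts both bearer tokens into a value that is only encoded, not protected, so anything that can read the rendered page or the clipboard holds a replayable credential for as long as the tokens live. The PR description already raises short-lived or one-time-use codes; a server-issued single-use code that the app exchanges for tokens would keep `access_token` and `refresh_token` out of the browser UI. At minimum, leave `refresh_token` out of `codePayload`, since the paste path now requires only `access_token`.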


⚠️ Potential issue | 🟠 Major

Fail fast when OAuth tokens are missing before generating redirect/code.

If access_token is absent, this path still generates a deep link and copy code, leading to a broken "successful" flow.

🔧 Suggested guard
       const accessToken = localStorage.getItem("access_token") || "";
       const refreshToken = localStorage.getItem("refresh_token");
+      if (!accessToken) {
+        throw new Error("Missing access token in OAuth callback");
+      }

       // Generate the fallback auth code for copy/paste flow
       const codePayload = JSON.stringify({
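
Review bot: the new `if (!accessToken)` guard makes the `|| ""` default on the first line redundant, and the hunk does not show where the thrown `Error` is caught. Drop the default so a missing token stays `null`, and confirm the throw lands in a handler that renders the error state; if this runs inside an effect or async callback with no surrounding try/catch, set the component's error state here instead of throwing so the page does not stay on the success view.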
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const accessToken = localStorage.getItem("access_token") || "";
const refreshToken = localStorage.getItem("refresh_token");
// Generate the fallback auth code for copy/paste flow
const codePayload = JSON.stringify({
access_token: accessToken,
refresh_token: refreshToken || ""
});
setAuthCode(btoa(codePayload));
const accessToken = localStorage.getItem("access_token") || "";
const refreshToken = localStorage.getItem("refresh_token");
if (!accessToken) {
throw new Error("Missing access token in OAuth callback");
}
// Generate the fallback auth code for copy/paste flow
const codePayload = JSON.stringify({
access_token: accessToken,
refresh_token: refreshToken || ""
});
setAuthCode(btoa(codePayload));
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@frontend/src/routes/auth.$provider.callback.tsx` around lines 64 - 73,
Currently the code always builds a fallback auth code using accessToken and
refreshToken and calls setAuthCode(btoa(codePayload)) even when access_token is
missing; change the logic in this component (the block that defines accessToken,
refreshToken, codePayload and calls setAuthCode) to fail fast when accessToken
is falsy: if accessToken is missing, do not construct the codePayload or call
setAuthCode, instead set an error state or trigger the error/redirect flow
(e.g., call the existing error handler or navigate to an error page) so the UI
doesn't present a broken "successful" deep link; keep refreshToken optional but
ensure accessToken is required before creating the deep link.

Comment on lines +149 to +150
// Reload the app to pick up the new tokens
window.location.href = "/";

⚠️ Potential issue | 🟠 Major

Preserve route intent instead of always redirecting to / after paste-code login.

Hardcoding / drops active flows like selected_plan and next === "/redeem" with code.

🔧 Suggested redirect preservation
-      // Reload the app to pick up the new tokens
-      window.location.href = "/";
+      // Reload the app to pick up the new tokens while preserving intent
+      const redirectTarget = selected_plan
+        ? `/pricing?selected_plan=${encodeURIComponent(selected_plan)}`
+        : next === "/redeem" && code
+          ? `/redeem?code=${encodeURIComponent(code)}`
+          : next || "/";
+      window.location.href = redirectTarget;
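
Review bot: the last branch, `: next || "/"`, assigns `next` to `window.location.href` without any check, so if `next` comes from the query string a crafted login link can send the freshly authenticated user to another origin or to a non-HTTP scheme. Accept `next` only when it is a same-origin relative path (a single leading `/`, not `//` or `/\`), or match it against the routes the app actually supports, and fall back to `/` otherwise. The hunk also relies on `selected_plan`, `next` and `code` being in scope inside the paste-code handler, which these lines do not show.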
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@frontend/src/routes/login.tsx` around lines 149 - 150, The current hardcoded
post-login reload (window.location.href = "/") drops any active route intent
(query params like selected_plan or next), so change the reload to preserve the
current URL + query/hash (or use the router navigate) instead of forcing "/" —
e.g., in the login completion handler in frontend/src/routes/login.tsx (the
block that sets window.location.href = "/"), replace it with a redirect that
retains window.location.pathname + window.location.search + window.location.hash
(or call the router's navigate to the current location) so pasted-code flows
like selected_plan and next=/redeem?code=... are preserved.

Comment on lines +160 to +161
// Reload the app to pick up the new tokens
window.location.href = "/";

⚠️ Potential issue | 🟠 Major

Avoid unconditional / reload after paste-code signup completion.

This drops selected_plan and redeem continuation context, unlike other auth completion paths.

🔧 Suggested redirect preservation
-      // Reload the app to pick up the new tokens
-      window.location.href = "/";
+      // Reload the app to pick up the new tokens while preserving intent
+      const redirectTarget = selected_plan
+        ? `/pricing?selected_plan=${encodeURIComponent(selected_plan)}`
+        : next === "/redeem" && code
+          ? `/redeem?code=${encodeURIComponent(code)}`
+          : next || "/";
+      window.location.href = redirectTarget;
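
Review bot: this is the same three-way `redirectTarget` ternary proposed for login.tsx, pasted into signup.tsx, which adds to the `handlePasteCode` duplication already called out in this review. Put the redirect selection in one shared function called from both routes, and have that function validate `next` as a same-origin relative path before it reaches `window.location.href`.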
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// Reload the app to pick up the new tokens
window.location.href = "/";
// Reload the app to pick up the new tokens while preserving intent
const redirectTarget = selected_plan
? `/pricing?selected_plan=${encodeURIComponent(selected_plan)}`
: next === "/redeem" && code
? `/redeem?code=${encodeURIComponent(code)}`
: next || "/";
window.location.href = redirectTarget;
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@frontend/src/routes/signup.tsx` around lines 160 - 161, Replace the
unconditional reload (window.location.href = "/") so the redirect preserves
selected_plan and any redeem continuation context; instead of hard-navigating to
"/", read and reuse the current location.search (or app routing state) when
redirecting—e.g. navigate to "/" plus window.location.search or use your
router's navigate/replace with the existing query params or saved continuation
state; update the code that sets window.location.href to construct the URL from
window.location.pathname/ search or call the router's navigation method so
selected_plan and redeem context are retained after paste-code signup
completion.
