Perhaps it should increase by a random integer each time.
PR #153
31 votes · 30 up · 1 down
Comments(23)
Looks great until you refresh the page!
I note you can keep on upvoting multiple times and the apparent score gets bigger and bigger. Bug or feature?
This is a great addition, now that it's working. My only feature request is to be able to see how I already voted on PRs when loading the page.
Fixed. The GitHub App was set to private - only I could authorize. Changed to public. Should work now. Sorry for the runaround.
Ok, it's working for me because I'm the app owner; for other GitHub accounts it's a 404. Taking some time to figure things out here. Bear with me.
@Daviey @bigintersmind can you try in a fresh incognito/private window? The earlier failed attempts (when the callback URL was wrong) might have left stale cookies or cached state. It's working for me, I'm able to login. Curious what could be the issue.
Yeah that's true. My one is still running and has this redirect, and it works with the scope value removed.
@skridlevsky Can this get your attention please?
https://github.com/login/oauth/authorize?client_id=Ov23liv8Qkg06XR51638&scope=public_repo&state=efc0de64-ca4b-46f7-b820-22eb37c4d0cf&redirect_uri=http%3A%2F%2F<REDACTED>%3A3000%2Fapi%2Fauth%2Fcallback
I'm doubtful that's the issue, as if so then removing scope=public_repo would fix it
Is the client_id definitely correct: Iv23litere2a5PqwFTuc
@skridlevsky
@skridlevsky I am also seeing the same 404. The redirect is:
https://github.com/login/oauth/authorize?client_id=Iv23litere2a5PqwFTuc&scope=public_repo&state=8adeb220-0885-4bd0-a487-d11087742fe8&redirect_uri=https%3A%2F%2Fwww.openchaos.dev%2Fapi%2Fauth%2Fcallback
I suspect as we have scope=public_repo here:
https://github.com/skridlevsky/openchaos/blob/3e9a84ca248a3f54371cd6579530537d4d4dbd12/src/app/api/auth/login/route.ts#L28
And you (correctly) created the GitHub App with a tighter scope, we are seeing a 404.
main is still working locally for me with my github app creds with the public_repo config.
@bigintersmind Can you share the full URL from your browser when you see the 404? That'll help debug what GitHub is rejecting.
Still a 404 on my end.
@bigintersmind Callback URL was set to openchaos.dev but the site 307s to www.openchaos.dev. Fixed - should work now.
@Daviey good catch on the callback URL. Also heads up: I swapped the classic OAuth app for a GitHub App with fine-grained permissions - scoped to reactions on this repo only. The original public_repo scope in code would've given the server write access to every voter's public repos. Not ideal for a chaos repo. The GitHub App overrides it with properly scoped permissions.
@skridlevsky Hey, can you check "Authorization callback URL" is set to https://www.openchaos.dev/api/auth/callback please? Ta
Trying to vote or login just sends me to a github 404 page...
Nice fix on the cookies.
I'll create a fresh OAuth app when this approaches merge. Cleaner than a handover. Env vars go in the Vercel dashboard, we'll set those up at merge time.
📢💀 I SPEAK TRUTH TO POWER - DON'T TRY TO REPRESS ME 💀📢
But yeah:
- oauth_state cookie: YoURe absolutely right!!! Fixed in 8bfa0ad 💪 - all THREE OAuth cookies (oauth_state, oauth_redirect, oauth_origin) are now httpOnly: true. The callback route reads them server-side so there's NO NEED for JavaScript access. ✅✅
- Yeah ThemeToggle was FUGLY 🤮 and getting in the WAY. Theme switching can be added back later if needed; but the focus here was on getting the core OAuth voting flow WORKING. 🎯🎯
We NEED to talk about transition of POWER 👑👑 - I can handover this OAuth app rather than create a new one???
And, how should WE handle the .env file?? 🤔🤔 Wanna use GitHub Actions/secrets or WHAT!?
In-site voting is a real upgrade. On first look OAuth flow is clean, the pending vote queue (vote before login, cast after callback) is smart, and the XP sounds are nice-to-have.
Two things I noticed:
- oauth_state cookie. It's set with httpOnly: false. Since this is the CSRF protection token, it should be httpOnly: true to prevent JavaScript access. The callback route reads it server-side anyway.
- ThemeToggle removal. The PR removes ThemeToggle from page.tsx. Was that intentional or a side effect of a rebase?
Overall this is solid. Lowers the barrier for the community.
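The two points raised in this thread (the httpOnly `oauth_state` cookie and the over-broad `public_repo` scope) as one added example; this is not the project's `route.ts`, the Next.js request/response plumbing is left out, and `clientId`/`callbackUrl` are assumed inputs that the real app would read from env:

```typescript
import { randomUUID, timingSafeEqual } from "node:crypto";

// Attributes for all three OAuth cookies. httpOnly keeps the state token out
// of reach of page scripts; sameSite=lax still sends it on the top-level
// redirect back from GitHub; secure ties it to HTTPS.
export const OAUTH_COOKIE_OPTIONS = {
  httpOnly: true,
  secure: true,
  sameSite: "lax" as const,
  path: "/api/auth",
  maxAge: 600, // seconds; the GitHub round trip should finish well within this
};

export interface LoginStart {
  authorizeUrl: string;
  cookies: { oauth_state: string; oauth_redirect: string; oauth_origin: string };
}

// Build the GitHub authorize URL plus the cookies the callback will check.
// No `scope` parameter: a GitHub App's permissions are fixed at install time
// rather than requested per login, and the thread notes the redirect works
// with the scope value removed.
export function startLogin(clientId: string, callbackUrl: string,
                           redirectAfter: string, origin: string): LoginStart {
  const state = randomUUID(); // unguessable per-login CSRF token
  const params = new URLSearchParams({ client_id: clientId, state, redirect_uri: callbackUrl });
  return {
    authorizeUrl: `https://github.com/login/oauth/authorize?${params.toString()}`,
    cookies: { oauth_state: state, oauth_redirect: redirectAfter, oauth_origin: origin },
  };
}

// Callback-side check: the `state` query parameter must match the cookie
// exactly. A missing value is rejected outright; the comparison is constant-time.
export function stateMatches(queryState: string | null, cookieState: string | undefined): boolean {
  if (!queryState || !cookieState) return false;
  const a = Buffer.from(queryState);
  const b = Buffer.from(cookieState);
  return a.length === b.length && timingSafeEqual(a, b);
}
```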
🤖 OpenChaos Bot
Summary: This PR adds GitHub OAuth authentication so users can vote on PRs using their GitHub accounts. It includes API routes for login, logout, and voting, along with updated UI including sounds, CSS, and instructions, and even adds a globe animation.
Files changed: 12 (OAUTH_SETUP.md, public/globe.svg, src/app/api/auth/callback/route.ts, src/app/api/auth/login/route.ts, src/app/globals.css)
Vibe: The internet is getting a login screen and a side of dial-up modem nostalgia.
⚠️ Large PR - partial review