Add Redis-backed Matrix OIDC auth backend and update AuthContext #1

Open
florianbeisel wants to merge 3 commits from codex/create-backend-auth-module-with-oidc into main
florianbeisel commented 2026-01-26 09:59:58 +01:00 (Migrated from github.com)

Motivation

  • Implement a real backend authentication flow using Matrix OIDC with server-side sessions instead of the frontend mock and localStorage storage.
  • Persist session state in Redis and protect session identifiers with a signed, httpOnly cookie so the frontend can rely on a secure server session.
  • Expose endpoints the frontend can call to start OIDC login, receive the callback, refresh tokens, fetch the current user, and logout.

Description

  • Add server/auth.ts which implements OIDC discovery or explicit endpoints, PKCE state generation, token exchange, userinfo fetching, and session persistence in Redis under keys session:<id> with a ff_session signed httpOnly cookie and a 7-day TTL.
  • Add server/index.ts which mounts an Express app with cookie-parser (signed via SESSION_COOKIE_SECRET) and routes POST /api/auth/login, GET /api/auth/callback, POST /api/auth/refresh, POST /api/auth/logout, and GET /api/me wired to the handlers in server/auth.ts.
  • Update src/contexts/AuthContext.tsx to remove the local mock/localStorage flow and instead call GET /api/me on mount, POST /api/auth/login to start the OIDC flow, and POST /api/auth/logout to clear the server session; add a fetchJson helper using credentials: 'include' so cookies are sent.
  • Update package.json to include backend runtime dependencies (express, cookie-parser, nanoid, redis) and type dev-dependencies for the new packages.

Testing

  • Attempted to install dependencies with npm install, but the run failed due to a 403 Forbidden error fetching @types/cookie-parser from the registry, so installation and runtime tests were not completed.
  • No automated unit or integration tests were added or executed in this change set due to the blocked dependency installation.
  • The new files were lint/compiled locally in this environment only to the extent of creating and saving them, but full verification requires a successful dependency installation and running the auth server.

Codex Task

[Codex Task](https://chatgpt.com/codex/tasks/task_e_697726e63eb0832a85c2d21d3b4bdbb6)
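The PR description above names the security-relevant parts of the flow without showing them: an S256 PKCE pair per login, a `state` value the callback must match, a session id stored under `session:<id>` with a 7-day TTL, and that id carried only in a signed `httpOnly` cookie. The block below is an added example written for this page; it is not code from the PR, from `server/auth.ts`, or from the project. It uses only `node:crypto`, so it runs offline. Assumptions, labelled in the comments: the signed-cookie format is the one `cookie-parser`/`cookie-signature` use (`s:` prefix, `.` plus an HMAC-SHA256 base64 tag), an in-memory `Map` with an injectable clock stands in for Redis `SET ... EX`, and `buildAuthorizeUrl`, `resolveSession` and `sessionCookieHeader` are illustrative names, not endpoints or functions the PR defines.

```typescript
// Added example, not the PR's own code: PKCE, signed session cookie and
// session lookup for the flow described in the PR, on node:crypto only.
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

export const SESSION_COOKIE = "ff_session";           // cookie name from the PR
export const SESSION_TTL_SECONDS = 7 * 24 * 60 * 60;  // 7-day TTL from the PR

// base64url without padding (RFC 7636 requires this for verifier and challenge).
const b64url = (buf: Buffer): string =>
  buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
export function pkceChallenge(verifier: string): string {
  return b64url(createHash("sha256").update(verifier, "ascii").digest());
}

export function createPkce(): { verifier: string; challenge: string } {
  const verifier = b64url(randomBytes(32)); // 43 chars, inside RFC 7636's 43..128
  return { verifier, challenge: pkceChallenge(verifier) };
}

// Authorization request the login endpoint would redirect to (illustrative
// helper). `state` is a per-login random value kept server-side with the verifier.
export function buildAuthorizeUrl(p: { authorizationEndpoint: string; clientId: string;
  redirectUri: string; state: string; challenge: string; scope?: string }): string {
  const url = new URL(p.authorizationEndpoint);
  url.search = new URLSearchParams({
    response_type: "code", client_id: p.clientId, redirect_uri: p.redirectUri,
    scope: p.scope ?? "openid", state: p.state,
    code_challenge: p.challenge, code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

// Assumed format: what cookie-parser/cookie-signature produce for signed cookies,
// "s:" + value + "." + base64(HMAC-SHA256(secret, value)) with '=' padding stripped.
export function signCookie(value: string, secret: string): string {
  const mac = createHmac("sha256", secret).update(value).digest("base64").replace(/=+$/, "");
  return `s:${value}.${mac}`;
}

// Session id if the tag verifies; null if unsigned, tampered or signed with
// another secret. Recomputes the tag and compares the whole string in constant time.
export function unsignCookie(raw: string, secret: string): string | null {
  if (!raw.startsWith("s:")) return null;
  const body = raw.slice(2);
  const dot = body.lastIndexOf(".");
  if (dot < 0) return null;
  const value = body.slice(0, dot);
  const a = Buffer.from(raw), b = Buffer.from(signCookie(value, secret));
  return a.length === b.length && timingSafeEqual(a, b) ? value : null; // length check: timingSafeEqual throws on mismatch
}

export interface Session { sub: string; accessToken: string; refreshToken?: string }

// Assumption: in-memory stand-in for the Redis store, keys mirror "session:<id>",
// expiry replaces SET ... EX. `now` is injectable so expiry can be exercised.
export class SessionStore {
  private entries = new Map<string, { session: Session; expiresAt: number }>();
  constructor(private now: () => number = () => Date.now()) {}
  create(session: Session, ttl = SESSION_TTL_SECONDS): string {
    const id = b64url(randomBytes(24)); // 192-bit random id; never derived from user data
    this.entries.set(`session:${id}`, { session, expiresAt: this.now() + ttl * 1000 });
    return id;
  }
  get(id: string): Session | null {
    const e = this.entries.get(`session:${id}`);
    if (!e) return null;
    if (e.expiresAt <= this.now()) { this.entries.delete(`session:${id}`); return null; }
    return e.session;
  }
  delete(id: string): void { this.entries.delete(`session:${id}`); }
}

// What GET /api/me has to do: find ff_session in the Cookie header, verify the
// signature, then look the id up. Forged or expired cookies yield null (-> 401).
export function resolveSession(cookieHeader: string | undefined, secret: string,
                               store: SessionStore): Session | null {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== SESSION_COOKIE) continue;
    const id = unsignCookie(decodeURIComponent(rest.join("=")), secret);
    return id ? store.get(id) : null;
  }
  return null;
}

// Set-Cookie value for the callback: signed, HttpOnly, Secure, SameSite=Lax
// (Lax so the top-level redirect back from the OIDC provider still carries it).
export function sessionCookieHeader(id: string, secret: string): string {
  return `${SESSION_COOKIE}=${encodeURIComponent(signCookie(id, secret))}; ` +
    `Max-Age=${SESSION_TTL_SECONDS}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}
```

Two points worth checking against the real `server/auth.ts` once it can be run: the `state` sent in the authorization request must be compared to the one stored for that login before the code is exchanged (otherwise PKCE alone does not stop a login-CSRF), and the cookie's `Max-Age` should not outlive the Redis TTL, or the browser will keep presenting an id that no longer resolves.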
chatgpt-codex-connector[bot] commented 2026-01-26 10:00:05 +01:00 (Migrated from github.com)

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

changeset-bot[bot] commented 2026-01-28 13:18:58 +01:00 (Migrated from github.com)

⚠️ No Changeset found

Latest commit: db07b8dcda

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

This pull request has changes conflicting with the target branch.
  • package.json
  • server/auth.ts
  • server/index.ts

Manual merge helper


Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin codex/create-backend-auth-module-with-oidc:codex/create-backend-auth-module-with-oidc
git switch codex/create-backend-auth-module-with-oidc

Merge

Merge the changes and update on Forgejo. The commands for each merge style are listed separately below; run only the set matching the style you intend to record, then push.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

Merge commit:
git switch main
git merge --no-ff codex/create-backend-auth-module-with-oidc

Rebase, then fast-forward:
git switch codex/create-backend-auth-module-with-oidc
git rebase main
git switch main
git merge --ff-only codex/create-backend-auth-module-with-oidc

Rebase, then merge commit:
git switch codex/create-backend-auth-module-with-oidc
git rebase main
git switch main
git merge --no-ff codex/create-backend-auth-module-with-oidc

Squash:
git switch main
git merge --squash codex/create-backend-auth-module-with-oidc

Fast-forward only:
git switch main
git merge --ff-only codex/create-backend-auth-module-with-oidc

Plain merge (manual):
git switch main
git merge codex/create-backend-auth-module-with-oidc

Push the result:
git push origin main