Description
OAuth sign-in with GitHub and Google is fully implemented in code but disabled behind the NEXT_PUBLIC_OAUTH_ENABLED feature flag (currently false in .env). The implementation includes the OAuthButtons component with provider-specific sign-in, the /auth/callback route handling OAuth redirects, proxy allowlisting, and unit tests for both enabled and disabled states. Enabling OAuth reduces sign-up friction — users can authenticate with one click instead of creating a new email/password credential.
Approval Required
This is a HIGH risk change because it modifies the authentication flow:
- Requires configuring GitHub and Google OAuth apps in the Supabase dashboard (client IDs, secrets, redirect URLs)
- Changes the sign-in/sign-up UX from email-only to email + OAuth
- Needs verification that the
handle_new_user DB trigger correctly creates profiles and personal workspaces for OAuth users (who may not have an email/password)
- Requires Vercel environment variable update (
NEXT_PUBLIC_OAUTH_ENABLED=true)
Comment "approved" to release this to the automation queue.
Acceptance Criteria
Dependencies
None (code is already implemented)
Technical Notes
- The
OAuthButtons component (src/components/auth/oauth-buttons.tsx) already handles both enabled and disabled states based on the env var.
- The
/auth/callback route (src/app/auth/callback/route.ts) already handles OAuth callbacks, including workspace redirect and error handling.
- The proxy (
src/lib/supabase/proxy.ts) already allowlists /auth/callback.
- Unit tests exist for both states (
src/components/auth/oauth-buttons.test.tsx, src/app/auth/callback/route.test.ts).
- The main work is Supabase dashboard configuration and Vercel env var update — minimal code changes expected.
- Verify the
handle_new_user function in supabase/migrations/ handles the raw_user_meta_data shape from OAuth providers (display name, avatar URL).
Description
OAuth sign-in with GitHub and Google is fully implemented in code but disabled behind the
NEXT_PUBLIC_OAUTH_ENABLEDfeature flag (currentlyfalsein.env). The implementation includes theOAuthButtonscomponent with provider-specific sign-in, the/auth/callbackroute handling OAuth redirects, proxy allowlisting, and unit tests for both enabled and disabled states. Enabling OAuth reduces sign-up friction — users can authenticate with one click instead of creating a new email/password credential.Approval Required
This is a HIGH risk change because it modifies the authentication flow:
handle_new_userDB trigger correctly creates profiles and personal workspaces for OAuth users (who may not have an email/password)NEXT_PUBLIC_OAUTH_ENABLED=true)Comment "approved" to release this to the automation queue.
Acceptance Criteria
NEXT_PUBLIC_OAUTH_ENABLEDis set totruein the Vercel production environmenthttps://memo.software-factory.dev/auth/callback)handle_new_usertrigger correctly handles OAuth users (display name from provider, email from provider)pnpm lint && pnpm typecheck && pnpm testpassDependencies
None (code is already implemented)
Technical Notes
OAuthButtonscomponent (src/components/auth/oauth-buttons.tsx) already handles both enabled and disabled states based on the env var./auth/callbackroute (src/app/auth/callback/route.ts) already handles OAuth callbacks, including workspace redirect and error handling.src/lib/supabase/proxy.ts) already allowlists/auth/callback.src/components/auth/oauth-buttons.test.tsx,src/app/auth/callback/route.test.ts).handle_new_userfunction insupabase/migrations/handles theraw_user_meta_datashape from OAuth providers (display name, avatar URL).