Skip to content

feat: enable OAuth sign-in with GitHub and Google #1216

Description

@sw-factory-automations

Description

OAuth sign-in with GitHub and Google is fully implemented in code but disabled behind the NEXT_PUBLIC_OAUTH_ENABLED feature flag (currently false in .env). The implementation includes the OAuthButtons component with provider-specific sign-in, the /auth/callback route handling OAuth redirects, proxy allowlisting, and unit tests for both enabled and disabled states. Enabling OAuth reduces sign-up friction — users can authenticate with one click instead of creating a new email/password credential.

Approval Required

This is a HIGH risk change because it modifies the authentication flow:

  • Requires configuring GitHub and Google OAuth apps in the Supabase dashboard (client IDs, secrets, redirect URLs)
  • Changes the sign-in/sign-up UX from email-only to email + OAuth
  • Needs verification that the handle_new_user DB trigger correctly creates profiles and personal workspaces for OAuth users (who may not have an email/password)
  • Requires Vercel environment variable update (NEXT_PUBLIC_OAUTH_ENABLED=true)

Comment "approved" to release this to the automation queue.

Acceptance Criteria

  • NEXT_PUBLIC_OAUTH_ENABLED is set to true in the Vercel production environment
  • GitHub OAuth app is configured in Supabase dashboard with correct redirect URL (https://memo.software-factory.dev/auth/callback)
  • Google OAuth app is configured in Supabase dashboard with correct redirect URL
  • "Continue with GitHub" button on sign-in/sign-up pages initiates GitHub OAuth flow
  • "Continue with Google" button on sign-in/sign-up pages initiates Google OAuth flow
  • After OAuth sign-in, user is redirected to their workspace (existing user) or a new personal workspace is created (new user)
  • The handle_new_user trigger correctly handles OAuth users (display name from provider, email from provider)
  • OAuth error states (denied permission, provider error) redirect to sign-in with error message
  • E2E test verifies OAuth buttons are enabled and clickable (mock the provider redirect)
  • pnpm lint && pnpm typecheck && pnpm test pass

Dependencies

None (code is already implemented)

Technical Notes

  • The OAuthButtons component (src/components/auth/oauth-buttons.tsx) already handles both enabled and disabled states based on the env var.
  • The /auth/callback route (src/app/auth/callback/route.ts) already handles OAuth callbacks, including workspace redirect and error handling.
  • The proxy (src/lib/supabase/proxy.ts) already allowlists /auth/callback.
  • Unit tests exist for both states (src/components/auth/oauth-buttons.test.tsx, src/app/auth/callback/route.test.ts).
  • The main work is Supabase dashboard configuration and Vercel env var update — minimal code changes expected.
  • Verify the handle_new_user function in supabase/migrations/ handles the raw_user_meta_data shape from OAuth providers (display name, avatar URL).

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestneeds-humanNeeds human input — automation will re-queue when user respondspriority:3

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions