Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 7 additions & 2 deletions app/views/doorkeeper/authorizations/new.html.erb
Original file line number Diff line number Diff line change
Expand Up @@ -50,12 +50,17 @@
CANONICAL McpOauth::CONFIG[:resource_uri], never the client's
spelling -- which Doorkeeper's stock form would silently drop
(RFC 8707 round-trip). %>
<%= form_tag oauth_authorization_path, method: :post do %>
<%# OAuth completes with a cross-origin redirect to the client's callback
(commonly http://localhost:<port> for CLI agents). Turbo would follow
that redirect as fetch(), which the callback correctly rejects via
CORS, leaving this page apparently stuck. Native form navigation is
required for both approval and denial. %>
<%= form_tag oauth_authorization_path, method: :post, data: { turbo: false } do %>
<%= render "authorization_params" %>
<%= submit_tag t(".authorize"),
class: "w-full rounded-md border-3 border-ink bg-hero-red px-4 py-3 font-display text-2xl tracking-wide text-white shadow-comic-sm hover:bg-hero-red/90 t-press" %>
<% end %>
<%= form_tag oauth_authorization_path, method: :delete do %>
<%= form_tag oauth_authorization_path, method: :delete, data: { turbo: false } do %>
<%= render "authorization_params" %>
<%= submit_tag t(".deny"),
class: "w-full rounded-md border-2 border-ink bg-white px-4 py-2 font-display text-xl tracking-wide text-ink shadow-comic-sm hover:bg-paper t-press" %>
Expand Down
5 changes: 5 additions & 0 deletions test/integration/oauth_authorization_flow_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,11 @@ class OauthAuthorizationFlowTest < ActionDispatch::IntegrationTest
assert_select "input[type=hidden][name=code_challenge][value=?]", code_challenge
assert_includes response.body, client.name

# Approval and denial redirect to a client-controlled callback origin
# (usually localhost for CLI agents). Turbo must not turn those redirects
# into cross-origin fetches; both forms require native browser navigation.
assert_select "form[data-turbo='false']", count: 2

# Requested scopes are shown with human labels.
assert_includes response.body, I18n.t("doorkeeper.scopes.mcp:read")
assert_includes response.body, I18n.t("doorkeeper.scopes.mcp:write")
Expand Down
Loading