External viewers cannot open shared app links (whiteboard): login flow fails, and this used to work #251

Closed
opened 2026-06-04 19:05:25 +00:00 by mik-tf · 1 comment
Owner

Opening a shared link to an app such as the whiteboard from outside the tester's account currently lands on an error page that reads "Invalid or expired OAuth state", so the external person never sees the shared content. This used to work, so it is most likely a recent regression and the fix may be quick once we find the change that caused it. Two things to check. First, the proxy keeps the in-progress login state only in memory with a ten minute window, so every time the proxy is redeployed or restarted any login that is mid-flow fails with exactly this message; making that state survive a restart, by signing it into the flow rather than holding it in memory, is a likely quick fix. Second, the tester domain now forces every visitor through login and recently added an allowlist on some routes, so a person with no account cannot get in at all; for real external sharing we also want a public read-only path for shared links that skips the login gate. Checking the recent proxy login and OAuth commits should point straight at what changed. We will know it is fixed when a person outside the account can open a shared whiteboard link in a fresh browser and see the board.

Signed-by: mik-tf <mik-tf@noreply.invalid>
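The issue's suggestion of signing the in-progress login state into the flow, so that verifying it needs no proxy memory, as an added example that is not code from hero_proxy. The key, field names and function names are assumptions; the nonce is also kept in a browser cookie so a state value is only accepted from the browser that started the login.

```python
import base64, hashlib, hmac, json, secrets, time

STATE_TTL_SECONDS = 600  # the ten minute window mentioned in the issue
# Assumption: in practice the key comes from persistent config so it survives restarts.
STATE_KEY = b"constructed-demo-key-not-a-real-secret"

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_state(return_to, now=None, key=STATE_KEY):
    """Return (state, nonce); the nonce is also set as a cookie in the browser."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)
    payload = json.dumps({"n": nonce, "r": return_to, "t": issued}).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag), nonce

def verify_state(state, cookie_nonce, now=None, key=STATE_KEY):
    """Return the return_to path, or None on any failure (fail closed)."""
    try:
        body, tag = state.split(".")
        payload = b64d(body)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        # Check the signature before trusting anything inside the payload.
        if not hmac.compare_digest(expected, b64d(tag)):
            return None
        claims = json.loads(payload)
        age = (time.time() if now is None else now) - claims["t"]
        if not 0 <= age <= STATE_TTL_SECONDS:
            return None
        # Bind the state to the browser that started the login.
        if not hmac.compare_digest(claims["n"].encode(), cookie_nonce.encode()):
            return None
        return claims["r"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
```

Because nothing is held server-side, a signed state stays replayable within its window; the cookie binding limits that to the originating browser.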

Author
Owner

Fixed and verified live. Two changes landed. First, the proxy now persists the in-progress login state instead of keeping it only in memory, so a proxy restart in the middle of a login no longer produces "Invalid or expired OAuth state" (lhumina_code/hero_proxy@cf40313). Second, there is now a public read-only path for shared whiteboard links that skips the login gate: a logged-out visitor is served the shared board as an anonymous request, and the whiteboard re-checks the share token on every call, so access is scoped to that one board and role (read-only for a viewer link, read and write for an editor link) and fails closed otherwise (lhumina_code/hero_whiteboard@6147c7a), with new tester installs turning this on by default (lhumina_code/hero_os_tfgrid_deployer@b39a2da). A logged-out person in a fresh browser can now open a shared link and see the board, confirmed by a twelve case access check on the live tester where every allowed case worked and every cross-board or wrong-role case was correctly refused. Closing.

Signed-by: mik-tf <mik-tf@noreply.invalid>
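A per-call share token check of the kind the comment describes (one board, one role, refuse everything else), as an added example that is not code from hero_whiteboard. The record layout, the `revoked` flag, the token strings and the function names are all constructed for illustration.

```python
import hashlib

# Role -> actions it grants; any action not listed is denied.
ROLE_ACTIONS = {"viewer": {"read"}, "editor": {"read", "write"}}

def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed share records, keyed by token digest so raw tokens are not stored.
SHARES = {
    digest("tok-view-A"): {"board": "board-A", "role": "viewer", "revoked": False},
    digest("tok-edit-A"): {"board": "board-A", "role": "editor", "revoked": False},
    digest("tok-edit-B"): {"board": "board-B", "role": "editor", "revoked": True},
}

def authorize(token, board, action, shares=SHARES):
    """Run on every anonymous call; True only when every check passes."""
    if not isinstance(token, str) or not token:
        return False
    share = shares.get(digest(token))
    # A missing record, or one without an explicit revoked=False, is refused.
    if share is None or share.get("revoked", True):
        return False
    # The token is valid for exactly one board.
    if share.get("board") != board:
        return False
    # Unknown roles and unknown actions fall through to deny.
    return action in ROLE_ACTIONS.get(share.get("role"), set())

def access_matrix(tokens, boards, actions):
    """Evaluate every (token, board, action) combination for an access review."""
    return {(t, b, a): authorize(t, b, a)
            for t in tokens for b in boards for a in actions}
```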

Reference
lhumina_code/home#251