# OAuth Authentication Configuration Analysis

**Analysis Date**: 2025-06-26 09:41

**Analyst**: Roo

**Context**: Pre-OAuth testing configuration review

## Executive Summary

The ThrillWiki application has a **partially configured** OAuth authentication system for Google and Discord. The Django Allauth framework is installed and wired up (providers, backends, URLs, adapters, templates), but **no OAuth apps are currently registered in the database**, so OAuth login is non-functional at this time. Separately, the OAuth client secrets are committed to `settings.py` and must be treated as exposed.

## Current Configuration Status

### ✅ Properly Configured Components

#### 1. Django Allauth Installation
- **Status**: ✅ COMPLETE
- **Location**: [`thrillwiki/settings.py`](thrillwiki/settings.py:35-39)
- **Providers Installed**:
  - `allauth.socialaccount.providers.google`
  - `allauth.socialaccount.providers.discord`

#### 2. Authentication Backends
- **Status**: ✅ COMPLETE
- **Location**: [`thrillwiki/settings.py`](thrillwiki/settings.py:160-163)
- **Backends**:
  - `django.contrib.auth.backends.ModelBackend`
  - `allauth.account.auth_backends.AuthenticationBackend`

#### 3. URL Configuration
- **Status**: ✅ COMPLETE
- **Location**: [`thrillwiki/urls.py`](thrillwiki/urls.py:38-40)
- **OAuth URLs**: Included via `allauth.urls`

#### 4. OAuth Provider Settings
- **Status**: ✅ COMPLETE (but see Security Analysis below)
- **Location**: [`thrillwiki/settings.py`](thrillwiki/settings.py:179-201)
- **Google Configuration**:
  - Client ID: `135166769591-nopcgmo0fkqfqfs9qe783a137mtmcrt2.apps.googleusercontent.com`
  - Secret: `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` (hardcoded)
  - Scopes: `["profile", "email"]`
- **Discord Configuration**:
  - Client ID: `1299112802274902047`
  - Secret: `ece7Pe_M4mD4mYzAgcINjTEKL_3ftL11` (hardcoded)
  - Scopes: `["identify", "email"]`
  - PKCE Enabled: `True`

#### 5. Custom Adapters
- **Status**: ✅ COMPLETE
- **Location**: [`accounts/adapters.py`](accounts/adapters.py:41-62)
- **Features**:
  - Custom social account adapter
  - Discord ID population
  - Signup control

#### 6. OAuth UI Templates
- **Status**: ✅ COMPLETE
- **Location**: [`templates/account/login.html`](templates/account/login.html:14-47)
- **Features**:
  - Dynamic provider button generation
  - Google and Discord icons
  - Proper OAuth flow initiation

### ❌ Missing/Incomplete Components

#### 1. Database OAuth App Registration
- **Status**: ❌ **CRITICAL ISSUE**
- **Problem**: No `SocialApp` objects exist in the database
- **Impact**: The OAuth buttons render, but clicking one fails because Allauth cannot resolve an app for the provider
- **Current State**:
  - Sites table has only the default `example.com` entry
  - Zero social apps configured
- **Caveat**: Allauth also accepts apps declared in settings (`SOCIALACCOUNT_PROVIDERS[<provider>]["APP"]` or `["APPS"]`). If the credentials at `settings.py:179-201` are declared in that form, the provider is already configured without database rows, and adding `SocialApp` rows for the same provider makes Allauth find two apps and fail with `MultipleObjectsReturned`. Confirm which form is in use before creating database objects.

#### 2. Environment Variables
- **Status**: ❌ **MISSING**
- **Problem**: No `***REMOVED***` file found
- **Impact**: Management commands that read the variables below will fail
- **Expected Variables**:
  - `GOOGLE_CLIENT_ID`
  - `GOOGLE_CLIENT_SECRET`
  - `DISCORD_CLIENT_ID`
  - `DISCORD_CLIENT_SECRET`

#### 3. Site Configuration
- **Status**: ⚠️ **NEEDS UPDATE**
- **Problem**: Default site domain is `example.com`
- **Impact**: Allauth builds the provider callback URL from the request host, not from the `Site` domain, so the stale domain does not by itself break the callback. It does affect absolute URLs generated from the `Site` (for example confirmation emails), and with `SITE_ID` set each `SocialApp` must be linked to that site (matched by id) to be found at all.
- **Required**: Update to `localhost:8000` for development

## OAuth Flow Analysis

### Expected OAuth URLs

Based on the Django Allauth URL configuration (`allauth.urls` mounted under `/accounts/`):

#### Google OAuth
- **Login URL**: `/accounts/google/login/`
- **Callback URL**: `/accounts/google/login/callback/`

#### Discord OAuth
- **Login URL**: `/accounts/discord/login/`
- **Callback URL**: `/accounts/discord/login/callback/`

### Current Callback URL Configuration
- **Google App**: Must be configured to accept `http://localhost:8000/accounts/google/login/callback/`
- **Discord App**: Must be configured to accept `http://localhost:8000/accounts/discord/login/callback/`
- **Note**: Both providers match redirect URIs exactly (scheme, host, port, path and trailing slash), and `localhost` and `127.0.0.1` are different hosts. Open the site in the browser with the same host that is registered with the provider.

## Security Analysis

### ⚠️ Security Concerns

#### 1. Hardcoded Secrets
- **Issue**: OAuth client secrets are hardcoded in [`settings.py`](thrillwiki/settings.py:183-195)
- **Risk**: HIGH - secrets are exposed to everyone with repository access and remain in the version-control history even after being removed from the current revision
- **Recommendation**: Move the secrets to environment variables, then rotate both of them in the Google Cloud Console and Discord Developer Portal, since the committed values must be treated as compromised. The client IDs are not secret and may stay in settings.

#### 2. Development vs Production
- **Issue**: Same credentials used for all environments
- **Risk**: MEDIUM - production credentials are exposed in development, and the development callback URL (`http://localhost:8000/...`) has to be whitelisted on the production app
- **Recommendation**: Separate OAuth apps for dev/staging/production

## Management Commands Available

### 1. Setup Social Auth
- **Command**: `uv run manage.py setup_social_auth`
- **Location**: [`accounts/management/commands/setup_social_auth.py`](accounts/management/commands/setup_social_auth.py)
- **Function**: Creates `SocialApp` objects from environment variables
- **Status**: ❌ Fails until the environment variables above are set

### 2. Fix Social Apps
- **Command**: `uv run manage.py fix_social_apps`
- **Location**: [`accounts/management/commands/fix_social_apps.py`](accounts/management/commands/fix_social_apps.py)
- **Function**: Updates existing `SocialApp` objects
- **Status**: ❌ Fails until the environment variables above are set

## Testing Limitations

### Development Environment Constraints

#### 1. OAuth Provider Restrictions
- **Google**: Requires HTTPS redirect URIs in production, allows HTTP for `localhost`
- **Discord**: Allows HTTP for `localhost` development
- **Limitation**: Cannot test with external domains without HTTPS

#### 2. Callback URL Requirements
- **Google**: Must whitelist exact callback URLs
- **Discord**: Must whitelist exact callback URLs
- **Current**: The `localhost:8000` URLs are likely not whitelisted yet

#### 3. User Consent Screens
- **Google**: May show "unverified app" warnings; while the consent screen is in "Testing" publishing status only the test users listed in the console can sign in
- **Discord**: May require app verification for production use

## Recommended Testing Strategy

### Phase 1: Database Configuration ✅ READY

1. **Update Site Configuration**:

   ```bash
   uv run manage.py shell -c "
   from django.contrib.sites.models import Site
   site = Site.objects.get(id=1)
   site.domain = 'localhost:8000'
   site.name = 'ThrillWiki Development'
   site.save()
   "
   ```

2. **Create Social Apps** (using the hardcoded credentials from `settings.py`; skip this step if those credentials are already declared as a settings-backed `APP`, see Missing Component 1):

   ```bash
   uv run manage.py shell -c "
   from allauth.socialaccount.models import SocialApp
   from django.contrib.sites.models import Site

   site = Site.objects.get(id=1)

   # Google: get_or_create only applies 'defaults' when the row is created,
   # so an existing row keeps its old client_id/secret.
   google_app, _ = SocialApp.objects.get_or_create(
       provider='google',
       defaults={
           'name': 'Google',
           'client_id': '135166769591-nopcgmo0fkqfqfs9qe783a137mtmcrt2.apps.googleusercontent.com',
           'secret': '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',
       }
   )
   google_app.sites.add(site)  # the app must be linked to the active Site

   # Discord
   discord_app, _ = SocialApp.objects.get_or_create(
       provider='discord',
       defaults={
           'name': 'Discord',
           'client_id': '1299112802274902047',
           'secret': 'ece7Pe_M4mD4mYzAgcINjTEKL_3ftL11',
       }
   )
   discord_app.sites.add(site)
   "
   ```

   Scopes and the PKCE flag are read from the provider settings in `settings.py`, not from the `SocialApp` row. If the rows already exist with stale values, update them with `fix_social_apps` (or `update_or_create`) rather than `get_or_create`.

### Phase 2: OAuth Provider Configuration ⚠️ EXTERNAL DEPENDENCY

1. **Google Cloud Console**:
   - Add `http://localhost:8000/accounts/google/login/callback/` to authorized redirect URIs
   - Verify OAuth consent screen configuration (publishing status and test users)
2. **Discord Developer Portal**:
   - Add `http://localhost:8000/accounts/discord/login/callback/` to redirect URIs
   - Verify application settings

### Phase 3: Functional Testing ✅ READY AFTER PHASE 1-2

1. **UI Testing**:
   - Verify OAuth buttons appear on login page
   - Test button click behavior
   - Verify redirect to provider
2. **OAuth Flow Testing**:
   - Complete Google OAuth flow
   - Complete Discord OAuth flow
   - Test account creation vs. login
   - Verify user data population (including the Discord ID set by the custom adapter)

### Phase 4: Error Handling Testing ✅ READY

1. **Error Scenarios**:
   - User denies permission (provider redirects back with `error=access_denied`)
   - Invalid callback, including a missing or mismatched `state` parameter, which Allauth must reject
   - Network errors
   - Provider downtime

## Critical Issues Summary

### Blocking Issues (Must Fix Before Testing)
1. ❌ **No OAuth apps in database** - OAuth will fail completely (unless the settings-backed `APP` form is in use)
2. ⚠️ **Site domain still `example.com`** - does not break the callback by itself, but should be fixed before testing
3. ⚠️ **OAuth provider callback URLs** - external configuration required

### Security Issues (Should Fix)
1. ⚠️ **Hardcoded secrets** - Move to environment variables and rotate the exposed values
2. ⚠️ **Single environment credentials** - Separate dev/prod apps

### Enhancement Opportunities
1. 📝 **Environment variable support** - Add `***REMOVED***` file
2. 📝 **Better error handling** - Custom error pages
3. 📝 **Logging** - OAuth flow debugging

## Next Steps

1. **Immediate** (Required for testing):
   - Fix database configuration (Site + SocialApp objects)
   - Verify OAuth provider callback URL configuration
2. **Short-term** (Security):
   - Create separate OAuth apps for development
   - Implement environment variable configuration and rotate the committed secrets
3. **Long-term** (Production readiness):
   - OAuth app verification with providers
   - HTTPS configuration
   - Production domain setup

## Files Referenced

- [`thrillwiki/settings.py`](thrillwiki/settings.py) - Main OAuth configuration
- [`thrillwiki/urls.py`](thrillwiki/urls.py) - URL routing
- [`accounts/adapters.py`](accounts/adapters.py) - Custom OAuth adapters
- [`accounts/urls.py`](accounts/urls.py) - Account URL overrides
- [`templates/account/login.html`](templates/account/login.html) - OAuth UI
- [`accounts/management/commands/setup_social_auth.py`](accounts/management/commands/setup_social_auth.py) - Setup command
- [`accounts/management/commands/fix_social_apps.py`](accounts/management/commands/fix_social_apps.py) - Fix command
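The Security Analysis recommends moving the OAuth secrets to environment variables, and the Management Commands section describes `setup_social_auth` as creating `SocialApp` rows from those variables. The following is an added illustration of that pattern, not ThrillWiki's own command: it reads the four variable names listed under Expected Variables, refuses to run (reporting every missing variable at once) if any is unset, and upserts the rows with `update_or_create` so that a rotated secret actually replaces the stored one, which the `get_or_create` call in Phase 1 would not do. The model and site are passed in as parameters so the module imports without a configured Django project; the function and variable names other than the four environment variables are assumptions.

```python
"""Provision django-allauth SocialApp rows from environment variables.

Illustrative code added to this report; it is not the project's
setup_social_auth command.  Only the four environment variable names are
taken from the report, everything else is an assumption.
"""
import os
from typing import Mapping

# Provider -> (client id variable, client secret variable).
# The variable names are the ones listed under "Expected Variables".
PROVIDER_ENV = {
    "google": ("GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"),
    "discord": ("DISCORD_CLIENT_ID", "DISCORD_CLIENT_SECRET"),
}


class MissingOAuthConfig(RuntimeError):
    """Raised when a required variable is absent or blank (fail closed)."""


def build_social_app_specs(env: Mapping[str, str] = os.environ) -> dict[str, dict[str, str]]:
    """Return {provider: {"name", "client_id", "secret"}} built from `env`.

    Every missing or blank variable is collected before raising, so one run
    reports the whole problem instead of the first gap only.  Secrets are
    never echoed in the error message, only the variable names.
    """
    missing: list[str] = []
    specs: dict[str, dict[str, str]] = {}
    for provider, (id_var, secret_var) in PROVIDER_ENV.items():
        client_id = env.get(id_var, "").strip()
        secret = env.get(secret_var, "").strip()
        if not client_id:
            missing.append(id_var)
        if not secret:
            missing.append(secret_var)
        if client_id and secret:
            specs[provider] = {
                "name": provider.capitalize(),
                "client_id": client_id,
                "secret": secret,
            }
    if missing:
        raise MissingOAuthConfig("unset OAuth variables: " + ", ".join(missing))
    return specs


def apply_social_app_specs(specs, social_app_model, site) -> dict[str, bool]:
    """Upsert one SocialApp per provider, link it to `site`, return created flags.

    `social_app_model` is expected to be allauth.socialaccount.models.SocialApp
    and `site` a django.contrib.sites.models.Site; both are injected so this
    module can be imported and tested without Django configured.
    update_or_create (rather than get_or_create) means a rotated secret in the
    environment overwrites the value stored in the database.
    """
    created_by_provider: dict[str, bool] = {}
    for provider, fields in specs.items():
        app, created = social_app_model.objects.update_or_create(
            provider=provider, defaults=fields
        )
        # With SITE_ID set, allauth only finds apps linked to that Site.
        app.sites.add(site)
        created_by_provider[provider] = created
    return created_by_provider


if __name__ == "__main__":
    # Constructed sample environment; real values come from the process env.
    sample_env = {
        "GOOGLE_CLIENT_ID": "example-client-id.apps.googleusercontent.com",
        "GOOGLE_CLIENT_SECRET": "GOCSPX-example-secret-value",
        "DISCORD_CLIENT_ID": "000000000000000000",
    }
    try:
        build_social_app_specs(sample_env)
    except MissingOAuthConfig as exc:
        print(f"refusing to provision: {exc}")  # names DISCORD_CLIENT_SECRET
```

Inside a management command the `handle` method would call `build_social_app_specs()` with no argument (so `os.environ` is used) and then `apply_social_app_specs(specs, SocialApp, Site.objects.get_current())`; raising before touching the database keeps a half-configured environment from silently producing one working and one broken provider.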