thrillwiki_django_no_react/memory-bank/features/auth/oauth-configuration-analysis.md

OAuth Authentication Configuration Analysis

Analysis Date: 2025-06-26 09:41
Analyst: Roo
Context: Pre-OAuth testing configuration review

Executive Summary

The ThrillWiki application has a partially configured OAuth authentication system for Google and Discord. While the Django Allauth framework is properly installed and configured, no OAuth apps are currently registered in the database, making OAuth authentication non-functional at this time.

Current Configuration Status

✅ Properly Configured Components

1. Django Allauth Installation

• Status: ✅ COMPLETE
• Location: thrillwiki/settings.py
• Providers Installed:
  • allauth.socialaccount.providers.google
  • allauth.socialaccount.providers.discord

2. Authentication Backends

• Status: ✅ COMPLETE
• Location: thrillwiki/settings.py
• Backends:
  • django.contrib.auth.backends.ModelBackend
  • allauth.account.auth_backends.AuthenticationBackend

3. URL Configuration

• Status: ✅ COMPLETE
• Location: thrillwiki/urls.py
• OAuth URLs: Properly included via allauth.urls

4. OAuth Provider Settings

• Status: ✅ COMPLETE
• Location: thrillwiki/settings.py
• Google Configuration:
  • Client ID: 135166769591-nopcgmo0fkqfqfs9qe783a137mtmcrt2.apps.googleusercontent.com
  • Secret: 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 (hardcoded)
  • Scopes: ["profile", "email"]
• Discord Configuration:
  • Client ID: 1299112802274902047
  • Secret: ece7Pe_M4mD4mYzAgcINjTEKL_3ftL11 (hardcoded)
  • Scopes: ["identify", "email"]
  • PKCE Enabled: True

5. Custom Adapters

• Status: ✅ COMPLETE
• Location: accounts/adapters.py
• Features:
  • Custom social account adapter
  • Discord ID population
  • Signup control

6. OAuth UI Templates

• Status: ✅ COMPLETE
• Location: templates/account/login.html
• Features:
  • Dynamic provider button generation
  • Google and Discord icons
  • Proper OAuth flow initiation

❌ Missing/Incomplete Components

1. Database OAuth App Registration

• Status: ❌ CRITICAL ISSUE
• Problem: No SocialApp objects exist in database
• Impact: OAuth buttons will appear but authentication will fail
• Current State:
  • Sites table has default example.com entry
  • Zero social apps configured

2. Environment Variables

• Status: ❌ MISSING
• Problem: No ***REMOVED*** file found
• Impact: Management commands expecting environment variables will fail
• Expected Variables:
  • GOOGLE_CLIENT_ID
  • GOOGLE_CLIENT_SECRET
  • DISCORD_CLIENT_ID
  • DISCORD_CLIENT_SECRET

3. Site Configuration

• Status: ⚠️ NEEDS UPDATE
• Problem: Default site domain is example.com
• Impact: OAuth callbacks may fail due to domain mismatch
• Required: Update to localhost:8000 for development

OAuth Flow Analysis

Expected OAuth URLs

Based on Django Allauth configuration:

Google OAuth

• Login URL: /accounts/google/login/
• Callback URL: /accounts/google/login/callback/

Discord OAuth

• Login URL: /accounts/discord/login/
• Callback URL: /accounts/discord/login/callback/

Current Callback URL Configuration

• Google App: Must be configured to accept http://localhost:8000/accounts/google/login/callback/
• Discord App: Must be configured to accept http://localhost:8000/accounts/discord/login/callback/

Security Analysis

⚠️ Security Concerns

1. Hardcoded Secrets

• Issue: OAuth secrets are hardcoded in settings.py
• Risk: HIGH - Secrets exposed in version control
• Recommendation: Move to environment variables

2. Development vs Production

• Issue: Same credentials used for all environments
• Risk: MEDIUM - Production credentials exposed in development
• Recommendation: Separate OAuth apps for dev/staging/production

Management Commands Available

1. Setup Social Auth

• Command: uv run manage.py setup_social_auth
• Location: accounts/management/commands/setup_social_auth.py
• Function: Creates SocialApp objects from environment variables
• Status: ❌ Cannot run - missing environment variables

2. Fix Social Apps

• Command: uv run manage.py fix_social_apps
• Location: accounts/management/commands/fix_social_apps.py
• Function: Updates existing SocialApp objects
• Status: ❌ Cannot run - missing environment variables

Testing Limitations

Development Environment Constraints

1. OAuth Provider Restrictions

• Google: Requires HTTPS for production, allows HTTP for localhost
• Discord: Allows HTTP for localhost development
• Limitation: Cannot test with external domains without HTTPS

2. Callback URL Requirements

• Google: Must whitelist exact callback URLs
• Discord: Must whitelist exact callback URLs
• Current: URLs likely not whitelisted for localhost:8000

3. User Consent Screens

• Google: May show "unverified app" warnings
• Discord: May require app verification for production use

Recommended Testing Strategy

Phase 1: Database Configuration ✅ READY

1. Update Site Configuration:

   uv run manage.py shell -c "
   from django.contrib.sites.models import Site
   site = Site.objects.get(id=1)
   site.domain = 'localhost:8000'
   site.name = 'ThrillWiki Development'
   site.save()
   "
   

2. Create Social Apps (using hardcoded credentials):

   uv run manage.py shell -c "
   from allauth.socialaccount.models import SocialApp
   from django.contrib.sites.models import Site
   
   site = Site.objects.get(id=1)
   
   # Google
   google_app, _ = SocialApp.objects.get_or_create(
       provider='google',
       defaults={
           'name': 'Google',
           'client_id': '135166769591-nopcgmo0fkqfqfs9qe783a137mtmcrt2.apps.googleusercontent.com',
           'secret': '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',
       }
   )
   google_app.sites.add(site)
   
   # Discord
   discord_app, _ = SocialApp.objects.get_or_create(
       provider='discord',
       defaults={
           'name': 'Discord',
           'client_id': '1299112802274902047',
           'secret': 'ece7Pe_M4mD4mYzAgcINjTEKL_3ftL11',
       }
   )
   discord_app.sites.add(site)
   "
   

Phase 2: OAuth Provider Configuration ⚠️ EXTERNAL DEPENDENCY

1. Google Cloud Console:

   • Add http://localhost:8000/accounts/google/login/callback/ to authorized redirect URIs
   • Verify OAuth consent screen configuration

2. Discord Developer Portal:

   • Add http://localhost:8000/accounts/discord/login/callback/ to redirect URIs
   • Verify application settings

Phase 3: Functional Testing ✅ READY AFTER PHASE 1-2

1. UI Testing:

   • Verify OAuth buttons appear on login page
   • Test button click behavior
   • Verify redirect to provider

2. OAuth Flow Testing:

   • Complete Google OAuth flow
   • Complete Discord OAuth flow
   • Test account creation vs. login
   • Verify user data population

Phase 4: Error Handling Testing ✅ READY

1. Error Scenarios:
   • User denies permission
   • Invalid callback
   • Network errors
   • Provider downtime

Critical Issues Summary

Blocking Issues (Must Fix Before Testing)

1. ❌ No OAuth apps in database - OAuth will fail completely
2. ❌ Site domain mismatch - Callbacks may fail
3. ⚠️ OAuth provider callback URLs - External configuration required

Security Issues (Should Fix)

1. ⚠️ Hardcoded secrets - Move to environment variables
2. ⚠️ Single environment credentials - Separate dev/prod apps

Enhancement Opportunities

1. 📝 Environment variable support - Add ***REMOVED*** file
2. 📝 Better error handling - Custom error pages
3. 📝 Logging - OAuth flow debugging

Next Steps

1. Immediate (Required for testing):

   • Fix database configuration (Site + SocialApp objects)
   • Verify OAuth provider callback URL configuration

2. Short-term (Security):

   • Create separate OAuth apps for development
   • Implement environment variable configuration

3. Long-term (Production readiness):

   • OAuth app verification with providers
   • HTTPS configuration
   • Production domain setup

Files Referenced

• thrillwiki/settings.py - Main OAuth configuration
• thrillwiki/urls.py - URL routing
• accounts/adapters.py - Custom OAuth adapters
• accounts/urls.py - Account URL overrides
• templates/account/login.html - OAuth UI
• accounts/management/commands/setup_social_auth.py - Setup command
• accounts/management/commands/fix_social_apps.py - Fix command