Skip to content

feat: new auth flow, refactor state#185

Merged
fa-sharp merged 59 commits intomainfrom
refactor-state
Mar 16, 2026
Merged

feat: new auth flow, refactor state#185
fa-sharp merged 59 commits intomainfrom
refactor-state

Conversation

@fa-sharp
Copy link
Owner

@fa-sharp fa-sharp commented Mar 12, 2026
edited
Loading

This PR introduces a more secure auth flow, and a major refactoring of internal state and storage syncing.

Auth

  • OAuth login and refresh is now entirely handled by backend server, with added PKCE support on login
  • Access and refresh tokens are encrypted by the backend and stored in an opaque auth token by the client
  • Client requests the access token when needed, and holds it in memory (session storage). Refresh token is never exposed.

State and storage

  • Refactored state into composable hooks
  • Using Zustand for transaction form state / persistence
  • Migrated from Plasmo to WXT for browser extension storage

fa-sharp added 30 commits March 6, 2026 06:12
@fa-sharp
migrate popup state and tx form state to jotai and zustand
02ef033
@fa-sharp
Update readme.md
2c75ad5
@fa-sharp
web: safer JSON parse in API routes
e9fb596
@fa-sharp
fix(ext): default purchase account not being selected
2e6ca97
@fa-sharp
fix(ext): tx state bugs
5b68f19
@fa-sharp
chore(ext): refactor popup state utils
db261cd
@fa-sharp
fix(ext): omnibox working with new tx state
5b7a393
@fa-sharp
chore(ext): migrate token storage to jotai
1e7ec69
@fa-sharp
web: update deps
f054cb1
@fa-sharp
web: fix cors in dev
8348a7f
@fa-sharp
ext: use wxt storage library and context, remove jotai
d48900b
@fa-sharp
ext: separate storage provider and context
7cceea5
@fa-sharp
ext: migrate saved budgets, cats, and accounts to new storage
37ce774
@fa-sharp
ext: attempt to prevent duplicate token refresh
4f7b328
@fa-sharp
ext: migrated fully to wxt storage
92b89f4
@fa-sharp
Update fly.toml
8bb23a4
@fa-sharp
web: accept both token request versions to prepare for migration
4d0b7ed
@fa-sharp
server: new server complete
01cba84
@fa-sharp
server: fix crypto
b85e07d
@fa-sharp
server: simpler token data format
759733e
@fa-sharp
server: add token refresh test with mock OAuth server
a2767b4
@fa-sharp
server: add security headers
c94e707
@fa-sharp
ext: new OAuth login working
3f5dc3c
@fa-sharp
ext: update background script for new auth
e662588
@fa-sharp
ext: tweaks, clear old token
bb74ef6
@fa-sharp
ext: persist the access token in memory
5fb650f
@fa-sharp
ext: fix context tests
21208fd
@fa-sharp
Merge branch 'refactor-state' into token-encrypt
073ee3b
@fa-sharp
ext: fix type errors
405294e
@fa-sharp
ext: fix more tests
a677ff6
@fa-sharp fa-sharp changed the title New auth flow, refactor state feat: new auth flow, refactor state Mar 12, 2026
@fa-sharp fa-sharp merged commit 5dd9c87 into main Mar 16, 2026
5 checks passed
@fa-sharp fa-sharp deleted the refactor-state branch March 16, 2026 08:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fa-sharp