Skip to content

Auth: migrate OAuth routes from /rest/v1/login to /rest/v1/auth/* #963

Description

@northdpole

Context

RFC merged in #876 (docs/rfc/user-auth-myopencre.md) proposes new auth routes at /auth/login, /auth/callback, /auth/logout. Existing Google OAuth already lives at:

  • GET /rest/v1/login
  • GET /rest/v1/callback
  • GET /rest/v1/logout
  • GET /rest/v1/user

Per maintainer review of #876, consolidate under the versioned API namespace:

Target routes:

  • GET /rest/v1/auth/login
  • GET /rest/v1/auth/callback
  • GET /rest/v1/auth/logout
  • GET /rest/v1/auth/user (or keep /rest/v1/user — decide during implementation)

Requirements

  • Add /rest/v1/auth/* routes implementing the RFC TODO 1 session contract (session['user_id'], redirect on missing session)
  • Keep /rest/v1/login, /rest/v1/callback, /rest/v1/logout as temporary aliases with deprecation headers or redirect to /rest/v1/auth/*
  • Update frontend (useUser, Header) and any docs referencing old paths
  • Update login_required to redirect to /rest/v1/auth/login?next=<url> (not 401 for browser flows)
  • Consider separate behavior for API clients (Accept: application/json → 401 vs browser → 302)

Related

Acceptance criteria

  • New routes work end-to-end with Google OAuth
  • Old routes redirect or alias without breaking existing bookmarks
  • Tests cover both old aliases and new canonical paths during migration window

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions