feat(oauth): add Coinbase OAuth provider #152
📝 Walkthrough
This pull request adds Coinbase as a new built-in OAuth provider. Changes include a provider module with profile mapping, integration into the OAuth registry, and comprehensive documentation covering setup, configuration, and usage across client and server contexts.
Actionable comments posted: 8
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@docs/src/content/docs/oauth/coinbase.mdx`:
- Line 203: The inline comment mistakenly references GitHub; update the comment
attached to session?.user to correctly describe the Coinbase authenticated user
profile (or use a neutral phrase like "The authenticated user profile") so the
comment no longer mentions GitHub; locate the console.log(session?.user) line
and replace the comment text accordingly.
- Around line 180-191: The server-side example in serverSignIn incorrectly calls
api.signIn("github", ...) on the Coinbase docs page; update the provider id in
the serverSignIn function to the correct provider string ("coinbase") by
changing the api.signIn call in serverSignIn to api.signIn("coinbase", {
redirectTo: "http://localhost:3000/dashboard" }) so the example matches the
Coinbase guide.
- Around line 116-131: The example OAuth scopes in the auth.ts snippet are
GitHub scopes (read:user, user:email) and must be replaced with valid Coinbase
scopes; update the coinbase provider configuration in the auth constant
(createAuth call) to set authorize.params.scope to appropriate Coinbase scopes
(e.g., wallet:accounts:read or other wallet:* scopes as required) so the
coinbase(...) invocation uses provider-compatible scopes for authorization.
- Line 65: The sentence mistakenly mentions "GitHub credentials" instead of
"Coinbase credentials"; update the documentation sentence so it refers to
configuring the environment variables required by Aura Auth including the
Coinbase credentials and the encryption secrets (i.e., change the phrase "GitHub
credentials" to "Coinbase credentials" in the existing line).
- Line 3: Update the frontmatter "description" value in the coinbase.mdx file to
correct the grammar; replace "Add Coinbase authorization provider to Aura Auth
to authentication and authorize" with a grammatically correct phrase such as
"Add Coinbase authorization provider to Aura Auth to authenticate and authorize
users" so the description uses the verbs "authenticate" and "authorize"
(reference the frontmatter "description" field in coinbase.mdx).
In `@packages/core/src/oauth/coinbase.ts`:
- Around line 38-46: Remove the debug console.log in the profile handler for the
Coinbase OAuth provider and stop coercing the id with String(...); update the
profile method (the profile: (profile) => { ... } function in
packages/core/src/oauth/coinbase.ts) to return a DefaultUser using
profile.data.id directly (it is already a string) and omit any console output so
PII (name, avatar_url, etc.) is not logged.
- Line 32: The Coinbase OAuth config's scope string uses a '+' separator which
becomes percent-encoded and yields a single malformed scope token; update the
scope value in the Coinbase provider config (the scope property in
packages/core/src/oauth/coinbase.ts) to use a space-delimited string
("wallet:user:read wallet:user:email") so setSearchParams (authorization-url.ts:
setSearchParams usage) sends two separate scope tokens per RFC 6749 §3.3.
- Around line 26-48: The provider factory currently returns a default provider
object and then shallow-spreads ...options which will completely overwrite
nested objects like authorize, accessToken, and userInfo if the caller supplies
partial overrides; update the factory to deep-merge those nested fields instead
of shallow-spreading so callers can pass partial authorize.params without losing
url/responseType. Specifically, in the Coinbase provider (and apply across all
providers) merge defaults.authorize with options.authorize (and their params
sub-objects), and likewise merge defaults.accessToken and defaults.userInfo with
options.accessToken/options.userInfo before returning the provider object so
that symbols authorize, authorize.params, accessToken, and userInfo are
preserved and extended rather than replaced.
📒 Files selected for processing (3)
- docs/src/content/docs/oauth/coinbase.mdx
- packages/core/src/oauth/coinbase.ts
- packages/core/src/oauth/index.ts
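The scope-separator finding above (coinbase.ts line 32), as an added example that is not code from the PR or the project: it assumes the authorization URL is built with URLSearchParams, since the page names a setSearchParams helper without showing its body. The function names, the scope allow-list and the client id placeholder are hypothetical.

```typescript
// Added example. Assumption: the authorization URL is built with URLSearchParams;
// the page names a setSearchParams helper but does not show its body.
const AUTHORIZE_URL = "https://login.coinbase.com/oauth2/auth" // from the PR hunk

// Scopes that appear on this page; a real allow-list would come from Coinbase's docs.
const KNOWN_SCOPES = ["wallet:user:read", "wallet:user:email", "wallet:accounts:read"]

/** Build the authorization request URL for a given scope string. */
function buildAuthorizeUrl(scope: string, clientId: string): string {
  const url = new URL(AUTHORIZE_URL)
  url.searchParams.set("response_type", "code")
  url.searchParams.set("client_id", clientId)
  url.searchParams.set("scope", scope) // form-encoding: ' ' -> '+', '+' -> '%2B'
  return url.toString()
}

/** Decode the query as the authorization server would, then split on spaces (RFC 6749 §3.3). */
function scopeTokensSeenByServer(requestUrl: string): string[] {
  const scope = new URL(requestUrl).searchParams.get("scope") ?? ""
  return scope.split(" ").filter((token) => token.length > 0)
}

/** Provider unit-test guard: return every token that is not a known scope. */
function unknownScopes(scope: string): string[] {
  const tokens = scopeTokensSeenByServer(buildAuthorizeUrl(scope, "client-id-placeholder"))
  return tokens.filter((token) => KNOWN_SCOPES.indexOf(token) === -1)
}

const plusJoined = "wallet:user:read+wallet:user:email" // value in the PR
const spaceJoined = "wallet:user:read wallet:user:email" // value the review asks for

console.log(buildAuthorizeUrl(plusJoined, "client-id-placeholder"))
console.log(unknownScopes(plusJoined)) // the whole '+'-joined string, as one token
console.log(unknownScopes(spaceJoined)) // empty: both tokens are recognised
```

Running `unknownScopes` over each provider's default scope string in a unit test catches this class of separator mistake before a real authorization request is sent.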
| @@ -0,0 +1,224 @@ | |||
| --- | |||
| title: Coinbase Authorization Provider | |||
| description: Add Coinbase authorization provider to Aura Auth to authentication and authorize | |||
Grammar fix in frontmatter description.
🔧 Proposed fix
-description: Add Coinbase authorization provider to Aura Auth to authentication and authorize
+description: Add the Coinbase authorization provider to Aura Auth to authenticate and authorize users
| return { | ||
| id: "coinbase", | ||
| name: "Coinbase", | ||
| authorize: { | ||
| url: "https://login.coinbase.com/oauth2/auth", | ||
| params: { | ||
| scope: "wallet:user:read+wallet:user:email", | ||
| responseType: "code", | ||
| }, | ||
| }, | ||
| accessToken: "https://login.coinbase.com/oauth2/token", | ||
| userInfo: "https://api.coinbase.com/v2/user", | ||
| profile: (profile) => { | ||
| console.log("Coinbase profile", profile) | ||
| return { | ||
| sub: String(profile.data.id), | ||
| name: profile.data.name, | ||
| image: profile.data.avatar_url, | ||
| email: null, | ||
| } as DefaultUser | ||
| }, | ||
| ...options, | ||
| } |
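Review bot: in the `profile` callback, `email: null` is hard-coded while the default `scope` in `authorize.params` requests `wallet:user:email`, so the provider asks the user to consent to email access and then discards the result. Either map the email from the `/v2/user` response when that scope is granted, or drop `wallet:user:email` from the default scope so the request stays least-privilege. The `console.log("Coinbase profile", profile)` line also writes the user's name and avatar URL to server logs and should be removed before this leaves draft.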
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# How do existing providers handle partial option merging?
fd -e ts . packages/core/src/oauth --exec rg -nH -C2 '\.\.\.options' {}
Repository: aura-stack-ts/auth
Length of output: 4630
🏁 Script executed:
cat packages/core/src/oauth/coinbase.ts
Repository: aura-stack-ts/auth
Length of output: 1642
🏁 Script executed:
head -150 docs/src/content/docs/oauth/coinbase.mdx | tail -30
Repository: aura-stack-ts/auth
Length of output: 641
🏁 Script executed:
rg -nH 'OAuthProviderCredentials' packages/core/src/@types --max-count=5
Repository: aura-stack-ts/auth
Length of output: 714
🏁 Script executed:
cat packages/core/src/@types/index.ts | head -100
Repository: aura-stack-ts/auth
Length of output: 1932
🏁 Script executed:
cat packages/core/src/@types/oauth.ts
Repository: aura-stack-ts/auth
Length of output: 2800
🏁 Script executed:
fd -e test -e spec . packages/core --type f | head -20
Repository: aura-stack-ts/auth
Length of output: 44
🏁 Script executed:
rg -l "coinbase" --type ts packages/ | grep -i test
Repository: aura-stack-ts/auth
Length of output: 44
🏁 Script executed:
cat packages/core/src/oauth/discord.ts
Repository: aura-stack-ts/auth
Length of output: 3591
🏁 Script executed:
cat packages/core/src/oauth/github.ts
Repository: aura-stack-ts/auth
Length of output: 2860
This is a systemic issue affecting all OAuth providers, not just Coinbase.
The shallow spread pattern with ...options is used by all 16+ providers (GitHub, Discord, Spotify, etc.). When users follow the documented pattern and pass a partial authorize object (e.g., { authorize: { params: { scope: "..." } } }), it replaces the entire authorize object, silently losing the url and responseType. This breaks the OAuth flow.
The fix should apply uniformly across all providers—either deep-merge authorize/accessToken/userInfo fields, or update documentation to clarify that overrides must be complete objects. The current approach creates a footgun where the documented usage pattern in docs/src/content/docs/oauth/coinbase.mdx (lines 122-129) would silently fail.
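The shallow-spread finding above, as an added example that is not the project's code: the type and function names (`ProviderConfig`, `ProviderOverrides`, `shallowProvider`, `mergedProvider`) are hypothetical, and the field layout follows the Coinbase hunk on this page, not the library's real types. Only `authorize` is merged here because `accessToken` and `userInfo` are plain strings in that hunk.

```typescript
// Added example with hypothetical names; field layout copied from the Coinbase hunk.
interface AuthorizeConfig { url: string; params: Record<string, string> }
interface ProviderConfig { id: string; authorize: AuthorizeConfig; accessToken: string; userInfo: string }
type ProviderOverrides = Partial<Omit<ProviderConfig, "authorize">> & {
  authorize?: { url?: string; params?: Record<string, string> }
}

const defaults: ProviderConfig = {
  id: "coinbase",
  authorize: {
    url: "https://login.coinbase.com/oauth2/auth",
    params: { scope: "wallet:user:read wallet:user:email", responseType: "code" },
  },
  accessToken: "https://login.coinbase.com/oauth2/token",
  userInfo: "https://api.coinbase.com/v2/user",
}

/** Pattern from the PR: a top-level spread replaces `authorize` wholesale. */
function shallowProvider(options: ProviderOverrides = {}) {
  return { ...defaults, ...options }
}

/** Merge `authorize` and `authorize.params` key by key so partial overrides keep the defaults. */
function mergedProvider(options: ProviderOverrides = {}): ProviderConfig {
  const { authorize, ...rest } = options
  return {
    ...defaults,
    ...rest,
    authorize: {
      ...defaults.authorize,
      ...authorize,
      params: { ...defaults.authorize.params, ...authorize?.params },
    },
  }
}

// The documented usage pattern: override only the scope.
const override: ProviderOverrides = { authorize: { params: { scope: "wallet:accounts:read" } } }

console.log(shallowProvider(override).authorize) // url and responseType are gone
console.log(mergedProvider(override).authorize) // url and responseType survive, scope is replaced
```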
Description
This pull request adds the Atlassian OAuth provider to the list of supported OAuth integrations in the Aura Auth library. With this addition, Aura Auth now supports seven OAuth providers: GitHub, Bitbucket, Figma, Discord, GitLab, Spotify, X, Strava and Atlassian
Usage
Note
This Coinbase OAuth provider was developed based on the Official Docs for App OAuth 2.0 Integration, covering the authorization URL, access token exchange, and profile retrieval. However, the provider cannot currently be verified because the documentation lacks clear instructions on how to obtain a Client ID and Client Secret. Consequently, this PR will remain a draft until these credentials can be acquired to verify the end-to-end OAuth 2.0 flow.