From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id 262BE1FF13B
	for <inbox@lore.proxmox.com>; Wed, 11 Feb 2026 10:00:04 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id E68EC15053;
	Wed, 11 Feb 2026 10:00:44 +0100 (CET)
Mime-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8
Date: Wed, 11 Feb 2026 10:00:38 +0100
Message-Id: <DGC0D7763KLD.38FZ2ALNA7DBW@proxmox.com>
Subject: Re: [PATCH pve-manager 4/5] notifications: Handle OAuth2 callback
 in login handler
From: "Lukas Wagner" <l.wagner@proxmox.com>
To: "Arthur Bied-Charreton" <a.bied-charreton@proxmox.com>,
 <pve-devel@lists.proxmox.com>
X-Mailer: aerc 0.21.0-0-g5549850facc2-dirty
References: <20260204161354.458814-1-a.bied-charreton@proxmox.com>
 <20260204161354.458814-13-a.bied-charreton@proxmox.com>
In-Reply-To: <20260204161354.458814-13-a.bied-charreton@proxmox.com>
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1770800353187
X-SPAM-LEVEL: Spam detection results:  0
	AWL                     0.036 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED  0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
	RCVD_IN_VALIDITY_RPBL_BLOCKED  0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
	RCVD_IN_VALIDITY_SAFE_BLOCKED  0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
Message-ID-Hash: UYUV4OO7TTIHV6J2WWNKIE7IWDZY34RC
X-Message-ID-Hash: UYUV4OO7TTIHV6J2WWNKIE7IWDZY34RC
X-MailFrom: l.wagner@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pve-devel-owner@lists.proxmox.com>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Subscribe: <mailto:pve-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pve-devel-leave@lists.proxmox.com>

On Wed Feb 4, 2026 at 5:13 PM CET, Arthur Bied-Charreton wrote:
> The OAuth2 flow redirects to the service's origin
> (window.location.origin) after successful authentication.
>
> The callback handler infers whether the login was triggered as the
> result of an OAuth2 redirect based on the presence of the code, scope,
> and state URL parameters. It then communicates the authentication
> results back to the parent window, which is responsible for closing it.
>
> Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
> ---
>  www/manager6/Workspace.js | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
>
> diff --git a/www/manager6/Workspace.js b/www/manager6/Workspace.js
> index b8061c2a..1e79dd57 100644
> --- a/www/manager6/Workspace.js
> +++ b/www/manager6/Workspace.js
> @@ -150,9 +150,29 @@ Ext.define('PVE.StdWorkspace', {
>          me.down('pveResourceTree').selectById(nodeid);
>      },
> =20
> +    handleOauth2Callback: function (params) {
> +        const code =3D params.get('code');
> +        const scope =3D params.get('scope');
> +        const state =3D params.get('state');

Regarding the use of `const`, check out our JavaScript styleguide [1];
it says:

  Avoid using const for everything, but rather in the sense of
  constants. JavaScript is too dynamic for it to provide actual benefits
  if used as default.

[1] https://pve.proxmox.com/wiki/Javascript_Style_Guide#Variables
> +
> +        // If true, this window was opened by the OAuth2 button handler =
from the
> +        // SMTP notification targets edit panel.
> +        //
> +        // Since we got here through a redirect, this window is not scri=
pt-closable,
> +        // and we rely on the parent window to close it in its broadcast=
 channel's
> +        // message handler.
> +        if (code && scope && state) {
> +            const { channelName } =3D JSON.parse(decodeURIComponent(stat=
e));
> +            const bc =3D new BroadcastChannel(channelName);
> +            bc.postMessage({ code, scope });
> +        }
> +    },
> +
>      onLogin: function (loginData) {
>          let me =3D this;
> =20
> +        me.handleOauth2Callback(new URLSearchParams(window.location.sear=
ch));
> +
>          me.updateUserInfo();
> =20
>          if (loginData) {