feat(frontend): remove Auth0, make Better Auth the default (Phase 2) #486
Open
nhyiramante1 wants to merge 5 commits into
Make Better Auth the default auth on every real-auth surface and delete Auth0. Demo mode stays (Google Docs runs in demo). Token now persists across refreshes.
- authTokenStore.ts (new): guarded localStorage token persistence.
- useDeviceAuth.ts: persist/clear + hydrate-on-mount (validate stored token, restore session without a fresh device flow).
- appAuthContext.tsx: drop the Auth0 adapter + opt-in gate; Better Auth is the default, Demo for demo mode.
- types.d.ts + editor APIs: replace EditorAPI.doLogin/doLogout(auth0Client) with a surface-specific openExternal(url) (Word: openBrowserWindow guarded; standalone/GDocs: window.open). Delete dead Auth0 code.
- app/index.tsx: remove Auth0Provider; approval link uses editorAPI.openExternal; drop Microsoft/Facebook provider icons (Google only).
- Remove popup.tsx/popup.html + their webpack entries; remove AUTH0 DefinePlugin entries from both webpack configs; remove @auth0/auth0-react.
- privacypolicy.html: minimal wording + TODO for team review.
No OpenAI route protection; no Word/Google Docs behavior change beyond auth.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Pull request overview
This PR removes Auth0 from the frontend and makes Better Auth the default authentication flow across real-auth surfaces (standalone editor + Word task pane), adding guarded token persistence so Better Auth sessions survive reloads.
Changes:
- Removed Auth0 frontend integration (providers, popup entrypoint, webpack env defines, dependency removal).
- Introduced a surface-agnostic EditorAPI.openExternal(url) to open the Better Auth approval page appropriately per host.
- Added guarded localStorage token persistence + hydration-on-mount for Better Auth device flow, including unit tests.
Reviewed changes
Copilot reviewed 16 out of 18 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| frontend/webpack.google-docs.config.js | Removes Auth0 DefinePlugin env values from the Google Docs build. |
| frontend/webpack.config.js | Removes the popup entry + popup HtmlWebpackPlugin and Auth0 env defines. |
| frontend/src/types.d.ts | Replaces Auth0-specific login/logout API with EditorAPI.openExternal(url). |
| frontend/src/static/privacypolicy.html | Updates auth-related wording; adds a TODO comment about final phrasing. |
| frontend/src/popup.tsx | Deletes Auth0 popup bridge implementation. |
| frontend/src/popup.html | Deletes Auth0 popup HTML entrypoint. |
| frontend/src/pages/app/index.tsx | Removes Auth0Provider usage; updates device-flow approval UI to use openExternal; removes non-Google provider icons. |
| frontend/src/index-gdocs.tsx | Updates comments to reflect demo-mode behavior without Auth0 references. |
| frontend/src/hooks/useDeviceAuth.ts | Adds token persistence + hydration-on-mount with validation via /api/protected. |
| frontend/src/editor/index.tsx | Removes Auth0 login/logout implementation; adds openExternal for standalone editor. |
| frontend/src/contexts/editorContext.tsx | Updates the default EditorAPI shape to include openExternal. |
| frontend/src/contexts/appAuthContext.tsx | Removes Auth0 adapter/opt-in gate; Better Auth becomes default except demo mode. |
| frontend/src/api/wordEditorAPI.ts | Replaces Auth0 dialog flow with openExternal using Office.context.ui.openBrowserWindow. |
| frontend/src/api/googleDocsEditorAPI.ts | Removes dead Auth0 placeholder code; provides openExternal implementation. |
| frontend/src/api/authTokenStore.ts | Adds guarded localStorage token store for Better Auth access tokens. |
| frontend/src/api/tests/authTokenStore.test.ts | Adds unit tests covering token store round-trip and guarded failure behavior. |
| frontend/package.json | Removes @auth0/auth0-react dependency. |
| frontend/package-lock.json | Removes Auth0 packages and transitive deps from lockfile. |
Files not reviewed (1)
- frontend/package-lock.json: Generated file
Comment on lines 2 to 12
| // Open the device-flow approval page in the system browser. Guarded so an Office | ||
| // host that doesn't expose openBrowserWindow fails explainably rather than silently. | ||
| openExternal(url: string): void { | ||
| if (Office?.context?.ui?.openBrowserWindow) { | ||
| Office.context.ui.openBrowserWindow(url); | ||
| } else { | ||
| throw new Error( | ||
| 'External browser login is not supported in this Office host.', | ||
| ); | ||
| } | ||
| }, |
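Review bot: openExternal hands its url argument to Office.context.ui.openBrowserWindow(url) without checking it, so any string a caller supplies reaches the system browser. Parse it with new URL(url) before the call and reject anything whose protocol is not https:, ideally also pinning the origin to the device-flow approval host. Separately, the Office?.context guard only covers a null or undefined value; if the Office global is not declared at all, the expression throws a ReferenceError instead of the intended message, so a typeof Office !== 'undefined' check in front would keep the failure explainable as the comment promises.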
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Drop the now-unused EditorContext lookup in DeviceAuthStatus and add rel="noopener" to the approval-page link. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01CHabwqx37ssPEFQwbU7Hk7
…n-yoaawz # Conflicts: # frontend/popup.html # frontend/webpack.config.js # frontend/webpack.google-docs.config.js
Summary
Removes Auth0 from the frontend and makes Better Auth the default authentication
path on every real-auth surface (standalone editor + Word task pane), and persists the
device-flow token so sessions survive a page reload. Demo mode is kept (Google Docs runs
in it). Builds on the device flow + manual code-entry already merged in #469.
What changed
Provider collapse
- appAuthContext.tsx: delete the Auth0 adapter and the ?auth=betterauth opt-in gate. Better Auth is the default; Demo is used in demo mode. Adapters remain separate components (chosen by the selector) to respect the rules of hooks.
- pages/app/index.tsx: remove Auth0Provider; the approval link is a themed button calling editorAPI.openExternal; drop the Microsoft/Facebook provider icons (Google only).
EditorAPI decoupled from Auth0
- types.d.ts: replace doLogin/doLogout(auth0Client) with a surface-specific openExternal(url).
- wordEditorAPI.ts: delete the Auth0 dialog/popup.html bounce; openExternal uses Office.context.ui.openBrowserWindow, guarded so unsupported hosts fail explainably.
- googleDocsEditorAPI.ts: delete dead Auth0 placeholder code (GDocs is demo mode).
- editor/index.tsx, editorContext.tsx: conform to the new interface.
Token persistence (survive refresh)
- authTokenStore.ts (new): guarded localStorage token store (try/catch so embedded webviews that block storage degrade to in-memory).
- useDeviceAuth.ts: persist on success, clear on logout/reset, and hydrate-on-mount (validate a stored token via /api/protected before forcing a new login).
- authTokenStore.test.ts (new): round-trip + guarded-failure paths.
Auth0 teardown
- popup.tsx/popup.html; remove the popup webpack entry and the AUTH0_* DefinePlugin entries from both webpack configs (keep BETTER_AUTH_DEVICE_CLIENT_ID); remove @auth0/auth0-react.
Verification
- tsc, lint, npm test (23/23), npm run build — all green on top of main.
- editor.html?page=editor, no query param): Better Auth by default → manual code entry + Google account chooser → authenticated; refresh stays signed in (persistence); sign-out clears.
- openBrowserWindow opened the system browser, login succeeded, and the session persisted across closing/reopening the pane.
- ?page=demo, Google Docs) unchanged.
Notable details for review
- getAccessToken rejects with an Error that also carries an error property — this reconciles authTokenContext's contract (reads e.error) with the prefer-promise-reject-errors lint rule.
- mountedRef: cancellation is driven solely by the AbortController signal; hydration commits through the same safeSet guard.
- cacheLocation="localstorage" posture, so it doesn't raise the existing risk level.
Non-goals
Follow-ups (not blockers)
- privacypolicy.html has a TODO(auth) — team should confirm the final phrasing for "Google sign-in via Better Auth" and remove the comment.
- right hardening before any broader rollout.
- consent-screen branding — separate pass.
🤖 Generated with Claude Code
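The token persistence described in the PR description above (a guarded store that degrades to in-memory when storage is blocked, plus validation of a stored token via /api/protected before a session is restored), as an added example that is not the PR's code. The KV interface, KEY, the probe callback, the result labels and the status-code handling are assumptions.

```typescript
// Added example: not the PR's authTokenStore.ts or useDeviceAuth.ts.
// KEY, the result labels and the status handling are assumptions.
interface KV {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

const KEY = 'example.accessToken'; // hypothetical storage key

// Every storage call is wrapped: a webview that blocks storage throws on
// access, and the store then serves the current page from memory only.
function createTokenStore(backend: KV | undefined) {
  let memory: string | null = null;
  return {
    get(): string | null {
      try { return memory ?? backend?.getItem(KEY) ?? null; } catch { return null; }
    },
    set(token: string): void {
      memory = token;
      try { backend?.setItem(KEY, token); } catch { /* in-memory only */ }
    },
    clear(): void {
      memory = null;
      try { backend?.removeItem(KEY); } catch { /* nothing was persisted */ }
    },
  };
}
type TokenStore = ReturnType<typeof createTokenStore>;

// probe resolves to the HTTP status of a request to /api/protected made with
// the stored token (how the token is attached is left to the caller).
type Probe = (token: string) => Promise<number>;
type Hydration = 'restored' | 'signed-out' | 'unverified';

async function hydrate(store: TokenStore, probe: Probe): Promise<Hydration> {
  const token = store.get();
  if (!token) return 'signed-out';
  let status: number;
  try { status = await probe(token); } catch { return 'unverified'; }
  if (status === 200) return 'restored';
  if (status === 401 || status === 403) {
    store.clear(); // server rejected it: never offer this token again
    return 'signed-out';
  }
  return 'unverified'; // 5xx or similar: keep the token, do not trust it yet
}
```
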