Migrate desktop auth from dedicated Cloud Run to Python backend #5360

Open
beastoin wants to merge 7 commits into main from fix/desktop-auth-migrate-python-5359

@beastoin beastoin commented Mar 4, 2026

Summary

Eliminates the dedicated omi-desktop-auth Cloud Run service by pointing the desktop macOS app's auth flow at the Python backend (api.omi.me), which already has identical /v1/auth/* endpoints.

Changes

Swift (AuthService.swift)

  • Replace hardcoded omi-desktop-auth Cloud Run URL with OMI_API_URL env var
  • Uses same resolution as APIClient.baseURL: getenv() → ProcessInfo → fatal
  • Added log line showing which auth host is used per sign-in attempt

Python (auth.py + auth_callback.html)

  • Pass redirect_uri from auth session to callback HTML template
  • Template now uses dynamic {{ redirect_uri }} with |tojson safe serialization
  • Enables desktop apps (omi-computer://auth/callback) to receive OAuth callbacks correctly
  • Falls back to omi://auth/callback for mobile compatibility

Security hardening

  • Server-side validation: redirect_uri must match allowed app URL schemes (omi://, omi-computer://, omi-computer-dev://)
  • Client-side defense-in-depth: JavaScript validates scheme before redirect
  • Empty string fallback: uses or operator instead of .get() default
  • Template uses |tojson filter to prevent XSS from malformed URIs

Tests (15 new)

  • test_auth_routes.py: redirect_uri validation, callback template rendering, XSS safety
  • Added to test.sh

Why

Risk

  • Low: Python backend auth endpoints are identical to the dedicated service
  • Mitigated: Dynamic redirect_uri with dual validation ensures both mobile (omi://) and desktop (omi-computer://) schemes work safely
  • Deploy order: Python backend changes must ship before Swift client update
  • Rollback: Revert single Swift file to restore dedicated service URL

Testing

  • Backend unit tests: 15 new tests all passing
  • Backend tests in test.sh
  • Python backend auth endpoints accept desktop redirect_uri (307 → Google/Apple OAuth)
  • Clean build on Mac Mini (1072 objects)
  • Source verification: zero references to omi-desktop-auth
  • Live test evidence

Checkpoints

Closes #5359
Part of #5302

by AI for @beastoin

beastoin added 3 commits March 4, 2026 14:37
Replaces the hardcoded omi-desktop-auth Cloud Run URL with the
OMI_API_URL environment variable, matching APIClient.baseURL resolution.
Python backend already has identical /v1/auth/* endpoints.

Closes #5359

Pass redirect_uri from the auth session to the callback HTML template
instead of hardcoding omi://auth/callback. This enables desktop apps
(which use omi-computer://auth/callback) to receive OAuth callbacks
correctly when authenticating through the Python backend.

Both Google and Apple callback endpoints now pass the session's
redirect_uri to the auth_callback.html template, enabling dynamic
custom URL scheme redirects per client (mobile vs desktop).

greptile-apps bot commented Mar 4, 2026

Greptile Summary

This PR successfully migrates desktop auth from a dedicated Cloud Run service to the unified Python backend by making the redirect URI dynamic. The Swift changes are clean and well-implemented, with proper environment variable resolution and helpful logging. However, the implementation introduces a critical XSS vulnerability in the auth callback template where the redirect_uri is injected into JavaScript without proper escaping.

Key Changes:

  • Swift: Replaced hardcoded Cloud Run URL with dynamic OMI_API_URL environment variable
  • Python: Added redirect_uri parameter to template context with fallback to omi://auth/callback
  • HTML: Changed from hardcoded redirect URI to dynamic {{ redirect_uri }} variable

Critical Issues:

  • XSS vulnerability in auth_callback.html where unescaped redirect_uri is injected into JavaScript (line 112)
  • Missing validation on /authorize endpoint's redirect_uri parameter - should whitelist allowed schemes

Recommendation: Fix the XSS vulnerability by using {{ redirect_uri | tojson }} in the template and add redirect URI validation before merging.

Confidence Score: 2/5

  • This PR introduces a critical XSS vulnerability that must be fixed before merging
  • The migration approach is sound and the Swift implementation is solid, but the template injection vulnerability in auth_callback.html is a critical security issue. An attacker could craft a malicious authorize URL with JavaScript in the redirect_uri parameter to steal auth codes or redirect users. The fix is simple (use tojson filter) but essential.
  • backend/templates/auth_callback.html requires immediate attention to fix XSS vulnerability, backend/routers/auth.py needs redirect_uri validation

Important Files Changed

| Filename | Overview |
|---|---|
| backend/templates/auth_callback.html | XSS vulnerability: dynamic redirect_uri injected into JavaScript without proper escaping |
| backend/routers/auth.py | Passes redirect_uri to template with fallback but lacks input validation on authorize endpoint |
| desktop/Desktop/Sources/AuthService.swift | Clean migration from hardcoded Cloud Run URL to OMI_API_URL with proper env var resolution and logging |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Desktop as Desktop App<br/>(AuthService.swift)
    participant Browser
    participant Backend as Python Backend<br/>(auth.py)
    participant OAuth as OAuth Provider<br/>(Google/Apple)
    participant HTML as Callback Page<br/>(auth_callback.html)

    Note over Desktop,Backend: BEFORE: Separate Cloud Run<br/>AFTER: Unified Python Backend

    Desktop->>Backend: GET /v1/auth/authorize?provider=google<br/>&redirect_uri=omi-computer://auth/callback
    Note over Backend: Store redirect_uri<br/>in Redis session
    Backend->>Browser: Redirect to OAuth provider
    Browser->>OAuth: User authenticates
    OAuth->>Backend: Callback with auth code
    Backend->>Backend: Exchange code for tokens
    Backend->>HTML: Render auth_callback.html<br/>with redirect_uri={{ redirect_uri }}
    HTML->>Desktop: window.location = omi-computer://auth/callback?code=...
    Desktop->>Backend: POST /v1/auth/token (exchange code)
    Backend->>Desktop: Return OAuth credentials
```

Last reviewed commit: 7d011c2

Comment on lines +112 to +113
const redirectUri = "{{ redirect_uri }}";
let redirectUrl = redirectUri + '?code=' + encodeURIComponent(code);

XSS vulnerability: redirect_uri injected into JavaScript without proper escaping. An attacker could craft a malicious /v1/auth/authorize URL with redirect_uri containing quotes to break out of the string and inject arbitrary JavaScript (e.g., redirect_uri=omi://callback"+alert('xss')+").

Suggested change
const redirectUri = "{{ redirect_uri }}";
let redirectUrl = redirectUri + '?code=' + encodeURIComponent(code);
const redirectUri = {{ redirect_uri | tojson }};
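
Review bot: as rendered, this suggestion replaces both commented lines (+112 to +113) with the single `const redirectUri = {{ redirect_uri | tojson }};` line, so applying it verbatim would drop the `let redirectUrl = redirectUri + '?code=' + encodeURIComponent(code);` assignment; keep that line when applying it. Removing the hand-written double quotes is correct, because `tojson` emits its own. Serialization only stops the value from breaking out of the string, so a redirect_uri with a disallowed scheme would still reach the redirect unless it is also checked against the allowed app schemes.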

greptile-apps bot commented Mar 4, 2026

Additional Comments (1)

backend/routers/auth.py
Missing validation on redirect_uri parameter. Should validate against allowed schemes (omi://, omi-computer://) to prevent open redirect attacks and XSS via template injection.

beastoin added 4 commits March 4, 2026 14:42
Add server-side validation at /v1/auth/authorize to reject redirect_uri
values that don't match allowed app schemes (omi://, omi-computer://,
omi-computer-dev://). Also fix empty string fallback with 'or' operator.
Use |tojson filter for safe template variable serialization. Add
defense-in-depth scheme validation in JavaScript before redirect.
Block redirect and manual link for disallowed schemes.
…ering

15 tests covering:
- Redirect_uri allowlist validation (rejects https, javascript, data, ftp, empty)
- Allowed schemes pass (omi://, omi-computer://, omi-computer-dev://)
- Google/Apple callback uses session redirect_uri in template
- Fallback to default omi://auth/callback when missing
- XSS safety: JSON-escaped redirect_uri prevents script injection
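
The two controls described in the commits above, the server-side scheme allowlist and `|tojson` serialization, sketched as an added example that is not code from this PR. All function names are hypothetical, `script_safe_json` is a standard-library stand-in for Jinja's filter, and the render functions model the template line as plain string interpolation.

```python
import json

# Schemes and default value as listed in the PR description.
ALLOWED_PREFIXES = ("omi://", "omi-computer://", "omi-computer-dev://")
DEFAULT_REDIRECT_URI = "omi://auth/callback"
# Constructed input: the payload quoted in the review comment above.
PAYLOAD = "omi://callback\"+alert('xss')+\""


def is_allowed_redirect_uri(uri):
    """Server-side allowlist: the value must start with an allowed app scheme."""
    return isinstance(uri, str) and uri.startswith(ALLOWED_PREFIXES)


def resolve_redirect_uri(session):
    """`or` also replaces an empty string; .get(key, default) would return ''."""
    return session.get("redirect_uri") or DEFAULT_REDIRECT_URI


def script_safe_json(value):
    """Assumed equivalent of |tojson: JSON plus \\uXXXX escapes for <, >, & and '."""
    out = json.dumps(value)
    for ch in "<>&'":
        out = out.replace(ch, "\\u%04x" % ord(ch))
    return out


def render_interpolated(uri):
    """Models the original line: the value pasted between hand-written quotes."""
    return 'const redirectUri = "%s";' % uri


def render_serialized(uri):
    """Models the fixed line: the serializer emits the quotes and the escapes."""
    return "const redirectUri = %s;" % script_safe_json(uri)


def is_single_literal(js_line, expected):
    """True if the right-hand side is exactly one string literal equal to expected."""
    rhs = js_line[len("const redirectUri = "):-1]
    try:
        return json.loads(rhs) == expected
    except ValueError:
        return False


if __name__ == "__main__":
    for render in (render_interpolated, render_serialized):
        print(render.__name__, is_single_literal(render(PAYLOAD), PAYLOAD))
```

The quoted payload starts with `omi://`, so it passes the scheme allowlist; only the serialized rendering keeps it inside a single string literal, which is why the PR applies both checks.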

beastoin commented Mar 4, 2026

CP9: Live Backend Validation — Evidence

Source Code Verification ✅

  • Zero references to omi-desktop-auth in source code
  • AuthService.apiBaseURL reads from OMI_API_URL env var
  • Clean build on Mac Mini: 1072 objects, 140s

Python Backend Auth Endpoints ✅ (tested from Mac Mini)

| Endpoint | redirect_uri | Result |
|---|---|---|
| GET /v1/auth/authorize?provider=google | omi-computer-dev://auth/callback | 307 → Google OAuth |
| GET /v1/auth/authorize?provider=apple | omi-computer-dev://auth/callback | 307 → Apple Sign In |
| POST /v1/auth/token (invalid code) | N/A | 400 (endpoint exists) |

Redirect URI Validation ✅ (15 unit tests passing)

  • omi://, omi-computer://, omi-computer-dev:// accepted
  • https://, javascript:, data:, ftp://, empty → rejected (400)
  • XSS: |tojson filter + client-side scheme validation

Deployment Note

Python backend changes must be deployed before the Swift client update ships, because the current prod callback HTML hardcodes omi://auth/callback.

Full evidence

by AI for @beastoin

beastoin commented Mar 4, 2026

PR Ready for Merge

All checkpoints passed (CP0-CP9):

Checkpoint Status
CP0: Skills discovery
CP1: Issue understood
CP2: Workspace setup
CP3: Exploration
CP4: Codex consult
CP5: Implementation
CP6: PR created
CP7: Review approved ✅ (iteration 3)
CP8: Tests approved ✅ (iteration 2, 15 tests)
CP9: Live validation

Deploy note: Python backend changes (redirect_uri validation + dynamic callback template) should be deployed to api.omi.me before the next desktop app release to ensure OAuth callbacks use the correct URL scheme.

Awaiting explicit merge approval.

by AI for @beastoin
