Added OAuth login flow

Author: Herve Tribouilloy

.gitignore

@@ -7,4 +7,5 @@ www
 widget.local.crt
 widget.local.key
 test-results
-README-dev.md
+README-dev.md
+*.html

README.md

@@ -79,4 +79,13 @@ Planned work includes:
 - Step-up authentication after repeated login failure
 - Turnstile token reuse across booking flow
 - Expanded Playwright coverage on abuse scenarios
-- Playwright tests focused on core flow integrity  
+- Playwright tests focused on core flow integrity  
+
+## Hosts examples
+| Host                           | Test to check it works                                                                                                       | Notes on the component                                                                                                                                                                                                                            |
+| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **booking-api.local**          | Open `https://booking-api.local/api/graphql` in browser → expect GraphQL JSON (or GraphiQL), then run `query { __typename }` | Keystone persistence + GraphQL. Must be bound to `0.0.0.0`, HTTPS cert trusted, CORS must allow `https://southerndemo.com` **with credentials**. Auth logic must accept JWT (not rely on `context.session`).                                      |
+| **oauth-api.local**            | `POST https://oauth-api.local/auth/login` → expect `200` + token in JSON                                                     | Token issuer only. No cookies here unless explicitly designed. Verify token format (JWT vs opaque) and expiry. HTTPS required but CORS usually not (server-to-server or same origin).                                                             |
+| **auth-bridge.local**          | Hit login/refresh endpoint → DevTools → Application → Cookies → verify cookie appears                                        | Most fragile component. Must set cookie with `Secure; SameSite=None; Domain=.southerndemo.com; Path=/`. Must return `Access-Control-Allow-Origin: https://southerndemo.com` **and** `Allow-Credentials: true`. Any mismatch silently breaks auth. |
+| **southerndemo.com**           | Load page → Network tab shows widget JS `200`, no CSP/CORS errors                                                            | Host page. Must be HTTPS. Must not block third-party scripts or credentials. CSP must allow widget domain and auth-bridge. Cookies should be visible under this domain after auth.                                                                |
+| **widget.bookingsystem.co.uk** | Widget loads, then triggers calls to auth-bridge and booking-api with `credentials: include`                                 | Execution layer only. Should not read cookies manually. Should rely on browser cookie attachment. Any auth failure here usually originates upstream (cookies or CORS).                                                                            |

vite_project/index.html

@@ -1,7 +1,7 @@
 {
   "name": "widget-booking",
   "private": true,
-  "version": "0.2.0",
+  "version": "0.2.1",
   "type": "module",
   "scripts": {
     "dev": "vite",

vite_project/package-lock.json

@@ -9,6 +9,7 @@ interface BookingSystemConfig {
     widgets: {
         booking?: {
             api: string;
+            auth: string;
         };
     };
     integrations?: {
@@ -40,6 +41,10 @@ export function readBookingSystemConfig(): BookingSystemConfig {
         throw new Error('BookingWidget: booking.api missing in global config');
     }
 
+    if (!config.widgets?.booking?.auth) {
+        throw new Error('BookingWidget: booking.auth missing in global config');
+    }
+
     return config;
 }
 

vite_project/package.json

@@ -9,7 +9,7 @@ type Props = {
 };
 
 export function BookingSystemWidget({ host }: Props) {
-    const { booking } = useWidgetConfig(host);
+    const { booking, user } = useWidgetConfig(host);
 
     if (!booking) {
         activity('bootstrap', '[ContactUs] Widget is not correctly configured', null, 'warn');
@@ -18,7 +18,7 @@ export function BookingSystemWidget({ host }: Props) {
 
     return (
         <SystemStateProvider config={booking}>
-            <UserStateProvider>
+            <UserStateProvider config={user}>
                 <BookingSystemWrapper venueId={booking.venueId} />
             </UserStateProvider>
         </SystemStateProvider>

vite_project/src/BookingSystemConfig.tsx

@@ -27,7 +27,7 @@ export function BookingSystemWrapper({venueId}: Props) {
     } = useEventTypeGroups(venue?.id);
 
     if (venueError || hostsError || eventTypeGroupError) {
-        activity('bootstrap', 'Keystone data cannot be returned', null, 'error');
+        activity('bootstrap', 'Keystone data cannot be returned', {venue, hostsError, eventTypeGroupError}, 'error');
         return <ErrorState />;
     }
 

vite_project/src/BookingSystemWidget.tsx

@@ -60,7 +60,7 @@ export function AddToCart({onRequireAuth}: AddToCartProps) {
                 eventId: eventState.activeEventId,
                 eventTypeId: visitIntent.eventTypeId,
                 shampoo: eventState.shampoo ? 1 : 0,
-                userId: user?.id,
+                userId: user?.id || '',
                 turnstileToken,
             });
 

vite_project/src/components/BookingSystemWrapper.tsx

@@ -1,4 +1,3 @@
-import {useLoginUser} from "../../hooks/domain/useLoginUser.tsx";
 import {useState} from "react";
 import {useUserState} from "../../state/User/useUserState.ts";
 import {loginWithCredentials} from "../../domain/user/authentication.ts";
@@ -8,15 +7,15 @@ export const Sign: React.FC = () => {
     const [password, setPassword] = useState('');
     const [submitting, setSubmitting] = useState(false);
     const [errorMessage, setErrorMessage] = useState<string | null>(null);
-    const { refreshUser} = useUserState()
+    const { refreshUser, config} = useUserState()
 
     const handleSubmit = async (e: React.FormEvent) => {
         e.preventDefault();
         setErrorMessage(null);
 
         try {
             setSubmitting(true);
-            await loginWithCredentials(email, password);
+            await loginWithCredentials(email, password, config);
             await refreshUser();
         } catch {
             setErrorMessage('Incorrect email or password');