284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Integration Tests / Check for relevant changes (push) Waiting to run
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Mobile checks / Mobile unit tests (push) Waiting to run
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Temporal Readiness / fast-readiness (push) Waiting to run
Temporal Readiness / docker-parity (push) Waiting to run
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Unit Tests / Skipped-test budget (push) Waiting to run
Unit Tests / Nx affected unit tests (push) Waiting to run
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
1.7 KiB
1.7 KiB
Server Mobile Auth Configuration (Hosted)
Last updated: 2026-02-03
This document describes how to enable and configure the server-side “web login → mobile handoff” flow for the Alga PSA mobile app.
Overview
Mobile login reuses the existing web sign-in (/auth/signin) and SSO providers. After successful login, the browser is redirected to /auth/mobile/handoff, which issues a one-time token (OTT) and redirects back into the app via deep link.
Endpoints
- Browser handoff:
GET /auth/mobile/handoff?redirect={deepLink}&state={state}
- Mobile API:
GET /api/v1/mobile/auth/capabilitiesPOST /api/v1/mobile/auth/exchangePOST /api/v1/mobile/auth/refreshPOST /api/v1/mobile/auth/revoke
Environment Variables
Token TTLs (seconds)
ALGA_MOBILE_OTT_TTL_SEC(default:60)ALGA_MOBILE_ACCESS_TTL_SEC(default:900/ 15 minutes)ALGA_MOBILE_REFRESH_TTL_SEC(default:2592000/ 30 days)
Hosted domain allowlist
ALGA_MOBILE_HOST_ALLOWLIST- Comma-separated hostnames, e.g.
app.alga.example,staging.alga.example - Returned by the capabilities endpoint and enforced by the mobile client before opening sign-in.
- Comma-separated hostnames, e.g.
Deep Link Redirect Validation
/auth/mobile/handoff only redirects to:
- Schemes:
alga://,exp://(Expo Go), orhttps://(dev convenience) - Paths matching the mobile callback route (
/auth/callback)
If validation fails, the handoff redirects back to /auth/signin?error=invalid_redirect.
Database
Migration: server/migrations/20260203210000_add_mobile_auth_tables.cjs
mobile_auth_otts- hashed token storage, TTL, and single-use (
used_at)
- hashed token storage, TTL, and single-use (
mobile_refresh_tokens- hashed refresh token storage and rotation (
replaced_by_id)
- hashed refresh token storage and rotation (