284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Integration Tests / Check for relevant changes (push) Waiting to run
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Mobile checks / Mobile unit tests (push) Waiting to run
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Temporal Readiness / fast-readiness (push) Waiting to run
Temporal Readiness / docker-parity (push) Waiting to run
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Unit Tests / Skipped-test budget (push) Waiting to run
Unit Tests / Nx affected unit tests (push) Waiting to run
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
52 lines
1.7 KiB
Markdown
52 lines
1.7 KiB
Markdown
# Server Mobile Auth Configuration (Hosted)
|
|
|
|
Last updated: 2026-02-03
|
|
|
|
This document describes how to enable and configure the server-side “web login → mobile handoff” flow for the Alga PSA mobile app.
|
|
|
|
## Overview
|
|
|
|
Mobile login reuses the existing web sign-in (`/auth/signin`) and SSO providers. After successful login, the browser is redirected to `/auth/mobile/handoff`, which issues a one-time token (OTT) and redirects back into the app via deep link.
|
|
|
|
## Endpoints
|
|
|
|
- Browser handoff:
|
|
- `GET /auth/mobile/handoff?redirect={deepLink}&state={state}`
|
|
- Mobile API:
|
|
- `GET /api/v1/mobile/auth/capabilities`
|
|
- `POST /api/v1/mobile/auth/exchange`
|
|
- `POST /api/v1/mobile/auth/refresh`
|
|
- `POST /api/v1/mobile/auth/revoke`
|
|
|
|
## Environment Variables
|
|
|
|
### Token TTLs (seconds)
|
|
|
|
- `ALGA_MOBILE_OTT_TTL_SEC` (default: `60`)
|
|
- `ALGA_MOBILE_ACCESS_TTL_SEC` (default: `900` / 15 minutes)
|
|
- `ALGA_MOBILE_REFRESH_TTL_SEC` (default: `2592000` / 30 days)
|
|
|
|
### Hosted domain allowlist
|
|
|
|
- `ALGA_MOBILE_HOST_ALLOWLIST`
|
|
- Comma-separated hostnames, e.g. `app.alga.example,staging.alga.example`
|
|
- Returned by the capabilities endpoint and enforced by the mobile client before opening sign-in.
|
|
|
|
## Deep Link Redirect Validation
|
|
|
|
`/auth/mobile/handoff` only redirects to:
|
|
|
|
- Schemes: `alga://`, `exp://` (Expo Go), or `https://` (dev convenience)
|
|
- Paths matching the mobile callback route (`/auth/callback`)
|
|
|
|
If validation fails, the handoff redirects back to `/auth/signin?error=invalid_redirect`.
|
|
|
|
## Database
|
|
|
|
Migration: `server/migrations/20260203210000_add_mobile_auth_tables.cjs`
|
|
|
|
- `mobile_auth_otts`
|
|
- hashed token storage, TTL, and single-use (`used_at`)
|
|
- `mobile_refresh_tokens`
|
|
- hashed refresh token storage and rotation (`replaced_by_id`)
|