AeThex-Corporation/aethex-forge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Foundation OAuth Deployment Checklist

Browse source 
cgen-a635f6693b0f45e793bf17c1f94113db
This commit is contained in:
Builder.io 2025-11-17 02:26:14 +00:00
parent 6dcf0148b6
commit a263bdf7d6
1 changed files with 469 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

469
docs/DEPLOYMENT-CHECKLIST.md Normal file
View file

@ -0,0 +1,469 @@
# Foundation OAuth Deployment Checklist
This checklist guides you through deploying Phase 3: Foundation OAuth integration on aethex.dev.
---
## Pre-Deployment Setup
### 1. Environment Variables
Add these to your deployment platform (Vercel, Railway, etc.):
```bash
# Foundation Identity Provider
VITE_FOUNDATION_URL=https://aethex.foundation
# OAuth Credentials (from Foundation Phase 1 setup)
FOUNDATION_OAUTH_CLIENT_ID=aethex_corp
FOUNDATION_OAUTH_CLIENT_SECRET=bcoEtyQVGr6Z4557658eUXpDF5FDni2TGNahH3HT-FtylNrLCYwydwLO0sbKVHtfYUnZc4flAODa4BXkzxD_qg
```
**Important:**
- ✅ Keep `FOUNDATION_OAUTH_CLIENT_SECRET` **secure** (never commit to git)
- ✅ Use deployment platform's secret management (Vercel > Settings > Environment Variables)
- ✅ Mark secret variables as "Encrypted"
### 2. Verify Foundation is Ready
Before deploying, confirm:
- [ ] aethex.foundation is running and accessible
- [ ] `/api/oauth/authorize` endpoint responding
- [ ] `/api/oauth/token` endpoint responding
- [ ] `/api/oauth/userinfo` endpoint responding
- [ ] OAuth credentials valid (client_id, client_secret)
**Quick Test:**
```bash
# Test token endpoint
curl -X POST https://aethex.foundation/api/oauth/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token&refresh_token=test"
# Should return error about invalid refresh token (shows endpoint is up)
```
### 3. Verify Redirect URI
Foundation must have this redirect URI registered:
```
Production: https://aethex.dev/auth/callback
Staging: https://staging.aethex.dev/auth/callback
Development: http://localhost:5173/auth/callback
```
Ask Foundation admin to verify these are registered.
---
## Deployment Steps
### Step 1: Set Environment Variables
**Vercel:**
1. Go to Project Settings > Environment Variables
2. Add three variables:
- `VITE_FOUNDATION_URL` = `https://aethex.foundation`
- `FOUNDATION_OAUTH_CLIENT_ID` = `aethex_corp`
- `FOUNDATION_OAUTH_CLIENT_SECRET` = (paste secret, mark as encrypted)
3. Select environments: Production, Preview, Development
4. Save
**Railway/Other:**
- Add to `.env` file in deployment
- Or configure in platform's settings
- Restart deployment for changes to take effect
### Step 2: Deploy Code
Files included in deployment:
```
✅ Already Implemented:
code/
├── client/
│ ├── lib/
│ │ ├── foundation-oauth.ts (PKCE + OAuth flow)
│ │ └── foundation-auth.ts (Token/cookie management)
│ ├── hooks/
│ │ └── use-foundation-auth.ts (Callback handling)
│ └── pages/
│ └── Login.tsx (Updated with Foundation button)
├── api/
│ └── auth/callback.ts (OAuth callback + token exchange)
├── .env.foundation-oauth.example (Configuration reference)
└── docs/
└── FOUNDATION-OAUTH-IMPLEMENTATION.md
```
**Deploy command:**
```bash
# For Vercel
vercel deploy --prod
# For Railway
railway deploy
# For Docker
docker build -t aethex-dev .
docker push <registry>/aethex-dev
# Then deploy image
```
### Step 3: Verify Deployment
1. **Check environment variables:**
```bash
# On deployed app, check logs for env var loading
# Should see Foundation URL in console (not secret though!)
```
2. **Visit login page:**
- Go to https://aethex.dev/login
- Should see "Login with Foundation" button
- No console errors
3. **Test OAuth flow:**
- Click "Login with Foundation"
- Should redirect to https://aethex.foundation/api/oauth/authorize
- Page should show Foundation login (or auth screen)
4. **Check callback endpoint:**
- Network tab should show POST to `/auth/callback/exchange`
- Should return 200 with access_token
5. **Verify cookies:**
- After successful login, check Application > Cookies
- Should have: `foundation_access_token`, `auth_user_id`
- Both should be HttpOnly, Secure, SameSite=Strict
### Step 4: Monitor Logs
Watch for errors during first deployment:
```bash
# Look for these patterns in logs:
[Foundation OAuth] Received authorization code ✅ Good
[Foundation OAuth] Token exchange initiated ✅ Good
[Foundation OAuth] User info fetched ✅ Good
[Foundation OAuth] User synced successfully ✅ Good
# Watch for these errors:
[Foundation OAuth] Token exchange failed ⚠️ Check credentials
[Foundation OAuth] Failed to fetch user info ⚠️ Check Foundation
ECONNREFUSED ⚠️ Foundation unreachable
```
---
## Testing Plan
### Test 1: Happy Path (Successful Login)
**Steps:**
1. Visit https://aethex.dev/login
2. Click "Login with Foundation"
3. Enter test credentials on Foundation
4. Should redirect back to aethex.dev/auth/callback
5. Should exchange code for token
6. Should appear logged in on dashboard
**Expected Result:** ✅ Logged in, cookies set, profile synced
**Check:**
```bash
# In browser console:
document.cookie # Should show foundation_access_token
# In database:
SELECT * FROM user_profiles WHERE email = '<test-user-email>';
# Should show user synced with profile_completed status
```
### Test 2: Error: Invalid Code
**Steps:**
1. Manually modify callback URL: `?code=invalid_code_123`
2. Press Enter
**Expected Result:** ⚠️ Error page with message, redirect to login after 2s
### Test 3: Network Error
**Steps:**
1. Stop/pause Foundation service
2. Attempt login
3. Foundation redirects back with code
4. Callback tries to exchange code
**Expected Result:** ⚠️ Error about Foundation connection, graceful redirect to login
### Test 4: Logout and Re-login
**Steps:**
1. Logout from dashboard (if logout button exists)
2. Check cookies are cleared
3. Login again with Foundation
4. Should work seamlessly
**Expected Result:** ✅ Logout clears cookies, re-login establishes new session
### Test 5: Multiple Browsers
Test on:
- [ ] Chrome/Chromium
- [ ] Firefox
- [ ] Safari
- [ ] Edge
- [ ] Mobile Safari
- [ ] Mobile Chrome
**Expected Result:** ✅ Works consistently across all browsers
---
## Production Rollout
### Phase 1: Staging (First)
1. Deploy to staging environment first
2. Run full testing suite
3. Verify Foundation integration works
4. Get team sign-off
5. Monitor staging for 24 hours
### Phase 2: Canary (Small Percentage)
If your deployment supports canary deployments:
1. Deploy to 5% of production traffic
2. Monitor auth success rate and errors
3. Check logs for issues
4. Gradually increase to 100%
### Phase 3: Full Production
1. Deploy to 100% of production
2. Have support team on standby
3. Monitor metrics closely for 24 hours
4. Have rollback plan ready
### Phase 4: Cleanup
After 1-2 weeks of successful deployment:
1. Remove old Discord OAuth code (optional)
2. Delete deprecated files:
- `code/api/discord/oauth/start.ts`
- `code/api/discord/oauth/callback.ts`
- `code/api/discord/link.ts`
- `code/api/discord/create-linking-session.ts`
- `code/api/discord/verify-code.ts`
3. Update documentation
4. Remove old env variables
---
## Rollback Plan
If critical issues occur:
### Immediate Rollback (< 1 hour)
1. **Revert deployment:**
```bash
# Vercel
vercel rollback
# Railway
railway rollback <previous-deployment>
```
2. **Remove environment variables:**
- Remove VITE_FOUNDATION_URL
- Remove FOUNDATION_OAUTH_CLIENT_ID
- Remove FOUNDATION_OAUTH_CLIENT_SECRET
3. **Communicate with users:**
- "We've temporarily disabled Foundation integration"
- "Use alternative login methods"
### If Rollback Fails
Contact Foundation admin for assistance with:
- OAuth endpoint status
- User session validation
- Database consistency
---
## Monitoring & Alerts
### Key Metrics to Monitor
1. **Auth Success Rate**
- Target: >99%
- Alert threshold: <95%
- What to check: Logs for "Token exchange" errors
2. **Token Exchange Time**
- Target: <500ms
- Alert threshold: >2000ms
- What to check: Network latency to Foundation
3. **Foundation Connectivity**
- Monitor: Foundation endpoint availability
- Alert on: Connection failures to /api/oauth/token
- Fallback: Maintenance page if Foundation down
4. **Error Rate by Type**
- `invalid_code` - Usually code expired, user retries
- `state_mismatch` - CSRF validation failed, investigate
- `token_exchange_failed` - Foundation issue, escalate
- `user_sync_failed` - Database issue, check Supabase
### Sample Metrics Query
```javascript
// In application logs/dashboard:
const metrics = {
total_login_attempts: 1000,
successful_logins: 990, // 99%
failed_token_exchange: 5,
failed_user_sync: 2,
failed_state_validation: 3,
avg_token_exchange_time_ms: 234
};
```
---
## Support & Troubleshooting
### Common Issues During Deployment
| Issue | Cause | Solution |
|-------|-------|----------|
| "Client secret not found" | Missing env var | Add FOUNDATION_OAUTH_CLIENT_SECRET |
| "Redirect URI mismatch" | URI not registered on Foundation | Ask Foundation admin to register |
| "Token exchange failed 401" | Invalid credentials | Verify client_id and client_secret |
| "User sync failed" | Supabase error | Check user_profiles table schema |
| "Cookies not set" | SameSite policy blocking | Check cookie headers on response |
### Debug Commands
```bash
# Check environment variables (safely)
curl https://aethex.dev/api/health
# Should show that Foundation URL is configured (not the secret)
# Test Foundation connectivity
curl https://aethex.foundation/api/oauth/authorize?client_id=aethex_corp
# Should show authorization page (or redirect)
# Check database
psql -c "SELECT COUNT(*) FROM user_profiles;"
# Should show number of synced users
```
### Getting Help
1. **Check logs:**
- Deployment platform logs (Vercel Dashboard, Railway Dashboard)
- Application logs (if available)
- Browser console (F12)
- Network tab (check requests/responses)
2. **Verify configuration:**
- Environment variables set correctly
- Foundation endpoints accessible
- Redirect URI registered
3. **Escalate if needed:**
- Contact Foundation admin for OAuth endpoint issues
- Contact Supabase for database sync issues
- Contact platform support for deployment issues
---
## Post-Deployment
### 1. Verify Everything Works (Week 1)
- [ ] Users can login via Foundation
- [ ] User profiles sync correctly
- [ ] No errors in logs
- [ ] Auth success rate >99%
- [ ] Response times acceptable
- [ ] No support tickets about login
### 2. Communicate with Users (Week 1)
- [ ] Send announcement: "Foundation is now your identity provider"
- [ ] Explain: Existing sessions will be cleared
- [ ] Remind: They'll need to login again via Foundation
- [ ] Link: Documentation if they need help
### 3. Monitor Metrics (Week 2-3)
- [ ] Track daily auth success rate
- [ ] Monitor error rates
- [ ] Check Foundation connectivity
- [ ] Review support tickets
### 4. Final Cleanup (Week 3-4)
- [ ] Remove old Discord OAuth code (if stable)
- [ ] Archive deprecated files
- [ ] Update documentation
- [ ] Plan next features
---
## Success Criteria
✅ **Deployment is successful when:**
1. Login page shows "Login with Foundation" button
2. Users can login and are redirected to Foundation
3. After Foundation auth, users redirected back to dashboard
4. User profiles sync to local database
5. Cookies are set correctly (HttpOnly, Secure)
6. Auth success rate >99% for 24+ hours
7. No critical errors in logs
8. Support team has no blocking issues
9. Users report smooth login experience
10. All team members approve
---
## Deployment Checklist
- [ ] Environment variables configured in deployment platform
- [ ] Foundation OAuth credentials verified
- [ ] Redirect URI registered on Foundation
- [ ] Code deployed to staging
- [ ] Staging tests pass
- [ ] Production env vars set
- [ ] Code deployed to production
- [ ] Verify login page works
- [ ] Test complete OAuth flow
- [ ] Check database for user syncs
- [ ] Verify cookies are set correctly
- [ ] Monitor logs for errors
- [ ] Monitor metrics for 24 hours
- [ ] Team sign-off obtained
- [ ] User communication sent
- [ ] Support team briefed
- [ ] Rollback plan documented
- [ ] Post-deployment review scheduled
---
**Ready to deploy?** Follow this checklist step-by-step for a smooth Foundation OAuth integration!
---
**Status:** ✅ Deployment checklist complete and ready for use