Add skip_setup_flow flag to oauth#1454

Merged
skyfallwastaken merged 7 commits into
hackclub:mainfrom
lordbagel42:main
Jun 28, 2026

Conversation

@lordbagel42 lordbagel42 commented Jun 26, 2026

Contributor

Summary of the problem

Hackatime requires setting up a code editor before connecting to Stardance; in addition, the homepage is very coding-centric and discouraging. Homepage changes have been moved to #1456.

Describe your changes

When skip_setup_flow is passed into the Hackatime OAuth, it skips to step4 of the WakatimeSetup flow and showcases a banner noting that setting up a code editor was skipped. This way, everybody still has to agree to the rules.

This PR is blocking for hackclub/stardance#702

Screenshots / Media

Video showcasing Stardance using the new flag:
https://github.com/user-attachments/assets/d14be4ae-9b8a-4ecf-a103-22de7d8b05ab

greptile-apps Bot commented Jun 26, 2026

Contributor

Greptile Summary

This PR adds a skip_setup_flow flag to the OAuth flow so that hardware-program users (coming from Stardance) bypass the code-editor setup wizard (steps 1–3) and land directly on the Fair Play Policy agreement page (step 4), where they still must accept the rules before continuing.

  • build_return_data is added to ApplicationController to extract skip_setup_flow and button_text from an OAuth continue URL and persist them through the session.
  • UsersController#wakatime_setup detects the flag (from session or a bare query param) and short-circuits to step 4; wakatime_setup_step_4 reads the flag, exposes it to the Svelte component as hardware, and immediately removes it from the session.
  • Step4.svelte renders an informational banner when hardware is true, and a stray > character in the Fraud page link anchor is also fixed.

Confidence Score: 5/5

Safe to merge; the OAuth redirect chain and session management look correct, and no functional regressions were identified.

The skip_setup_flow flag is correctly extracted by build_return_data, persisted through reset_session, and detected in wakatime_setup before the session flag is cleaned up. All three auth paths (HCA, Slack, email token) now carry the flag through. The only noted concerns are non-blocking: the hardware banner vanishes on refresh due to the eager session cleanup, and there are no tests for the new code path despite the existing test suite covering analogous OAuth flows.

app/controllers/users_controller.rb — the wakatime_setup_step_4 session cleanup and the missing test coverage for the new redirect logic.

Important Files Changed

| Filename | Overview |
| --- | --- |
| app/controllers/application_controller.rb | Adds build_return_data helper that extracts skip_setup_flow and button_text from a validated local URL's query string and stores them in the session return-data hash; correctly defers to safe_return_url for open-redirect protection. |
| app/controllers/sessions_controller.rb | Replaces inline { "url" => safe_return_url(...) } hash construction with build_return_data(...) in three places (hca_new, slack_create, token) so that the skip_setup_flow flag now survives all authentication paths. |
| app/controllers/users_controller.rb | wakatime_setup now short-circuits to step 4 when skip_setup_flow is set; wakatime_setup_step_4 reads the flag, passes it as a hardware prop, then immediately removes it from the session. The early session deletion means the hardware banner disappears if the user refreshes step 4. |
| app/javascript/pages/WakatimeSetup/Step4.svelte | Adds an informational hardware banner controlled by the new hardware prop, imports required icon components, and fixes a stray > typo in the Fraud page anchor text. |

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant S as Stardance
    participant B as Browser
    participant O as OAuth Controller
    participant Sess as SessionsController
    participant U as UsersController

    S->>B: "Redirect to /oauth/authorize?skip_setup_flow=1"
    B->>O: "GET /oauth/authorize?skip_setup_flow=1"
    O->>B: "Redirect to /signin?continue=/oauth/authorize?skip_setup_flow=1"
    B->>Sess: "GET /signin/hca?continue=..."
    Note over Sess: build_return_data stores skip_setup_flow in session
    Sess->>B: Redirect to HCA OAuth
    B->>Sess: GET /signin/hca/callback (new user)
    Note over Sess: Preserves return_data through reset_session
    Sess->>B: Redirect to /my/wakatime_setup
    B->>U: GET /my/wakatime_setup
    Note over U: Detects skip_setup_flow in session
    U->>B: Redirect to /my/wakatime_setup/step-4
    B->>U: GET /my/wakatime_setup/step-4
    Note over U: hardware=true, clears skip_setup_flow
    U->>B: "Render Step4 (hardware=true, return_url=oauth_url)"
    Note over B: User sees banner, must agree to Fair Play Policy
    B->>O: GET /oauth/authorize (after agreeing)

Reviews (8): Last reviewed commit: "Cleanup?" | Re-trigger Greptile
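
As an added illustration (not code from this PR or from Hackatime), here is one way a helper like the build_return_data described in the review above could accept only a local continue URL, copy only allowlisted flags out of it, and carry the result across a session reset. The function names, the `return_data` session key, the accepted values `1`/`true` and the 40-character cap on button_text are assumptions.

```ruby
require "uri"

# Only these query keys are ever copied out of the continue URL.
ALLOWED_FLAGS = %w[skip_setup_flow button_text].freeze
MAX_BUTTON_TEXT = 40 # assumed cap; the PR does not state one

# Returns the URL unchanged if it is a same-origin relative reference, else nil.
def local_return_path(raw)
  return nil unless raw.is_a?(String) && raw.start_with?("/")
  # Protocol-relative URLs, backslashes and control characters are common
  # ways to smuggle an external host past a "starts with /" check.
  return nil if raw.start_with?("//") || raw.include?("\\") || raw.match?(/[[:cntrl:]]/)
  uri = URI.parse(raw)
  uri.scheme.nil? && uri.host.nil? ? raw : nil
rescue URI::InvalidURIError
  nil
end

# Hypothetical counterpart to the helper the review describes.
def build_return_data_example(continue_url)
  path = local_return_path(continue_url)
  return {} unless path # untrusted URL: store nothing, flags included

  params = URI.decode_www_form(URI.parse(path).query.to_s).to_h.slice(*ALLOWED_FLAGS)
  data = { "url" => path }
  data["skip_setup_flow"] = true if %w[1 true].include?(params["skip_setup_flow"])
  if (text = params["button_text"])
    # Display-only value: strip non-printables and bound the length.
    data["button_text"] = text.gsub(/[^[:print:]]/, "")[0, MAX_BUTTON_TEXT]
  end
  data
end

# Session reset on login (fixation defence) that carries over only return data.
# `session` is a plain Hash standing in for the Rails session.
def reset_preserving_return_data(session)
  kept = session["return_data"]
  session.clear
  session["return_data"] = kept if kept
  session
end

# Constructed sample input.
p build_return_data_example("/oauth/authorize?skip_setup_flow=1&button_text=Back+to+Stardance")
p build_return_data_example("//evil.example/oauth/authorize?skip_setup_flow=1")
```

Because the flag only selects which setup step is shown, the policy agreement at step 4 stays the gate regardless of what a caller puts in the query string.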

Comment thread app/controllers/sessions_controller.rb Outdated
Comment thread app/javascript/pages/WakatimeSetup/Index.svelte Outdated
Comment thread app/controllers/static_pages_controller.rb Outdated
Comment thread app/javascript/pages/WakatimeSetup/Index.svelte Outdated
Comment thread app/services/hca_service.rb Outdated
Comment thread app/javascript/pages/WakatimeSetup/Index.svelte Outdated
Comment thread app/controllers/sessions_controller.rb Outdated
Comment thread app/javascript/pages/WakatimeSetup/Index.svelte Outdated

skyfallwastaken commented Jun 28, 2026

Member

@greptileai one final check por favor?

(bagel - lgtm but I'd like to double check :pf:)

@skyfallwastaken skyfallwastaken merged commit b851790 into hackclub:main Jun 28, 2026
12 of 13 checks passed