[PR #353] Fix WordPress OAuth postMessage origin wiring #320

Open
opened 2026-03-02 23:35:07 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/AJaySi/ALwrity/pull/353
Author: @AJaySi
Created: 2/13/2026
Status: 🔄 Open

Base: main ← Head: codex/review-oauth-integration-framework-analysis


📝 Commits (10+)

  • db50935 Documentation updates and scheduler dashboard improvements
  • 531d027 Remove large generated media files from Git tracking
  • 328ac7d Added Backlinking feature
  • 397e926 Refactor Image Studio, Video Studio, Backlinking, Scheduler Dashboard, YouTube Router, and Story Writer.
  • bd6e0cb Backlinking AI Enhancement Complete.
  • 6d51cab feat: Complete Competitor Analyzer Refactoring + Week 1-2 Immediate Wins
  • ef31895 Apply essential SSOT PostgreSQL architecture - dual database with backward compatibility
  • 4a8f3ed Complete PostgreSQL-only architecture with SQLite removal
  • 7bba595 Fix DATABASE_URL references to use dual PostgreSQL architecture
  • 9ed791f Fix PostgreSQL JSON index error in content_assets table

📊 Changes

792 files changed (+130258 additions, -9106 deletions)

View changed files

📝 .github/README.md (+46 -21)
📝 .gitignore (+18 -0)
➕ IMAGE_STUDIO_REVIEW.md (+80 -0)
➕ ToBeMigrated/legacy_backlinker/App.css (+42 -0)
➕ ToBeMigrated/legacy_backlinker/App.tsx (+31 -0)
➕ ToBeMigrated/legacy_backlinker/assets/ai-brain-icon.png (+0 -0)
➕ ToBeMigrated/legacy_backlinker/assets/neural-network-hero.jpg (+0 -0)
➕ ToBeMigrated/legacy_backlinker/components/comparison-section.tsx (+103 -0)
➕ ToBeMigrated/legacy_backlinker/components/dashboard-preview.tsx (+201 -0)
➕ ToBeMigrated/legacy_backlinker/components/dashboard/analytics-summary.tsx (+109 -0)
➕ ToBeMigrated/legacy_backlinker/components/dashboard/collaboration-tracker.tsx (+271 -0)
➕ ToBeMigrated/legacy_backlinker/components/dashboard/dashboard-header.tsx (+42 -0)
➕ ToBeMigrated/legacy_backlinker/components/dashboard/email-campaigns.tsx (+177 -0)
➕ ToBeMigrated/legacy_backlinker/components/dashboard/keyword-research.tsx (+126 -0)
➕ ToBeMigrated/legacy_backlinker/components/dashboard/prospect-analysis.tsx (+145 -0)
➕ ToBeMigrated/legacy_backlinker/components/features-section.tsx (+195 -0)
➕ ToBeMigrated/legacy_backlinker/components/hero-section.tsx (+143 -0)
➕ ToBeMigrated/legacy_backlinker/components/navigation.tsx (+80 -0)
➕ ToBeMigrated/legacy_backlinker/components/pricing-section.tsx (+108 -0)
➕ ToBeMigrated/legacy_backlinker/components/ui/accordion.tsx (+56 -0)

...and 80 more files

📄 Description

Motivation

  • Fix a regression where WordPress OAuth callback HTML emitted the literal '{postmessage_origin}' (missing f-strings) which prevented the backend from targeting a validated origin.
  • Remove wildcard postMessage('*') usage in the frontend callback flow to restore origin-aware messaging consistent with other providers.
  • Unify frontend WordPress OAuth flow with the shared origin utilities so provider message validation uses the same trusted-origins contract.

Description

  • Backend backend/routers/wordpress_oauth.py now imports get_trusted_origins_for_redirect, safely initializes postmessage_origin, uses f-strings for all callback HTML branches, and includes trusted_origins in the /auth/url response payload.
  • Frontend typing frontend/src/api/wordpressOAuth.ts updated to include trusted_origins in WordPressOAuthResponse.
  • frontend/src/components/WordPressCallbackPage/WordPressCallbackPage.tsx now uses getOAuthPostMessageTargetOrigin('wordpress') instead of '*' when calling postMessage.
  • frontend/src/hooks/useWordPressOAuth.ts now uses getTrustedOrigins, setOAuthTargetOrigin, and isTrustedOAuthMessageEvent to compute and validate allowed origins instead of a hardcoded allowlist.

Testing

  • Compiled the modified backend file with python -m compileall backend/routers/wordpress_oauth.py which completed successfully.
  • Verified there are no remaining wildcard postMessage calls by running rg -n "postMessage\(.*'\*'|\}, '\*'\)" against the backend and updated frontend files, which returned no matches.
  • Exercised the frontend changes locally (callback page + hook flow) to confirm the code paths use the shared origin helpers and target a computed origin (manual validation of message target wiring succeeded).

Codex Task: https://chatgpt.com/codex/tasks/task_e_698c77c942b88328aaf30ea838c2221a


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
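The backend side of the fix described in the PR body, as an added example that is not part of the PR or of ALwrity's code: a popup-callback page is rendered with an f-string so the validated origin actually reaches the `postMessage` call, the origin is accepted only if it exactly matches one of the trusted origins (a missing match means no message is posted at all, never a fallback to `'*'`), and a small audit function reproduces the PR's `rg` check for a leftover `'{postmessage_origin}'` placeholder or a wildcard target. Browsers reject a `targetOrigin` that is neither `'*'` nor a parsable URL with a `SyntaxError`, which is why the un-interpolated placeholder broke the flow. The function names, the `TRUSTED_ORIGINS` list and the payload shape are illustrative assumptions, not the project's `get_trusted_origins_for_redirect` or its router code.

```python
"""Added example, not ALwrity's code: render an OAuth popup-callback page that
posts its result to window.opener with a validated targetOrigin, and audit the
rendered HTML for the two regressions the PR describes (a literal
'{postmessage_origin}' left by a missing f-string, and a wildcard '*' target).
Function names and the trusted-origins list are illustrative assumptions."""
import json
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist standing in for the project's get_trusted_origins_for_redirect().
TRUSTED_ORIGINS = ["https://app.example.com", "http://localhost:3000"]


def normalize_origin(value: str) -> Optional[str]:
    """Reduce a URL or origin to scheme://host[:port]; None if it is not an http(s) origin."""
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    origin = f"{parts.scheme}://{parts.hostname}"  # .hostname is already lowercased
    default_port = 443 if parts.scheme == "https" else 80
    if port is not None and port != default_port:
        origin += f":{port}"
    return origin


def pick_postmessage_origin(requested: Optional[str], trusted: list) -> Optional[str]:
    """Return the requested origin only if it exactly matches a trusted origin.
    '*', a bare host, an unknown site or no value all yield None; the caller
    must then skip postMessage entirely rather than fall back to '*'."""
    allow = {o for o in map(normalize_origin, trusted) if o}
    candidate = normalize_origin(requested) if requested else None
    return candidate if candidate in allow else None


def _js_literal(value) -> str:
    """JSON-encode a value for a <script> body; escape '</' so a payload string
    cannot close the script element early."""
    return json.dumps(value).replace("</", "<\\/")


def render_callback_html(payload: dict, postmessage_origin: Optional[str]) -> str:
    """Callback page as the fixed code emits it: an f-string, origin as a JS literal.
    JS braces are doubled because this is an f-string."""
    target = _js_literal(postmessage_origin)  # 'null' when no trusted origin matched
    return f"""<!doctype html><html><body><script>
(function () {{
  var target = {target};
  var payload = {_js_literal(payload)};
  if (window.opener && target) {{ window.opener.postMessage(payload, target); }}
  window.close();
}})();
</script></body></html>"""


def render_callback_html_regressed(payload: dict, postmessage_origin: Optional[str]) -> str:
    """The regression: the same template without the f prefix. The parameters are
    never interpolated, so the browser gets the literal text '{postmessage_origin}'
    as targetOrigin, which postMessage rejects as an invalid origin."""
    return """<script>
window.opener.postMessage({payload}, '{postmessage_origin}');
</script>"""


# postMessage(<anything>, '*') or postMessage(<anything>, "*"); covers the PR's two rg patterns.
WILDCARD_RE = re.compile(r"""postMessage\([^)]*,\s*['"]\*['"]\s*\)""")


def audit_callback_html(html: str) -> list:
    """Static check equivalent to the PR's rg search: report a leftover
    placeholder and any wildcard targetOrigin found in the rendered page."""
    findings = []
    if "{postmessage_origin}" in html:
        findings.append("placeholder")
    if WILDCARD_RE.search(html):
        findings.append("wildcard")
    return findings


if __name__ == "__main__":
    origin = pick_postmessage_origin("https://app.example.com", TRUSTED_ORIGINS)
    good = render_callback_html({"provider": "wordpress", "status": "ok"}, origin)
    print(audit_callback_html(good))  # []
    bad = render_callback_html_regressed({"provider": "wordpress"}, origin)
    print(audit_callback_html(bad))  # ['placeholder']
```

The same exact-match rule belongs on the receiving side: the opener's `message` listener should compare `event.origin` against the same allowlist before trusting the payload, which is what the PR's move from a hardcoded list to the shared `isTrustedOAuthMessageEvent` helper is meant to guarantee.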
