Account nav and page panels now fetched from events/cart fragments
instead of using shared widget registry.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Keep get_navigation_tree() as fallback when nav-tree fragment fetch
fails. Update shared submodule with fixed app slug URLs in nav.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Navigation is now rendered by blog as an HTML fragment. This app
fetches it with its own app_name and path for correct highlighting.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Desktop span: hidden md:inline-flex, mobile span: block md:hidden.
Prevents both showing when fragment is injected in a single spot.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Phase 2 of fragment composition: account exposes auth-menu fragment
(sign-in button or user email for desktop + mobile) via
/internal/fragments/ endpoint. Updates shared submodule.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
External clients like artdag POST to this endpoint from their
backend, so there's no browser session with a CSRF token.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signals external services (artdag) about device auth state changes
via the AP internal bus, replacing shared-Redis coupling.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Standard HTTP token exchange for clients that don't share the coop DB.
Returns user_id, username, display_name, grant_token in exchange for
a valid authorization code.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
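As an added illustration of the exchange described in this commit (example code written for this log, not the project's own endpoint), the handler below takes an authorization code and returns user_id, username, display_name and grant_token. It is plain Python with no web framework; the class names, the client_secret check, the 60-second code lifetime and the constructed client registry are all assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field


CODE_TTL_SECONDS = 60  # assumed lifetime of an authorization code


@dataclass
class User:
    user_id: int
    username: str
    display_name: str


@dataclass
class PendingCode:
    client_id: str
    user: User
    redirect_uri: str
    issued_at: float
    used: bool = False


@dataclass
class TokenExchangeServer:
    # client_id -> client_secret; a constructed registry, not the project's data
    clients: dict
    codes: dict = field(default_factory=dict)    # code -> PendingCode
    grants: dict = field(default_factory=dict)   # grant_token -> (client_id, user_id)

    def issue_code(self, client_id, user, redirect_uri, now=None):
        """Called by the authorize step once the user is logged in."""
        code = secrets.token_urlsafe(32)
        issued_at = time.time() if now is None else now
        self.codes[code] = PendingCode(client_id, user, redirect_uri, issued_at)
        return code

    def exchange(self, client_id, client_secret, code, redirect_uri, now=None):
        """Body of the token endpoint: a valid code -> user fields + grant_token."""
        now = time.time() if now is None else now
        expected = self.clients.get(client_id)
        # The caller is a backend, not a browser, so there is no session or
        # CSRF token; the client secret is what authenticates the request.
        # Compare in constant time.
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return {"error": "invalid_client"}
        pending = self.codes.get(code)
        if pending is None or pending.used or pending.client_id != client_id:
            return {"error": "invalid_grant"}
        # Burn the code on first use regardless of outcome, so a replayed or
        # mismatched code can never become usable later.
        pending.used = True
        if pending.redirect_uri != redirect_uri:
            return {"error": "invalid_grant"}
        if now - pending.issued_at > CODE_TTL_SECONDS:
            return {"error": "invalid_grant"}
        grant_token = secrets.token_urlsafe(32)
        self.grants[grant_token] = (client_id, pending.user.user_id)
        return {
            "user_id": pending.user.user_id,
            "username": pending.user.username,
            "display_name": pending.user.display_name,
            "grant_token": grant_token,
        }


def demo():
    """Constructed fixture: one registered client and one freshly issued code."""
    server = TokenExchangeServer(clients={"artdag": "s3cret-constructed"})
    alice = User(42, "alice", "Alice Example")
    code = server.issue_code("artdag", alice, "https://artdag.example/auth/callback", now=1000.0)
    return server, code
```

The code is single-use and bound to both the client_id and the redirect_uri it was issued for, and it is marked used before the remaining checks run, so a failed exchange cannot be retried with corrected parameters.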
- OAuth authorize: pass account_did (g.device_id) in both success
and error redirects so client apps can track the device
- Magic link login: set did_auth:{device_id} in Redis so client
apps detect login even when their prompt=none cache says "no"
- Logout + SSO-logout: clear did_auth:{device_id} from Redis
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Account's authorize endpoint now supports prompt=none: returns
error=login_required redirect when user isn't logged in instead of
bouncing to interactive login. Removed /propagate endpoint since
client apps now detect auth state via prompt=none handshake.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
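An added example (written for this log, not the project's authorize endpoint) of the prompt=none decision this commit describes, combined with two details from the neighbouring commits: the grant records the device_id, and redirects carry account_did. It is framework-free Python; the class names, the route paths and the constructed client registry are assumptions. The redirect_uri is exact-matched against the registration before any redirect, including the login_required error, and state is echoed back on every redirect.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class AuthorizeResult:
    kind: str       # "redirect", "interactive_login" or "error"
    location: str   # URL to send the browser to, or the error code


def _with_query(url, params):
    """Append params to url's query string, keeping any existing parameters."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update(params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


@dataclass
class AuthorizationServer:
    clients: dict                               # client_id -> registered redirect_uri (constructed)
    authorize_path: str = "/oauth/authorize"    # assumed route names
    login_path: str = "/login"
    grants: dict = field(default_factory=dict)  # code -> grant record

    def authorize(self, client_id, redirect_uri, state, device_id, user_id=None, prompt=None):
        registered = self.clients.get(client_id)
        # Exact-match the redirect_uri before redirecting anywhere, including
        # for error responses: an unregistered URI gets no redirect at all.
        if registered is None or registered != redirect_uri:
            return AuthorizeResult("error", "invalid_request")
        if user_id is None:
            if prompt == "none":
                # Silent check from a client app: answer with login_required
                # instead of bouncing the user through interactive login.
                return AuthorizeResult("redirect", _with_query(redirect_uri, {
                    "error": "login_required", "state": state, "account_did": device_id}))
            # No prompt=none: send the user to login and resume authorize afterwards.
            resume = _with_query(self.authorize_path, {
                "client_id": client_id, "redirect_uri": redirect_uri, "state": state})
            return AuthorizeResult("interactive_login", _with_query(self.login_path, {"next": resume}))
        code = secrets.token_urlsafe(32)
        # Store the device on the grant so the app can later tie it to its device cookie.
        self.grants[code] = {"client_id": client_id, "user_id": user_id, "device_id": device_id}
        return AuthorizeResult("redirect", _with_query(redirect_uri, {
            "code": code, "state": state, "account_did": device_id}))


def query_of(result):
    """Helper for inspecting a redirect: the location's query string as a dict."""
    return dict(parse_qsl(urlsplit(result.location).query))
```

A client app performing the silent check treats error=login_required as "no session at account" and anything else as a real failure; only a code response carries a grant the app can later verify.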
Device cookies handle subsequent auth changes (logout/re-login),
but the initial login needs the chain to create grants on each app
and link them to device cookies. Dead apps skipped via health check.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
OAuth authorize stores device_id on grants. New /internal/check-device
endpoint lets client apps detect login/logout by checking device's
grant state + user.last_login_at. Propagation chain removed — each
app detects auth changes independently via its device cookie.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Health-check each app via internal URL before redirecting.
Dead apps are silently skipped so the chain doesn't break.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
After magic link login, account bounces through each client app's
/auth/login to establish local sessions via OAuth. Each app does its
OAuth flow (instant since account is logged in) then redirects back
to /auth/propagate for the next app in the chain.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Account creates OAuthGrant per authorization, revokes on logout.
Client apps verify grants via /auth/internal/verify-grant endpoint.
Removes iframe-based logout page.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Account is now the OAuth authorization server with magic link login,
OAuth2 authorize endpoint, SSO logout, and session management.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>