Commit graph

2 commits

Author SHA1 Message Date
fee3008b60 Document picker: forward OAuth2 access token to Forgejo API
The select-documents picker queried the Forgejo API with only the
browser's session cookie (credentials: 'include'), so an OpenCDE client
that authenticated via OAuth2 saw only public repositories.

Thread the access token presented on the select-documents request
through to the picker UI (query param) and have its JS send it as
Authorization: Bearer on every Forgejo API call, falling back to cookie
auth when no token is supplied. Add a no-referrer policy so the token in
the page URL does not leak via Referer on API fetches or the callback
redirect.

Closes ifcurl-i5c.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 23:56:30 +01:00
e2d3d12bc1 Add OpenCDE select-documents picker (POST + UI)
POST /documents/1.0/select-documents accepts a callback URL and returns a
select_documents_url pointing to a self-contained HTML picker that browses
Forgejo repos and IFC files, encodes the selection as a document_id, then
redirects back to the callback with document_ids[] appended.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-07 12:19:01 +01:00