feat: implement OAuth 2.0 browser authentication with token management and refresh

MayaTheShy
2025-11-09 17:57:12 -05:00
parent 813558ec97
commit 49977dfb98


@@ -96,34 +96,82 @@ Connect to a domain using the domain address format:
### Connect with Authentication ### Connect with Authentication
**⚠️ OAuth Not Yet Implemented** - See [OVERTE_AUTH.md](OVERTE_AUTH.md) for details. ** OAuth Browser Authentication Now Implemented!**
The authentication infrastructure exists but is currently disabled. Overte uses browser-based OAuth 2.0 which requires: Starworld now supports full OAuth 2.0 authentication via browser flow (Authorization Code Grant). This allows you to authenticate with your Overte account and access private domains and full entity data.
- HTTP callback server for authorization code flow
- Browser launcher for login page
- Token persistence and refresh
**Current Status:** **Quick Start - Browser OAuth (Recommended):**
- ✅ Anonymous connection works perfectly ```bash
- ✅ Domain connection and entity queries functional # Automatic browser-based login
- ❌ OAuth login disabled (needs authorization code flow implementation) ./build/starworld --auth --overte=127.0.0.1:40102
- ❌ Assignment client discovery limited to authenticated users
**Workaround:** Run in anonymous mode (default): # The application will:
# 1. Start a local callback server (usually port 8765)
# 2. Open your web browser to the Overte login page
# 3. Wait for you to log in
# 4. Receive the authorization code
# 5. Exchange it for an access token
# 6. Save the token for future use
```
**Features:**
- ✅ Browser-based OAuth 2.0 (Authorization Code Grant)
- ✅ Automatic token refresh
- ✅ Token persistence (`~/.config/starworld/overte_token.txt`)
- ✅ CSRF protection with state parameter
- ✅ Secure local callback server (localhost only)
- ✅ Fallback to saved tokens
- ✅ Username/password login (less secure, for testing)
**Advanced Options:**
```bash
# Use saved token if available, otherwise open browser
./build/starworld --auth
# Specify metaverse server
OVERTE_METAVERSE=https://mv.overte.org ./build/starworld --auth
# Legacy username/password (NOT RECOMMENDED - use browser flow)
./build/starworld --auth --username=myuser --password=mypass
# Force re-authentication (deletes saved token)
rm ~/.config/starworld/overte_token.txt && ./build/starworld --auth
```
**How It Works:**
1. Application starts HTTP callback server on `http://localhost:8765/callback`
2. Opens browser to: `https://mv.overte.org/oauth/authorize?...`
3. User logs in via Overte's web interface
4. Overte redirects to `http://localhost:8765/callback?code=ABC&state=XYZ`
5. Application receives authorization code
6. Exchanges code for access token via POST to `/oauth/token`
7. Saves token to `~/.config/starworld/overte_token.txt`
8. Token is automatically refreshed when expiring
**Benefits of Authenticated Connection:**
- Access to private/restricted domains
- Full entity server topology information
- Direct EntityServer connections (faster, more reliable)
- User profile information
- Permission to edit entities
- Voice chat capabilities (future)
**Anonymous Connection (No --auth flag):**
```bash ```bash
./build/starworld --overte=127.0.0.1:40104 ./build/starworld --overte=127.0.0.1:40104
``` ```
Anonymous users can: Anonymous users can:
- Connect to public domains - Connect to public domains
- Query entity data - Query entity data (limited by server permissions)
- Receive domain list packets - Receive domain list packets
- View and render entities - View and render entities (if server allows)
Limitations: Limitations:
- No assignment client topology information - No assignment client topology information
- EntityServer address not advertised (uses domain server fallback) - EntityServer address not advertised (uses domain server fallback)
- Some restricted domains may reject anonymous connections - Some restricted domains may reject anonymous connections
- Cannot edit entities or participate in voice chat
### Domain Discovery ### Domain Discovery
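Review bot: The "Token persistence" feature line and the "How It Works" step 7 describe saving the access token to `~/.config/starworld/overte_token.txt`, but the README does not say how that file is protected; a refresh-capable token is a long-lived bearer credential, so the docs should state the permissions the file is written with (owner-only, e.g. 0600) and that anyone who can read it can act as the user. Two smaller doc points in the same hunk: the quick-start comment says the callback server listens on "usually port 8765" while "How It Works" step 1 gives a fixed `http://localhost:8765/callback`, so please state whether the port is fixed or falls back and, since "Secure local callback server (localhost only)" is listed as a feature, that it binds to 127.0.0.1 rather than all interfaces; and the "Legacy username/password" example passes `--password=mypass` on the command line, which lands in shell history and is visible to other local users via the process list, so the "NOT RECOMMENDED" note should say why and suggest an environment variable or prompt instead. Finally, step 6 exchanges the code at `/oauth/token` with only the `state` parameter mentioned for CSRF; if starworld is a public client without a client secret, the docs should say whether PKCE (`code_verifier`/`code_challenge`) is used, as `state` alone does not bind the code to the client that started the flow.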