···

       
38
       
38
       
 
       
	// Use login limiter since callback completes the authentication flow

     

       
39
       
39
       
 
       
	r.With(corsMiddleware(allowedOrigins), loginLimiter.Middleware).Get("/oauth/callback", handler.HandleCallback)

     

       
40
       
40
       
 
       


     

       
41
       
41
       
-
       
	// Mobile Universal Link callback route

     

       
42
       
42
       
-
       
	// This route is used for iOS Universal Links and Android App Links

     

       
43
       
43
       
-
       
	// Path must match the path in .well-known/apple-app-site-association

     

       
44
       
44
       
-
       
	// Uses the same handler as web callback - the system routes it to the mobile app

     

       
45
       
45
       
-
       
	r.With(loginLimiter.Middleware).Get("/app/oauth/callback", handler.HandleCallback)

     

       
41
       
41
       
+
       
	// Mobile Universal Link callback route (fallback when app doesn't intercept)

     

       
42
       
42
       
+
       
	// This route exists for iOS Universal Links and Android App Links.

     

       
43
       
43
       
+
       
	// When properly configured, the mobile OS intercepts this URL and opens the app

     

       
44
       
44
       
+
       
	// BEFORE the request reaches the server. If this handler is reached, it means

     

       
45
       
45
       
+
       
	// Universal Links failed to intercept.

     

       
46
       
46
       
+
       
	r.With(loginLimiter.Middleware).Get("/app/oauth/callback", handler.HandleMobileDeepLinkFallback)

     

       
46
       
47
       
 
       


     

       
47
       
48
       
 
       
	// Session management - dedicated rate limits

     

       
48
       
49
       
 
       
	r.With(logoutLimiter.Middleware).Post("/oauth/logout", handler.HandleLogout)

     

···

       
688
       
688
       
 
       
		return

     

       
689
       
689
       
 
       
	}

     

       
690
       
690
       
 
       
}

     

       
691
       
691
       
+
       


     

       
692
       
692
       
+
       
// HandleMobileDeepLinkFallback handles requests to /app/oauth/callback when

     

       
693
       
693
       
+
       
// Universal Links fail to intercept the redirect.

     

       
694
       
694
       
+
       
//

     

       
695
       
695
       
+
       
// If this handler is reached, it means the mobile app did NOT intercept the

     

       
696
       
696
       
+
       
// Universal Link redirect. The OAuth flow succeeded server-side, but the

     

       
697
       
697
       
+
       
// credentials couldn't be delivered to the app.

     

       
698
       
698
       
+
       
func (h *OAuthHandler) HandleMobileDeepLinkFallback(w http.ResponseWriter, r *http.Request) {

     

       
699
       
699
       
+
       
	// Log the failure for debugging

     

       
700
       
700
       
+
       
	slog.Warn("Universal Link not intercepted - mobile app did not handle redirect",

     

       
701
       
701
       
+
       
		"path", r.URL.Path,

     

       
702
       
702
       
+
       
		"has_token", r.URL.Query().Get("token") != "",

     

       
703
       
703
       
+
       
		"has_did", r.URL.Query().Get("did") != "",

     

       
704
       
704
       
+
       
	)

     

       
705
       
705
       
+
       


     

       
706
       
706
       
+
       
	http.Error(w, "Universal Link not intercepted: The mobile app should have opened this URL. "+

     

       
707
       
707
       
+
       
		"Check that Universal Links (iOS) or App Links (Android) are properly configured.", http.StatusBadRequest)

     

       
708
       
708
       
+
       
}