Support deployments with separate back/frontend
We should offer this change to the upstream repo once we're happy with our new deployment.
Previously, authenticated user data for OAuth logins were passed between the frontend and backend by the frontend writing them to a temporary file which the backend read. This method is not possible when the frontend is running in a separate deployment to the backend, as they don't share a filesystem.
To communicate the user data without a shared filesystem, the frontend now encodes the user data in a token, which it signs using a shared secret that the backend also knows. The token is then passed to the backend as the password data of the authentication request. The backend validates the token using the shared secret to prevent user-provided passwords from other authentication methods being misinterpreted as privileged OAuth requests from the frontend.
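A sketch of the scheme described above, added here as an illustration and not the project's own code. The token layout (base64url JSON body plus an HMAC-SHA256 tag), the `exp` expiry claim and the function names `issue_token` / `verify_token` are assumptions; the commit message does not specify them.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret, user, ttl=60, now=None):
    """Frontend: sign the OAuth user data so it can travel as the password field."""
    issued = int(time.time() if now is None else now)
    claims = {"user": user, "exp": issued + ttl}  # short expiry limits replay (assumption)
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify_token(secret, password, now=None):
    """Backend: return the user data, or None if the password is not a valid token.

    None means "treat as an ordinary password", so a user-supplied value can
    never be promoted to a privileged OAuth login without the shared secret.
    """
    body, sep, tag = password.partition(".")
    if not sep:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    try:
        supplied = _unb64(tag)
    except ValueError:  # malformed base64 (binascii.Error is a ValueError)
        return None
    # Constant-time comparison; the body is parsed only after the MAC checks out.
    if not hmac.compare_digest(expected, supplied):
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] < (time.time() if now is None else now):
        return None
    return claims["user"]
```

The shared secret has to be provisioned to both deployments out of band and kept out of the repository, since anyone holding it can mint a login for any user.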