From 5ad1450ca5edb86774b63bf9f40e27495551c27c Mon Sep 17 00:00:00 2001
From: Mayur-e <mayureshmandalik25@gmail.com>
Date: Wed, 27 May 2026 16:28:12 +0530
Subject: [PATCH 1/2] fix(auth): resolve GitHub OAuth error=github redirect
 loop

- Add supabaseAdmin null guard in signIn callback: when Supabase env vars
  are missing or contain placeholder values, supabaseAdmin is null and
  calling .from() on it throws a TypeError that NextAuth silently converts
  to error=github. Now logs a warning and returns true so auth succeeds
  with degraded functionality instead of crashing.

- Wrap Supabase upsert in try/catch: transient DB errors (table missing,
  network issues) no longer block authentication. Errors are logged to
  the server console for operator visibility.

- Add AuthErrorBanner to sign-in page: reads the ?error= query param via
  useSearchParams() and maps NextAuth error codes to human-readable
  messages (github, OAuthCallback, OAuthSignin, Configuration,
  AccessDenied). Wrapped in Suspense boundary for Next.js 14 static
  generation compatibility. Clears the param from the URL after display
  so stale errors do not persist across page refreshes.

- Fix landing page sign-in links: all CTA and nav links that previously
  used raw href to /api/auth/signin/github (bypassing NextAuth CSRF token
  validation and causing immediate error=github) now navigate to
  /auth/signin instead, preserving the intended UX flow.

- Expand DEVELOPMENT.md troubleshooting with a dedicated error=github
  redirect loop checklist covering all known root causes.

Fixes #<issue-number>
---
 DEVELOPMENT.md                         |  76 ++++++++++++++++++-
 src/app/auth/signin/page.tsx           | 100 ++++++++++++++++++++++++-
 src/components/landing/LandingPage.tsx |   6 +-
 src/lib/auth.ts                        |  15 ++++
 src/lib/supabase.ts                    |   1 -
 5 files changed, 190 insertions(+), 8 deletions(-)

diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index 702a3bab..73f47470 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -263,11 +263,83 @@ export async function GET() {
 ```
 [next-auth][error][NO_SECRET]
 ```
-Add `NEXTAUTH_SECRET` to `.env.local`.
+Add `NEXTAUTH_SECRET` to `.env.local`. Generate one with:
+```bash
+# macOS / Linux
+openssl rand -base64 32
+# Windows PowerShell
+[Convert]::ToBase64String((1..32 | ForEach-Object { Get-Random -Maximum 256 }))
+```
+
+---
+
+### GitHub OAuth `error=github` Redirect Loop
+
+**Symptom:** After clicking "Sign in with GitHub" and completing the GitHub flow, the browser redirects back to `/auth/signin?error=github` instead of the dashboard.
+
+Work through this checklist in order:
+
+#### 1. Missing or placeholder env vars (most common cause)
+
+Open `.env.local` and confirm these four are set to real values (not `your_...` placeholders):
+
+```env
+GITHUB_ID=Ov23...            # from github.com/settings/developers
+GITHUB_SECRET=ghp_...        # generated in the same OAuth App
+NEXTAUTH_SECRET=<32-byte>    # run: openssl rand -base64 32
+NEXTAUTH_URL=http://localhost:3000
+```
+
+Also required for the database upsert on sign-in:
+```env
+NEXT_PUBLIC_SUPABASE_URL=https://xxxx.supabase.co
+SUPABASE_SERVICE_ROLE_KEY=eyJ...
+```
+
+If `NEXT_PUBLIC_SUPABASE_URL` or `SUPABASE_SERVICE_ROLE_KEY` are missing, the server log will print:
+```
+signIn: supabaseAdmin is not configured; skipping DB upsert.
+```
+Authentication will still succeed, but no user record will be written to Supabase.
+
+#### 2. Callback URL mismatch in the GitHub OAuth App
+
+The **Authorization callback URL** in your GitHub OAuth App must be **exactly**:
+
+```
+http://localhost:3000/api/auth/callback/github
+```
+
+Any trailing slash, different port, or HTTPS vs HTTP mismatch will cause `error=github`. Verify at [github.com/settings/developers](https://github.com/settings/developers) → your OAuth App → **Authorization callback URL**.
+
+#### 3. `ENCRYPTION_KEY` not set
+
+The `ENCRYPTION_KEY` is required for OAuth token encryption:
+
+```env
+ENCRYPTION_KEY=<64 hex chars>   # run: openssl rand -hex 32
+```
+
+On Windows PowerShell:
+```powershell
+-join ((1..32) | ForEach-Object { "{0:x2}" -f (Get-Random -Maximum 256) })
+```
+
+#### 4. Restart the dev server after changing env vars
+
+Next.js reads `.env.local` only at startup. After any change, stop and restart:
+
+```bash
+npm run dev
+```
+
+#### 5. Check the server console for the real error
+
+The browser only shows `error=github` — the actual error is printed to the **terminal running `npm run dev`**. Look for lines starting with `[next-auth]` or `signIn:`.
 
 ---
 
-### GitHub OAuth callback mismatch
+### GitHub OAuth callback URL mismatch
 ```
 The redirect_uri is not associated with this application
 ```
diff --git a/src/app/auth/signin/page.tsx b/src/app/auth/signin/page.tsx
index b89babda..dad7bfc7 100644
--- a/src/app/auth/signin/page.tsx
+++ b/src/app/auth/signin/page.tsx
@@ -1,12 +1,80 @@
 "use client";
 
 import { signIn } from "next-auth/react";
-import { useEffect, useRef } from "react";
+import { Suspense, useEffect, useRef } from "react";
+import { useSearchParams } from "next/navigation";
+
 
 const A = "#818cf8";
+const ERR = "#f87171";
 const MONO = "var(--font-jetbrains, ui-monospace, monospace)";
 const DISP = "var(--font-syne, system-ui, sans-serif)";
 
+/** Maps NextAuth error codes → user-facing messages. */
+const AUTH_ERROR_MESSAGES: Record<string, string> = {
+  github:
+    "GitHub sign-in failed. This is usually caused by incorrect OAuth credentials or a mismatched callback URL. Check your GitHub OAuth App settings and try again.",
+  OAuthCallback:
+    "The OAuth callback could not be completed. Please try signing in again.",
+  OAuthSignin:
+    "Could not start the GitHub sign-in flow. Please try again.",
+  Configuration:
+    "There is a server configuration error. Please contact the site administrator.",
+  AccessDenied:
+    "Access was denied. You may have cancelled the GitHub authorization.",
+  Verification:
+    "The sign-in link has expired or has already been used.",
+  Default:
+    "An unexpected authentication error occurred. Please try again.",
+};
+
+function getErrorMessage(error: string): string {
+  return AUTH_ERROR_MESSAGES[error] ?? AUTH_ERROR_MESSAGES.Default;
+}
+
+function AuthErrorBanner({ error }: { error: string }) {
+  return (
+    <div
+      role="alert"
+      aria-live="assertive"
+      style={{
+        width: "100%",
+        marginBottom: 24,
+        padding: "12px 16px",
+        borderRadius: 8,
+        background: "rgba(248,113,113,0.08)",
+        border: `1px solid rgba(248,113,113,0.25)`,
+        textAlign: "left",
+      }}
+    >
+      <p
+        style={{
+          fontFamily: MONO,
+          fontSize: 12,
+          fontWeight: 700,
+          color: ERR,
+          margin: "0 0 4px",
+          letterSpacing: "0.04em",
+          textTransform: "uppercase",
+        }}
+      >
+        ⚠ Sign-in failed
+      </p>
+      <p
+        style={{
+          fontFamily: MONO,
+          fontSize: 12,
+          color: "#e87a7a",
+          margin: 0,
+          lineHeight: 1.65,
+        }}
+      >
+        {getErrorMessage(error)}
+      </p>
+    </div>
+  );
+}
+
 function MouseSpotlight() {
   const ref = useRef<HTMLDivElement>(null);
   useEffect(() => {
@@ -35,7 +103,25 @@ function MouseSpotlight() {
   );
 }
 
-export default function SignInPage() {
+/**
+ * Inner component that reads search params — must live inside a Suspense
+ * boundary because useSearchParams() opts the subtree out of static rendering.
+ */
+function SignInContent() {
+  const searchParams = useSearchParams();
+  const error = searchParams.get("error");
+
+  // Clear the ?error= param from the URL immediately after reading it so
+  // that refreshing the page or navigating back doesn't show a stale error
+  // from a previous sign-in attempt.
+  useEffect(() => {
+    if (error && typeof window !== "undefined") {
+      const url = new URL(window.location.href);
+      url.searchParams.delete("error");
+      window.history.replaceState({}, "", url.toString());
+    }
+  }, [error]);
+
   return (
     <main
       style={{
@@ -121,6 +207,8 @@ export default function SignInPage() {
           Track streaks, PR velocity &amp; coding growth.
         </p>
 
+        {error && <AuthErrorBanner error={error} />}
+
         <button
           onClick={() => signIn("github", { callbackUrl: "/dashboard" })}
           style={{
@@ -175,3 +263,11 @@ export default function SignInPage() {
     </main>
   );
 }
+
+export default function SignInPage() {
+  return (
+    <Suspense>
+      <SignInContent />
+    </Suspense>
+  );
+}
diff --git a/src/components/landing/LandingPage.tsx b/src/components/landing/LandingPage.tsx
index 2dba147e..e97d9921 100644
--- a/src/components/landing/LandingPage.tsx
+++ b/src/components/landing/LandingPage.tsx
@@ -156,7 +156,7 @@ function LandingNav() {
       <span style={{ fontFamily: MONO, fontWeight: 700, fontSize: 14, color: TEXT, letterSpacing: '-0.02em' }}>
         <span style={{ color: A }}>▲</span> DEVTRACK
       </span>
-      <a href="/api/auth/signin/github?callbackUrl=/dashboard" className="lnd-nav-link">
+      <a href="/auth/signin" className="lnd-nav-link">
         SIGN IN →
       </a>
     </nav>
@@ -402,7 +402,7 @@ function HeroSection() {
 
         {/* CTAs */}
         <div style={{ display: 'flex', gap: 12, flexWrap: 'wrap' }}>
-          <a href="/api/auth/signin/github?callbackUrl=/dashboard" className="lnd-cta-primary">
+          <a href="/auth/signin" className="lnd-cta-primary">
             <svg width="18" height="18" viewBox="0 0 16 16" fill="currentColor">
               <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27s1.36.09 2 .27c1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z" />
             </svg>
@@ -667,7 +667,7 @@ function SetupSection() {
       </div>
 
       <div style={{ display: 'flex', gap: 12, flexWrap: 'wrap', justifyContent: 'center' }}>
-        <a href="/api/auth/signin/github?callbackUrl=/dashboard" className="lnd-cta-primary">
+        <a href="/auth/signin" className="lnd-cta-primary">
           Sign in with GitHub
         </a>
         <a
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index 9e400fc0..bbdd7613 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -26,6 +26,7 @@ export const authOptions: NextAuthOptions = {
   pages: {
     signIn: "/auth/signin",
   },
+  // From PR #1334: use secure cookies on HTTPS deployments, plain cookies on HTTP (local dev).
   cookies: {
     sessionToken: {
       name: `${useSecureCookies ? "__Secure-" : ""}next-auth.session-token`,
@@ -49,6 +50,20 @@ export const authOptions: NextAuthOptions = {
     async signIn({ account, profile }) {
       if (account?.provider === "github" && profile) {
         const p = profile as { id: number; login: string; email?: string };
+
+        // Guard: supabaseAdmin is null when Supabase env vars are missing or
+        // contain placeholder values (see src/lib/supabase.ts). Calling .from()
+        // on null throws a TypeError which NextAuth silently converts to
+        // return false → error=github redirect. Skip the upsert gracefully
+        // so authentication can still succeed with degraded functionality.
+        if (!supabaseAdmin) {
+          console.warn(
+            "signIn: supabaseAdmin is not configured; skipping DB upsert. " +
+            "Set NEXT_PUBLIC_SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY in .env.local."
+          );
+          return true;
+        }
+
         try {
           let { data: user, error: upsertError } = await supabaseAdmin
             .from("users")
diff --git a/src/lib/supabase.ts b/src/lib/supabase.ts
index 5b9ac43e..7f6df3c1 100644
--- a/src/lib/supabase.ts
+++ b/src/lib/supabase.ts
@@ -6,7 +6,6 @@ const serviceRoleKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
 export const SUPABASE_ADMIN_UNAVAILABLE_MESSAGE =
   "Supabase admin client is unavailable. Check NEXT_PUBLIC_SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY.";
 
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
 type SupabaseAdminClient = SupabaseClient<any, any, any>;
 
 function createUnavailableSupabaseAdmin(): SupabaseAdminClient {

From 1ccb696656f0bc1dcea0c4c2d4f0940dd81c3a53 Mon Sep 17 00:00:00 2001
From: Mayur-e <mayureshmandalik25@gmail.com>
Date: Thu, 28 May 2026 18:14:12 +0530
Subject: [PATCH 2/2] fix(ci): fix YAML indentation error in e2e.yml at line 37

---
 .github/workflows/e2e.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 62f222e0..68d65585 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -34,7 +34,7 @@ jobs:
       - name: Install app dependencies
         run: npm ci
 
-            - name: Install Playwright browsers
+      - name: Install Playwright browsers
         run: npx playwright install --with-deps chromium
 
       - name: Run Playwright tests