Merge branch 'main' into partners-catalog

Author: thejessewinton

src/routes/blog/post/understand-oauth2/+page.markdoc

@@ -0,0 +1,159 @@
+---
+layout: post
+title: "Understanding OAuth2: The backbone of modern authorization"
+description: A quick guide to OAuth2, its flows, and when to use each one.
+date: 2025-06-12
+cover: /images/blog/understand-oauth2/cover.png
+timeToRead: 06
+author: laura-du-ry
+callToAction: true
+unlisted: true
+category: product
+---
+
+In today’s interconnected app ecosystem, users expect seamless, secure access across services. OAuth2 has emerged as the industry standard for handling secure delegated access, making it a critical protocol for developers to understand.
+
+This guide explains OAuth2, how it works, the different flows available, and when to use each one, helping you build secure, scalable authorization experiences.
+
+# What is OAuth2?
+
+OAuth2 is an open standard for authorization. It allows users to grant limited access to their resources on one service to another service without sharing credentials.
+
+Rather than handing out a username and password, users authorize apps to act on their behalf using access tokens. OAuth2 ensures that:
+
+- Apps never directly handle user credentials.
+- Users retain control over what permissions they grant.
+- Access can be easily revoked.
+
+# Core components of OAuth2
+
+Before diving into the flows, it's important to understand the key players:
+
+- **Resource owner**: The user who authorizes access to their data.
+- **Client**: The application requesting access.
+- **Authorization server**: Issues access tokens after authenticating the user.
+- **Resource server**: Hosts the protected resources.
+
+These components work together to ensure secure authorization across systems.
+
+Refer to the OAuth2 [documentation](/docs/product/auth/oauth2) for complete technical details.
+
+# How OAuth2 works: A simple flow
+
+1. **Authorization request**: The client asks the resource owner for permission.
+2. **Authorization grant**: If the user consents, the server issues a grant (authorization code, token, etc.).
+3. **Token request**: The client exchanges the grant for an access token.
+4. **Resource access**: The client uses the token to access protected resources.
+
+Tokens are typically short-lived and scoped, meaning they only allow the operations the user approved.
+
+# Major OAuth2 flows
+
+OAuth2 offers different "flows" to accommodate various scenarios. Here's a breakdown of the major ones:
+
+## 1. Authorization code flow
+
+**Best for**: Server-side applications
+
+- User authenticates via browser.
+- Client receives an authorization code.
+- Server exchanges the code for an access token.
+
+**Advantages**:
+
+- Highly secure (authorization code exchanged server-side).
+- Supports refresh tokens.
+
+**Typical use cases**:
+
+- Web apps with secure backend servers.
+
+{% call_to_action title="Customer identity without the hassle" description="Add secure authentication for your users in just a couple of minutes." point1="Multiple OAuth providers" point2="Built-in security" point3="Custom roles and permissions" point4="Integrates with your favourite SDK" cta="Contact sales" url="https://appwrite.io/contact-us/enterprise" /%}
+
+
+## 2. Authorization code flow with PKCE (Proof Key for Code Exchange)
+
+**Best for**: Mobile and SPA (Single Page Applications)
+
+- Similar to Authorization Code Flow, but with an added security layer (PKCE).
+- Prevents interception attacks.
+
+**Advantages**:
+
+- Stronger protection for public clients.
+
+**Typical use cases**:
+
+- Mobile apps, SPAs.
+
+## 3. Client credentials flow
+
+**Best for**: Machine-to-machine (M2M) communication
+
+- No user interaction.
+- Client authenticates itself to obtain an access token.
+
+**Advantages**:
+
+- Efficient for service-to-service communication.
+
+**Typical use cases**:
+
+- APIs accessed by backend services.
+
+## 4. Implicit Flow (Legacy)
+
+**Best for**: SPAs (historically)
+
+- Tokens returned directly in browser URL.
+- Faster but less secure.
+
+**Note**: Now largely replaced by Authorization Code Flow with PKCE due to security risks.
+
+## 5. Device authorization flow
+
+**Best for**: Devices without browsers/keyboards
+
+- User authenticates on a separate device.
+- Device polls authorization server for approval.
+
+**Typical use cases**:
+
+- Smart TVs, IoT devices.
+
+[Appwrite Auth](/products/auth) supports all major OAuth2 flows, making it easy to integrate secure authentication into any app
+
+# OAuth2 Tokens: Access and refresh
+
+OAuth2 commonly uses two types of tokens:
+
+- **Access Token**: Grants access to protected resources.
+- **Refresh Token**: Used to obtain new access tokens without re-authenticating the user.
+
+Tokens are often JWTs (JSON Web Tokens) containing claims about the user and the permissions granted.
+
+# When to Use OAuth2
+
+- **Third-party integrations**: Allowing users to connect external services securely.
+- **APIs**: Protecting APIs from unauthorized access.
+- **Mobile and web Apps**: Enabling secure login and data access without managing credentials.
+- **B2B applications**: Secure service-to-service communication.
+
+# Common OAuth2 pitfalls
+
+- **Over-scoped tokens**: Granting too many permissions.
+- **Insecure storage**: Storing tokens in insecure locations (e.g., localStorage without encryption).
+- **Ignoring token expiration**: Failing to handle token refresh flows.
+- **Misusing Implicit Flow**: Using legacy flows where better options (PKCE) are available.
+
+# OAuth2: A key enabler of modern security
+
+OAuth2 powers secure, flexible authorization across the modern internet. Understanding its core flows and best practices helps developers build safer, more user-friendly apps.
+
+Choosing the proper OAuth2 flow based on your application's architecture and user needs is critical to balancing security, usability, and scalability.
+
+Ready to explore OAuth2 more deeply? Check
+
+- [Appwrite Authentication docs](/docs/products/auth)
+- [Overview of all the OAuth providers](/integrations#auth)
+- [Appwrite Authentication overview](/products/auth)

src/routes/docs/advanced/self-hosting/environment-variables/+page.markdoc

@@ -109,8 +109,8 @@ If running in production, it might be easier to use a 3rd party SMTP server as i
 | `_APP_STORAGE_S3_ACCESS_KEY`                | **version >= 0.13.0** AWS S3 storage access key. Required when the storage adapter is set to S3. You can get your access key from your AWS console.                                                                                |
 | `_APP_STORAGE_S3_SECRET`                    | **version >= 0.13.0** AWS S3 storage secret key. Required when the storage adapter is set to S3. You can get your secret key from your AWS console.                                                                               |
 | `_APP_STORAGE_S3_REGION`                    | **version >= 0.13.0** AWS S3 storage region. Required when storage adapter is set to S3. You can find your region info for your bucket from AWS console.                                                                          |
-| `_APP_STORAGE_S3_BUCKET`                    | **version >= 0.13.0** AWS S3 storage bucket. Required when storage adapter is set to S3. You can create buckets in your AWS console.                                                                                               |
-| `_APP_STORAGE_S3_ENDPOINT`                  | **version >= 1.7.0** Override the S3 endpoint to use an S3-compatible provider. This should just be the host (without 'https://').                                                                                                |
+| `_APP_STORAGE_S3_BUCKET`                    | **version >= 0.13.0** AWS S3 storage bucket. Required when storage adapter is set to S3 and using path-style requests (where the bucket is in the path). You can create buckets in your AWS console. If using virtual-hosted-style paths where the bucket is in the endpoint URL, this should be empty.                         |
+| `_APP_STORAGE_S3_ENDPOINT`                  | **version >= 1.7.0** Override the S3 endpoint to use an S3-compatible provider. This should just be the host (without 'https://'). If using virtual-hosted-style paths where the bucket is included in the endpoint (e.g., `bucket-name.s3.amazonaws.com`), `_APP_STORAGE_S3_BUCKET` should be empty. For path-style requests, the endpoint should not include the bucket name and `_APP_STORAGE_S3_BUCKET` should be set.      |
 | `_APP_STORAGE_DO_SPACES_ACCESS_KEY`         | **version >= 0.13.0** DigitalOcean spaces access key. Required when the storage adapter is set to DOSpaces. You can get your access key from your DigitalOcean console.                                                            |
 | `_APP_STORAGE_DO_SPACES_SECRET`             | **version >= 0.13.0** DigitalOcean spaces secret key. Required when the storage adapter is set to DOSpaces. You can get your secret key from your DigitalOcean console.                                                           |
 | `_APP_STORAGE_DO_SPACES_REGION`             | **version >= 0.13.0** DigitalOcean spaces region. Required when storage adapter is set to DOSpaces. You can find your region info for your space from DigitalOcean console.                                                       |

src/routes/docs/products/auth/+layout.svelte

@@ -97,6 +97,10 @@
                     label: 'Multi-factor authentication',
                     href: '/docs/products/auth/mfa'
                 },
+                {
+                    label: 'Auth status check',
+                    href: '/docs/products/auth/checking-auth-status'
+                },
                 {
                     label: 'User verification',
                     href: '/docs/products/auth/verify-user'

src/routes/docs/products/auth/checking-auth-status/+page.markdoc

@@ -0,0 +1,146 @@
+---
+layout: article
+title: Checking auth status
+description: Learn how to check a user's authentication status in your Appwrite application and handle authentication flow appropriately.
+---
+
+One of the first things your application needs to do when starting up is to check if the user is authenticated. This is an important step in creating a great user experience, as it determines whether to show login screens or protected content.
+
+# Check auth with `account.get()`
+
+The recommended approach for checking authentication status is to use the `account.get()` method when your application starts:
+
+{% multicode %}
+```client-web
+import { Client, Account } from "appwrite";
+
+const client = new Client()
+    .setEndpoint('https://<REGION>.cloud.appwrite.io/v1')
+    .setProject('<PROJECT_ID>');
+
+const account = new Account(client);
+
+// Check if user is logged in
+async function checkAuthStatus() {
+    try {
+        // If successful, user is authenticated
+        const user = await account.get();
+        console.log("User is authenticated:", user);
+        // Proceed with your authenticated app flow
+        return user;
+    } catch (error) {
+        console.error("User is not authenticated:", error);
+        // Redirect to login page or show login UI
+        // window.location.href = '/login';
+        return null;
+    }
+}
+
+// Call this function when your app initializes
+checkAuthStatus();
+```
+```client-flutter
+import 'package:appwrite/appwrite.dart';
+
+void checkAuthStatus() async {
+  final client = Client()
+    .setEndpoint('https://<REGION>.cloud.appwrite.io/v1')
+    .setProject('<PROJECT_ID>');
+
+  final account = Account(client);
+
+  try {
+    // If successful, user is authenticated
+    final user = await account.get();
+    print('User is authenticated: ${user.name}');
+    // Proceed with your authenticated app flow
+  } catch (e) {
+    print('User is not authenticated: $e');
+    // Redirect to login page or show login UI
+  }
+}
+
+// Call this function when your app initializes
+```
+```client-android-kotlin
+import io.appwrite.Client
+import io.appwrite.services.Account
+import io.appwrite.exceptions.AppwriteException
+
+class AuthManager {
+    private val client = Client(context)
+        .setEndpoint("https://<REGION>.cloud.appwrite.io/v1")
+        .setProject("<PROJECT_ID>")
+
+    private val account = Account(client)
+
+    suspend fun checkAuthStatus(): Boolean {
+        return try {
+            val user = account.get()
+            Log.d("Auth", "User is authenticated: ${user.name}")
+            // Proceed with your authenticated app flow
+            true
+        } catch (e: AppwriteException) {
+            Log.e("Auth", "User is not authenticated: ${e.message}")
+            // Redirect to login page or show login UI
+            false
+        }
+    }
+}
+
+// Call this function when your app initializes
+```
+```client-apple
+import Appwrite
+
+func checkAuthStatus() {
+    let client = Client()
+        .setEndpoint("https://<REGION>.cloud.appwrite.io/v1")
+        .setProject("<PROJECT_ID>")
+
+    let account = Account(client)
+
+    Task {
+        do {
+            // If successful, user is authenticated
+            let user = try await account.get()
+            print("User is authenticated: \(user.name)")
+            // Proceed with your authenticated app flow
+        } catch {
+            print("User is not authenticated: \(error)")
+            // Redirect to login page or show login UI
+        }
+    }
+}
+
+// Call this function when your app initializes
+```
+{% /multicode %}
+
+# Missing scope error
+
+When a user is not authenticated and you call `account.get()`, you might see an error message like:
+
+```
+User (role: guests) missing scope (account)
+```
+
+This error is telling you that:
+1. The current user has the role of "guest" (unauthenticated visitor)
+2. This guest user does not have the required permission scope to access account information
+3. This is the expected behavior when a user is not logged in
+
+{% info title="Authentication flow" %}
+In a typical application flow:
+
+1. Call `account.get()` when your app starts
+2. If successful → User is authenticated → Show the main app UI
+3. If error → User is not authenticated → Redirect to login screen
+{% /info %}
+
+# Best practices
+
+- Call `account.get()` early in your application lifecycle
+- Handle both authenticated and unauthenticated states gracefully
+- Show appropriate loading states while checking authentication
+- Implement proper error handling to avoid showing error messages to users

src/routes/integrations/storage-s3/+page.markdoc

@@ -8,13 +8,13 @@ isPartner: true
 isNew: false
 cover: /images/integrations/storage-s3/cover.png
 category: storage
-product: 
+product:
     avatar: '/images/integrations/avatars/aws.png'
     vendor: AWS
     description: 'Amazon S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance.'
-platform: 
+platform:
     - 'Self-hosted'
-images: 
+images:
     - /images/integrations/storage-s3/cover.png
     - /images/integrations/storage-s3/bucket.png
     - /images/integrations/storage-s3/access-key.png
@@ -50,10 +50,22 @@ Visit the `.env` file created for your Appwrite instance and update the followin
 
 ```bash
 _APP_STORAGE_DEVICE=s3
-_APP_STORAGE_S3_BUCKET=[BUCKET_NAME]
-_APP_STORAGE_S3_REGION=[AWS_REGION]
-_APP_STORAGE_S3_ACCESS_KEY=[ACCESS_KEY_ID]
-_APP_STORAGE_S3_SECRET=[SECRET_ACCESS_KEY]
+_APP_STORAGE_S3_BUCKET=<BUCKET_NAME>
+_APP_STORAGE_S3_REGION=<AWS_REGION>
+_APP_STORAGE_S3_ACCESS_KEY=<ACCESS_KEY_ID>
+_APP_STORAGE_S3_SECRET=<SECRET_ACCESS_KEY>
+```
+
+Starting from version 1.7.0, you can also use S3-compatible providers by configuring the endpoint:
+
+```bash
+# For path-style requests (bucket in the path)
+_APP_STORAGE_S3_ENDPOINT=<PROVIDER_ENDPOINT> # e.g., s3.amazonaws.com (without https://)
+_APP_STORAGE_S3_BUCKET=<BUCKET_NAME> # bucket name required here
+
+# OR for virtual-hosted-style paths (bucket in the endpoint)
+_APP_STORAGE_S3_ENDPOINT=<BUCKET_NAME>.<PROVIDER_ENDPOINT> # e.g., bucket-name.s3.amazonaws.com
+_APP_STORAGE_S3_BUCKET= # leave this empty when bucket is in the endpoint
 ```
 
 After that, run the following Docker Compose commands in your terminal to restart your Appwrite containers and verify if the changes have been successfully applied: