[2.x] feat(core): redirect-only OAuth flow — rewrite ResponseFactory (#4461)

* feat(core): rewrite ResponseFactory for redirect-only OAuth flow

Replace the HtmlResponse popup approach with a proper RedirectResponse
flow throughout Forum\Auth\ResponseFactory:

- Logged-in users: redirect to returnTo with remember-me cookie set.
- Email-match users: auto-link provider then same redirect.
- New users: redirect to returnTo with _flarum_auth=<token> appended so
  the frontend can open the SignUpModal without any JS window tricks.

Remove authenticationComplete() from ForumApplication — it existed only
to call window.opener callbacks from the popup flow.

The returnTo parameter must be validated by the caller (AbstractOAuth-
Controller::validateReturnTo) before being passed to make(); this class
trusts it is a safe same-origin path.

Add unit and integration test coverage for Registration, ResponseFactory
and LoginProvider.

BREAKING CHANGE: ResponseFactory::make() now requires a $returnTo string
as the fourth argument, and returns a RedirectResponse instead of an
HtmlResponse. Extensions or custom OAuth controllers that call make()
directly must be updated. authenticationComplete() is removed from
ForumApplication.

* Apply fixes from StyleCI

* fix(tests): fix 3 unit test failures in OAuth-related classes

- Registration::$payload initialised to null to prevent "must not be
  accessed before initialization" error on getPayload() when nothing
  has been provided.
- ResponseFactoryTest: remove makeLoggedInResponse unit tests that hit
  RememberAccessToken::generate() → Eloquent DB connection. The logged-
  in redirect path is already covered by the integration test suite;
  unit tests now only cover URL construction logic for the registration
  response (which needs no DB).

* Apply fixes from StyleCI

* chore(js): yarn format

* feat(core): add RegistrationTokenResource for redirect-based OAuth pre-population

Redirect-based OAuth flows (e.g. fof/oauth) bounce the user back to the forum
with a _flarum_auth query param carrying a RegistrationToken. Previously there
was no way to resolve that token back to username/email/provided fields without
a round-trip through the popup authenticationComplete callback.

- Add GET /api/registration-tokens/{token} — returns username, email, and the
  provided[] field list. Provider name, identifier, and payload internals are
  NOT exposed. The token acts as its own credential; no auth required.
- Store suggested fields (suggestUsername, suggestEmail) in the token payload
  under a 'suggested' key so they survive the redirect.
- Add RegistrationTokenResource to ApiServiceProvider.
- Integration tests: 15 cases covering happy paths, all field combinations,
  security (sensitive fields absent), expiry, and rejected write methods.
- ResponseFactory integration test: assert suggested fields land in payload.

* Apply fixes from StyleCI

* feat(core): add POST /api/registration-token endpoint for OAuth sign-up pre-population

Redirect-based OAuth flows return the user to the forum with a
_flarum_auth token in the URL. The frontend needs to resolve that token
to username/email/provided[] before opening the SignUpModal.

Using POST (body: {token}) rather than GET /{token} keeps the token out
of server access logs, browser history, and Referer headers.

- ResolveRegistrationTokenController: accepts {token} in POST body,
  returns {username, email, provided[]}. Provider name, identifier, and
  payload internals are not exposed. Returns 404 for invalid/expired tokens.
- Route: POST /api/registration-token (name: registration-token)
- CSRF exempt (same pattern as /api/token login endpoint)
- Also stores suggested fields in token payload so they survive the redirect
  (ResponseFactory change from previous commit)
- 15 integration tests: happy paths, field combinations, security
  (sensitive fields absent), expiry, and rejected HTTP methods

* Apply fixes from StyleCI

* feat(sign-up): add visible labels to all SignUpModal fields

Username, Nickname (when flarum-nicknames is active), Email and Password
fields now display a <label> above the input so they are clearly
distinguishable when pre-filled from an OAuth redirect — previously
placeholder text disappears once a value is present, making Username and
Nickname look identical.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(ResponseFactory): append _flarum_linked param on email-match auto-link

When an OAuth login auto-links a user via email match, the redirect now
includes _flarum_linked={provider} so the frontend can show the
AccountLinkedModal informing the user their accounts have been connected.

* fix: resolve merge conflict markers in ResolveTest.php

* Apply fixes from StyleCI

* fix(test): update email_match test to expect _flarum_linked in redirect URL

* refactor(ResponseFactory): make makeLoggedInResponse/makeRegistrationResponse protected, move _flarum_linked URL-building into make()

Extensions can now override either method to customise the login redirect
or registration handoff without needing to touch _flarum_linked logic.
Clean signature: makeLoggedInResponse(User, string) with no optional params.

Adds regression test asserting returning users do not get _flarum_linked appended.

---------

Co-authored-by: StyleCI Bot <bot@styleci.io>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 3 people

extensions/nicknames/js/src/forum/index.js

@@ -72,14 +72,18 @@ app.initializers.add('flarum-nicknames', () => {
     if (app.forum.attribute('displayNameDriver') !== 'nickname') return;
 
     if (app.forum.attribute('setNicknameOnRegistration')) {
+      const nicknameLabel = extractText(app.translator.trans('flarum-nicknames.forum.sign_up.nickname_placeholder'));
+
       items.add(
         'nickname',
         <div className="Form-group">
+          <label className="label">{nicknameLabel}</label>
           <input
             className="FormControl"
             name="nickname"
             type="text"
-            placeholder={extractText(app.translator.trans('flarum-nicknames.forum.sign_up.nickname_placeholder'))}
+            placeholder={nicknameLabel}
+            aria-label={nicknameLabel}
             bidi={this.nickname}
             disabled={this.loading || this.isProvided('nickname')}
             required={app.forum.attribute('randomizeUsernameOnRegistration')}

framework/core/js/src/forum/ForumApplication.tsx

@@ -149,20 +149,4 @@ export default class ForumApplication extends Application {
   public viewingDiscussion(discussion: Discussion): boolean {
     return this.current.matches(DiscussionPage, { discussion });
   }
-
-  /**
-   * Callback for when an external authenticator (social login) action has
-   * completed.
-   *
-   * If the payload indicates that the user has been logged in, then the page
-   * will be reloaded. Otherwise, a SignUpModal will be opened, prefilled
-   * with the provided details.
-   */
-  public authenticationComplete(payload: Record<string, unknown>): void {
-    if (payload.loggedIn) {
-      window.location.reload();
-    } else {
-      this.modal.show(() => import('./components/SignUpModal'), payload);
-    }
-  }
 }

framework/core/js/src/forum/components/SignUpModal.tsx

@@ -74,6 +74,7 @@ export default class SignUpModal<CustomAttrs extends ISignupModalAttrs = ISignup
     items.add(
       'username',
       <div className="Form-group">
+        <label className="label">{usernameLabel}</label>
         <input
           className="FormControl"
           name="username"
@@ -90,6 +91,7 @@ export default class SignUpModal<CustomAttrs extends ISignupModalAttrs = ISignup
     items.add(
       'email',
       <div className="Form-group">
+        <label className="label">{emailLabel}</label>
         <input
           className="FormControl"
           name="email"
@@ -107,6 +109,7 @@ export default class SignUpModal<CustomAttrs extends ISignupModalAttrs = ISignup
       items.add(
         'password',
         <div className="Form-group">
+          <label className="label">{passwordLabel}</label>
           <input
             className="FormControl"
             name="password"

framework/core/src/Api/Controller/ResolveRegistrationTokenController.php

@@ -0,0 +1,53 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\Api\Controller;
+
+use Flarum\User\Exception\InvalidConfirmationTokenException;
+use Flarum\User\RegistrationToken;
+use Illuminate\Support\Arr;
+use Laminas\Diactoros\Response\JsonResponse;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+
+/**
+ * Resolves a registration token submitted in the POST body and returns the
+ * non-sensitive fields needed to pre-populate the sign-up modal.
+ *
+ * The token is accepted in the body (not the URL) so it never appears in
+ * server access logs, browser history, or Referer headers.
+ *
+ * Only username, email, and the list of pre-filled field names are returned.
+ * Provider name, identifier, and payload internals are NOT exposed.
+ *
+ * No authentication is required — possession of the short-lived token is
+ * proof of authorisation.
+ */
+class ResolveRegistrationTokenController implements RequestHandlerInterface
+{
+    public function handle(ServerRequestInterface $request): ResponseInterface
+    {
+        $tokenValue = Arr::get($request->getParsedBody(), 'token');
+
+        try {
+            $token = RegistrationToken::validOrFail((string) $tokenValue);
+        } catch (InvalidConfirmationTokenException) {
+            return new JsonResponse(['errors' => [['status' => '404', 'title' => 'Not Found']]], 404);
+        }
+
+        $provided = array_keys($token->user_attributes ?? []);
+
+        return new JsonResponse([
+            'username' => $token->user_attributes['username'] ?? ($token->payload['suggested']['username'] ?? null),
+            'email' => $token->user_attributes['email'] ?? ($token->payload['suggested']['email'] ?? null),
+            'provided' => $provided,
+        ]);
+    }
+}

framework/core/src/Api/routes.php

@@ -33,6 +33,13 @@
         $route->toController(Controller\TerminateAllOtherSessionsController::class)
     );
 
+    // Resolve a registration token (returns username/email/provided for pre-populating sign-up modal)
+    $map->post(
+        '/registration-token',
+        'registration-token',
+        $route->toController(Controller\ResolveRegistrationTokenController::class)
+    );
+
     // Send forgot password email
     $map->post(
         '/forgot',

framework/core/src/Forum/Auth/Registration.php

@@ -13,7 +13,7 @@ class Registration
 {
     protected array $provided = [];
     protected array $suggested = [];
-    protected mixed $payload;
+    protected mixed $payload = null;
 
     public function getProvided(): array
     {

framework/core/src/Forum/Auth/ResponseFactory.php

@@ -15,7 +15,7 @@
 use Flarum\User\RegistrationToken;
 use Flarum\User\User;
 use Illuminate\Support\Arr;
-use Laminas\Diactoros\Response\HtmlResponse;
+use Laminas\Diactoros\Response\RedirectResponse;
 use Psr\Http\Message\ResponseInterface;
 
 class ResponseFactory
@@ -25,10 +25,25 @@ public function __construct(
     ) {
     }
 
-    public function make(string $provider, string $identifier, callable $configureRegistration): ResponseInterface
-    {
+    /**
+     * Handle an OAuth callback by logging in an existing user or beginning
+     * the registration flow for a new one.
+     *
+     * @param string   $provider              The OAuth provider name (e.g. 'github').
+     * @param string   $identifier            The provider's unique identifier for this user.
+     * @param callable $configureRegistration Callback that populates a {@see Registration} instance
+     *                                        with data from the provider (email, username, avatar, etc.).
+     * @param string   $returnTo              Validated same-origin URL to redirect to after login.
+     *                                        Must be validated by the caller before being passed here.
+     */
+    public function make(
+        string $provider,
+        string $identifier,
+        callable $configureRegistration,
+        string $returnTo = '/'
+    ): ResponseInterface {
         if ($user = LoginProvider::logIn($provider, $identifier)) {
-            return $this->makeLoggedInResponse($user);
+            return $this->makeLoggedInResponse($user, $returnTo);
         }
 
         $configureRegistration($registration = new Registration);
@@ -38,38 +53,56 @@ public function make(string $provider, string $identifier, callable $configureRe
         if (! empty($provided['email']) && $user = User::where(Arr::only($provided, 'email'))->first()) {
             $user->loginProviders()->create(compact('provider', 'identifier'));
 
-            return $this->makeLoggedInResponse($user);
+            // Append _flarum_linked so the frontend can show a confirmation modal.
+            $separator = str_contains($returnTo, '?') ? '&' : '?';
+            $returnTo .= $separator.'_flarum_linked='.urlencode($provider);
+
+            return $this->makeLoggedInResponse($user, $returnTo);
         }
 
-        $token = RegistrationToken::generate($provider, $identifier, $provided, $registration->getPayload());
+        $payload = array_merge(
+            ['suggested' => $registration->getSuggested()],
+            (array) $registration->getPayload()
+        );
+
+        $token = RegistrationToken::generate($provider, $identifier, $provided, $payload);
         $token->save();
 
-        return $this->makeResponse(array_merge(
-            $provided,
-            $registration->getSuggested(),
-            [
-                'token' => $token->token,
-                'provided' => array_keys($provided)
-            ]
-        ));
+        return $this->makeRegistrationResponse($token->token, $returnTo);
     }
 
-    private function makeResponse(array $payload): HtmlResponse
+    /**
+     * Build a redirect response for a successfully authenticated existing user.
+     * Sets the remember-me cookie so the session is established on the next request.
+     *
+     * Override this method to customise the login redirect or cookie behaviour.
+     */
+    protected function makeLoggedInResponse(User $user, string $returnTo): ResponseInterface
     {
-        $content = sprintf(
-            '<script>window.close(); window.opener.app.authenticationComplete(%s);</script>',
-            json_encode($payload)
-        );
+        $token = RememberAccessToken::generate($user->id);
+
+        $response = new RedirectResponse($returnTo ?: '/');
 
-        return new HtmlResponse($content);
+        return $this->rememberer->remember($response, $token);
     }
 
-    private function makeLoggedInResponse(User $user): ResponseInterface
+    /**
+     * Build a redirect response that triggers the registration modal on the frontend.
+     *
+     * The `_flarum_auth` query parameter carries the registration token. The frontend
+     * detects this parameter on boot, strips it from the URL, and opens the SignUpModal
+     * pre-populated with data from the provider.
+     *
+     * Override this method to customise how the registration handoff is communicated
+     * to the frontend.
+     */
+    protected function makeRegistrationResponse(string $token, string $returnTo): ResponseInterface
     {
-        $response = $this->makeResponse(['loggedIn' => true]);
+        $base = $returnTo ?: '/';
 
-        $token = RememberAccessToken::generate($user->id);
+        // Append _flarum_auth without clobbering any existing query params on returnTo.
+        $separator = str_contains($base, '?') ? '&' : '?';
 
-        return $this->rememberer->remember($response, $token);
+        return new RedirectResponse($base.$separator.'_flarum_auth='.urlencode($token));
     }
 }

framework/core/src/Http/HttpServiceProvider.php

@@ -26,7 +26,7 @@ class HttpServiceProvider extends AbstractServiceProvider
     public function register(): void
     {
         $this->container->singleton('flarum.http.csrfExemptPaths', function () {
-            return ['token'];
+            return ['token', 'registration-token'];
         });
 
         $this->container->bind(Middleware\CheckCsrfToken::class, function (Container $container) {