foss42
diff --git a/‎.github/dependabot.yml‎
Lines changed: 13 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎.github/workflows/aur-publish.yml‎
Lines changed: 5 additions & 3 deletions b/‎.github/workflows/aur-publish.yml‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎.github/workflows/scorecard.yml‎
Lines changed: 78 additions & 0 deletions b/‎.github/workflows/scorecard.yml‎
Lines changed: 78 additions & 0 deletions
diff --git a/‎doc/dev_guide/README.md‎
Lines changed: 2 additions & 1 deletion b/‎doc/dev_guide/README.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎doc/dev_guide/oauth_authentication_limitations.md‎
Lines changed: 182 additions & 0 deletions b/‎doc/dev_guide/oauth_authentication_limitations.md‎
Lines changed: 182 additions & 0 deletions
@@ -0,0 +1,13 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "pub" # See documentation for possible values
+    directories:
+      - "/" # Location of package manifests
+      - "/packages/*/"
+    schedule:
+      interval: "monthly"
@@ -1,4 +1,6 @@
 name: Update AUR Package
+permissions:
+  contents: read
 
 on:
   push:
@@ -12,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Get version from pubspec
         id: get_version
@@ -42,7 +44,7 @@ jobs:
           echo "license_checksum=$LICENSE_CHECKSUM" >> $GITHUB_OUTPUT
 
       - name: Publish AUR package
-        uses: KSXGitHub/github-actions-deploy-aur@v2.7.0
+        uses: KSXGitHub/github-actions-deploy-aur@2ac5a4c1d7035885d46b10e3193393be8460b6f1 # v4.1.1
         with:
           pkgname: apidash-bin
           pkgbuild: |
@@ -85,4 +87,4 @@ jobs:
           commit_username: ${{ secrets.AUR_USERNAME }}
           commit_email: ${{ secrets.AUR_EMAIL }}
           ssh_private_key: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
-          commit_message: "Update to version ${{ steps.get_version.outputs.version }}"
+          commit_message: "Update to version ${{ steps.get_version.outputs.version }}"
@@ -0,0 +1,78 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '30 5 1 * *'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
+    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+          # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
+          # file_mode: git
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
@@ -6,7 +6,8 @@
 4. [Integration Testing](https://github.com/foss42/apidash/blob/main/doc/dev_guide/integration_testing.md)
 5. [List of API Endpoints for Testing](https://github.com/foss42/apidash/blob/main/doc/dev_guide/api_endpoints_for_testing.md)
 6. [Packaging API Dash](https://github.com/foss42/apidash/blob/main/doc/dev_guide/packaging.md)
-7. Other Topics
+7. [OAuth Authentication Limitations](https://github.com/foss42/apidash/blob/main/doc/dev_guide/oauth_authentication_limitations.md)
+8. Other Topics
     - [Flutter Rust Bridge Experiment for Parsing Hurl](https://github.com/foss42/apidash/blob/main/doc/dev_guide/flutter_rust_bridge_experiment.md)
 
 ## Code Walkthrough for New Contributors
 
@@ -0,0 +1,182 @@
+# OAuth Authentication Limitations
+
+This document outlines the current limitations and implementation details of OAuth authentication in API Dash.
+
+## Table of Contents
+
+1. [OAuth2 Limitations](#oauth2-limitations)
+2. [OAuth1 Limitations](#oauth1-limitations)
+3. [Platform-Specific Behavior](#platform-specific-behavior)
+4. [Technical Implementation Details](#technical-implementation-details)
+5. [Workarounds](#workarounds)
+6. [Future Improvements](#future-improvements)
+
+## OAuth2 Limitations
+
+### Response Format Restriction
+
+**Limitation**: OAuth2 implementation only supports `application/json` response format as specified in [RFC 6749, Section 5.1](https://tools.ietf.org/html/rfc6749#section-5.1).
+
+**Details**:
+- The OAuth2 client automatically sets the `Accept: application/json` header for token requests
+- Servers that return token responses in other formats (e.g., `application/x-www-form-urlencoded`, `text/plain`) are not supported
+- This is enforced by the `_JsonAcceptClient` wrapper in the HTTP client manager
+
+**Impact**:
+- Some legacy OAuth2 providers that don't return JSON responses will fail
+- Non-standard OAuth2 implementations may not work correctly
+
+**Code Reference**:
+```dart
+// In HttpClientManager.createClientWithJsonAccept()
+class _JsonAcceptClient extends http.BaseClient {
+  @override
+  Future<http.StreamedResponse> send(http.BaseRequest request) {
+    request.headers['Accept'] = 'application/json';
+    return _inner.send(request);
+  }
+}
+```
+
+### Port Range Limitation (Desktop Only)
+
+**Limitation**: For desktop platforms, the OAuth2 callback server requires at least one free port in the range 8080-8090.
+
+**Details**:
+- The callback server attempts to bind to ports starting from 8080
+- If all ports in the range (8080-8090) are occupied, the OAuth flow will fail
+- This only affects desktop platforms (macOS, Windows, Linux)
+
+**Impact**:
+- Users running other services on these ports may experience OAuth failures
+- Development environments with multiple applications may conflict
+
+**Code Reference**:
+```dart
+// In OAuthCallbackServer.start()
+for (int port = 8080; port <= 8090; port++) {
+  try {
+    _server = await HttpServer.bind(InternetAddress.loopbackIPv4, port);
+    _port = port;
+    break;
+  } catch (e) {
+    if (port == 8090) {
+      throw Exception('Unable to find available port for OAuth callback server');
+    }
+  }
+}
+```
+
+## OAuth1 Limitations
+
+### Incomplete Flow Implementation
+
+**Limitation**: OAuth1 implementation does not handle the complete OAuth1 authorization flow.
+
+**Details**:
+- The implementation assumes that the necessary steps to obtain the access token have already been performed manually or through a backend service
+- Users must provide pre-obtained access tokens and token secrets
+- The three-legged OAuth1 flow (request token → user authorization → access token) is not implemented
+- This aligns with the behavior in other API clients such as Postman and Insomnia
+
+**Impact**:
+- Users cannot complete OAuth1 authentication entirely within API Dash
+- External tools or manual processes are required to obtain tokens
+- Limited to scenarios where tokens are already available
+
+**Workaround**:
+Users need to:
+1. Obtain request tokens from the OAuth1 provider
+2. Complete user authorization outside of API Dash
+3. Exchange the authorized request token for an access token
+4. Manually enter the access token and token secret in API Dash
+
+## Platform-Specific Behavior
+
+### Redirect URI Handling
+
+**Mobile Platforms (iOS, Android)**:
+- **Default Redirect URI**: `apidash://oauth2`
+- **Mechanism**: Uses `flutter_web_auth_2` with custom URL scheme
+- **User Experience**: Opens authorization in a WebView within the app
+
+**Desktop Platforms (macOS, Windows, Linux)**:
+- **Default Redirect URI**: `http://localhost:{port}/callback`
+- **Port Range**: 8080-8090 (automatically selects first available port)
+- **Mechanism**: Opens authorization in the system's default browser
+- **User Experience**: External browser window with automatic callback handling
+
+**Code Reference**:
+```dart
+// Platform detection logic
+static bool get shouldUseLocalhostCallback => isDesktop;
+
+// Redirect URL determination
+if (PlatformUtils.shouldUseLocalhostCallback) {
+  callbackServer = OAuthCallbackServer();
+  final localhostUrl = await callbackServer.start();
+  actualRedirectUrl = Uri.parse(localhostUrl);
+} else {
+  // Use custom scheme for mobile
+  actualRedirectUrl = redirectUrl; // apidash://oauth2
+}
+```
+
+## Technical Implementation Details
+
+### Grant Types Supported
+
+**OAuth2**:
+- ✅ Authorization Code Grant
+- ✅ Client Credentials Grant  
+- ✅ Resource Owner Password Grant
+- ❌ Implicit Grant (deprecated by OAuth2.1)
+- ❌ Device Authorization Grant
+
+**OAuth1**:
+- ✅ Manual token entry (post-authorization)
+- ❌ Automated three-legged flow
+
+### PKCE Support
+
+**Status**: ✅ Supported for Authorization Code Grant
+- Code Challenge Method: SHA-256 or Plaintext
+- Automatically generates code verifier and challenge
+- Configurable through the UI
+
+### Token Storage
+
+**Mechanism**: File-based credential storage
+- **Location**: `{workspaceFolderPath}/oauth2_credentials.json`
+- **Format**: JSON with access token, refresh token, expiration time
+- **Security**: Stored as plain text (limitation for local development tool)
+
+**Auto-refresh**: ✅ Supported
+- Automatically refreshes expired tokens using refresh tokens
+- Updates stored credentials file
+
+## Workarounds
+
+### For Non-JSON OAuth2 Responses
+
+If you encounter an OAuth2 provider that doesn't return JSON responses:
+
+1. **Contact the provider** to request JSON support (recommended)
+2. **Use a proxy server** to convert the response format
+3. **Consider alternative authentication methods** if available
+
+### For Port Conflicts on Desktop
+
+If ports 8080-8090 are occupied:
+
+1. **Stop conflicting services** temporarily during OAuth flow
+2. **Use mobile platform** for OAuth authentication if possible
+3. **Configure OAuth provider** to use a different callback URL (if supported)
+
+## Related Documentation
+
+- [Setup and Run Guide](setup_run.md)
+- [Platform-Specific Instructions](platform_specific_instructions.md)
+- [Testing Guide](testing.md)
+- [OAuth2 RFC 6749](https://tools.ietf.org/html/rfc6749)
+- [OAuth1 RFC 5849](https://tools.ietf.org/html/rfc5849)