Open
Description
Is your feature request related to a problem? Please describe:
When developing applications with OAuth authentication in Bolt, developers currently cannot test real OAuth flows due to security restrictions in WebContainers. This forces the use of mock data during development, creating a disconnect between development and production environments.
Describe the solution you'd like:
Implement a secure proxy system in WebContainers that would:
- Allow whitelisted OAuth providers (GitHub, Google, etc.) to securely communicate with applications running in WebContainers
- Handle the OAuth flow through a secure bridge between the WebContainer and the host browser
- Maintain WebContainer isolation while allowing authenticated API requests to these providers
- Support common OAuth flows including PKCE
- Provide a consistent developer experience that matches production behavior
The implementation would:
- Use a secure proxy to handle OAuth redirects and token exchange
- Maintain WebContainer security boundaries
- Only allow communication with verified OAuth providers
- Handle token storage securely within the WebContainers environment
Describe alternatives you've considered:
- Current approach: Using mock data during development
- Custom OAuth simulation: Creating a fake OAuth provider within WebContainers
- Disabling security restrictions: Not viable, as it would compromise the WebContainers security model
Additional context:
This feature would significantly improve the development experience by:
- Allowing real OAuth testing in development
- Maintaining security while enabling OAuth flows
- Providing a more production-like environment
- Supporting common authentication patterns
- Enabling better testing of OAuth-dependent features
The secure proxy approach balances security needs with developer experience, making it an ideal solution for this use case.
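An added example, not part of the original issue and not Bolt or WebContainers code: a sketch of host-side checks a proxy like the one requested could apply, combining exact-match endpoint allowlisting with PKCE (S256) so that the `code_verifier` stays on the host side. The allowlist entries, function names and in-memory store are assumptions.

```javascript
const { createHash, randomBytes } = require('node:crypto');

// Hypothetical allowlist (an assumption of this example): exact origin + path.
const ALLOWED_ENDPOINTS = new Set([
  'https://github.com/login/oauth/authorize',
  'https://github.com/login/oauth/access_token',
  'https://accounts.google.com/o/oauth2/v2/auth',
  'https://oauth2.googleapis.com/token',
]);

// Compare the parsed URL exactly; substring or suffix matching would accept
// look-alike hosts such as github.com.example.test.
function isAllowedEndpoint(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  if (url.protocol !== 'https:' || url.username || url.password) return false;
  return ALLOWED_ENDPOINTS.has(url.origin + url.pathname);
}

// PKCE S256 (RFC 7636): BASE64URL(SHA-256(ASCII(code_verifier))), unpadded.
function s256Challenge(verifier) {
  return createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

const pending = new Map(); // state -> flow data, held on the host side only

// Build the authorization URL; the sandboxed app never sees the verifier.
function beginAuthorization(authorizeUrl, tokenUrl, clientId, redirectUri) {
  if (!isAllowedEndpoint(authorizeUrl) || !isAllowedEndpoint(tokenUrl))
    throw new Error('endpoint not on allowlist');
  const verifier = randomBytes(32).toString('base64url'); // 43 characters
  const state = randomBytes(16).toString('base64url');
  pending.set(state, { verifier, tokenUrl, clientId, redirectUri });
  const url = new URL(authorizeUrl);
  url.search = new URLSearchParams({
    response_type: 'code', client_id: clientId, redirect_uri: redirectUri,
    state, code_challenge: s256Challenge(verifier), code_challenge_method: 'S256',
  }).toString();
  return url.toString();
}

// On redirect: state must match a pending flow and can be used only once.
function completeAuthorization(state, code) {
  const flow = pending.get(state);
  if (!flow) return null; // unknown or replayed state
  pending.delete(state);
  const body = new URLSearchParams({
    grant_type: 'authorization_code', code, code_verifier: flow.verifier,
    client_id: flow.clientId, redirect_uri: flow.redirectUri,
  });
  return { tokenUrl: flow.tokenUrl, body };
}
```

`completeAuthorization` returns the token request for the proxy to send itself; the token response would then be stored according to whatever policy the proxy enforces.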