Foundation OAuth Deployment Checklist

This checklist guides you through deploying Phase 3: Foundation OAuth integration on aethex.dev.

Pre-Deployment Setup

1. Environment Variables

Add these to your deployment platform (Vercel, Railway, etc.):

# Foundation Identity Provider
VITE_FOUNDATION_URL=https://aethex.foundation

# OAuth Credentials (from Foundation Phase 1 setup)
FOUNDATION_OAUTH_CLIENT_ID=aethex_corp
FOUNDATION_OAUTH_CLIENT_SECRET=bcoEtyQVGr6Z4557658eUXpDF5FDni2TGNahH3HT-FtylNrLCYwydwLO0sbKVHtfYUnZc4flAODa4BXkzxD_qg

Important:

  • ✅ Keep FOUNDATION_OAUTH_CLIENT_SECRET secure (never commit to git)

  • ✅ Use deployment platform's secret management (Vercel > Settings > Environment Variables)

  • ✅ Mark secret variables as "Encrypted"

2. Verify Foundation is Ready

Before deploying, confirm:

Quick Test:

3. Verify Redirect URI

Foundation must have this redirect URI registered:

Ask Foundation admin to verify these are registered.

Deployment Steps

Step 1: Set Environment Variables

Vercel:

  1. Go to Project Settings > Environment Variables

  2. Add three variables:

    • VITE_FOUNDATION_URL = https://aethex.foundation

    • FOUNDATION_OAUTH_CLIENT_ID = aethex_corp

    • FOUNDATION_OAUTH_CLIENT_SECRET = (paste secret, mark as encrypted)

  3. Select environments: Production, Preview, Development

  4. Save

Railway/Other:

  • Add to .env file in deployment

  • Or configure in platform's settings

  • Restart deployment for changes to take effect

Step 2: Deploy Code

Files included in deployment:

Deploy command:

Step 3: Verify Deployment

  1. Check environment variables:

  2. Visit login page:

    • Go to https://aethex.dev/login

    • Should see "Login with Foundation" button

    • No console errors

  3. Test OAuth flow:

    • Click "Login with Foundation"

    • Should redirect to https://aethex.foundation/api/oauth/authorize

    • Page should show Foundation login (or auth screen)

  4. Check callback endpoint:

    • Network tab should show POST to /auth/callback/exchange

    • Should return 200 with access_token

  5. Verify cookies:

    • After successful login, check Application > Cookies

    • Should have: foundation_access_token, auth_user_id

    • Both should be HttpOnly, Secure, SameSite=Strict

Step 4: Monitor Logs

Watch for errors during first deployment:

Testing Plan

Test 1: Happy Path (Successful Login)

Steps:

  1. Visit https://aethex.dev/login

  2. Click "Login with Foundation"

  3. Enter test credentials on Foundation

  4. Should redirect back to aethex.dev/auth/callback

  5. Should exchange code for token

  6. Should appear logged in on dashboard

Expected Result: ✅ Logged in, cookies set, profile synced

Check:

Test 2: Error: Invalid Code

Steps:

  1. Manually modify callback URL: ?code=invalid_code_123

  2. Press Enter

Expected Result: ⚠️ Error page with message, redirect to login after 2s

Test 3: Network Error

Steps:

  1. Stop/pause Foundation service

  2. Attempt login

  3. Foundation redirects back with code

  4. Callback tries to exchange code

Expected Result: ⚠️ Error about Foundation connection, graceful redirect to login

Test 4: Logout and Re-login

Steps:

  1. Logout from dashboard (if logout button exists)

  2. Check cookies are cleared

  3. Login again with Foundation

  4. Should work seamlessly

Expected Result: ✅ Logout clears cookies, re-login establishes new session

Test 5: Multiple Browsers

Test on:

Expected Result: ✅ Works consistently across all browsers

Production Rollout

Phase 1: Staging (First)

  1. Deploy to staging environment first

  2. Run full testing suite

  3. Verify Foundation integration works

  4. Get team sign-off

  5. Monitor staging for 24 hours

Phase 2: Canary (Small Percentage)

If your deployment supports canary deployments:

  1. Deploy to 5% of production traffic

  2. Monitor auth success rate and errors

  3. Check logs for issues

  4. Gradually increase to 100%

Phase 3: Full Production

  1. Deploy to 100% of production

  2. Have support team on standby

  3. Monitor metrics closely for 24 hours

  4. Have rollback plan ready

Phase 4: Cleanup

After 1-2 weeks of successful deployment:

  1. Remove old Discord OAuth code (optional)

  2. Delete deprecated files:

    • code/api/discord/oauth/start.ts

    • code/api/discord/oauth/callback.ts

    • code/api/discord/link.ts

    • code/api/discord/create-linking-session.ts

    • code/api/discord/verify-code.ts

  3. Update documentation

  4. Remove old env variables

Rollback Plan

If critical issues occur:

Immediate Rollback (< 1 hour)

  1. Revert deployment:

  2. Remove environment variables:

    • Remove VITE_FOUNDATION_URL

    • Remove FOUNDATION_OAUTH_CLIENT_ID

    • Remove FOUNDATION_OAUTH_CLIENT_SECRET

  3. Communicate with users:

    • "We've temporarily disabled Foundation integration"

    • "Use alternative login methods"

If Rollback Fails

Contact Foundation admin for assistance with:

  • OAuth endpoint status

  • User session validation

  • Database consistency

Monitoring & Alerts

Key Metrics to Monitor

  1. Auth Success Rate

    • Target: >99%

    • Alert threshold: <95%

    • What to check: Logs for "Token exchange" errors

  2. Token Exchange Time

    • Target: <500ms

    • Alert threshold: >2000ms

    • What to check: Network latency to Foundation

  3. Foundation Connectivity

    • Monitor: Foundation endpoint availability

    • Alert on: Connection failures to /api/oauth/token

    • Fallback: Maintenance page if Foundation down

  4. Error Rate by Type

    • invalid_code - Usually code expired, user retries

    • state_mismatch - CSRF validation failed, investigate

    • token_exchange_failed - Foundation issue, escalate

    • user_sync_failed - Database issue, check Supabase

Sample Metrics Query

Support & Troubleshooting

Common Issues During Deployment

Issue
Cause
Solution

"Client secret not found"

Missing env var

Add FOUNDATION_OAUTH_CLIENT_SECRET

"Redirect URI mismatch"

URI not registered on Foundation

Ask Foundation admin to register

"Token exchange failed 401"

Invalid credentials

Verify client_id and client_secret

"User sync failed"

Supabase error

Check user_profiles table schema

"Cookies not set"

SameSite policy blocking

Check cookie headers on response

Debug Commands

Getting Help

  1. Check logs:

    • Deployment platform logs (Vercel Dashboard, Railway Dashboard)

    • Application logs (if available)

    • Browser console (F12)

    • Network tab (check requests/responses)

  2. Verify configuration:

    • Environment variables set correctly

    • Foundation endpoints accessible

    • Redirect URI registered

  3. Escalate if needed:

    • Contact Foundation admin for OAuth endpoint issues

    • Contact Supabase for database sync issues

    • Contact platform support for deployment issues

Post-Deployment

1. Verify Everything Works (Week 1)

2. Communicate with Users (Week 1)

3. Monitor Metrics (Week 2-3)

4. Final Cleanup (Week 3-4)

Success Criteria

Deployment is successful when:

  1. Login page shows "Login with Foundation" button

  2. Users can login and are redirected to Foundation

  3. After Foundation auth, users redirected back to dashboard

  4. User profiles sync to local database

  5. Cookies are set correctly (HttpOnly, Secure)

  6. Auth success rate >99% for 24+ hours

  7. No critical errors in logs

  8. Support team has no blocking issues

  9. Users report smooth login experience

  10. All team members approve

Deployment Checklist

Ready to deploy? Follow this checklist step-by-step for a smooth Foundation OAuth integration!

Status: ✅ Deployment checklist complete and ready for use

PreviousAeThex Complete Notification SystemNextAeThex Desktop App - Release Guide

Last updated