diff --git a/server/cmd/auth-server/handlers.go b/server/cmd/auth-server/handlers.go
index d71375b..e866d7b 100644
--- a/server/cmd/auth-server/handlers.go
+++ b/server/cmd/auth-server/handlers.go
@@ -18,6 +18,26 @@ var loginFS embed.FS
 var loginTmpl = template.Must(template.ParseFS(loginFS, "login.html"))
+// oauthRedirectTmpl drives the fbconnect:// hand-off via a renderer-initiated
+// navigation instead of a server-side 302. Android WebView does NOT invoke
+// WebViewClient.shouldOverrideUrlLoading for 302 redirects from POST form
+// submissions to non-http schemes (documented Chromium WebView limitation,
+// Stack Overflow #6738328 / Google issuetracker #36918490). Returning a 200
+// HTML page with both and window.location.replace()
+// makes the cross-scheme navigation renderer-initiated, which DOES invoke
+// shouldOverrideUrlLoading, so the FB SDK can extract access_token from the
+// URL fragment and complete its login flow. html/template auto-escapes {{.}}
+// correctly for the meta URL-attribute context and the JS string-literal
+// context inside
+
+
+