From b3a5eb147c6999a2e00744eb3392b779d548ca35 Mon Sep 17 00:00:00 2001
From: xrendan <brendan@brendansamek.com>
Date: Wed, 17 Jun 2026 08:52:50 -0600
Subject: [PATCH 01/11] feat: add Doorkeeper OAuth provider integration for
 draft preview mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add Next.js Draft Mode support gated behind York Factory OAuth with admin
scope, enabling admins to preview unpublished memos directly in TradingPost.

- src/app/api/auth/login/ — initiates OAuth flow with CSRF state cookie
- src/app/api/auth/callback/ — exchanges code for token, enables Draft Mode,
  stores Doorkeeper access token as httpOnly cookie
- src/app/api/auth/logout/ — disables Draft Mode and revokes Doorkeeper token
- src/lib/api/client.ts — apiFetch accepts previewToken; passes as Bearer
  header and bypasses ISR caching for preview requests
- src/lib/api/memos.ts — fetchMemo threads previewToken through to apiFetch
- src/app/memos/[slug]/page.tsx — reads draftMode() + yf_preview_token cookie;
  fetches draft content when active; shows "Draft Preview Mode" banner with
  Exit link; generateMetadata also respects draft mode
- src/middleware.ts — wires up proxy.ts as actual Next.js middleware so the
  PostHog dashboard gate runs correctly
---
 src/app/api/auth/callback/route.ts | 93 ++++++++++++++++++++++++++++++
 src/app/api/auth/login/route.ts    | 48 +++++++++++++++
 src/app/api/auth/logout/route.ts   | 32 ++++++++++
 src/app/memos/[slug]/page.tsx      | 27 ++++++++-
 src/lib/api/client.ts              | 16 ++++-
 src/lib/api/memos.ts               |  3 +-
 src/middleware.ts                  | 10 ++++
 7 files changed, 224 insertions(+), 5 deletions(-)
 create mode 100644 src/app/api/auth/callback/route.ts
 create mode 100644 src/app/api/auth/login/route.ts
 create mode 100644 src/app/api/auth/logout/route.ts
 create mode 100644 src/middleware.ts

diff --git a/src/app/api/auth/callback/route.ts b/src/app/api/auth/callback/route.ts
new file mode 100644
index 0000000..7c037b5
--- /dev/null
+++ b/src/app/api/auth/callback/route.ts
@@ -0,0 +1,93 @@
+import { draftMode } from "next/headers";
+import { NextRequest, NextResponse } from "next/server";
+
+const YF_OAUTH_URL = process.env.YF_OAUTH_URL || "http://localhost:3000";
+const CLIENT_ID = process.env.YF_OAUTH_CLIENT_ID || "";
+const CLIENT_SECRET = process.env.YF_OAUTH_CLIENT_SECRET || "";
+const CALLBACK_URL =
+  process.env.YF_OAUTH_CALLBACK_URL ||
+  "http://localhost:5050/api/auth/callback";
+
+interface TokenResponse {
+  access_token: string;
+  token_type: string;
+  expires_in: number;
+  scope: string;
+  refresh_token?: string;
+}
+
+export async function GET(request: NextRequest) {
+  const { searchParams } = request.nextUrl;
+  const code = searchParams.get("code");
+  const state = searchParams.get("state");
+  const error = searchParams.get("error");
+
+  const siteUrl = new URL(request.url).origin;
+
+  if (error) {
+    return NextResponse.redirect(
+      `${siteUrl}/?preview_error=oauth_denied`,
+    );
+  }
+
+  if (!code || !state) {
+    return NextResponse.redirect(
+      `${siteUrl}/?preview_error=invalid_callback`,
+    );
+  }
+
+  const storedState = request.cookies.get("oauth_state")?.value;
+  const redirectTo = request.cookies.get("oauth_redirect")?.value || "/memos";
+
+  if (!storedState || state !== storedState) {
+    return NextResponse.redirect(
+      `${siteUrl}/?preview_error=state_mismatch`,
+    );
+  }
+
+  const tokenRes = await fetch(`${YF_OAUTH_URL}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: CALLBACK_URL,
+      client_id: CLIENT_ID,
+      client_secret: CLIENT_SECRET,
+    }).toString(),
+    cache: "no-store",
+  });
+
+  if (!tokenRes.ok) {
+    return NextResponse.redirect(
+      `${siteUrl}/?preview_error=token_exchange_failed`,
+    );
+  }
+
+  const tokenData = (await tokenRes.json()) as TokenResponse;
+
+  if (!tokenData.scope?.split(" ").includes("admin")) {
+    return NextResponse.redirect(
+      `${siteUrl}/?preview_error=insufficient_scope`,
+    );
+  }
+
+  // Enable Next.js Draft Mode (sets __prerender_bypass cookie)
+  (await draftMode()).enable();
+
+  const isSecure = process.env.NODE_ENV === "production";
+  const response = NextResponse.redirect(`${siteUrl}${redirectTo}`);
+
+  response.cookies.delete("oauth_state");
+  response.cookies.delete("oauth_redirect");
+
+  response.cookies.set("yf_preview_token", tokenData.access_token, {
+    httpOnly: true,
+    secure: isSecure,
+    sameSite: "lax",
+    maxAge: tokenData.expires_in,
+    path: "/",
+  });
+
+  return response;
+}
diff --git a/src/app/api/auth/login/route.ts b/src/app/api/auth/login/route.ts
new file mode 100644
index 0000000..3006803
--- /dev/null
+++ b/src/app/api/auth/login/route.ts
@@ -0,0 +1,48 @@
+import { randomBytes } from "crypto";
+import { NextRequest, NextResponse } from "next/server";
+
+const YF_OAUTH_URL = process.env.YF_OAUTH_URL || "http://localhost:3000";
+const CLIENT_ID = process.env.YF_OAUTH_CLIENT_ID || "";
+const CALLBACK_URL =
+  process.env.YF_OAUTH_CALLBACK_URL ||
+  "http://localhost:5050/api/auth/callback";
+
+export async function GET(request: NextRequest) {
+  if (!CLIENT_ID) {
+    return NextResponse.json(
+      { error: "OAuth not configured" },
+      { status: 503 },
+    );
+  }
+
+  const state = randomBytes(16).toString("hex");
+  const redirectTo =
+    request.nextUrl.searchParams.get("redirect") || "/memos";
+
+  const authorizeUrl = new URL(`${YF_OAUTH_URL}/oauth/authorize`);
+  authorizeUrl.searchParams.set("client_id", CLIENT_ID);
+  authorizeUrl.searchParams.set("redirect_uri", CALLBACK_URL);
+  authorizeUrl.searchParams.set("response_type", "code");
+  authorizeUrl.searchParams.set("scope", "admin");
+  authorizeUrl.searchParams.set("state", state);
+
+  const isSecure = process.env.NODE_ENV === "production";
+  const response = NextResponse.redirect(authorizeUrl.toString());
+
+  response.cookies.set("oauth_state", state, {
+    httpOnly: true,
+    secure: isSecure,
+    sameSite: "lax",
+    maxAge: 60 * 10,
+    path: "/",
+  });
+  response.cookies.set("oauth_redirect", redirectTo, {
+    httpOnly: true,
+    secure: isSecure,
+    sameSite: "lax",
+    maxAge: 60 * 10,
+    path: "/",
+  });
+
+  return response;
+}
diff --git a/src/app/api/auth/logout/route.ts b/src/app/api/auth/logout/route.ts
new file mode 100644
index 0000000..ce06556
--- /dev/null
+++ b/src/app/api/auth/logout/route.ts
@@ -0,0 +1,32 @@
+import { draftMode } from "next/headers";
+import { NextRequest, NextResponse } from "next/server";
+
+const YF_OAUTH_URL = process.env.YF_OAUTH_URL || "http://localhost:3000";
+const CLIENT_ID = process.env.YF_OAUTH_CLIENT_ID || "";
+const CLIENT_SECRET = process.env.YF_OAUTH_CLIENT_SECRET || "";
+
+export async function GET(request: NextRequest) {
+  const siteUrl = new URL(request.url).origin;
+
+  // Revoke Doorkeeper token if present
+  const previewToken = request.cookies.get("yf_preview_token")?.value;
+  if (previewToken && CLIENT_ID && CLIENT_SECRET) {
+    await fetch(`${YF_OAUTH_URL}/oauth/revoke`, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        token: previewToken,
+        client_id: CLIENT_ID,
+        client_secret: CLIENT_SECRET,
+      }).toString(),
+      cache: "no-store",
+    }).catch(() => {});
+  }
+
+  (await draftMode()).disable();
+
+  const response = NextResponse.redirect(`${siteUrl}/memos`);
+  response.cookies.delete("yf_preview_token");
+
+  return response;
+}
diff --git a/src/app/memos/[slug]/page.tsx b/src/app/memos/[slug]/page.tsx
index 25f96c5..932e802 100644
--- a/src/app/memos/[slug]/page.tsx
+++ b/src/app/memos/[slug]/page.tsx
@@ -1,3 +1,4 @@
+import { cookies, draftMode } from "next/headers";
 import { notFound, permanentRedirect } from "next/navigation";
 import type { Metadata } from "next";
 import { fetchMemo, fetchMemos, getSiteConfig } from "@/lib/api";
@@ -26,9 +27,13 @@ export async function generateMetadata({
   params: Promise<{ slug: string }>;
 }): Promise<Metadata> {
   const { slug } = await params;
+  const { isEnabled: isDraft } = await draftMode();
+  const previewToken = isDraft
+    ? (await cookies()).get("yf_preview_token")?.value
+    : undefined;
   let memo;
   try {
-    memo = await fetchMemo(slug);
+    memo = await fetchMemo(slug, { previewToken });
   } catch {
     return { title: "Memo Not Found | Build Canada" };
   }
@@ -64,9 +69,16 @@ export default async function MemoDetailPage({
   params: Promise<{ slug: string }>;
 }) {
   const { slug } = await params;
+
+  const { isEnabled: isDraft } = await draftMode();
+  const cookieStore = await cookies();
+  const previewToken = isDraft
+    ? cookieStore.get("yf_preview_token")?.value
+    : undefined;
+
   let memo;
   try {
-    memo = await fetchMemo(slug);
+    memo = await fetchMemo(slug, { previewToken });
   } catch {
     notFound();
   }
@@ -141,6 +153,17 @@ export default async function MemoDetailPage({
 
   return (
     <div className="mx-[10px] my-[10px] border border-border-light bg-bg">
+      {isDraft && (
+        <div className="fixed top-0 left-0 right-0 z-50 bg-amber-500 text-white text-sm px-4 py-2 flex items-center justify-between">
+          <span>Draft Preview Mode — content may be unpublished</span>
+          <a
+            href={`/api/auth/logout?redirect=/memos/${slug}`}
+            className="underline font-medium"
+          >
+            Exit Preview
+          </a>
+        </div>
+      )}
       <script
         type="application/ld+json"
         dangerouslySetInnerHTML={{ __html: JSON.stringify(jsonLd) }}
diff --git a/src/lib/api/client.ts b/src/lib/api/client.ts
index b3c8882..a2355a2 100644
--- a/src/lib/api/client.ts
+++ b/src/lib/api/client.ts
@@ -4,7 +4,11 @@ export const API_URL =
 
 export async function apiFetch<T>(
   path: string,
-  options?: { revalidate?: number; params?: Record<string, string> },
+  options?: {
+    revalidate?: number;
+    params?: Record<string, string>;
+    previewToken?: string;
+  },
 ): Promise<T> {
   const url = new URL(`${API_URL}${path}`);
   if (options?.params) {
@@ -15,8 +19,16 @@ export async function apiFetch<T>(
     }
   }
 
+  const headers: Record<string, string> = {};
+  if (options?.previewToken) {
+    headers["Authorization"] = `Bearer ${options.previewToken}`;
+  }
+
   const res = await fetch(url.toString(), {
-    next: { revalidate: options?.revalidate ?? 60 },
+    headers,
+    next: options?.previewToken
+      ? { revalidate: 0 }
+      : { revalidate: options?.revalidate ?? 60 },
   });
 
   if (!res.ok) {
diff --git a/src/lib/api/memos.ts b/src/lib/api/memos.ts
index 60f1a70..049cf5b 100644
--- a/src/lib/api/memos.ts
+++ b/src/lib/api/memos.ts
@@ -96,12 +96,13 @@ export async function fetchMemos(params?: {
   return all.map((m) => mapMemo(m, authorTitles));
 }
 
-export async function fetchMemo(slug: string, params?: { publication?: string }) {
+export async function fetchMemo(slug: string, params?: { publication?: string; previewToken?: string }) {
   const queryParams: Record<string, string> = {};
   if (params?.publication) queryParams.publication = params.publication;
   const m = await apiFetch<YFMemoDetail>(`/memos/${slug}`, {
     revalidate: 300,
     params: queryParams,
+    previewToken: params?.previewToken,
   });
   const keyMessages = extractKeyMessages((m.key_messages ?? []) as unknown[]);
   const authorName = m.author?.name ?? "Build Canada";
diff --git a/src/middleware.ts b/src/middleware.ts
new file mode 100644
index 0000000..bcf5bb0
--- /dev/null
+++ b/src/middleware.ts
@@ -0,0 +1,10 @@
+import type { NextRequest } from "next/server";
+import { proxy } from "./proxy";
+
+export const config = {
+  matcher: ["/dashboard", "/dashboard/:path*"],
+};
+
+export async function middleware(req: NextRequest) {
+  return proxy(req);
+}

From d43739c65ab2c89835d5d0eb50701355d214f161 Mon Sep 17 00:00:00 2001
From: xrendan <brendan@brendansamek.com>
Date: Wed, 17 Jun 2026 08:58:17 -0600
Subject: [PATCH 02/11] fix: align .env.local.example variable names with
 actual route usage

---
 .env.local.example | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .env.local.example

diff --git a/.env.local.example b/.env.local.example
new file mode 100644
index 0000000..ea5655d
--- /dev/null
+++ b/.env.local.example
@@ -0,0 +1,5 @@
+# York Factory OAuth (Doorkeeper) — run `bin/rails db:seed` in york_factory to get these values
+YF_OAUTH_URL=http://localhost:3000
+YF_OAUTH_CLIENT_ID=your-client-id
+YF_OAUTH_CLIENT_SECRET=your-client-secret
+YF_OAUTH_CALLBACK_URL=http://localhost:5050/api/auth/callback

From 68076e1ac8a9dc588c262b3a08686ba4db1ffe21 Mon Sep 17 00:00:00 2001
From: xrendan <brendan@brendansamek.com>
Date: Wed, 17 Jun 2026 09:01:43 -0600
Subject: [PATCH 03/11] =?UTF-8?q?fix:=20remove=20middleware.ts=20=E2=80=94?=
 =?UTF-8?q?=20Next.js=2016=20uses=20proxy.ts=20convention?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/middleware.ts | 10 ----------
 1 file changed, 10 deletions(-)
 delete mode 100644 src/middleware.ts

diff --git a/src/middleware.ts b/src/middleware.ts
deleted file mode 100644
index bcf5bb0..0000000
--- a/src/middleware.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-import type { NextRequest } from "next/server";
-import { proxy } from "./proxy";
-
-export const config = {
-  matcher: ["/dashboard", "/dashboard/:path*"],
-};
-
-export async function middleware(req: NextRequest) {
-  return proxy(req);
-}

From b776e88061746eee24c396b1f1303aa7295ac7d0 Mon Sep 17 00:00:00 2001
From: xrendan <brendan@brendansamek.com>
Date: Wed, 17 Jun 2026 09:20:45 -0600
Subject: [PATCH 04/11] fix: use yf_preview_token cookie directly instead of
 draftMode()

NextResponse.redirect() in Next.js 16 does not reliably merge cookies set
via draftMode().enable() from next/headers. The yf_preview_token cookie is
sufficient as the preview indicator and is passed directly to fetchMemo.
---
 src/app/api/auth/callback/route.ts |  4 ----
 src/app/api/auth/logout/route.ts   |  3 ---
 src/app/memos/[slug]/page.tsx      | 14 ++++----------
 3 files changed, 4 insertions(+), 17 deletions(-)

diff --git a/src/app/api/auth/callback/route.ts b/src/app/api/auth/callback/route.ts
index 7c037b5..fc6ef35 100644
--- a/src/app/api/auth/callback/route.ts
+++ b/src/app/api/auth/callback/route.ts
@@ -1,4 +1,3 @@
-import { draftMode } from "next/headers";
 import { NextRequest, NextResponse } from "next/server";
 
 const YF_OAUTH_URL = process.env.YF_OAUTH_URL || "http://localhost:3000";
@@ -72,9 +71,6 @@ export async function GET(request: NextRequest) {
     );
   }
 
-  // Enable Next.js Draft Mode (sets __prerender_bypass cookie)
-  (await draftMode()).enable();
-
   const isSecure = process.env.NODE_ENV === "production";
   const response = NextResponse.redirect(`${siteUrl}${redirectTo}`);
 
diff --git a/src/app/api/auth/logout/route.ts b/src/app/api/auth/logout/route.ts
index ce06556..8c833f5 100644
--- a/src/app/api/auth/logout/route.ts
+++ b/src/app/api/auth/logout/route.ts
@@ -1,4 +1,3 @@
-import { draftMode } from "next/headers";
 import { NextRequest, NextResponse } from "next/server";
 
 const YF_OAUTH_URL = process.env.YF_OAUTH_URL || "http://localhost:3000";
@@ -23,8 +22,6 @@ export async function GET(request: NextRequest) {
     }).catch(() => {});
   }
 
-  (await draftMode()).disable();
-
   const response = NextResponse.redirect(`${siteUrl}/memos`);
   response.cookies.delete("yf_preview_token");
 
diff --git a/src/app/memos/[slug]/page.tsx b/src/app/memos/[slug]/page.tsx
index 932e802..6f3d1ed 100644
--- a/src/app/memos/[slug]/page.tsx
+++ b/src/app/memos/[slug]/page.tsx
@@ -1,4 +1,4 @@
-import { cookies, draftMode } from "next/headers";
+import { cookies } from "next/headers";
 import { notFound, permanentRedirect } from "next/navigation";
 import type { Metadata } from "next";
 import { fetchMemo, fetchMemos, getSiteConfig } from "@/lib/api";
@@ -27,10 +27,7 @@ export async function generateMetadata({
   params: Promise<{ slug: string }>;
 }): Promise<Metadata> {
   const { slug } = await params;
-  const { isEnabled: isDraft } = await draftMode();
-  const previewToken = isDraft
-    ? (await cookies()).get("yf_preview_token")?.value
-    : undefined;
+  const previewToken = (await cookies()).get("yf_preview_token")?.value;
   let memo;
   try {
     memo = await fetchMemo(slug, { previewToken });
@@ -70,11 +67,8 @@ export default async function MemoDetailPage({
 }) {
   const { slug } = await params;
 
-  const { isEnabled: isDraft } = await draftMode();
-  const cookieStore = await cookies();
-  const previewToken = isDraft
-    ? cookieStore.get("yf_preview_token")?.value
-    : undefined;
+  const previewToken = (await cookies()).get("yf_preview_token")?.value;
+  const isDraft = !!previewToken;
 
   let memo;
   try {

From 67dd33c607299f183219a8e1b410c9e5b78d4355 Mon Sep 17 00:00:00 2001
From: xrendan <brendan@brendansamek.com>
Date: Wed, 17 Jun 2026 10:41:35 -0600
Subject: [PATCH 05/11] memos: per-request preview token store + draft banner

Share the yf_preview_token cookie from the memo Server Component to apiFetch
via a React.cache() per-request store (setPreviewToken/getPreviewToken)
instead of threading it through fetchMemo args. Add DraftPreviewBanner shown
below the navbar when previewing a draft, and document production OAuth /
API env vars in .env.local.example.
---
 .env.local.example                          | 17 +++++++++-
 src/app/memos/[slug]/DraftPreviewBanner.tsx | 30 +++++++++++++++++
 src/app/memos/[slug]/page.tsx               | 37 ++++++++++++---------
 src/lib/api/client.ts                       | 10 +++---
 src/lib/api/memos.ts                        |  3 +-
 src/lib/preview-token.ts                    | 13 ++++++++
 6 files changed, 88 insertions(+), 22 deletions(-)
 create mode 100644 src/app/memos/[slug]/DraftPreviewBanner.tsx
 create mode 100644 src/lib/preview-token.ts

diff --git a/.env.local.example b/.env.local.example
index ea5655d..7262edf 100644
--- a/.env.local.example
+++ b/.env.local.example
@@ -1,5 +1,20 @@
-# York Factory OAuth (Doorkeeper) — run `bin/rails db:seed` in york_factory to get these values
+# York Factory OAuth (Doorkeeper) — draft preview mode
+# Run `bin/rails db:seed` in york_factory to create the TradingPost OAuth
+# application and print the client_id / client_secret.
+#
+# Local development values:
 YF_OAUTH_URL=http://localhost:3000
 YF_OAUTH_CLIENT_ID=your-client-id
 YF_OAUTH_CLIENT_SECRET=your-client-secret
 YF_OAUTH_CALLBACK_URL=http://localhost:5050/api/auth/callback
+#
+# Production values (set in the buildcanada.com deployment env):
+#   YF_OAUTH_URL=https://auth.buildcanada.com
+#   YF_OAUTH_CLIENT_ID=<from york_factory db:seed>
+#   YF_OAUTH_CLIENT_SECRET=<from york_factory db:seed>
+#   YF_OAUTH_CALLBACK_URL=https://buildcanada.com/api/auth/callback
+
+# York Factory API base URL (data API — memos, posts, etc.)
+# Local: http://localhost:3000/api/v1
+# Production: https://yorkfactory.buildcanada.com/api/v1
+YORK_FACTORY_API_URL=http://localhost:3000/api/v1
diff --git a/src/app/memos/[slug]/DraftPreviewBanner.tsx b/src/app/memos/[slug]/DraftPreviewBanner.tsx
new file mode 100644
index 0000000..c3e4f84
--- /dev/null
+++ b/src/app/memos/[slug]/DraftPreviewBanner.tsx
@@ -0,0 +1,30 @@
+import Link from "next/link";
+
+type BannerState = "viewing-draft" | "draft-not-found";
+
+interface DraftPreviewBannerProps {
+  state: BannerState;
+  slug: string;
+}
+
+export function DraftPreviewBanner({ state }: DraftPreviewBannerProps) {
+  if (state === "viewing-draft") {
+    return (
+      <div className="w-full bg-amber-500 text-white text-sm px-4 py-2 flex items-center justify-between">
+        <span className="font-medium">DRAFT — not yet published</span>
+        <Link href="/api/auth/logout" className="underline">
+          Exit preview
+        </Link>
+      </div>
+    );
+  }
+
+  return (
+    <div className="w-full border border-amber-400 bg-amber-50 text-amber-900 text-sm px-4 py-3 flex items-center gap-2">
+      <span>No draft found for this slug.</span>
+      <Link href="/api/auth/logout" className="underline ml-auto">
+        Exit preview mode
+      </Link>
+    </div>
+  );
+}
diff --git a/src/app/memos/[slug]/page.tsx b/src/app/memos/[slug]/page.tsx
index 6f3d1ed..3fa361d 100644
--- a/src/app/memos/[slug]/page.tsx
+++ b/src/app/memos/[slug]/page.tsx
@@ -11,6 +11,8 @@ import { buildGraph } from "@/lib/schemas/graph";
 import { generateArticleSchema } from "@/lib/schemas/generators/article";
 import { generateBreadcrumbSchema } from "@/lib/schemas/generators/breadcrumb";
 import { generateOrganizationSchema } from "@/lib/schemas/generators/organization";
+import { DraftPreviewBanner } from "./DraftPreviewBanner";
+import { setPreviewToken } from "@/lib/preview-token";
 
 export async function generateStaticParams() {
   try {
@@ -27,10 +29,10 @@ export async function generateMetadata({
   params: Promise<{ slug: string }>;
 }): Promise<Metadata> {
   const { slug } = await params;
-  const previewToken = (await cookies()).get("yf_preview_token")?.value;
+  setPreviewToken((await cookies()).get("yf_preview_token")?.value);
   let memo;
   try {
-    memo = await fetchMemo(slug, { previewToken });
+    memo = await fetchMemo(slug);
   } catch {
     return { title: "Memo Not Found | Build Canada" };
   }
@@ -68,13 +70,26 @@ export default async function MemoDetailPage({
   const { slug } = await params;
 
   const previewToken = (await cookies()).get("yf_preview_token")?.value;
-  const isDraft = !!previewToken;
+  setPreviewToken(previewToken);
 
   let memo;
   try {
-    memo = await fetchMemo(slug, { previewToken });
+    memo = await fetchMemo(slug);
   } catch {
-    notFound();
+    if (!previewToken) notFound();
+
+    return (
+      <div className="mx-[10px] my-[10px] border border-border-light bg-bg">
+        <div className="max-w-[720px] mx-auto px-[5vw] md:px-[10vw] py-24 flex flex-col items-center gap-8 text-center">
+          <p className="type-label text-text-secondary">404</p>
+          <h1 className="type-title">Memo not found</h1>
+          <p className="type-body text-text-secondary">
+            This memo doesn&apos;t exist or hasn&apos;t been published yet.
+          </p>
+          <DraftPreviewBanner state="draft-not-found" slug={slug} />
+        </div>
+      </div>
+    );
   }
 
   if (memo.slug !== slug) {
@@ -147,16 +162,8 @@ export default async function MemoDetailPage({
 
   return (
     <div className="mx-[10px] my-[10px] border border-border-light bg-bg">
-      {isDraft && (
-        <div className="fixed top-0 left-0 right-0 z-50 bg-amber-500 text-white text-sm px-4 py-2 flex items-center justify-between">
-          <span>Draft Preview Mode — content may be unpublished</span>
-          <a
-            href={`/api/auth/logout?redirect=/memos/${slug}`}
-            className="underline font-medium"
-          >
-            Exit Preview
-          </a>
-        </div>
+      {previewToken && (
+        <DraftPreviewBanner state="viewing-draft" slug={slug} />
       )}
       <script
         type="application/ld+json"
diff --git a/src/lib/api/client.ts b/src/lib/api/client.ts
index a2355a2..ac4dcbc 100644
--- a/src/lib/api/client.ts
+++ b/src/lib/api/client.ts
@@ -1,3 +1,5 @@
+import { getPreviewToken } from "@/lib/preview-token";
+
 export const API_URL =
   process.env.YORK_FACTORY_API_URL ||
   "https://yorkfactory.buildcanada.com/api/v1";
@@ -7,7 +9,6 @@ export async function apiFetch<T>(
   options?: {
     revalidate?: number;
     params?: Record<string, string>;
-    previewToken?: string;
   },
 ): Promise<T> {
   const url = new URL(`${API_URL}${path}`);
@@ -20,13 +21,14 @@ export async function apiFetch<T>(
   }
 
   const headers: Record<string, string> = {};
-  if (options?.previewToken) {
-    headers["Authorization"] = `Bearer ${options.previewToken}`;
+  const previewToken = getPreviewToken();
+  if (previewToken) {
+    headers["Authorization"] = `Bearer ${previewToken}`;
   }
 
   const res = await fetch(url.toString(), {
     headers,
-    next: options?.previewToken
+    next: previewToken
       ? { revalidate: 0 }
       : { revalidate: options?.revalidate ?? 60 },
   });
diff --git a/src/lib/api/memos.ts b/src/lib/api/memos.ts
index 049cf5b..60f1a70 100644
--- a/src/lib/api/memos.ts
+++ b/src/lib/api/memos.ts
@@ -96,13 +96,12 @@ export async function fetchMemos(params?: {
   return all.map((m) => mapMemo(m, authorTitles));
 }
 
-export async function fetchMemo(slug: string, params?: { publication?: string; previewToken?: string }) {
+export async function fetchMemo(slug: string, params?: { publication?: string }) {
   const queryParams: Record<string, string> = {};
   if (params?.publication) queryParams.publication = params.publication;
   const m = await apiFetch<YFMemoDetail>(`/memos/${slug}`, {
     revalidate: 300,
     params: queryParams,
-    previewToken: params?.previewToken,
   });
   const keyMessages = extractKeyMessages((m.key_messages ?? []) as unknown[]);
   const authorName = m.author?.name ?? "Build Canada";
diff --git a/src/lib/preview-token.ts b/src/lib/preview-token.ts
new file mode 100644
index 0000000..3484e52
--- /dev/null
+++ b/src/lib/preview-token.ts
@@ -0,0 +1,13 @@
+import { cache } from "react";
+
+type Store = { value: string | undefined };
+
+const _store = cache((): Store => ({ value: undefined }));
+
+export function setPreviewToken(token: string | undefined): void {
+  _store().value = token;
+}
+
+export function getPreviewToken(): string | undefined {
+  return _store().value;
+}

From a0a976190edd31a02ec223802c65b3ddf5ae2183 Mon Sep 17 00:00:00 2001
From: xrendan <brendan@brendansamek.com>
Date: Wed, 17 Jun 2026 11:48:17 -0600
Subject: [PATCH 06/11] auth: general login + admin via /me, gate preview on
 admin

The OAuth provider is now general login: request no admin scope. After the
token exchange the callback calls York Factory's /api/v1/me to learn whether
the user is an admin and stores it in a yf_admin cookie. Draft preview (the
banner + uncached draft fetch) is enabled only for admins; non-admins get a
normal logged-in session. Draft access is still enforced server-side by York
Factory, so the cookie is a UI hint, not a security boundary.
---
 src/app/api/auth/callback/route.ts | 31 ++++++++++++++++++++++--------
 src/app/api/auth/login/route.ts    |  1 -
 src/app/api/auth/logout/route.ts   |  1 +
 src/app/memos/[slug]/page.tsx      | 13 +++++++++++--
 4 files changed, 35 insertions(+), 11 deletions(-)

diff --git a/src/app/api/auth/callback/route.ts b/src/app/api/auth/callback/route.ts
index fc6ef35..0bea63b 100644
--- a/src/app/api/auth/callback/route.ts
+++ b/src/app/api/auth/callback/route.ts
@@ -6,12 +6,15 @@ const CLIENT_SECRET = process.env.YF_OAUTH_CLIENT_SECRET || "";
 const CALLBACK_URL =
   process.env.YF_OAUTH_CALLBACK_URL ||
   "http://localhost:5050/api/auth/callback";
+const API_URL =
+  process.env.YORK_FACTORY_API_URL ||
+  "https://yorkfactory.buildcanada.com/api/v1";
 
 interface TokenResponse {
   access_token: string;
   token_type: string;
   expires_in: number;
-  scope: string;
+  scope?: string;
   refresh_token?: string;
 }
 
@@ -65,10 +68,20 @@ export async function GET(request: NextRequest) {
 
   const tokenData = (await tokenRes.json()) as TokenResponse;
 
-  if (!tokenData.scope?.split(" ").includes("admin")) {
-    return NextResponse.redirect(
-      `${siteUrl}/?preview_error=insufficient_scope`,
-    );
+  // Look up the user to learn whether they're an admin. Admin status is a
+  // property of the user (surfaced by /me), not an OAuth scope — only admins
+  // get draft preview. Non-admins still get a valid session (general login).
+  let isAdmin = false;
+  try {
+    const meRes = await fetch(`${API_URL}/me`, {
+      headers: { Authorization: `Bearer ${tokenData.access_token}` },
+      cache: "no-store",
+    });
+    if (meRes.ok) {
+      isAdmin = (await meRes.json()).admin === true;
+    }
+  } catch {
+    // Treat a failed lookup as non-admin; the API still enforces access server-side.
   }
 
   const isSecure = process.env.NODE_ENV === "production";
@@ -77,13 +90,15 @@ export async function GET(request: NextRequest) {
   response.cookies.delete("oauth_state");
   response.cookies.delete("oauth_redirect");
 
-  response.cookies.set("yf_preview_token", tokenData.access_token, {
+  const cookieOpts = {
     httpOnly: true,
     secure: isSecure,
-    sameSite: "lax",
+    sameSite: "lax" as const,
     maxAge: tokenData.expires_in,
     path: "/",
-  });
+  };
+  response.cookies.set("yf_preview_token", tokenData.access_token, cookieOpts);
+  response.cookies.set("yf_admin", String(isAdmin), cookieOpts);
 
   return response;
 }
diff --git a/src/app/api/auth/login/route.ts b/src/app/api/auth/login/route.ts
index 3006803..70eaad7 100644
--- a/src/app/api/auth/login/route.ts
+++ b/src/app/api/auth/login/route.ts
@@ -23,7 +23,6 @@ export async function GET(request: NextRequest) {
   authorizeUrl.searchParams.set("client_id", CLIENT_ID);
   authorizeUrl.searchParams.set("redirect_uri", CALLBACK_URL);
   authorizeUrl.searchParams.set("response_type", "code");
-  authorizeUrl.searchParams.set("scope", "admin");
   authorizeUrl.searchParams.set("state", state);
 
   const isSecure = process.env.NODE_ENV === "production";
diff --git a/src/app/api/auth/logout/route.ts b/src/app/api/auth/logout/route.ts
index 8c833f5..43a631d 100644
--- a/src/app/api/auth/logout/route.ts
+++ b/src/app/api/auth/logout/route.ts
@@ -24,6 +24,7 @@ export async function GET(request: NextRequest) {
 
   const response = NextResponse.redirect(`${siteUrl}/memos`);
   response.cookies.delete("yf_preview_token");
+  response.cookies.delete("yf_admin");
 
   return response;
 }
diff --git a/src/app/memos/[slug]/page.tsx b/src/app/memos/[slug]/page.tsx
index 3fa361d..548b202 100644
--- a/src/app/memos/[slug]/page.tsx
+++ b/src/app/memos/[slug]/page.tsx
@@ -29,7 +29,12 @@ export async function generateMetadata({
   params: Promise<{ slug: string }>;
 }): Promise<Metadata> {
   const { slug } = await params;
-  setPreviewToken((await cookies()).get("yf_preview_token")?.value);
+  const cookieStore = await cookies();
+  const previewToken =
+    cookieStore.get("yf_admin")?.value === "true"
+      ? cookieStore.get("yf_preview_token")?.value
+      : undefined;
+  setPreviewToken(previewToken);
   let memo;
   try {
     memo = await fetchMemo(slug);
@@ -69,7 +74,11 @@ export default async function MemoDetailPage({
 }) {
   const { slug } = await params;
 
-  const previewToken = (await cookies()).get("yf_preview_token")?.value;
+  const cookieStore = await cookies();
+  const previewToken =
+    cookieStore.get("yf_admin")?.value === "true"
+      ? cookieStore.get("yf_preview_token")?.value
+      : undefined;
   setPreviewToken(previewToken);
 
   let memo;

From 9af341317a5f20b030fb6e1575d29560697cd2d0 Mon Sep 17 00:00:00 2001
From: xrendan <brendan@brendansamek.com>
Date: Wed, 17 Jun 2026 12:49:03 -0600
Subject: [PATCH 07/11] docs: production OAuth callback is www.buildcanada.com

Keep in sync with york_factory's registered redirect_uri; OAuth requires
an exact redirect_uri match.
---
 .env.local.example | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.env.local.example b/.env.local.example
index 7262edf..5c215b9 100644
--- a/.env.local.example
+++ b/.env.local.example
@@ -12,7 +12,7 @@ YF_OAUTH_CALLBACK_URL=http://localhost:5050/api/auth/callback
 #   YF_OAUTH_URL=https://auth.buildcanada.com
 #   YF_OAUTH_CLIENT_ID=<from york_factory db:seed>
 #   YF_OAUTH_CLIENT_SECRET=<from york_factory db:seed>
-#   YF_OAUTH_CALLBACK_URL=https://buildcanada.com/api/auth/callback
+#   YF_OAUTH_CALLBACK_URL=https://www.buildcanada.com/api/auth/callback
 
 # York Factory API base URL (data API — memos, posts, etc.)
 # Local: http://localhost:3000/api/v1

From d527a5edfc57e7030887518a28ab921733b62c30 Mon Sep 17 00:00:00 2001
From: xrendan <brendan@brendansamek.com>
Date: Wed, 17 Jun 2026 13:58:36 -0600
Subject: [PATCH 08/11] refactor: live user identity via /me, drop yf_admin
 cookie, identify in PostHog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- rename yf_preview_token -> yf_access_token (general login, not just preview)
- add lib/auth.ts getCurrentUser() — admin/identity resolved live from /me,
  React.cache-deduped per request; removes the stale yf_admin cookie
- collapse duplicated cookie checks in memos/[slug] into one helper
- /api/auth/me proxy + <IdentifyUser/> to identify users in PostHog on login,
  reset on logout (once-per-session gate)
---
 src/app/api/auth/callback/route.ts   | 28 +++------------
 src/app/api/auth/logout/route.ts     |  9 +++--
 src/app/api/auth/me/route.ts         | 13 +++++++
 src/app/layout.tsx                   |  2 ++
 src/app/memos/[slug]/page.tsx        | 30 ++++++++--------
 src/components/auth/IdentifyUser.tsx | 52 ++++++++++++++++++++++++++++
 src/lib/api/client.ts                | 10 +++---
 src/lib/auth-token.ts                | 17 +++++++++
 src/lib/auth.ts                      | 52 ++++++++++++++++++++++++++++
 src/lib/preview-token.ts             | 13 -------
 10 files changed, 166 insertions(+), 60 deletions(-)
 create mode 100644 src/app/api/auth/me/route.ts
 create mode 100644 src/components/auth/IdentifyUser.tsx
 create mode 100644 src/lib/auth-token.ts
 create mode 100644 src/lib/auth.ts
 delete mode 100644 src/lib/preview-token.ts

diff --git a/src/app/api/auth/callback/route.ts b/src/app/api/auth/callback/route.ts
index 0bea63b..f49e654 100644
--- a/src/app/api/auth/callback/route.ts
+++ b/src/app/api/auth/callback/route.ts
@@ -6,9 +6,6 @@ const CLIENT_SECRET = process.env.YF_OAUTH_CLIENT_SECRET || "";
 const CALLBACK_URL =
   process.env.YF_OAUTH_CALLBACK_URL ||
   "http://localhost:5050/api/auth/callback";
-const API_URL =
-  process.env.YORK_FACTORY_API_URL ||
-  "https://yorkfactory.buildcanada.com/api/v1";
 
 interface TokenResponse {
   access_token: string;
@@ -68,37 +65,22 @@ export async function GET(request: NextRequest) {
 
   const tokenData = (await tokenRes.json()) as TokenResponse;
 
-  // Look up the user to learn whether they're an admin. Admin status is a
-  // property of the user (surfaced by /me), not an OAuth scope — only admins
-  // get draft preview. Non-admins still get a valid session (general login).
-  let isAdmin = false;
-  try {
-    const meRes = await fetch(`${API_URL}/me`, {
-      headers: { Authorization: `Bearer ${tokenData.access_token}` },
-      cache: "no-store",
-    });
-    if (meRes.ok) {
-      isAdmin = (await meRes.json()).admin === true;
-    }
-  } catch {
-    // Treat a failed lookup as non-admin; the API still enforces access server-side.
-  }
-
   const isSecure = process.env.NODE_ENV === "production";
   const response = NextResponse.redirect(`${siteUrl}${redirectTo}`);
 
   response.cookies.delete("oauth_state");
   response.cookies.delete("oauth_redirect");
 
-  const cookieOpts = {
+  // Store only the access token. Identity and admin status are resolved live
+  // from /me when needed (see lib/auth.ts) — never baked into a cookie that
+  // could go stale.
+  response.cookies.set("yf_access_token", tokenData.access_token, {
     httpOnly: true,
     secure: isSecure,
     sameSite: "lax" as const,
     maxAge: tokenData.expires_in,
     path: "/",
-  };
-  response.cookies.set("yf_preview_token", tokenData.access_token, cookieOpts);
-  response.cookies.set("yf_admin", String(isAdmin), cookieOpts);
+  });
 
   return response;
 }
diff --git a/src/app/api/auth/logout/route.ts b/src/app/api/auth/logout/route.ts
index 43a631d..aef5dd4 100644
--- a/src/app/api/auth/logout/route.ts
+++ b/src/app/api/auth/logout/route.ts
@@ -8,13 +8,13 @@ export async function GET(request: NextRequest) {
   const siteUrl = new URL(request.url).origin;
 
   // Revoke Doorkeeper token if present
-  const previewToken = request.cookies.get("yf_preview_token")?.value;
-  if (previewToken && CLIENT_ID && CLIENT_SECRET) {
+  const accessToken = request.cookies.get("yf_access_token")?.value;
+  if (accessToken && CLIENT_ID && CLIENT_SECRET) {
     await fetch(`${YF_OAUTH_URL}/oauth/revoke`, {
       method: "POST",
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
       body: new URLSearchParams({
-        token: previewToken,
+        token: accessToken,
         client_id: CLIENT_ID,
         client_secret: CLIENT_SECRET,
       }).toString(),
@@ -23,8 +23,7 @@ export async function GET(request: NextRequest) {
   }
 
   const response = NextResponse.redirect(`${siteUrl}/memos`);
-  response.cookies.delete("yf_preview_token");
-  response.cookies.delete("yf_admin");
+  response.cookies.delete("yf_access_token");
 
   return response;
 }
diff --git a/src/app/api/auth/me/route.ts b/src/app/api/auth/me/route.ts
new file mode 100644
index 0000000..9024276
--- /dev/null
+++ b/src/app/api/auth/me/route.ts
@@ -0,0 +1,13 @@
+import { NextResponse } from "next/server";
+import { getCurrentUser } from "@/lib/auth";
+
+// Surfaces the signed-in user's identity to the browser for PostHog identify.
+// The access token stays httpOnly on the server; only non-sensitive identity
+// fields cross to the client. Returns { user: null } when not signed in.
+export async function GET() {
+  const user = await getCurrentUser();
+  return NextResponse.json(
+    { user },
+    { headers: { "Cache-Control": "no-store" } },
+  );
+}
diff --git a/src/app/layout.tsx b/src/app/layout.tsx
index d52d8d3..5406e6a 100644
--- a/src/app/layout.tsx
+++ b/src/app/layout.tsx
@@ -7,6 +7,7 @@ import ScrollToTop from "@/components/ScrollToTop";
 import ThemeShell from "@/components/ThemeShell";
 import { Toaster } from "sonner";
 import { SubscribeModal } from "@/components/subscribe";
+import { IdentifyUser } from "@/components/auth/IdentifyUser";
 
 const GA_ID = process.env.NEXT_PUBLIC_GA_MEASUREMENT_ID;
 
@@ -73,6 +74,7 @@ export default function RootLayout({
         </ThemeShell>
         <Toaster position="bottom-right" />
         <SubscribeModal />
+        <IdentifyUser />
       </body>
     </html>
   );
diff --git a/src/app/memos/[slug]/page.tsx b/src/app/memos/[slug]/page.tsx
index 548b202..dcd25bf 100644
--- a/src/app/memos/[slug]/page.tsx
+++ b/src/app/memos/[slug]/page.tsx
@@ -1,4 +1,3 @@
-import { cookies } from "next/headers";
 import { notFound, permanentRedirect } from "next/navigation";
 import type { Metadata } from "next";
 import { fetchMemo, fetchMemos, getSiteConfig } from "@/lib/api";
@@ -12,7 +11,19 @@ import { generateArticleSchema } from "@/lib/schemas/generators/article";
 import { generateBreadcrumbSchema } from "@/lib/schemas/generators/breadcrumb";
 import { generateOrganizationSchema } from "@/lib/schemas/generators/organization";
 import { DraftPreviewBanner } from "./DraftPreviewBanner";
-import { setPreviewToken } from "@/lib/preview-token";
+import { setAccessToken } from "@/lib/auth-token";
+import { getCurrentUser, getAccessTokenCookie } from "@/lib/auth";
+
+// Draft preview is gated on the signed-in user actually being an admin (live
+// from /me), never on a baked cookie. When they are, we hand apiFetch the
+// access token so it fetches drafts; otherwise the request store stays empty
+// and only published content is returned.
+async function resolvePreviewToken(): Promise<string | undefined> {
+  const user = await getCurrentUser();
+  const token = user?.admin ? await getAccessTokenCookie() : undefined;
+  setAccessToken(token);
+  return token;
+}
 
 export async function generateStaticParams() {
   try {
@@ -29,12 +40,8 @@ export async function generateMetadata({
   params: Promise<{ slug: string }>;
 }): Promise<Metadata> {
   const { slug } = await params;
-  const cookieStore = await cookies();
-  const previewToken =
-    cookieStore.get("yf_admin")?.value === "true"
-      ? cookieStore.get("yf_preview_token")?.value
-      : undefined;
-  setPreviewToken(previewToken);
+  // Prime the request-scoped token so draft metadata resolves for admins.
+  await resolvePreviewToken();
   let memo;
   try {
     memo = await fetchMemo(slug);
@@ -74,12 +81,7 @@ export default async function MemoDetailPage({
 }) {
   const { slug } = await params;
 
-  const cookieStore = await cookies();
-  const previewToken =
-    cookieStore.get("yf_admin")?.value === "true"
-      ? cookieStore.get("yf_preview_token")?.value
-      : undefined;
-  setPreviewToken(previewToken);
+  const previewToken = await resolvePreviewToken();
 
   let memo;
   try {
diff --git a/src/components/auth/IdentifyUser.tsx b/src/components/auth/IdentifyUser.tsx
new file mode 100644
index 0000000..ea04505
--- /dev/null
+++ b/src/components/auth/IdentifyUser.tsx
@@ -0,0 +1,52 @@
+"use client";
+
+import { useEffect } from "react";
+import posthog from "posthog-js";
+
+// Sentinel recording which user id we've already identified this browser
+// session, so identify fires once per session rather than once per page load.
+const SESSION_KEY = "yf_identified";
+
+// Bridges the httpOnly session to PostHog: asks the server who the user is
+// (token never leaves the server) and identifies them in PostHog on login,
+// resets on logout. Rendered once in the root layout; returns no UI.
+export function IdentifyUser() {
+  useEffect(() => {
+    let cancelled = false;
+
+    (async () => {
+      try {
+        const res = await fetch("/api/auth/me", { cache: "no-store" });
+        if (!res.ok || cancelled) return;
+
+        const { user } = await res.json();
+        if (cancelled) return;
+
+        if (user) {
+          if (sessionStorage.getItem(SESSION_KEY) !== String(user.id)) {
+            posthog.identify(String(user.id), {
+              email: user.email,
+              name: user.name,
+              role: user.role,
+              is_admin: user.admin,
+            });
+            sessionStorage.setItem(SESSION_KEY, String(user.id));
+          }
+        } else if (sessionStorage.getItem(SESSION_KEY)) {
+          // Was identified, now signed out → reset so the next anonymous
+          // visitor isn't conflated with the previous user.
+          posthog.reset();
+          sessionStorage.removeItem(SESSION_KEY);
+        }
+      } catch {
+        // Best-effort: analytics identification must never break the page.
+      }
+    })();
+
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+
+  return null;
+}
diff --git a/src/lib/api/client.ts b/src/lib/api/client.ts
index ac4dcbc..70732de 100644
--- a/src/lib/api/client.ts
+++ b/src/lib/api/client.ts
@@ -1,4 +1,4 @@
-import { getPreviewToken } from "@/lib/preview-token";
+import { getAccessToken } from "@/lib/auth-token";
 
 export const API_URL =
   process.env.YORK_FACTORY_API_URL ||
@@ -21,14 +21,14 @@ export async function apiFetch<T>(
   }
 
   const headers: Record<string, string> = {};
-  const previewToken = getPreviewToken();
-  if (previewToken) {
-    headers["Authorization"] = `Bearer ${previewToken}`;
+  const accessToken = getAccessToken();
+  if (accessToken) {
+    headers["Authorization"] = `Bearer ${accessToken}`;
   }
 
   const res = await fetch(url.toString(), {
     headers,
-    next: previewToken
+    next: accessToken
       ? { revalidate: 0 }
       : { revalidate: options?.revalidate ?? 60 },
   });
diff --git a/src/lib/auth-token.ts b/src/lib/auth-token.ts
new file mode 100644
index 0000000..61114ba
--- /dev/null
+++ b/src/lib/auth-token.ts
@@ -0,0 +1,17 @@
+import { cache } from "react";
+
+type Store = { value: string | undefined };
+
+// Request-scoped holder for the caller's OAuth access token. A server component
+// sets it (when the signed-in user may access non-public data) and apiFetch
+// reads it to attach the Authorization header. React.cache keeps it isolated
+// per request.
+const _store = cache((): Store => ({ value: undefined }));
+
+export function setAccessToken(token: string | undefined): void {
+  _store().value = token;
+}
+
+export function getAccessToken(): string | undefined {
+  return _store().value;
+}
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
new file mode 100644
index 0000000..14d6b73
--- /dev/null
+++ b/src/lib/auth.ts
@@ -0,0 +1,52 @@
+import { cache } from "react";
+import { cookies } from "next/headers";
+import { API_URL } from "@/lib/api/client";
+
+export const ACCESS_TOKEN_COOKIE = "yf_access_token";
+
+export interface YfUser {
+  id: number;
+  email: string;
+  name: string | null;
+  role: string | null;
+  avatarUrl: string | null;
+  admin: boolean;
+}
+
+// Reads the signed-in user's OAuth access token from the httpOnly cookie.
+export async function getAccessTokenCookie(): Promise<string | undefined> {
+  const store = await cookies();
+  return store.get(ACCESS_TOKEN_COOKIE)?.value;
+}
+
+// Resolves the current user from York Factory's /me endpoint using the access
+// token cookie. Returns null when there's no token or the token is invalid /
+// expired. React.cache dedupes this to a single /me call per server request
+// (e.g. generateMetadata + the page component share one result). It is
+// intentionally NOT cached across requests: /me is per-user authenticated data,
+// so a shared TTL cache could serve one user's identity to another and would
+// also let a revoked admin keep access until the entry expired.
+export const getCurrentUser = cache(async (): Promise<YfUser | null> => {
+  const token = await getAccessTokenCookie();
+  if (!token) return null;
+
+  try {
+    const res = await fetch(`${API_URL}/me`, {
+      headers: { Authorization: `Bearer ${token}` },
+      cache: "no-store",
+    });
+    if (!res.ok) return null;
+
+    const data = await res.json();
+    return {
+      id: data.id,
+      email: data.email,
+      name: data.name ?? null,
+      role: data.role ?? null,
+      avatarUrl: data.avatar_url ?? null,
+      admin: data.admin === true,
+    };
+  } catch {
+    return null;
+  }
+});
diff --git a/src/lib/preview-token.ts b/src/lib/preview-token.ts
deleted file mode 100644
index 3484e52..0000000
--- a/src/lib/preview-token.ts
+++ /dev/null
@@ -1,13 +0,0 @@
-import { cache } from "react";
-
-type Store = { value: string | undefined };
-
-const _store = cache((): Store => ({ value: undefined }));
-
-export function setPreviewToken(token: string | undefined): void {
-  _store().value = token;
-}
-
-export function getPreviewToken(): string | undefined {
-  return _store().value;
-}

From e0429245dc260b971b9deac19b7ab211b2bb8bf4 Mon Sep 17 00:00:00 2001
From: xrendan <brendan@brendansamek.com>
Date: Wed, 17 Jun 2026 14:20:25 -0600
Subject: [PATCH 09/11] refactor: identify by email, drop user id; rename
 residual previewToken

- PostHog identify keyed on email (no internal id in the frontend)
- YfUser drops id; getCurrentUser no longer maps it
- resolvePreviewToken -> resolveAccessToken, previewToken var -> accessToken
---
 src/app/memos/[slug]/page.tsx        | 10 +++++-----
 src/components/auth/IdentifyUser.tsx | 11 ++++++-----
 src/lib/auth.ts                      |  2 --
 3 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/src/app/memos/[slug]/page.tsx b/src/app/memos/[slug]/page.tsx
index dcd25bf..2a02bdb 100644
--- a/src/app/memos/[slug]/page.tsx
+++ b/src/app/memos/[slug]/page.tsx
@@ -18,7 +18,7 @@ import { getCurrentUser, getAccessTokenCookie } from "@/lib/auth";
 // from /me), never on a baked cookie. When they are, we hand apiFetch the
 // access token so it fetches drafts; otherwise the request store stays empty
 // and only published content is returned.
-async function resolvePreviewToken(): Promise<string | undefined> {
+async function resolveAccessToken(): Promise<string | undefined> {
   const user = await getCurrentUser();
   const token = user?.admin ? await getAccessTokenCookie() : undefined;
   setAccessToken(token);
@@ -41,7 +41,7 @@ export async function generateMetadata({
 }): Promise<Metadata> {
   const { slug } = await params;
   // Prime the request-scoped token so draft metadata resolves for admins.
-  await resolvePreviewToken();
+  await resolveAccessToken();
   let memo;
   try {
     memo = await fetchMemo(slug);
@@ -81,13 +81,13 @@ export default async function MemoDetailPage({
 }) {
   const { slug } = await params;
 
-  const previewToken = await resolvePreviewToken();
+  const accessToken = await resolveAccessToken();
 
   let memo;
   try {
     memo = await fetchMemo(slug);
   } catch {
-    if (!previewToken) notFound();
+    if (!accessToken) notFound();
 
     return (
       <div className="mx-[10px] my-[10px] border border-border-light bg-bg">
@@ -173,7 +173,7 @@ export default async function MemoDetailPage({
 
   return (
     <div className="mx-[10px] my-[10px] border border-border-light bg-bg">
-      {previewToken && (
+      {accessToken && (
         <DraftPreviewBanner state="viewing-draft" slug={slug} />
       )}
       <script
diff --git a/src/components/auth/IdentifyUser.tsx b/src/components/auth/IdentifyUser.tsx
index ea04505..9c39682 100644
--- a/src/components/auth/IdentifyUser.tsx
+++ b/src/components/auth/IdentifyUser.tsx
@@ -3,8 +3,9 @@
 import { useEffect } from "react";
 import posthog from "posthog-js";
 
-// Sentinel recording which user id we've already identified this browser
-// session, so identify fires once per session rather than once per page load.
+// Sentinel recording which user (by email) we've already identified this
+// browser session, so identify fires once per session rather than once per
+// page load.
 const SESSION_KEY = "yf_identified";
 
 // Bridges the httpOnly session to PostHog: asks the server who the user is
@@ -23,14 +24,14 @@ export function IdentifyUser() {
         if (cancelled) return;
 
         if (user) {
-          if (sessionStorage.getItem(SESSION_KEY) !== String(user.id)) {
-            posthog.identify(String(user.id), {
+          if (sessionStorage.getItem(SESSION_KEY) !== user.email) {
+            posthog.identify(user.email, {
               email: user.email,
               name: user.name,
               role: user.role,
               is_admin: user.admin,
             });
-            sessionStorage.setItem(SESSION_KEY, String(user.id));
+            sessionStorage.setItem(SESSION_KEY, user.email);
           }
         } else if (sessionStorage.getItem(SESSION_KEY)) {
           // Was identified, now signed out → reset so the next anonymous
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index 14d6b73..09a2f3e 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -5,7 +5,6 @@ import { API_URL } from "@/lib/api/client";
 export const ACCESS_TOKEN_COOKIE = "yf_access_token";
 
 export interface YfUser {
-  id: number;
   email: string;
   name: string | null;
   role: string | null;
@@ -39,7 +38,6 @@ export const getCurrentUser = cache(async (): Promise<YfUser | null> => {
 
     const data = await res.json();
     return {
-      id: data.id,
       email: data.email,
       name: data.name ?? null,
       role: data.role ?? null,

From 3de575a0b75d810a575cdbe5726887bde9e513fb Mon Sep 17 00:00:00 2001
From: xrendan <brendan@brendansamek.com>
Date: Wed, 17 Jun 2026 14:44:33 -0600
Subject: [PATCH 10/11] review fixes: silent token refresh, fix open redirect,
 fail-loud config

- M2: store refresh token + middleware that silently renews the access token
  when it expires; logout now revokes both access and refresh tokens
- M1: safeRedirectPath() rejects protocol-relative/absolute redirects in
  login and callback (no more //evil.com open redirect)
- H1: oauthConfig() refuses localhost fallback in production (fail loudly)
- L2: getCurrentUser logs YF 5xx/network errors instead of silently treating
  a transient outage as 'signed out'
- centralize OAuth config/cookies in lib/oauth.ts
---
 src/app/api/auth/callback/route.ts |  62 ++++++-----------
 src/app/api/auth/login/route.ts    |  27 +++-----
 src/app/api/auth/logout/route.ts   |  48 ++++++++-----
 src/lib/auth.ts                    |  35 ++++++----
 src/lib/oauth.ts                   | 107 +++++++++++++++++++++++++++++
 src/middleware.ts                  |  41 +++++++++++
 6 files changed, 233 insertions(+), 87 deletions(-)
 create mode 100644 src/lib/oauth.ts
 create mode 100644 src/middleware.ts

diff --git a/src/app/api/auth/callback/route.ts b/src/app/api/auth/callback/route.ts
index f49e654..8e6569d 100644
--- a/src/app/api/auth/callback/route.ts
+++ b/src/app/api/auth/callback/route.ts
@@ -1,21 +1,13 @@
 import { NextRequest, NextResponse } from "next/server";
-
-const YF_OAUTH_URL = process.env.YF_OAUTH_URL || "http://localhost:3000";
-const CLIENT_ID = process.env.YF_OAUTH_CLIENT_ID || "";
-const CLIENT_SECRET = process.env.YF_OAUTH_CLIENT_SECRET || "";
-const CALLBACK_URL =
-  process.env.YF_OAUTH_CALLBACK_URL ||
-  "http://localhost:5050/api/auth/callback";
-
-interface TokenResponse {
-  access_token: string;
-  token_type: string;
-  expires_in: number;
-  scope?: string;
-  refresh_token?: string;
-}
+import {
+  oauthConfig,
+  safeRedirectPath,
+  setSessionCookies,
+  type TokenResponse,
+} from "@/lib/oauth";
 
 export async function GET(request: NextRequest) {
+  const { url, callbackUrl, clientId, clientSecret } = oauthConfig();
   const { searchParams } = request.nextUrl;
   const code = searchParams.get("code");
   const state = searchParams.get("state");
@@ -24,35 +16,31 @@ export async function GET(request: NextRequest) {
   const siteUrl = new URL(request.url).origin;
 
   if (error) {
-    return NextResponse.redirect(
-      `${siteUrl}/?preview_error=oauth_denied`,
-    );
+    return NextResponse.redirect(`${siteUrl}/?preview_error=oauth_denied`);
   }
 
   if (!code || !state) {
-    return NextResponse.redirect(
-      `${siteUrl}/?preview_error=invalid_callback`,
-    );
+    return NextResponse.redirect(`${siteUrl}/?preview_error=invalid_callback`);
   }
 
   const storedState = request.cookies.get("oauth_state")?.value;
-  const redirectTo = request.cookies.get("oauth_redirect")?.value || "/memos";
+  const redirectTo = safeRedirectPath(
+    request.cookies.get("oauth_redirect")?.value,
+  );
 
   if (!storedState || state !== storedState) {
-    return NextResponse.redirect(
-      `${siteUrl}/?preview_error=state_mismatch`,
-    );
+    return NextResponse.redirect(`${siteUrl}/?preview_error=state_mismatch`);
   }
 
-  const tokenRes = await fetch(`${YF_OAUTH_URL}/oauth/token`, {
+  const tokenRes = await fetch(`${url}/oauth/token`, {
     method: "POST",
     headers: { "Content-Type": "application/x-www-form-urlencoded" },
     body: new URLSearchParams({
       grant_type: "authorization_code",
       code,
-      redirect_uri: CALLBACK_URL,
-      client_id: CLIENT_ID,
-      client_secret: CLIENT_SECRET,
+      redirect_uri: callbackUrl,
+      client_id: clientId,
+      client_secret: clientSecret,
     }).toString(),
     cache: "no-store",
   });
@@ -65,22 +53,14 @@ export async function GET(request: NextRequest) {
 
   const tokenData = (await tokenRes.json()) as TokenResponse;
 
-  const isSecure = process.env.NODE_ENV === "production";
   const response = NextResponse.redirect(`${siteUrl}${redirectTo}`);
-
   response.cookies.delete("oauth_state");
   response.cookies.delete("oauth_redirect");
 
-  // Store only the access token. Identity and admin status are resolved live
-  // from /me when needed (see lib/auth.ts) — never baked into a cookie that
-  // could go stale.
-  response.cookies.set("yf_access_token", tokenData.access_token, {
-    httpOnly: true,
-    secure: isSecure,
-    sameSite: "lax" as const,
-    maxAge: tokenData.expires_in,
-    path: "/",
-  });
+  // Store the access token (+ refresh token for silent renewal). Identity and
+  // admin status are resolved live from /me when needed (see lib/auth.ts) —
+  // never baked into a cookie that could go stale.
+  setSessionCookies(response, tokenData);
 
   return response;
 }
diff --git a/src/app/api/auth/login/route.ts b/src/app/api/auth/login/route.ts
index 70eaad7..09c2273 100644
--- a/src/app/api/auth/login/route.ts
+++ b/src/app/api/auth/login/route.ts
@@ -1,27 +1,22 @@
 import { randomBytes } from "crypto";
 import { NextRequest, NextResponse } from "next/server";
-
-const YF_OAUTH_URL = process.env.YF_OAUTH_URL || "http://localhost:3000";
-const CLIENT_ID = process.env.YF_OAUTH_CLIENT_ID || "";
-const CALLBACK_URL =
-  process.env.YF_OAUTH_CALLBACK_URL ||
-  "http://localhost:5050/api/auth/callback";
+import { oauthConfig, safeRedirectPath } from "@/lib/oauth";
 
 export async function GET(request: NextRequest) {
-  if (!CLIENT_ID) {
-    return NextResponse.json(
-      { error: "OAuth not configured" },
-      { status: 503 },
-    );
+  const { url, callbackUrl, clientId } = oauthConfig();
+
+  if (!clientId) {
+    return NextResponse.json({ error: "OAuth not configured" }, { status: 503 });
   }
 
   const state = randomBytes(16).toString("hex");
-  const redirectTo =
-    request.nextUrl.searchParams.get("redirect") || "/memos";
+  const redirectTo = safeRedirectPath(
+    request.nextUrl.searchParams.get("redirect"),
+  );
 
-  const authorizeUrl = new URL(`${YF_OAUTH_URL}/oauth/authorize`);
-  authorizeUrl.searchParams.set("client_id", CLIENT_ID);
-  authorizeUrl.searchParams.set("redirect_uri", CALLBACK_URL);
+  const authorizeUrl = new URL(`${url}/oauth/authorize`);
+  authorizeUrl.searchParams.set("client_id", clientId);
+  authorizeUrl.searchParams.set("redirect_uri", callbackUrl);
   authorizeUrl.searchParams.set("response_type", "code");
   authorizeUrl.searchParams.set("state", state);
 
diff --git a/src/app/api/auth/logout/route.ts b/src/app/api/auth/logout/route.ts
index aef5dd4..a521f1c 100644
--- a/src/app/api/auth/logout/route.ts
+++ b/src/app/api/auth/logout/route.ts
@@ -1,29 +1,41 @@
 import { NextRequest, NextResponse } from "next/server";
-
-const YF_OAUTH_URL = process.env.YF_OAUTH_URL || "http://localhost:3000";
-const CLIENT_ID = process.env.YF_OAUTH_CLIENT_ID || "";
-const CLIENT_SECRET = process.env.YF_OAUTH_CLIENT_SECRET || "";
+import {
+  ACCESS_TOKEN_COOKIE,
+  REFRESH_TOKEN_COOKIE,
+  clearSessionCookies,
+  oauthConfig,
+} from "@/lib/oauth";
 
 export async function GET(request: NextRequest) {
+  const { url, clientId, clientSecret } = oauthConfig();
   const siteUrl = new URL(request.url).origin;
 
-  // Revoke Doorkeeper token if present
-  const accessToken = request.cookies.get("yf_access_token")?.value;
-  if (accessToken && CLIENT_ID && CLIENT_SECRET) {
-    await fetch(`${YF_OAUTH_URL}/oauth/revoke`, {
-      method: "POST",
-      headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: new URLSearchParams({
-        token: accessToken,
-        client_id: CLIENT_ID,
-        client_secret: CLIENT_SECRET,
-      }).toString(),
-      cache: "no-store",
-    }).catch(() => {});
+  // Revoke both tokens server-side so logout isn't just a client-side cookie
+  // drop — a leaked token shouldn't outlive the session.
+  if (clientId && clientSecret) {
+    const tokens = [
+      request.cookies.get(ACCESS_TOKEN_COOKIE)?.value,
+      request.cookies.get(REFRESH_TOKEN_COOKIE)?.value,
+    ].filter(Boolean) as string[];
+
+    await Promise.all(
+      tokens.map((token) =>
+        fetch(`${url}/oauth/revoke`, {
+          method: "POST",
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          body: new URLSearchParams({
+            token,
+            client_id: clientId,
+            client_secret: clientSecret,
+          }).toString(),
+          cache: "no-store",
+        }).catch(() => {}),
+      ),
+    );
   }
 
   const response = NextResponse.redirect(`${siteUrl}/memos`);
-  response.cookies.delete("yf_access_token");
+  clearSessionCookies(response);
 
   return response;
 }
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index 09a2f3e..77d5007 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -1,8 +1,7 @@
 import { cache } from "react";
 import { cookies } from "next/headers";
 import { API_URL } from "@/lib/api/client";
-
-export const ACCESS_TOKEN_COOKIE = "yf_access_token";
+import { ACCESS_TOKEN_COOKIE } from "@/lib/oauth";
 
 export interface YfUser {
   email: string;
@@ -34,17 +33,29 @@ export const getCurrentUser = cache(async (): Promise<YfUser | null> => {
       headers: { Authorization: `Bearer ${token}` },
       cache: "no-store",
     });
-    if (!res.ok) return null;
 
-    const data = await res.json();
-    return {
-      email: data.email,
-      name: data.name ?? null,
-      role: data.role ?? null,
-      avatarUrl: data.avatar_url ?? null,
-      admin: data.admin === true,
-    };
-  } catch {
+    if (res.ok) {
+      const data = await res.json();
+      return {
+        email: data.email,
+        name: data.name ?? null,
+        role: data.role ?? null,
+        avatarUrl: data.avatar_url ?? null,
+        admin: data.admin === true,
+      };
+    }
+
+    // 401/403 means the token is genuinely invalid/expired → signed out (quiet).
+    // Anything else means York Factory is unhealthy; log it so a transient
+    // outage isn't silently misread as "every admin lost access."
+    if (res.status !== 401 && res.status !== 403) {
+      console.warn(
+        `[auth] /me returned ${res.status}; treating user as signed out`,
+      );
+    }
+    return null;
+  } catch (err) {
+    console.warn("[auth] /me request failed; treating user as signed out", err);
     return null;
   }
 });
diff --git a/src/lib/oauth.ts b/src/lib/oauth.ts
new file mode 100644
index 0000000..29f16ad
--- /dev/null
+++ b/src/lib/oauth.ts
@@ -0,0 +1,107 @@
+import { NextResponse } from "next/server";
+
+const isProd = process.env.NODE_ENV === "production";
+
+// Resolves a required OAuth env var. In production we refuse to fall back to a
+// localhost default — a missing var should fail loudly rather than silently
+// send auth codes to a non-existent local callback.
+function resolve(name: string, devFallback: string): string {
+  const value = process.env[name];
+  if (value) return value;
+  if (isProd) {
+    throw new Error(
+      `Missing required OAuth env var ${name}; refusing to fall back to a localhost default in production.`,
+    );
+  }
+  return devFallback;
+}
+
+export function oauthConfig() {
+  return {
+    url: resolve("YF_OAUTH_URL", "http://localhost:3000"),
+    callbackUrl: resolve(
+      "YF_OAUTH_CALLBACK_URL",
+      "http://localhost:5050/api/auth/callback",
+    ),
+    clientId: process.env.YF_OAUTH_CLIENT_ID ?? "",
+    clientSecret: process.env.YF_OAUTH_CLIENT_SECRET ?? "",
+  };
+}
+
+export const ACCESS_TOKEN_COOKIE = "yf_access_token";
+export const REFRESH_TOKEN_COOKIE = "yf_refresh_token";
+
+// Refresh tokens outlive the short access token so middleware can renew the
+// session silently. 30 days bounds how long an idle session can be revived.
+const REFRESH_TOKEN_MAX_AGE = 60 * 60 * 24 * 30;
+
+export interface TokenResponse {
+  access_token: string;
+  token_type: string;
+  expires_in: number;
+  scope?: string;
+  refresh_token?: string;
+}
+
+// Only allow same-site, path-absolute redirects. Rejects absolute URLs and
+// protocol-relative values like "//evil.com" that browsers treat as external.
+export function safeRedirectPath(input: string | null | undefined): string {
+  return input && /^\/(?!\/)/.test(input) ? input : "/memos";
+}
+
+// Persists session tokens as httpOnly cookies. The access token cookie expires
+// with the token; the refresh token lives longer so it can renew the session.
+export function setSessionCookies(
+  response: NextResponse,
+  tokenData: TokenResponse,
+): void {
+  const secure = isProd;
+  response.cookies.set(ACCESS_TOKEN_COOKIE, tokenData.access_token, {
+    httpOnly: true,
+    secure,
+    sameSite: "lax",
+    maxAge: tokenData.expires_in,
+    path: "/",
+  });
+  if (tokenData.refresh_token) {
+    response.cookies.set(REFRESH_TOKEN_COOKIE, tokenData.refresh_token, {
+      httpOnly: true,
+      secure,
+      sameSite: "lax",
+      maxAge: REFRESH_TOKEN_MAX_AGE,
+      path: "/",
+    });
+  }
+}
+
+export function clearSessionCookies(response: NextResponse): void {
+  response.cookies.delete(ACCESS_TOKEN_COOKIE);
+  response.cookies.delete(REFRESH_TOKEN_COOKIE);
+}
+
+// Exchanges a refresh token for a fresh access token (and, with rotation, a new
+// refresh token). Returns null on any failure so callers fail closed.
+export async function refreshAccessToken(
+  refreshToken: string,
+): Promise<TokenResponse | null> {
+  const { url, clientId, clientSecret } = oauthConfig();
+  if (!clientId || !clientSecret) return null;
+
+  try {
+    const res = await fetch(`${url}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: refreshToken,
+        client_id: clientId,
+        client_secret: clientSecret,
+      }).toString(),
+      cache: "no-store",
+    });
+    if (!res.ok) return null;
+    return (await res.json()) as TokenResponse;
+  } catch {
+    return null;
+  }
+}
diff --git a/src/middleware.ts b/src/middleware.ts
new file mode 100644
index 0000000..9a525d1
--- /dev/null
+++ b/src/middleware.ts
@@ -0,0 +1,41 @@
+import { NextRequest, NextResponse } from "next/server";
+import {
+  ACCESS_TOKEN_COOKIE,
+  REFRESH_TOKEN_COOKIE,
+  clearSessionCookies,
+  refreshAccessToken,
+  setSessionCookies,
+} from "@/lib/oauth";
+
+// Silently renews the session. When the short-lived access token cookie has
+// expired but a refresh token is still present, exchange it for a new access
+// token (and rotated refresh token). Runs only on routes that actually consume
+// the token (memo pages for draft preview, and the identity proxy), never on
+// static assets.
+export async function middleware(request: NextRequest) {
+  const hasAccess = request.cookies.has(ACCESS_TOKEN_COOKIE);
+  const refreshToken = request.cookies.get(REFRESH_TOKEN_COOKIE)?.value;
+
+  if (hasAccess || !refreshToken) return NextResponse.next();
+
+  const tokenData = await refreshAccessToken(refreshToken);
+
+  if (!tokenData) {
+    // Refresh token is dead/revoked — clear it so we stop retrying every request.
+    const response = NextResponse.next();
+    clearSessionCookies(response);
+    return response;
+  }
+
+  // Make the fresh token visible to the current request (so this very render /
+  // API call already sees the renewed session)…
+  request.cookies.set(ACCESS_TOKEN_COOKIE, tokenData.access_token);
+  const response = NextResponse.next({ request: { headers: request.headers } });
+  // …and persist it on the browser for subsequent requests.
+  setSessionCookies(response, tokenData);
+  return response;
+}
+
+export const config = {
+  matcher: ["/memos/:path*", "/api/auth/me"],
+};

From 089f3548f932d704dcfa34cee66099296248cbf1 Mon Sep 17 00:00:00 2001
From: xrendan <brendan@brendansamek.com>
Date: Wed, 17 Jun 2026 15:34:11 -0600
Subject: [PATCH 11/11] review fix (L1): make logout POST-only with same-origin
 check

Converts the 'Exit preview' links to POST forms and the logout route from
GET to POST with an Origin check + 303 redirect. Removes the CSRF
force-logout vector (cross-site <img>/<a> could previously hit GET logout).
---
 src/app/api/auth/logout/route.ts            | 13 ++++++--
 src/app/memos/[slug]/DraftPreviewBanner.tsx | 33 ++++++++++++++++-----
 2 files changed, 36 insertions(+), 10 deletions(-)

diff --git a/src/app/api/auth/logout/route.ts b/src/app/api/auth/logout/route.ts
index a521f1c..5be087b 100644
--- a/src/app/api/auth/logout/route.ts
+++ b/src/app/api/auth/logout/route.ts
@@ -6,10 +6,18 @@ import {
   oauthConfig,
 } from "@/lib/oauth";
 
-export async function GET(request: NextRequest) {
+export async function POST(request: NextRequest) {
   const { url, clientId, clientSecret } = oauthConfig();
   const siteUrl = new URL(request.url).origin;
 
+  // CSRF guard: a same-origin form POST sends an Origin header matching our own
+  // origin. Reject anything cross-site so logout can't be forced from another
+  // site. (Logout is POST-only for the same reason — no GET vector.)
+  const origin = request.headers.get("origin");
+  if (origin && origin !== siteUrl) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
   // Revoke both tokens server-side so logout isn't just a client-side cookie
   // drop — a leaked token shouldn't outlive the session.
   if (clientId && clientSecret) {
@@ -34,7 +42,8 @@ export async function GET(request: NextRequest) {
     );
   }
 
-  const response = NextResponse.redirect(`${siteUrl}/memos`);
+  // 303 See Other so the browser issues a GET to /memos after the POST.
+  const response = NextResponse.redirect(`${siteUrl}/memos`, 303);
   clearSessionCookies(response);
 
   return response;
diff --git a/src/app/memos/[slug]/DraftPreviewBanner.tsx b/src/app/memos/[slug]/DraftPreviewBanner.tsx
index c3e4f84..65f2d41 100644
--- a/src/app/memos/[slug]/DraftPreviewBanner.tsx
+++ b/src/app/memos/[slug]/DraftPreviewBanner.tsx
@@ -1,5 +1,3 @@
-import Link from "next/link";
-
 type BannerState = "viewing-draft" | "draft-not-found";
 
 interface DraftPreviewBannerProps {
@@ -7,14 +5,35 @@ interface DraftPreviewBannerProps {
   slug: string;
 }
 
+// Logout is a POST form (not a link) so it can't be triggered cross-site via
+// <img>/<a>. Combined with the route's same-origin check, this prevents CSRF
+// force-logout. display:contents keeps the form transparent to the flex layout
+// so the button behaves like the link it replaces.
+function ExitPreviewButton({
+  className,
+  label,
+}: {
+  className: string;
+  label: string;
+}) {
+  return (
+    <form action="/api/auth/logout" method="post" className="contents">
+      <button
+        type="submit"
+        className={`${className} [font:inherit] text-inherit cursor-pointer border-0 bg-transparent p-0`}
+      >
+        {label}
+      </button>
+    </form>
+  );
+}
+
 export function DraftPreviewBanner({ state }: DraftPreviewBannerProps) {
   if (state === "viewing-draft") {
     return (
       <div className="w-full bg-amber-500 text-white text-sm px-4 py-2 flex items-center justify-between">
         <span className="font-medium">DRAFT — not yet published</span>
-        <Link href="/api/auth/logout" className="underline">
-          Exit preview
-        </Link>
+        <ExitPreviewButton className="underline" label="Exit preview" />
       </div>
     );
   }
@@ -22,9 +41,7 @@ export function DraftPreviewBanner({ state }: DraftPreviewBannerProps) {
   return (
     <div className="w-full border border-amber-400 bg-amber-50 text-amber-900 text-sm px-4 py-3 flex items-center gap-2">
       <span>No draft found for this slug.</span>
-      <Link href="/api/auth/logout" className="underline ml-auto">
-        Exit preview mode
-      </Link>
+      <ExitPreviewButton className="underline ml-auto" label="Exit preview mode" />
     </div>
   );
 }