Mobile bringup phase 1 backend auth and Schoology flow#4
Pull request overview
This PR implements mobile authentication and Schoology OAuth flow support for the mobile app, introducing a comprehensive backend API for mobile clients with token-based authentication, PKCE flow support, and rate limiting.
Changes:
- Added mobile API endpoints for Google/Schoology OAuth flows with PKCE verification
- Implemented mobile-specific JWT tokens, refresh token rotation, and device management
- Added rate limiting infrastructure using Flask-Limiter
Reviewed changes
Copilot reviewed 15 out of 16 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/mobile/test_mobile_api.py | Comprehensive test suite for mobile auth flows, token exchange, and device management |
| tests/mobile/__init__.py | Package marker for mobile tests |
| tests/__init__.py | Package marker for tests |
| schoology_service | Updated subproject commit reference |
| requirements.txt | Added Flask-Limiter dependency |
| mobile/service.py | Core service layer implementing mobile auth flows, token management, and PKCE validation |
| mobile/routes.py | REST API endpoints for mobile authentication and session management |
| mobile/__init__.py | Package marker for mobile module |
| extensions.py | Flask-Limiter configuration for rate limiting |
| docs/mobile_auth_contract_v1.md | API documentation for mobile authentication contract |
| db/mobile.py | Database operations for mobile tokens, devices, and OAuth requests |
| db/__init__.py | Database schema initialization for mobile tables |
| config.py | Configuration for mobile token TTLs, redirect URIs, and rate limiting |
| auth/mobile_middleware.py | Bearer token authentication middleware for mobile endpoints |
| auth/jwt_utils.py | JWT utility functions supporting multiple audiences (mobile_api, convex) |
| app.py | Integration of mobile blueprint and rate limiting |
| else: | ||
| expires_in_seconds = Config.MOBILE_ACCESS_TOKEN_TTL_SECONDS | ||
|
|
||
| now = datetime.now(timezone.utc) |
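Review bot: only the `else:` fallback to `Config.MOBILE_ACCESS_TOKEN_TTL_SECONDS` is visible in this hunk; the branch that sets `expires_in_seconds` otherwise is outside it, so confirm that value is clamped to the configured TTL rather than taken from request input as-is, and consider computing `now` once and threading it through so the issued-at and expiry timestamps cannot drift within the same call.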
The function uses datetime.now(timezone.utc) while other parts of the codebase use mobile_db.utcnow() which returns datetime.now(timezone.utc). Consider using the centralized mobile_db.utcnow() helper for consistency, or create a shared utility function to avoid duplicating this pattern.
| def now_utc(): | ||
| return mobile_db.utcnow() |
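Review bot: `now_utc` has no docstring explaining why it exists; if it is meant as a test seam (a single name tests can patch to freeze time for expiry checks), say so in a one-line docstring and use it everywhere in the module instead of calling `datetime.now(timezone.utc)` directly, otherwise drop the wrapper and call `mobile_db.utcnow()`.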
This function is a simple wrapper around mobile_db.utcnow() without adding functionality. Consider directly using mobile_db.utcnow() throughout this module to reduce unnecessary indirection and improve code clarity.
Summary
Testing