Feature: Linking X/Twitter Account in the Profile and Logging in via X oauth #123
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ion during X redirect
…d apply proper cleanup to twitter_url and twitter_username rows when disconnecting the X account
m2rads
commented
Jan 12, 2026
Author
There was a problem hiding this comment.
Hi @dvassallo! Here is my self review. Please let me know if any changes or further explanation required. Thanks!
Comment on lines
+83
to
+85
| gem "omniauth" | ||
| gem "omniauth-twitter2" | ||
| gem "omniauth-rails_csrf_protection" |
Author
There was a problem hiding this comment.
These three gems are recommended on X documentation page here.
omniauth-twitter2 is dependent on omniauth.
omniauth-rails_csrf_protection adds CSRF protection to omniauth.
Comment on lines
+174
to
+179
|
|
||
| <% unless @user.twitter_connected_at.present? %> | ||
| <form id="x-oauth-form" action="/auth/twitter2" method="post" style="display: none;"> | ||
| <input type="hidden" name="authenticity_token" value="<%= form_authenticity_token %>"> | ||
| </form> | ||
| <% end %> |
Author
There was a problem hiding this comment.
This is the form where it initiates the X account linking by calling the auth/twitter2 endpoint.
Comment on lines
+1
to
+12
| class AddTwitterOAuthToUsers < ActiveRecord::Migration[7.2] | ||
| def change | ||
| add_column :users, :twitter_uid, :string | ||
| add_column :users, :twitter_oauth_token, :text | ||
| add_column :users, :twitter_oauth_refresh_token, :text | ||
| add_column :users, :twitter_screen_name, :string | ||
| add_column :users, :twitter_profile_image, :string | ||
| add_column :users, :twitter_connected_at, :datetime | ||
|
|
||
| add_index :users, :twitter_uid, unique: true | ||
| end | ||
| end |
Author
There was a problem hiding this comment.
Adds OAuth db fields to User table. This will be used for refreshing the session and logging in during X OAuth flow.
Comment on lines
+1
to
+6
| Rails.application.config.middleware.use OmniAuth::Builder do | ||
| provider :twitter2, | ||
| ENV["X_CLIENT_ID"], | ||
| ENV["X_CLIENT_SECRET"], | ||
| scope: "tweet.read users.read offline.access" | ||
| end |
Author
There was a problem hiding this comment.
Configures OmniAuth middleware with X client ID/secret and required scopes.
Comment on lines
+75
to
+76
| get "/auth/failure", to: "users/omniauth_callbacks#failure" | ||
| delete "/auth/twitter/disconnect", to: "users/omniauth_callbacks#disconnect" |
Author
There was a problem hiding this comment.
These two endpoints handle auth failures and account disconnection.
|
|
||
| validates_presence_of :email_address, if: :person? | ||
| normalizes :email_address, with: ->(email_address) { email_address.downcase } | ||
| validates :twitter_uid, uniqueness: true, allow_nil: true |
Author
There was a problem hiding this comment.
Prevents one X account from being linked to multiple users.
Comment on lines
+219
to
+222
| def twitter_connected? | ||
| twitter_uid.present? && twitter_connected_at.present? | ||
| end | ||
|
|
Author
There was a problem hiding this comment.
Helper to check if account is linked. This is only used in the test to make sure that the X account is linked properly.
Comment on lines
+14
to
+58
| def mock_auth_hash(uid: "123456789", nickname: "testuser") | ||
| OmniAuth::AuthHash.new({ | ||
| "provider" => "twitter2", | ||
| "uid" => uid, | ||
| "info" => { | ||
| "nickname" => nickname, | ||
| "image" => "https://pbs.twimg.com/profile_images/test.jpg" | ||
| }, | ||
| "credentials" => { | ||
| "token" => "test_token", | ||
| "refresh_token" => "test_refresh" | ||
| } | ||
| }) | ||
| end | ||
|
|
||
| test "twitter callback for login signs in user with linked X account" do | ||
| user = users(:david) | ||
| user.update!(twitter_uid: "123456789", twitter_oauth_token: "token") | ||
|
|
||
| OmniAuth.config.mock_auth[:twitter2] = mock_auth_hash | ||
|
|
||
| post "/auth/twitter2/login" | ||
| assert_response :success | ||
|
|
||
| get "/auth/twitter2/callback" | ||
|
|
||
| assert_redirected_to root_path | ||
| assert_equal "Signed in with X successfully!", flash[:notice] | ||
| end | ||
|
|
||
| test "twitter callback for login rejects user without linked X account" do | ||
| OmniAuth.config.mock_auth[:twitter2] = mock_auth_hash(uid: "nonexistent") | ||
|
|
||
| post "/auth/twitter2/login" | ||
| get "/auth/twitter2/callback" | ||
|
|
||
| assert_redirected_to new_session_path | ||
| assert_equal "No account found with this X account. Please sign in with email first and connect your X account.", flash[:alert] | ||
| end | ||
|
|
||
| test "twitter callback for connect redirects when not signed in" do | ||
| OmniAuth.config.mock_auth[:twitter2] = mock_auth_hash | ||
|
|
||
| get "/auth/twitter2/callback" | ||
|
|
Author
There was a problem hiding this comment.
Tests login flow (success and failure cases)
Comment on lines
+62
to
+106
|
|
||
| test "disconnect clears X account data" do | ||
| sign_in :david | ||
| user = users(:david) | ||
| user.update!( | ||
| twitter_uid: "123456789", | ||
| twitter_oauth_token: "token", | ||
| twitter_oauth_refresh_token: "refresh", | ||
| twitter_screen_name: "testuser", | ||
| twitter_profile_image: "https://example.com/image.jpg", | ||
| twitter_connected_at: Time.current | ||
| ) | ||
|
|
||
| delete "/auth/twitter/disconnect" | ||
|
|
||
| assert_redirected_to user_profile_path("me") | ||
| assert_equal "X account disconnected successfully!", flash[:notice] | ||
|
|
||
| user.reload | ||
| assert_nil user.twitter_uid | ||
| assert_nil user.twitter_oauth_token | ||
| assert_nil user.twitter_screen_name | ||
| assert_nil user.twitter_connected_at | ||
| end | ||
|
|
||
| test "disconnect requires authentication" do | ||
| delete "/auth/twitter/disconnect" | ||
|
|
||
| assert_redirected_to new_session_path | ||
| end | ||
|
|
||
| test "initiate_login renders auto-submit form" do | ||
| post "/auth/twitter2/login" | ||
|
|
||
| assert_response :success | ||
| assert_includes response.body, 'action="/auth/twitter2"' | ||
| end | ||
|
|
||
| test "failure redirects with error message" do | ||
| get "/auth/failure", params: { message: "access_denied" } | ||
|
|
||
| assert_redirected_to user_profile_path("me") | ||
| assert_equal "X authentication failed: access_denied", flash[:alert] | ||
| end | ||
|
|
Comment on lines
+107
to
+137
| test "user twitter_uid must be unique" do | ||
| users(:david).update!(twitter_uid: "123456789") | ||
|
|
||
| user = users(:jason) | ||
| user.twitter_uid = "123456789" | ||
|
|
||
| assert_not user.valid? | ||
| assert_includes user.errors[:twitter_uid], "has already been taken" | ||
| end | ||
|
|
||
| test "twitter_connected? returns true when uid and connected_at present" do | ||
| user = users(:david) | ||
| user.update!(twitter_uid: "123", twitter_connected_at: Time.current) | ||
|
|
||
| assert user.twitter_connected? | ||
| end | ||
|
|
||
| test "twitter_connected? returns false when uid missing" do | ||
| user = users(:david) | ||
| user.update!(twitter_uid: nil, twitter_connected_at: Time.current) | ||
|
|
||
| assert_not user.twitter_connected? | ||
| end | ||
|
|
||
| test "twitter_connected? returns false when connected_at missing" do | ||
| user = users(:david) | ||
| user.update!(twitter_uid: "123", twitter_connected_at: nil) | ||
|
|
||
| assert_not user.twitter_connected? | ||
| end | ||
| end |
Author
There was a problem hiding this comment.
Test proper X account connection and account uniqueness.
m2rads
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello all, this PR closes issue #20.
Users can:
Changes:
omniauth,omniauth-twitter2, andomniauth-rails_csrf_protectiongemstwitter_uid,twitter_oauth_token,twitter_oauth_refresh_token, etc.)twitter_uidTesting:
AI Disclosure:
Test Execution result before code changes:
Test Execution result after code changes plus the new tests added for this feature:
Demo:
https://github.com/user-attachments/assets/4264f624-f82a-454f-8a0c-2c03a64a62e3