Sign-in with Google in the app #27

Open
opened 2026-05-07 19:36:00 +02:00 by hloth · 1 comment
Owner
No description provided.
hloth added this to the v1.0.0 milestone 2026-05-07 19:36:00 +02:00
hloth added this to the Open Grind project 2026-05-07 19:36:00 +02:00
Author
Owner

Google sign in implementation is harder than I thought. Grindr only allowed postmessage response type in their Google OAuth project, so:
1) Google prevents all URL-based responses so we can't open sign in page directly, wait for redirect and sniff response code from the URL - there is no code in URL and there is no redirect
2) WebView built-in security prevents cross-origin postMessage so we can't make a dummy page that opens sign in and receives token callback - Google will only send OAuth code to web grindr org origin
3) Tauri prevents cross-origin IPC to web grindr org page and Grindr has set CSP preventing injections to the real Grindr web website, so we can't open web grindr org and handle the flow via injected JS - JS is not injectable
Unless anyone has ideas on how to bypass all these security systems and make Google sign in work, the only approach is to manually sign in on web grindr org in external browser, manually extract the token (via a script, a browser extension or any other means) and copy paste it to the app. I don't think it's possible to bypass cross-origin security and get token from Google sign in without extensions (which have to be signed and verified and preferably published to stores and that's overcomplicated for a simple OAuth login).

https://matrix.to/#/!6A0aN28yRLpX1K8aLtfJWm87DXoyyMGjkPeORakOBZg/$EqyDl0B4ZghgcgSclXmbOw_EvqSA8AQnDl0orNcfcb4?via=hloth.dev&via=matrix.org&via=opengrind.org

hloth modified the milestone from v1.0.0 to v0.1.0-alpha.4 2026-05-28 00:05:33 +02:00
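Point 2 of the comment above rests on how `postMessage` delivery is bound to origins. The following is an added example, not part of the original comment or the Open Grind code: a small Node.js model of that delivery rule and of the receiver-side origin check, using constructed origins (`idp.example`, `app.example`, `localhost.example`) and a constructed sample code value.

```javascript
// Added illustration: a minimal model of window.postMessage delivery rules.
// All origins and the "code" value below are constructed samples.

// Serialize an origin the way browsers compare them: scheme + host + port.
function originOf(url) {
  return new URL(url).origin;
}

// Sender side: the message is silently dropped unless targetOrigin is "*"
// or equals the origin of the receiving window.
function deliver(senderUrl, receiver, data, targetOrigin) {
  const receiverOrigin = originOf(receiver.url);
  if (targetOrigin !== "*" && originOf(targetOrigin) !== receiverOrigin) {
    return { delivered: false, accepted: false };
  }
  const event = { data, origin: originOf(senderUrl) };
  return { delivered: true, accepted: receiver.onMessage(event) };
}

// Receiver side: accept only messages whose event.origin is the trusted sender.
function makeReceiver(url, trustedSender) {
  const inbox = [];
  return {
    url,
    inbox,
    onMessage(event) {
      if (event.origin !== originOf(trustedSender)) return false;
      inbox.push(event.data);
      return true;
    },
  };
}

const IDP = "https://idp.example/signin";          // constructed identity provider
const APP = "https://app.example/login";           // constructed registered origin
const DUMMY = "https://localhost.example:1430/cb"; // constructed helper page

function runScenarios() {
  const registered = makeReceiver(APP, IDP);
  const dummy = makeReceiver(DUMMY, IDP);
  const msg = { code: "SAMPLE-CODE" };
  return {
    pinnedToRegistered: deliver(IDP, registered, msg, originOf(APP)),
    pinnedToDummy: deliver(IDP, dummy, msg, originOf(APP)), // dropped
    wildcardToDummy: deliver(IDP, dummy, msg, "*"),         // weak setting: leaks
    spoofedSender: deliver(DUMMY, registered, msg, originOf(APP)), // rejected
  };
}
```

The `wildcardToDummy` case is the weak configuration: with `"*"` as the target origin any embedding page receives the code, which is why the sender pins the target and the receiver checks `event.origin`.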
Reference
open-grind/open-grind#27