- Replace HttpClient API calls with direct ISessionStore DI to avoid
302 redirect from missing auth cookie in Blazor Server interactive mode
- Use NavigationManager.NavigateTo with forceLoad=true for Discord OAuth
to bypass Blazor circuit navigation and trigger full HTTP request
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- UpsertDiscordUserAsync: restore await using on opened connection
- LinkIdentityAsync: compute effectiveCurrentPrimary before existingLink check
to prevent false conflict when current user is a secondary identity
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add V020 migration: player_links + identity_audit_log tables
- Add ISessionStore methods: ResolveEffectivePlayerId, LinkIdentity, UnlinkIdentity, GetLinkedIdentities
- Update SessionService to resolve effective player id for all permission checks
- Add /auth/discord/callback linking flow when already authenticated
- Add /api/me/identities GET/DELETE endpoints
- Add Profile.razor page for managing linked accounts
- Update NavMenu with profile link and v3.0.0 badge
- Bump version to 3.0.0 across all files
Bump version → 3.0.0
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Replace __DiscordOAuthState cookie (blocked by third-party cookie policies)
with in-memory DiscordOAuthStateStore singleton
- State is created server-side and validated on callback, eliminating
cross-site cookie transmission issues entirely
- Removed CryptographicOperations dependency from Program.cs
Bump version → 2.8.1
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Changed __DiscordOAuthState cookie from SameSite=Strict to SameSite=None
because Discord redirects from discord.com (cross-site) and Strict
prevents the cookie from being sent on the callback request.
- Added logging for CSRF validation failure to aid future diagnostics.
Bump version → 2.8.1
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Log status code and response body when Discord /oauth2/token fails
- Helps identify why ExchangeCodeAsync returns null in production
Bump version → 2.8.1
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add V019 migration: rename session_audit_log.actor_telegram_id → actor_external_user_id
- Add CSRF protection to Discord OAuth flow (state cookie with HttpOnly/Secure/Strict)
- Add Discord OAuth env vars to compose.yaml, deploy.yml, and .env.example
- Fix SQL COALESCE for nullable telegram_id in GetGroupManagersAsync and GetSessionParticipantsAsync
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Bump version to 2.8.0 across all versioned files
- Fix AuthorizedSessionServiceTests for platform-agnostic identity
- Update Razor Pages to use *ForCurrentUserAsync APIs
- Add backward-compatible constructors to WebGameGroup/WebGroupManager
- Make DiscordOAuthOptions properties non-required for config binding
Bump version → 2.8.0
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Discord login button on /login with brand colors
- NavMenu shows user avatar (Discord) and platform label
- CSS: login-divider, login-btn-discord, nav-user-info, nav-user-platform
- NavMenu version bumped to v2.8.0
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- ISessionStore: all methods use (platform, external_user_id)
- SessionService: updated SQL queries and added UpsertDiscordUserAsync
- AuthorizedSessionService: resolves identity from HttpContext, no longer accepts telegram_id params
- SessionAccessDeniedException now accepts string externalUserId
- Added ExternalUserId/ExternalUsername to WebGroupManager and WebParticipant
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- DiscordOAuthOptions for client_id, secret, redirect_uri
- DiscordAuthService exchanges code for token and fetches user profile
- /auth/discord and /auth/discord/callback endpoints
- CreateDiscordPrincipal for cookie auth claims
- Telegram principal now includes Platform claim for forward compatibility
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Add docs/superpowers/, docs/plans/, *.diff to .gitignore.
These directories contain implementation plans and design specs
used during agentic development; they are not needed in source control.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Database:
- Add source_platform and proposed_by_external_user_id to reschedule_proposals
- Make proposed_by nullable for Discord proposals
Shared:
- Extract platform-neutral RescheduleVoteRules, RescheduleVotingInput, RescheduleDtos
- Create RescheduleVotingFinalizer for cross-platform deadline handling
Telegram:
- Refactor RescheduleVotingDeadlineService to use RescheduleVotingFinalizer
- Tag Telegram proposals with source_platform = 'Telegram'
Discord:
- /reschedule slash command with time options and deadline
- DiscordRescheduleVoteHandler for button interactions
- DiscordRescheduleVotingRenderer for embeds and buttons
- DiscordRescheduleVotingDeadlineService for automatic finalization
- DiscordSessionInteractionModule routing for vote buttons
Version: 2.5.0 -> 2.6.0
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Both Telegram and Discord deadline services were querying ALL due
proposals without filtering by source_platform. If the Telegram
service reached a Discord proposal first, it finalized the DB state
but skipped message handling. The Discord service then saw status
!= 'Voting' and never updated the Discord vote message.
Fix: GetDueProposalIdsAsync now accepts a sourcePlatform parameter
and filters at the DB level. Each service only processes its own
platform's proposals.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Toutsu