Fix Discord OAuth in iframed game by removing COOP from redirect page

Root cause: discord_redirect.html was served with Cross-Origin-Opener-Policy:
same-origin (from both nginx and coi-serviceworker.js). When the OAuth popup
navigates from Discord (COOP: unsafe-none) back to the redirect page (COOP:
same-origin), the COOP mismatch triggers a browsing context group switch that
permanently severs window.opener. Since BroadcastChannel is also partitioned
by top-level site, neither communication mechanism could deliver the token.

Fix: Remove COOP from discord_redirect.html specifically. It doesn't need
SharedArrayBuffer, so it doesn't need cross-origin isolation. With COOP:
unsafe-none, window.opener survives the Discord->redirect navigation chain
and postMessage works.

Changes:
- coi-serviceworker.js: Delete COOP header for discord_redirect.html navigations
- nginx config: Add specific location block without COOP for the redirect page
- discord_redirect.html: Add localStorage write as additional fallback
- common.js: Add requestStorageAccess + localStorage polling as last-resort
  fallback (covers edge case where Discord itself sets COOP), plus dedup
  guard to prevent double-handling when multiple mechanisms succeed

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: geneotech

cmake/web/assets/coi-serviceworker.js

@@ -10,7 +10,14 @@ self.addEventListener("fetch", function (e) {
     if (r.status === 0) return r;
     const headers = new Headers(r.headers);
     if (e.request.mode === "navigate") {
-      headers.set("Cross-Origin-Opener-Policy", "same-origin");
+      const url = new URL(e.request.url);
+      if (url.pathname.endsWith('/discord_redirect.html')) {
+        // OAuth redirect page must NOT have COOP so window.opener survives
+        // the cross-origin navigation chain (game iframe -> Discord -> redirect)
+        headers.delete("Cross-Origin-Opener-Policy");
+      } else {
+        headers.set("Cross-Origin-Opener-Policy", "same-origin");
+      }
     }
     headers.set("Cross-Origin-Embedder-Policy", "credentialless");
     headers.set("Cross-Origin-Resource-Policy", "cross-origin");

cmake/web/assets/common.js

@@ -426,15 +426,65 @@ function revokeDiscord(accessToken) {
 }
 
 function loginDiscord() {
-  const site_origin = window.location.origin; // Dynamically get the origin of the current site
+  const site_origin = window.location.origin;
   const redirect = site_origin + '/assets/discord_redirect.html';
   const redirectUri = encodeURIComponent(redirect);
 
   const scope = 'identify';
   const authUrl = `https://discord.com/oauth2/authorize?response_type=token&client_id=${clientIdDiscord}&redirect_uri=${redirectUri}&scope=${scope}`;
 
+  // Request unpartitioned storage access (for iframe scenarios where
+  // localStorage polling is needed as a last-resort fallback).
+  // Must be called within user gesture, before window.open.
+  if (document.requestStorageAccess) {
+    document.requestStorageAccess().then(() => {
+      console.log("loginDiscord: storage access granted");
+    }).catch(() => {});
+  }
+
   try {
-    window.open(authUrl, '_blank');
+    const popup = window.open(authUrl, '_blank');
+
+    // Poll localStorage as a last-resort fallback for when both
+    // BroadcastChannel and postMessage fail (e.g. Discord itself sets COOP)
+    if (popup) {
+      const pollInterval = setInterval(() => {
+        try {
+          const result = localStorage.getItem('discord_auth_result');
+          if (result) {
+            const data = JSON.parse(result);
+            if (data && data.access_token) {
+              clearInterval(pollInterval);
+              localStorage.removeItem('discord_auth_result');
+              fetchUserProfile(data.access_token, data.expires_in);
+              try { popup.close(); } catch (e) {}
+            }
+          }
+        } catch (e) {}
+
+        try {
+          if (popup.closed) {
+            // Final check after popup closes
+            setTimeout(() => {
+              try {
+                const result = localStorage.getItem('discord_auth_result');
+                if (result) {
+                  const data = JSON.parse(result);
+                  if (data && data.access_token) {
+                    localStorage.removeItem('discord_auth_result');
+                    fetchUserProfile(data.access_token, data.expires_in);
+                  }
+                }
+              } catch (e) {}
+            }, 500);
+            clearInterval(pollInterval);
+          }
+        } catch (e) {}
+      }, 1000);
+
+      // Stop polling after 10 minutes
+      setTimeout(() => clearInterval(pollInterval), 600000);
+    }
   } catch (e) {
     console.warn("Could not open Discord login (may be blocked by iframe restrictions or popup blocker):", e);
   }
@@ -582,12 +632,22 @@ function create_module(for_cg) {
     Module['preRun'].push(pre_run);
 
     const channel = new BroadcastChannel('token_bridge');
+    let discordAuthHandled = false;
 
     function handleDiscordAuth(data) {
+      if (discordAuthHandled) return;
+      discordAuthHandled = true;
+
       console.log('Expires in:', data.expires_in);
       console.log('Token type:', data.token_type);
 
+      // Clean up localStorage fallback token if present
+      try { localStorage.removeItem('discord_auth_result'); } catch (e) {}
+
       fetchUserProfile(data.access_token, data.expires_in);
+
+      // Reset after a delay so user can re-login later
+      setTimeout(() => { discordAuthHandled = false; }, 5000);
     }
 
     channel.addEventListener('message', event => {
@@ -602,6 +662,21 @@ function create_module(for_cg) {
       }
     });
 
+    // Listen for localStorage changes (fallback for edge cases where both
+    // BroadcastChannel and postMessage fail, requires requestStorageAccess)
+    window.addEventListener('storage', event => {
+      if (event.key === 'discord_auth_result' && event.newValue) {
+        try {
+          const data = JSON.parse(event.newValue);
+          if (data && data.type === 'authentication' && data.access_token) {
+            handleDiscordAuth(data);
+          }
+        } catch (e) {
+          console.warn("storage event handling failed:", e);
+        }
+      }
+    });
+
     Module.channel = channel;
 
     Module.loginDiscord = loginDiscord;

cmake/web/assets/discord_redirect.html

@@ -46,23 +46,36 @@
             token_type: token_type
         };
 
-        // BroadcastChannel works when the game is not iframed (same top-level origin)
+        // Method 1: BroadcastChannel (works when game is same top-level origin)
         try {
             const channel = new BroadcastChannel('token_bridge');
             channel.postMessage(message);
             channel.close();
+            console.log("discord_redirect: sent via BroadcastChannel");
         } catch (e) {
-            console.warn("BroadcastChannel failed:", e);
+            console.warn("discord_redirect: BroadcastChannel failed:", e);
         }
 
-        // window.opener.postMessage works when the game is iframed on a third-party domain
-        // (BroadcastChannel is partitioned by top-level site in modern browsers)
+        // Method 2: window.opener.postMessage (works when game is iframed,
+        // requires COOP: unsafe-none on this page so opener survives the redirect chain)
         if (window.opener) {
             try {
                 window.opener.postMessage(message, window.location.origin);
+                console.log("discord_redirect: sent via window.opener.postMessage");
             } catch (e) {
-                console.warn("window.opener.postMessage failed:", e);
+                console.warn("discord_redirect: window.opener.postMessage failed:", e);
             }
+        } else {
+            console.warn("discord_redirect: window.opener is null (COOP may have severed it)");
+        }
+
+        // Method 3: localStorage (fallback for when both above fail;
+        // requires iframe to have called requestStorageAccess)
+        try {
+            localStorage.setItem('discord_auth_result', JSON.stringify(message));
+            console.log("discord_redirect: wrote token to localStorage");
+        } catch (e) {
+            console.warn("discord_redirect: localStorage write failed:", e);
         }
     }
 };

cmake/web/play.hypersomnia.io

@@ -17,6 +17,14 @@ server {
 		add_header Cross-Origin-Embedder-Policy "credentialless" always;
     }
 
+    # OAuth redirect page must NOT have COOP so window.opener survives
+    # the cross-origin navigation chain (game iframe -> Discord -> redirect).
+    location = /assets/discord_redirect.html {
+        alias /var/www/html/assets/discord_redirect.html;
+		add_header Cross-Origin-Resource-Policy "cross-origin" always;
+		add_header Cross-Origin-Embedder-Policy "credentialless" always;
+    }
+
     location /assets/ {
         alias /var/www/html/assets/;
         autoindex on;  # This is optional; it allows directory listing if no index file is found