feat(macos): Native OAuth via ASWebAuthenticationSession#4004
Conversation
Replace the old open-system-browser + deep-link flow with Apple's ASWebAuthenticationSession — a sandboxed Safari sheet that stays anchored inside the app window and handles the screenpipe:// callback itself. - Add auth_session module: macOS impl (apple.rs) + cross-platform stub (mod.rs) - Wire open_login_window Tauri command to start_session on macOS - Register module in main.rs
…ocus Add concise Apple doc hyperlinks and explain non-obvious decisions in apple.rs. Re-activate the app window after the auth sheet closes. - Document presentationAnchor fallback chain (keyWindow -> windows.firstObject) - Explain canceledLogin error code detection - Comment prefersEphemeralWebBrowserSession trade-off - Call activateIgnoringOtherApps after sheet closes to pull focus back
louis030195
left a comment
There was a problem hiding this comment.
apps/screenpipe-app-tauri/src-tauri/Cargo.toml:191 — should these be under [target.'cfg(target_os = "macos")'.dependencies] to avoid linking failures on windows/linux?
apps/screenpipe-app-tauri/src-tauri/src/auth_session/apple.rs:76 — what if screenpipe runs in menu-bar-only mode with no windows open? will this panic?
generated by the screenpipe pr-review pipe (https://screenpi.pe), not written by a human — reply and tag @louis030195 if it got something wrong.
…bar-only) panic get_key_window_as_anchor() now returns Option instead of calling .expect(). start_session pre-checks for an available NSWindow before calling session.start(), so the ObjC presentationAnchor delegate never fires without a valid anchor.
Done. |
What changed
Clicking Login on macOS now opens a native system Safari sheet anchored to the screenpipe window, instead of a separate in-app WebView window.
The previous macOS path used a
WebviewWindowBuilderwindow that loaded the login URL and anon_navigationhook intercepted thescreenpipe://redirect.login-browserwindow pops up inside the appon_navigationhook detectsscreenpipe://scheme in the WebViewscreenpipe://itself, no hook neededlogin-browserwindow after authactivateIgnoringOtherAppsScreen.Recording.2026-06-11.at.9.48.59.PM.mov
Screen.Recording.2026-06-11.at.9.50.09.PM.mov
Why ASWebAuthenticationSession?
Apple built ASWebAuthenticationSession specifically for OAuth in native apps. It has been the recommended path since macOS 10.15 Catalina.
Sandboxed — the app only ever sees the final callback URL; it cannot read Safari cookies directly. Secure by design.
Shared session — the user's existing Safari login is reused, so SSO just works without re-entering credentials.
No extra plumbing — no
on_navigationhook, no window lifecycle management, no manual close. The framework handles everything.Other production macOS apps that use this API
This is the industry-standard approach for native macOS login flows: