Bounty
Reward: 100 MRG for a complete, reviewed, and merged implementation.
Size: Large feature.
Contributor Requirement
Contributors must star this repository before claiming, starting, or submitting bounty work. Claims and PRs from accounts that have not starred the repo are not eligible for bounty review until the repo is starred.
Background
MergeOS currently supports email/password registration and bearer-session login through:
- POST /api/auth/register
- POST /api/auth/login
- GET /api/auth/me
- POST /api/auth/logout
The auth modal already renders Google and GitHub buttons, but they currently show "coming soon" toasts. This bounty should turn those buttons into working social login flows.
Scope
Implement social login for:
- Google OAuth / OpenID Connect
- GitHub OAuth
The implementation should support both first-time sign-up and returning-user login. Existing email/password login must continue to work.
Acceptance criteria
- Add backend OAuth endpoints for starting provider login and handling provider callbacks.
- Add provider configuration through environment variables, without committing secrets.
- Validate OAuth state/CSRF protection and handle callback errors safely.
- Create a new user when a verified provider identity has no matching account.
- Link social login to an existing user when the provider email matches an existing account, with clear duplicate-account handling.
- Return or establish the same auth session shape the frontend already expects: { token, user }.
- Wire the existing Google and GitHub buttons in frontend/src/App.vue to the real flows.
- Preserve the current post-login behavior, including returning users to the project funding flow when login was required before payment.
- Add persistence support for provider identities in both PostgreSQL and local JSON state mode.
- Add automated tests for backend provider callback handling, account creation/linking, invalid state, and existing email/password login regression.
- Document required environment variables and local development setup in the README or relevant env example files.
Implementation notes
- Keep the current bearer session model unless there is a strong reason to change it.
- Do not expose provider access tokens to the frontend.
- Do not log OAuth secrets, raw authorization codes, or provider tokens.
- Prefer provider-neutral storage so additional providers can be added later.
Suggested evidence for PR
- Test command output for backend tests.
- Screenshots or a short recording showing Google and GitHub login buttons completing the flow.
- Notes covering configured redirect URLs and any new environment variables.
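One way to meet the state/CSRF and post-login redirect criteria above, as an added example that is not part of this issue or the MergeOS code base. It is written in Python for illustration; the function names, the cookie-bound nonce, the 10-minute lifetime and the server-side signing key are all assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

STATE_TTL_SECONDS = 600  # assumed lifetime of a pending login
PROVIDERS = {"google", "github"}

class StateError(Exception):
    """Any invalid state; the callback should answer with one generic error."""

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(key, body):
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def safe_return_path(path):
    """Allow only same-site relative paths so the callback is not an open redirect."""
    ok = isinstance(path, str) and path.startswith("/") and not path.startswith("//") and "\\" not in path
    return path if ok else "/"

def issue_state(key, provider, return_to, now=None):
    """Return (state, nonce): state goes to the provider, nonce into an HttpOnly cookie."""
    if provider not in PROVIDERS:
        raise StateError("unknown provider")
    nonce = secrets.token_urlsafe(16)
    expires = int(time.time() if now is None else now) + STATE_TTL_SECONDS
    payload = {"p": provider, "r": safe_return_path(return_to), "n": nonce, "e": expires}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return f"{body}.{_sign(key, body)}", nonce

def verify_state(key, provider, state, cookie_nonce, now=None):
    """Validate the callback's state; return the post-login path or raise StateError."""
    try:
        body, tag = state.split(".")
        # Check the signature before parsing anything the client controls.
        if not hmac.compare_digest(tag, _sign(key, body)):
            raise StateError("bad signature")
        payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        nonce_ok = hmac.compare_digest(payload["n"], cookie_nonce)
    except (ValueError, AttributeError, TypeError, KeyError):
        raise StateError("malformed state") from None
    if not nonce_ok:
        raise StateError("state not bound to this browser")
    if payload["p"] != provider:
        raise StateError("provider mismatch")
    if payload["e"] < (time.time() if now is None else now):
        raise StateError("expired")
    return payload["r"]
```

The callback handler would clear the nonce cookie after the first verification attempt and log only the StateError reason, never the state value or the authorization code.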