From fd27dc072ca88008dbe735be809c64465df13680 Mon Sep 17 00:00:00 2001
From: Sam Liu
Date: Wed, 26 Nov 2025 22:34:17 -0500
Subject: [PATCH] Use x-www-form-urlencoded instead of json
---
 app/controllers/admin/sessions_controller.rb | 9 +++++----
 app/controllers/identity_controller.rb | 5 +++--
 app/controllers/popup/authorize_controller.rb | 5 +++--
 3 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/app/controllers/admin/sessions_controller.rb b/app/controllers/admin/sessions_controller.rb
index 25d6ca2..4d87fb8 100644
--- a/app/controllers/admin/sessions_controller.rb
+++ b/app/controllers/admin/sessions_controller.rb
@@ -11,7 +11,7 @@ def new
 nextauth_url = ENV['NEXTAUTH_URL'].presence || request.base_url
 query = {
 client_id: ENV['IDENTITY_CLIENT_ID'],
- redirect_uri: File.join(nextauth_url, 'admin/callback'),
+ redirect_uri: join_url(nextauth_url, 'admin/callback'),
 response_type: 'code',
 scope: 'basic_info',
 state: state
@@ -31,7 +31,7 @@ def callback
 code: code,
 client_id: ENV['IDENTITY_CLIENT_ID'],
 client_secret: ENV['IDENTITY_CLIENT_SECRET'],
- redirect_uri: File.join(ENV['NEXTAUTH_URL'].presence || request.base_url, 'admin/callback'),
+ redirect_uri: join_url(ENV['NEXTAUTH_URL'].presence || request.base_url, 'admin/callback'),
 grant_type: 'authorization_code'
 }
@@ -39,8 +39,9 @@ def callback
 http.use_ssl = token_uri.scheme == 'https'
 http.open_timeout = 3
 http.read_timeout = 5
- req = Net::HTTP::Post.new(token_uri, { 'Content-Type' => 'application/json' })
- req.body = body.to_json
+ req = Net::HTTP::Post.new(token_uri)
+ req['Content-Type'] = 'application/x-www-form-urlencoded'
+ req.body = URI.encode_www_form(body)
 begin
 res = http.request(req)
 rescue => e
diff --git a/app/controllers/identity_controller.rb b/app/controllers/identity_controller.rb
index c4f767e..dfcad99 100644
--- a/app/controllers/identity_controller.rb
+++ b/app/controllers/identity_controller.rb
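Review bot: `join_url` is not defined anywhere in this patch and the subject only mentions the content-type switch, so the new `redirect_uri` lines in `new` (first hunk) and `callback` (second hunk) cannot be checked from here. The token request has to send exactly the redirect_uri that was sent on the authorization request, so I would build it in one private method, e.g. `def admin_callback_uri; join_url(ENV['NEXTAUTH_URL'].presence || request.base_url, 'admin/callback'); end`, and call that from both actions. The `request.base_url` fallback is derived from the incoming request's host, so it is worth confirming that NEXTAUTH_URL is always set in production or that allowed hosts are restricted. Both method bodies continue outside the hunks.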
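Review bot: `URI.encode_www_form` writes a nil value as a bare key, so in the third hunk (`callback`, `req.body = URI.encode_www_form(body)`) an unset IDENTITY_CLIENT_ID or IDENTITY_CLIENT_SECRET now goes out as a valueless `client_id` or `client_secret` field and only shows up as an opaque rejection from the token endpoint. Reading the credentials with `ENV.fetch('IDENTITY_CLIENT_SECRET')` where `body` is built would fail loudly on a misconfigured deployment instead. The same encoding line is added in identity_controller.rb and popup/authorize_controller.rb, where the construction of `body` is outside the hunks, so the same check presumably applies there.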
@@ -137,8 +137,9 @@ def callback
 http.use_ssl = token_uri.scheme == 'https'
 http.open_timeout = 3
 http.read_timeout = 5
- req = Net::HTTP::Post.new(token_uri, { 'Content-Type' => 'application/json' })
- req.body = body.to_json
+ req = Net::HTTP::Post.new(token_uri)
+ req['Content-Type'] = 'application/x-www-form-urlencoded'
+ req.body = URI.encode_www_form(body)
 begin
 res = http.request(req)
 rescue => e
diff --git a/app/controllers/popup/authorize_controller.rb b/app/controllers/popup/authorize_controller.rb
index 40e1451..6856ed8 100644
--- a/app/controllers/popup/authorize_controller.rb
+++ b/app/controllers/popup/authorize_controller.rb
@@ -183,8 +183,9 @@ def exchange_oauth_code_for_user_data(code)
 http.use_ssl = token_uri.scheme == 'https'
 http.open_timeout = 3
 http.read_timeout = 5
- req = Net::HTTP::Post.new(token_uri, { 'Content-Type' => 'application/json' })
- req.body = body.to_json
+ req = Net::HTTP::Post.new(token_uri)
+ req['Content-Type'] = 'application/x-www-form-urlencoded'
+ req.body = URI.encode_www_form(body)
 res = http.request(req)
 raise "Token exchange failed: #{res.code}" unless res.is_a?(Net::HTTPSuccess)
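Review bot: The added content-type and body lines in identity_controller.rb can be one call, `req.set_form_data(body)`, which sets both the urlencoded body and the `application/x-www-form-urlencoded` content type on the `Net::HTTP::Post`. The identical block is now maintained in three controllers (here, admin/sessions_controller.rb and popup/authorize_controller.rb); a shared private helper or concern for the token POST would keep timeouts, TLS handling and encoding from drifting apart. `callback` starts and ends outside this hunk.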
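Review bot: `http.use_ssl = token_uri.scheme == 'https'` in the popup/authorize_controller.rb hunk lets the token request (which in admin/sessions_controller.rb visibly carries `client_secret` and the authorization code) go out in cleartext whenever the configured token URL is `http`, and this commit keeps that behaviour in all three controllers. Where `token_uri` comes from is not visible here, so this may already be constrained, but a guard such as `raise 'token endpoint must use https' unless token_uri.scheme == 'https' || Rails.env.development?` before the POST would make it explicit. This hunk also has no rescue around `http.request(req)`, unlike the other two; if the caller does not handle `Net::OpenTimeout`/`Net::ReadTimeout`, a slow identity server surfaces as an unhandled error. `exchange_oauth_code_for_user_data` continues outside the hunk.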