AnabasisChatRemove/deploy/vk-auth-setup.md
Денисов Александр Андреевич 0a82ad7e3e
Add VK callback auth support and admin demotion
2026-06-05 19:01:52 +03:00


# VK OAuth callback setup
The desktop app uses this redirect URI by default:
```text
https://vk.daemonlord.ru/vk/callback
```
The public HTTPS endpoint is expected to be handled by a reverse proxy. The
backend callback host itself is plain HTTP on a non-standard local port:
```text
http://127.0.0.1:8787/vk/callback
```
## VK app settings
1. Open the VK developer dashboard.
2. Select the standalone app with ID `54454043`.
3. Make sure the app type is `Standalone application`.
4. Add the exact redirect URI:
```text
https://vk.daemonlord.ru/vk/callback
```
If the redirect URI in the OAuth request does not exactly match the app settings,
VK can return:
```json
{"error":"invalid_request","error_description":"Security Error"}
```
## Backend callback host
Run the local HTTP callback host:
```bash
python deploy/vk_callback_server.py --host 127.0.0.1 --port 8787
```
Health check:
```text
http://127.0.0.1:8787/health
```
Optional systemd unit:
```text
deploy/systemd/anabasis-vk-callback.service
```
Adjust `WorkingDirectory`, `ExecStart`, and `User` for the server path/user.
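The callback page does not process or store the token. With implicit OAuth, VK
puts `access_token` in the URL fragment, and browsers do not send the fragment in
the HTTP request, so the token does not reach the reverse proxy or the callback
host. The desktop webview reads that final URL directly from the embedded browser.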
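
As an added example (not code from this repository), one way the desktop side could check the final webview URL against the configured redirect URI before taking the token from the fragment. `parse_callback` and `CallbackError` are hypothetical names, the sample URLs are constructed, and redirected errors are assumed to use the standard OAuth `error` / `error_description` parameters.

```python
from urllib.parse import parse_qs, urlsplit

# Default redirect URI from this page. Function/class names are hypothetical.
REDIRECT_URI = "https://vk.daemonlord.ru/vk/callback"


class CallbackError(Exception):
    """The final webview URL is not a usable OAuth callback."""


def parse_callback(final_url: str, redirect_uri: str = REDIRECT_URI) -> dict:
    """Validate the final webview URL and return the fragment parameters."""
    got, want = urlsplit(final_url), urlsplit(redirect_uri)
    # Exact match on scheme, host[:port] and path, so look-alike hosts such as
    # "vk.daemonlord.ru.evil.example" or "vk.daemonlord.ru@evil.example" fail.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise CallbackError("URL is not the configured redirect URI")
    query, fragment = parse_qs(got.query), parse_qs(got.fragment)
    # Assumption: redirected errors use the standard OAuth parameter names.
    for params in (fragment, query):
        if "error" in params:
            detail = params.get("error_description", [""])[0]
            raise CallbackError(f"{params['error'][0]}: {detail}")
    # Query strings are sent to the proxy and backend; a token there is
    # treated as exposed instead of being accepted.
    if "access_token" in query:
        raise CallbackError("access_token arrived in the query string")
    tokens = fragment.get("access_token", [])
    if len(tokens) != 1:
        raise CallbackError("expected exactly one access_token in the fragment")
    return {name: values[0] for name, values in fragment.items()}


if __name__ == "__main__":
    # Constructed sample URLs; the token value is a placeholder.
    samples = [
        REDIRECT_URI + "#access_token=EXAMPLE_TOKEN&expires_in=0&user_id=1",
        "https://vk.daemonlord.ru.evil.example/vk/callback#access_token=x",
        REDIRECT_URI + "?access_token=EXAMPLE_TOKEN",
    ]
    for url in samples:
        try:
            print("ok     ", sorted(parse_callback(url)))
        except CallbackError as exc:
            print("reject ", exc)
```

The demo prints only parameter names, so the token value never lands in console output or logs.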
## Reverse proxy
Use the nginx example:
```text
deploy/nginx/vk.daemonlord.ru.conf
```
It proxies:
```text
https://vk.daemonlord.ru/vk/callback -> http://127.0.0.1:8787/vk/callback
```
## Desktop app override
The app already defaults to `https://vk.daemonlord.ru/vk/callback`. To override it:
```powershell
$env:ANABASIS_VK_REDIRECT_URI = "https://vk.daemonlord.ru/vk/callback"
python main.py
```