Universal Auth Gateway

Change Log v0.2.2: The Universal Auth Gateway & The Identity Broker
The hallmark of a true full-stack application isn't just a beautiful frontend—it's having actual, authenticated users. For too long, the workflow for generated apps has hit a massive brick wall: building the UI is instant, but wiring up Google, GitHub, and secure user sessions requires hours of soul-crushing OAuth configurations, token management, and boilerplate. We decided to kill auth boilerplate entirely.
With version 0.2.2, we are tearing down the final barrier to production with the Universal Auth Gateway. Starting today, every single application generated by Gorilla comes with free, instantly functional Google and GitHub authentication (with Facebook on the way) baked right in.
But transforming Gorilla Builder from a code generator into a multi-tenant identity broker required surviving a brutal architectural crucible. Here is how we reshaped the backend, and the technical traps we had to disarm along the way.
The Universal Auth Gateway
Instead of forcing you to set up Firebase, Supabase, or Auth0 just to get a "Sign in with Google" button working, Gorilla now acts as a centralized Identity Broker for every app you generate.
When your AI-generated app requests a login, it securely redirects to Gorilla's Hosted Login Page, tied specifically to your project's unique auth ID. The backend handles the entire OAuth dance, standardizes the provider payload, and beams the authenticated user directly back to your WebContainer.
By the time the auth popup closes, your generated React app already has the user's secure profile state natively loaded, ready to be saved to your database.
The Debugging Crucible
Shipping a centralized OAuth broker that dynamically serves thousands of independently generated applications nearly broke our routing architecture. We hit three major walls and engineered our way out of every single one:
1. The Multi-Tenant State Collision
When we first hooked up the gateway, we found a catastrophic flaw: if someone logged into an app built by User A at the same moment someone logged into an app built by User B, the OAuth state values carried through Google's redirect could collide, and the callback could hand the wrong user to the wrong app.
The Fix: We ripped out standard session state and implemented strict URL-level state passing via an "Auth ID Vault." The backend now looks up the exact auth ID in the database before rendering the login template, so each generated project gets its own isolated authentication context and no state bleeds between projects. Note that the auth ID identifies the tenant; it does not replace the OAuth state nonce. That value still has to be unguessable, generated fresh for every login and accepted only once, because it is what stops a forged callback from logging a victim into an attacker's session (the CSRF role RFC 6749 assigns to `state`).
2. The API Secret Hostage Situation
Initially, the AI agent tried to instruct the user to "Go to Google Cloud Console, create an OAuth app, and paste your Client Secret here." It was a terrible UX that completely ruined the "instant app" magic.
The Fix: We stripped the need for user-provided secrets entirely. Gorilla Builder holds one registered OAuth client (client ID and client secret) for Google and one for GitHub, and every generated app authenticates through them. We handle the callback URIs and the secret management on our servers; the client secret never leaves the broker, and your generated app just consumes the clean, authenticated user data. Two consequences are worth knowing: the provider's consent screen shows Gorilla's registered application rather than your app's name, and because the app never holds a provider credential of its own, it must accept user data only from the broker itself, never from an arbitrary message or URL.
3. The Iframe Handshake Heist
Once the backend successfully authenticated the user, we hit a massive security flaw. How do we pass the user payload from our backend server into the sandboxed WebContainer running the user's app without exposing it in URL parameters, which end up in browser history, Referer headers and server logs?
The Fix: The Template Injection Bridge. Instead of an insecure HTTP redirect, the callback endpoint renders an ephemeral HTML template. The user payload is embedded into that template on the server side, and an inline script immediately fires a window.postMessage at the parent WebContainer listening for the event, then closes itself. Three details carry the security of this bridge: the postMessage target origin is the app's origin, not "*", so a page that is not the expected app never receives the payload; the app-side listener checks event.origin against the gateway's origin before trusting anything in the message; and the payload has to be serialized into the template as JSON with `<` escaped, because any string the provider returns (a display name, say) would otherwise land in the HTML as markup.
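Both halves of that handshake, written with the checks made explicit, as an added example rather than Gorilla's own callback template or generated listener code. The broker side is what the inline script in the ephemeral template would run; the app side is the listener the generated app registers. Assumed, not from the page: the origins `auth.example.com` and `app.example.com`, the message `type` string, and a `nonce` that the app generates with `crypto.getRandomValues` before opening the login window so that a message from a stale or unrelated window is ignored. The `simulateHandshake` helper substitutes a fake parent window for `window.parent` so the file runs outside a browser.

```javascript
// Added example, not Gorilla Builder's code: the two sides of a postMessage
// auth handshake. Hypothetical origins and message type; the nonce is minted
// by the app before it opens the login window.

const BROKER_ORIGIN = "https://auth.example.com"; // hypothetical gateway origin
const APP_ORIGIN = "https://app.example.com";     // hypothetical generated-app origin

// --- Broker side: inline script of the ephemeral callback template ---
// targetWindow is window.parent (iframe) or window.opener (popup). The target
// origin is mandatory and must be a bare origin: "*" would let any page that
// embedded or opened the callback read the authenticated user's profile.
function deliverAuthResult(targetWindow, targetOrigin, profile, nonce) {
  if (targetOrigin === "*") throw new Error("refusing to post auth payload to any origin");
  let parsed;
  try { parsed = new URL(targetOrigin).origin; } catch (e) { parsed = null; }
  if (parsed !== targetOrigin) throw new Error("target must be a bare origin, e.g. https://host");
  targetWindow.postMessage({ type: "gorilla-auth", nonce, profile }, targetOrigin);
  return true;
}

// --- App side: the listener in the generated app ---
// Accepts the profile only if the message came from the broker origin, has the
// expected shape, and echoes the nonce this app minted for this login attempt.
function handleAuthMessage(event, expectedNonce) {
  if (event.origin !== BROKER_ORIGIN) return null;              // other frames, tabs, extensions
  const d = event.data;
  if (!d || typeof d !== "object" || d.type !== "gorilla-auth") return null;
  if (typeof d.nonce !== "string" || d.nonce !== expectedNonce) return null; // replay / wrong window
  if (!d.profile || typeof d.profile.sub !== "string") return null;
  return {
    sub: d.profile.sub,
    email: typeof d.profile.email === "string" ? d.profile.email : null,
    provider: d.profile.provider,
  };
}

// Stand-alone walk-through with a fake parent window (no browser needed).
// The profile and nonce below are constructed sample values.
function simulateHandshake() {
  const delivered = [];
  const fakeParent = { postMessage: (data, origin) => delivered.push({ data, origin }) };
  const nonce = "constructed-nonce-1";
  const profile = { sub: "1234567890", email: "user@example.com", provider: "google" };
  deliverAuthResult(fakeParent, APP_ORIGIN, profile, nonce);
  const [msg] = delivered;
  return {
    postedTo: msg.origin,
    accepted: handleAuthMessage({ origin: BROKER_ORIGIN, data: msg.data }, nonce),
    wrongOrigin: handleAuthMessage({ origin: "https://evil.example", data: msg.data }, nonce),
    wrongNonce: handleAuthMessage({ origin: BROKER_ORIGIN, data: msg.data }, "other-nonce"),
  };
}
```

In the real template the call is `deliverAuthResult(window.parent, "<app origin>", payload, nonce)` followed by `window.close()`, and the app registers `window.addEventListener("message", e => handleAuthMessage(e, nonce))`. The origin check on the receiving side is the one most often skipped; without it, any page that can obtain a reference to the app window can inject a fake "logged in" profile.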
The Result
Gorilla Builder is no longer just generating static components. It is deploying fully-fledged, secure, user-ready applications. You design the app, the agent writes the code, and Gorilla handles the security. The Universal Auth Gateway makes your generated apps ready for actual users from second zero.