internal/auth/cognito/ Sign in
AWS Cognito Hosted UI with Google federation. New users land on Free; subscriptions bump custom:tier via the Paddle webhook.
Sign-in flows through AWS Cognito’s Hosted UI at login.shellyard.com. Google federation is enabled out of the box — pick Continue with Google and you’re authenticated against Cognito’s Google IdP. Microsoft federation is configured but its client secret needs rotation before it goes live.
What gets populated
A fresh sign-in lands you on the Free tier. The Paddle webhook raises custom:tier to pro, team or enterprise when a subscription is created. Since the webhook is the only legitimate writer, keep custom:tier out of the app client's writable attributes so that only the server-side admin path can change it; a client that can write its own tier attribute could raise it with nothing more than its own access token. Federated users get the standard email claim through Cognito's IdP attribute mapping, and the email schema attribute is Required=true, so a federated sign-in whose mapping yields no email is rejected instead of creating a user with an empty email (the federated-empty-email bug is closed).
Multi-window auth
Each ShellYard window is its own OS process. The first window starts a localhost peer; subsequent windows register with it and a one-shot auth handoff is broadcast, so opening a sibling doesn't re-prompt sign-in. Loopback is reachable by any process running as the same user, so the handoff has to authenticate the peer rather than trust the port alone, and a handoff must not be replayable.
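The handoff described above, as an added example that is not ShellYard's own code: the first window listens on 127.0.0.1 only, every request must carry an HMAC over a fresh nonce under a per-user secret (assumed to live in a 0600 file or the keychain; here it is passed in), each nonce is honoured once, and the reply is bound to that nonce so the sibling can tell it is talking to a real peer. The refresh token as the handed-over payload, the one-JSON-object-per-line framing and the names AuthPeer / request_handoff are assumptions for this example.

```python
"""Authenticated, single-use auth handoff between sibling windows over loopback.
Added example, not ShellYard's code. Assumed: per-user shared secret, refresh
token as payload, one JSON object per line."""
import hashlib, hmac, json, secrets, socket, threading


def _mac(secret: bytes, msg: bytes) -> str:
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def _recv_line(sock: socket.socket, limit: int = 65536) -> bytes:
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


class AuthPeer:
    """First window: listens on 127.0.0.1 and answers each valid nonce exactly once."""

    def __init__(self, secret: bytes, refresh_token: str):
        self.secret, self.refresh_token = secret, refresh_token
        self.used_nonces, self.lock, self.stopped = set(), threading.Lock(), False
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
        self.sock.listen(8)
        self.sock.settimeout(0.2)         # lets the accept loop notice close()
        self.port = self.sock.getsockname()[1]
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self) -> None:
        while not self.stopped:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                self._handle(conn)

    def _handle(self, conn: socket.socket) -> None:
        conn.settimeout(2)
        try:
            req = json.loads(_recv_line(conn))
            nonce, tag = str(req["nonce"]).encode(), str(req["mac"]).encode()
        except (ValueError, KeyError, TypeError, OSError):
            return
        expected = _mac(self.secret, nonce).encode()
        with self.lock:
            # The peer must prove the secret, and a replayed nonce is refused (one shot).
            ok = hmac.compare_digest(tag, expected) and nonce not in self.used_nonces
            if ok:
                self.used_nonces.add(nonce)
        if not ok:
            conn.sendall(b'{"error": "rejected"}\n')
            return
        # Bind the reply to the request nonce so the sibling can authenticate us too.
        reply_tag = _mac(self.secret, nonce + b"\x00" + self.refresh_token.encode())
        conn.sendall(json.dumps({"refresh_token": self.refresh_token, "mac": reply_tag}).encode() + b"\n")

    def close(self) -> None:
        self.stopped = True
        self.thread.join()
        self.sock.close()


def _exchange(port: int, nonce: str, tag: str) -> dict:
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(json.dumps({"nonce": nonce, "mac": tag}).encode() + b"\n")
        return json.loads(_recv_line(s))


def request_handoff(port: int, secret: bytes) -> str:
    """Sibling window: ask the peer for the refresh token and verify the reply."""
    nonce = secrets.token_hex(16)
    reply = _exchange(port, nonce, _mac(secret, nonce.encode()))
    token = reply.get("refresh_token")
    if token is None:
        raise PermissionError("handoff refused")
    expected = _mac(secret, nonce.encode() + b"\x00" + token.encode())
    if not hmac.compare_digest(str(reply.get("mac", "")).encode(), expected.encode()):
        raise PermissionError("handoff reply failed authentication")
    return token


def demo() -> dict:
    """Constructed run: a good request, a replayed nonce, and a forged tag."""
    secret = secrets.token_bytes(32)
    peer = AuthPeer(secret, "refresh-token-constructed-for-demo")
    try:
        token = request_handoff(peer.port, secret)
        nonce = secrets.token_hex(16)
        first = _exchange(peer.port, nonce, _mac(secret, nonce.encode()))
        replay = _exchange(peer.port, nonce, _mac(secret, nonce.encode()))
        forged = _exchange(peer.port, secrets.token_hex(16), _mac(b"not-the-secret", b"x"))
        return {"token": token, "first_ok": "refresh_token" in first,
                "replay_refused": "error" in replay, "forged_refused": "error" in forged}
    finally:
        peer.close()
```

The shared secret is what actually gates the handoff; loopback binding only keeps the listener off the network. A process running as the same user that can read the secret is already inside the trust boundary the keychain defines, so the design adds no new exposure beyond that, while a same-user process without the secret gets only "rejected".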
Sessions
Refresh tokens persist in the OS keychain. Sign out via Settings → Sign out, which revokes the refresh token via Cognito's /oauth2/revoke and then clears the local store. Revoking the refresh token also invalidates the access tokens Cognito issued from it; a token that is only verified by signature locally stays usable until it expires. If the revoke call fails (offline, or token revocation disabled on the app client), clearing the local store alone leaves the refresh token valid server-side until it expires, so treat that as a partial sign-out rather than a clean one.
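The sign-out sequence above, as an added example that is not ShellYard's code: it builds the /oauth2/revoke request the way Cognito expects (form-encoded token and client_id, HTTP Basic client authentication only if the app client has a secret), revokes first, then clears the local store whether or not revocation succeeded, and reports the outcome so the UI can warn on a partial sign-out. login.shellyard.com is the Hosted UI domain from this page; CLIENT_ID is a placeholder, the app client is assumed to be a public client without a secret, and MemoryStore is a stand-in for the keychain-backed store.

```python
"""Sign out: revoke the refresh token at Cognito, then clear the local store.
Added example, not ShellYard's code. CLIENT_ID is a placeholder and MemoryStore
stands in for the OS keychain."""
import base64
import urllib.error
import urllib.parse
import urllib.request

COGNITO_DOMAIN = "login.shellyard.com"   # Hosted UI domain from the page
CLIENT_ID = "example-app-client-id"      # placeholder, not a real client id


class MemoryStore:
    """Stand-in for the keychain-backed token store (constructed for the demo)."""

    def __init__(self, items=None):
        self._items = dict(items or {})

    def get(self, key):
        return self._items.get(key)

    def delete(self, key):
        self._items.pop(key, None)


def build_revoke_request(refresh_token, client_id, client_secret=None):
    """POST /oauth2/revoke (RFC 7009 as Cognito implements it): form body with token
    and client_id; HTTP Basic client auth only when the app client has a secret."""
    url = f"https://{COGNITO_DOMAIN}/oauth2/revoke"
    body = urllib.parse.urlencode({"token": refresh_token, "client_id": client_id}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = "Basic " + creds
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def sign_out(store, client_id, client_secret=None, opener=urllib.request.urlopen):
    """Revoke first, then clear locally regardless; report whether revocation
    succeeded so a failed call is surfaced instead of passing as a clean sign-out."""
    token = store.get("refresh_token")
    outcome = {"had_token": token is not None, "revoked": False, "error": None}
    if token is not None:
        req = build_revoke_request(token, client_id, client_secret)
        try:
            with opener(req, timeout=10) as resp:
                outcome["revoked"] = resp.status == 200
        except urllib.error.HTTPError as e:
            # 400 invalid_request / unsupported_token_type (revocation disabled on the
            # app client) or 401 invalid_client: the refresh token is still live.
            outcome["error"] = f"http {e.code}"
        except OSError as e:  # URLError, timeout, DNS failure
            outcome["error"] = f"network: {e}"
    store.delete("refresh_token")
    outcome["store_cleared"] = store.get("refresh_token") is None
    return outcome


def demo():
    """Offline run: a fake transport that answers 200, and one that is unreachable."""
    class _Ok:
        status = 200
        def __enter__(self): return self
        def __exit__(self, *exc): return False

    def ok_opener(req, timeout=None):
        assert req.full_url == f"https://{COGNITO_DOMAIN}/oauth2/revoke"
        return _Ok()

    def down_opener(req, timeout=None):
        raise urllib.error.URLError("connection refused")

    online = sign_out(MemoryStore({"refresh_token": "rt-constructed"}), CLIENT_ID, opener=ok_opener)
    offline = sign_out(MemoryStore({"refresh_token": "rt-constructed"}), CLIENT_ID, opener=down_opener)
    return {"online": online, "offline": offline}
```

Cognito answers a successful revoke with an empty 200; a 400 with unsupported_token_type is the tell that token revocation is switched off for the app client, which is worth checking in the pool configuration before relying on this path.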