Skip to content

Implement Google Oauth2 login + Account Linking #229

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
stadust merged 15 commits into from
Mar 29, 2025
Merged

Implement Google Oauth2 login + Account Linking #229

stadust merged 15 commits into from
Mar 29, 2025

Conversation

@stadust
Copy link
Owner

@stadust stadust commented Mar 9, 2025

Allow linking google accounts to pointercrate accounts, to allow signing in through google. This then eliminates the option to sign in with pointercrate password, but also means you can no longer lock yourself out of your pointercrate account as easily (unless you also lock yourself out of your google account, but really, what are you doing?).

This is a very bare-bones implementation:

  • No registration with google possible yet (you must register for a legacy account, and then link)
  • No changing of linked google account

Essentially, we're implementing Phase 1 and 2 of #127, leaving Phase 3 and especially 4 for later work.

License Acceptance

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@codecov
Copy link

codecov bot commented Mar 9, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 16.37168% with 189 lines in your changes missing coverage. Please review.

Project coverage is 30.17%. Comparing base (4da49a1) to head (6ee7058).
Report is 1 commits behind head on master.

Files with missing lines Patch % Lines
pointercrate-user-api/src/oauth.rs 0.00% 46 Missing ⚠️
pointercrate-user-api/src/pages.rs 6.12% 46 Missing ⚠️
pointercrate-user/src/auth/oauth/post.rs 0.00% 25 Missing ⚠️
pointercrate-user/src/auth/oauth/get.rs 0.00% 15 Missing ⚠️
pointercrate-core-pages/src/head.rs 0.00% 13 Missing ⚠️
pointercrate-user/src/auth/oauth/patch.rs 0.00% 9 Missing ⚠️
pointercrate-user/src/auth/patch.rs 18.18% 9 Missing ⚠️
pointercrate-user-pages/src/login.rs 0.00% 8 Missing ⚠️
pointercrate-user-pages/src/account/profile.rs 0.00% 6 Missing ⚠️
pointercrate-user/src/auth/oauth/mod.rs 33.33% 6 Missing ⚠️
... and 3 more
Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #229      +/-   ##
==========================================
- Coverage   30.36%   30.17%   -0.20%     
==========================================
  Files         113      118       +5     
  Lines        8012     8126     +114     
==========================================
+ Hits         2433     2452      +19     
- Misses       5579     5674      +95

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@stadust stadust force-pushed the oauth2 branch 2 times, most recently from 1e175b3 to f206116 Compare March 9, 2025 19:44
@stadust stadust mentioned this pull request Mar 9, 2025
Closed
stadust added 9 commits March 23, 2025 12:00
@stadust
add oauth2 feature to Cargo.tomls
78ac90f 
Signed-off-by: stadust <43299462+stadust@users.noreply.github.com>
@stadust
core-pages: add support for async scripts
3eabae4 
Signed-off-by: stadust <43299462+stadust@users.noreply.github.com>
@stadust
ui: drop forced left/right margin on form input contents
30b1018 
If these are wanted, they can be applied on the form-input itself, since
all form inputs we are using are laid out top-to-bottom anyway.

Signed-off-by: stadust <43299462+stadust@users.noreply.github.com>
@stadust
ui: drop margin on left/right/under/over-lined classes
c2e27ce 
Signed-off-by: stadust <43299462+stadust@users.noreply.github.com>
@stadust
css: apply styling to p.error elements independent of parent
9bc0a58 
Sometimes we might want to use these outside of forms.

Signed-off-by: stadust <43299462+stadust@users.noreply.github.com>
@stadust
user-api: add utility function for cookie placement
b69cea3 
Both /login and /register place CSRF and access tokens in cookies.
Deduplicate the code with a helper function (especially because later
on, oauth will _also_ need to place the same cookies).

Signed-off-by: stadust <43299462+stadust@users.noreply.github.com>
@stadust
user-pages: add "sign in with google" button to login page
7285044 
Also add a dummy request handler to the backend which for now always
returns 403 UNAUTHORIZED.

We use the javascript callback version (instead of redirect) of the
google oauth flow so that it's easier to display potential error
messages directly on the login page, as well as to avoid the form data
payload that google would give us if we let it directly POST to our
servers (going through javascript allows us to convert to JSON, which is
easier to deal with).

Signed-off-by: stadust <43299462+stadust@users.noreply.github.com>
@stadust
add google account id to members table
cd2e16b 
Mark as UNIQUE to prevent any bugs/race conditions from allowing the
same google account for multiple pointercrate accounts.

Signed-off-by: stadust <43299462+stadust@users.noreply.github.com>
@stadust
Handle members with linked google accounts in auth module
7042111 
Introduce a new `AuthenticationType` for these, so that password based
login will automatically be rejected.

Signed-off-by: stadust <43299462+stadust@users.noreply.github.com>
stadust added 5 commits March 23, 2025 12:06
@stadust
Implement "sign in with google" flow
ddaeec9 
Have the backend validate credentials it receives via /auth/oauth/google
with the certificates that google publishes, decode the associated JWT
to determine the google account id, and then log in the user who has
that google account id linked by placing the required cookies.

Signed-off-by: stadust <43299462+stadust@users.noreply.github.com>
@stadust
ui: add "Link with google" button to profile page
525a8f7 
Signed-off-by: stadust <43299462+stadust@users.noreply.github.com>
@stadust
refactor(user): call increment_generation_id from set_password
57cf8ea 
Signed-off-by: stadust <43299462+stadust@users.noreply.github.com>
@stadust
user: Implement backend part of google accoutn linking
7af1a7e 
When reaching the /oauth/google endpoint fully authenticated, and the
provided google credentials are valid, link the authenticated
pointercrate account with the google account. Only do so it the google
account is not already linked to another pointercrate account, and if
the pointercrate account is not already linked to a google account (e.g.
re-linking from one google account to a different one is not possible
right now).

Signed-off-by: stadust <43299462+stadust@users.noreply.github.com>
@stadust
test: validate no legacy login if google account linked
bef5891 
Add an integration test to ensure that if a google account is linked to
a pointercrate account, that pointercrate account becomes impossible to
log in via username/password combo.

Signed-off-by: stadust <43299462+stadust@users.noreply.github.com>
@stadust stadust merged commit 031261e into master Mar 29, 2025
2 of 4 checks passed
This was referenced Mar 29, 2025
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@stadust