Skip to content

feat(desktop): add Google One Tap auth#7048

Open
Nixieboluo wants to merge 1 commit into
labring:mainfrom
Nixieboluo:feat/google-onetap
Open

feat(desktop): add Google One Tap auth#7048
Nixieboluo wants to merge 1 commit into
labring:mainfrom
Nixieboluo:feat/google-onetap

Conversation

@Nixieboluo

@Nixieboluo Nixieboluo commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

summary

Add a Desktop endpoint for Google One Tap sign-in.

The endpoint accepts a Google One Tap ID token from an allowed landing-page origin, verifies the token on the server, and enters the existing Google provider authentication path.

The caller flow is:

  1. The landing page obtains a One Tap credential.
  2. The landing page sends it to /api/auth/google/onetap.
  3. Desktop verifies the credential.
  4. Desktop creates or resolves the existing Google account.
  5. Desktop returns the existing global token.
  6. Desktop sets the shared auth cookie.
  7. The landing page redirects to the App domain with the returned token.

interface

Add:

POST /api/auth/google/onetap

Request body:

{
  "credential": "<google-id-token>"
}

Successful response uses the existing auth response shape:

{
  "code": 200,
  "message": "Successfully",
  "data": {
    "token": "<global-token>",
    "user": {
      "name": "<display-name>",
      "avatar": "<avatar-url>",
      "userUid": "<user-uid>"
    },
    "needInit": false
  }
}

The response also sets:

Set-Cookie: sealos_auth_token=<global-token>; Path=/; HttpOnly; SameSite=Lax; Max-Age=604800

Secure is added when the request is forwarded as HTTPS.

authentication

The endpoint verifies the Google credential with google-auth-library.

The Google token aud is checked against the configured Google client ID.
The Google token sub is used as the provider account identifier for ProviderType.GOOGLE.

The endpoint does not decode and trust the JWT directly.

After verification, the endpoint calls the existing getGlobalToken() path.
This preserves the current behavior for:

  • existing Google account lookup
  • signup
  • restricted users
  • provider conflicts
  • global token generation
  • user initialization state

The email claim is passed to account binding only when email_verified is true.

The avatar claim is persisted through the same avatar persistence path used by the existing Google OAuth code flow.

origin checks

Add a Google One Tap origin allowlist:

desktopConfig:
  googleOneTapOrigins:
    - "https://www.example.com"

This renders to:

desktop:
  auth:
    idp:
      google:
        oneTapOrigins:
          - "https://www.example.com"

The endpoint accepts only exact Origin matches from this list.

Allowed requests receive:

Access-Control-Allow-Origin: <origin>
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, OPTIONS
Access-Control-Allow-Headers: Content-Type
Vary: Origin

Forbidden origins are rejected before token verification.

failure modes

OPTIONS from an allowed origin returns 204.

OPTIONS from any other origin returns 403.

POST from an unlisted origin returns:

{
  "code": 403,
  "message": "Forbidden origin",
  "data": null
}

A missing credential returns:

{
  "code": 400,
  "message": "credential is invalid",
  "data": null
}

An invalid Google token returns:

{
  "code": 401,
  "message": "Unauthorized",
  "data": null
}

Provider conflicts and restricted-user cases follow the existing Desktop auth response semantics.

@Nixieboluo Nixieboluo requested a review from a team as a code owner July 7, 2026 09:00
@Nixieboluo Nixieboluo force-pushed the feat/google-onetap branch from dfb98d7 to b7427cb Compare July 8, 2026 02:09
@codecov

codecov Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.86%. Comparing base (521b711) to head (b7427cb).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #7048   +/-   ##
=======================================
  Coverage   61.86%   61.86%           
=======================================
  Files           8        8           
  Lines         653      653           
=======================================
  Hits          404      404           
  Misses        202      202           
  Partials       47       47           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant