feat(desktop): add Google One Tap auth#7048
Open
Nixieboluo wants to merge 1 commit into
Open
Conversation
dfb98d7 to
b7427cb
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #7048 +/- ##
=======================================
Coverage 61.86% 61.86%
=======================================
Files 8 8
Lines 653 653
=======================================
Hits 404 404
Misses 202 202
Partials 47 47 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
1 task
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
summary
Add a Desktop endpoint for Google One Tap sign-in.
The endpoint accepts a Google One Tap ID token from an allowed landing-page origin, verifies the token on the server, and enters the existing Google provider authentication path.
The caller flow is:
credential./api/auth/google/onetap.interface
Add:
Request body:
{ "credential": "<google-id-token>" }Successful response uses the existing auth response shape:
{ "code": 200, "message": "Successfully", "data": { "token": "<global-token>", "user": { "name": "<display-name>", "avatar": "<avatar-url>", "userUid": "<user-uid>" }, "needInit": false } }The response also sets:
Secureis added when the request is forwarded as HTTPS.authentication
The endpoint verifies the Google credential with
google-auth-library.The Google token
audis checked against the configured Google client ID.The Google token
subis used as the provider account identifier forProviderType.GOOGLE.The endpoint does not decode and trust the JWT directly.
After verification, the endpoint calls the existing
getGlobalToken()path.This preserves the current behavior for:
The email claim is passed to account binding only when
email_verifiedis true.The avatar claim is persisted through the same avatar persistence path used by the existing Google OAuth code flow.
origin checks
Add a Google One Tap origin allowlist:
This renders to:
The endpoint accepts only exact
Originmatches from this list.Allowed requests receive:
Forbidden origins are rejected before token verification.
failure modes
OPTIONSfrom an allowed origin returns204.OPTIONSfrom any other origin returns403.POSTfrom an unlisted origin returns:{ "code": 403, "message": "Forbidden origin", "data": null }A missing credential returns:
{ "code": 400, "message": "credential is invalid", "data": null }An invalid Google token returns:
{ "code": 401, "message": "Unauthorized", "data": null }Provider conflicts and restricted-user cases follow the existing Desktop auth response semantics.