Feature: Implement Google Oauth login

config/custom-environment-variables.js

@@ -37,6 +37,11 @@ module.exports = {
     clientSecret: "GITHUB_CLIENT_SECRET",
   },
 
+  googleOauth: {
+    clientId: "GOOGLE_CLIENT_ID",
+    clientSecret: "GOOGLE_CLIENT_SECRET",
+  },
+
   githubAccessToken: "GITHUB_PERSONAL_ACCESS_TOKEN",
 
   firestore: "FIRESTORE_CONFIG",

config/default.js

@@ -32,6 +32,11 @@ module.exports = {
     clientSecret: "<clientSecret>",
   },
 
+  googleOauth: {
+    clientId: "<clientId>",
+    clientSecret: "<clientSecret>",
+  },
+
   emailServiceConfig: {
     email: "<RDS_EMAIL>",
     password: "<EMAIL PASSWORD GENERATED AFTER 2FA>",

controllers/auth.js

@@ -9,6 +9,91 @@ const {
   USER_DOES_NOT_EXIST_ERROR,
 } = require("../constants/errorMessages");
 
+const googleAuthLogin = (req, res, next) => {
+  const { redirectURL, dev } = req.query;
+  if (dev === "true") {
+    return passport.authenticate("google", {
+      scope: ["email"],
+      state: redirectURL,
+    })(req, res, next);
+  } else {
+    return res.boom.unauthorized("User cannot be authenticated");
+  }
+};
+
+async function handleGoogleLogin(req, res, user, authRedirectionUrl) {
+  const rdsUiUrl = new URL(config.get("services.rdsUi.baseUrl"));
+  try {
+    if (!user.emails || user.emails.length === 0) {
+      throw new Error("Email not found in user data");
+    }
+    const userData = {
+      email: user.emails[0].value,
+      created_at: Date.now(),
+      updated_at: null,
+    };
+
+    const userDataFromDB = await users.fetchUser({ email: userData.email });
+
+    if (userDataFromDB.userExists) {
+      if (userDataFromDB.user.roles?.developer) {
+        const errorMessage = encodeURIComponent("Google login is restricted for developer role.");
+        return res.redirect(`${authRedirectionUrl}?error=${errorMessage}`);
+      }
+    }
+
+    const { userId, incompleteUserDetails } = await users.addOrUpdate(userData);
+
+    const token = authService.generateAuthToken({ userId });
+
+    const cookieOptions = {
+      domain: rdsUiUrl.hostname,
+      expires: new Date(Date.now() + config.get("userToken.ttl") * 1000),
+      httpOnly: true,
+      secure: true,
+      sameSite: "lax",
+    };
+
+    res.cookie(config.get("userToken.cookieName"), token, cookieOptions);
+
+    if (incompleteUserDetails) {
+      authRedirectionUrl = "https://my.realdevsquad.com/new-signup";
+    }
+
+    return res.redirect(authRedirectionUrl);
+  } catch (err) {
+    logger.error(err);
+    return res.boom.unauthorized("User cannot be authenticated");
+  }
+}
+
+const googleAuthCallback = (req, res, next) => {
+  const rdsUiUrl = new URL(config.get("services.rdsUi.baseUrl"));
+  let authRedirectionUrl = rdsUiUrl;
+
+  if ("state" in req.query) {
+    try {
+      const redirectUrl = new URL(req.query.state);
+
+      if (`.${redirectUrl.hostname}`.endsWith(`.${rdsUiUrl.hostname}`)) {
+        // Matching *.realdevsquad.com
+        authRedirectionUrl = redirectUrl;
+      } else {
+        logger.error(`Malicious redirect URL provided URL: ${redirectUrl}, Will redirect to RDS`);
+      }
+    } catch (error) {
+      logger.error("Invalid redirect URL provided", error);
+    }
+  }
+  return passport.authenticate("google", { session: false }, async (err, accessToken, user) => {
+    if (err) {
+      logger.error(err);
+      return res.boom.unauthorized("User cannot be authenticated");
+    }
+    return await handleGoogleLogin(req, res, user, authRedirectionUrl);
+  })(req, res, next);
+};
+
 /**
  * Makes authentication call to GitHub statergy
  *
@@ -56,7 +141,6 @@ const githubAuthCallback = (req, res, next) => {
       }
 
       if (redirectUrl.searchParams.get("v2") === "true") isV2FlagPresent = true;
-
       if (`.${redirectUrl.hostname}`.endsWith(`.${rdsUiUrl.hostname}`)) {
         // Matching *.realdevsquad.com
         authRedirectionUrl = redirectUrl;
@@ -77,12 +161,28 @@ const githubAuthCallback = (req, res, next) => {
       userData = {
         github_id: user.username,
         github_display_name: user.displayName,
+        email: user._json.email,
         github_created_at: Number(new Date(user._json.created_at).getTime()),
         github_user_id: user.id,
         created_at: Date.now(),
         updated_at: null,
       };
 
+      if (!userData.email) {
+        const githubBaseUrl = config.get("githubApi.baseUrl");
+        const res = await fetch(`${githubBaseUrl}/user/emails`, {
+          headers: {
+            Authorization: `token ${accessToken}`,
+          },
+        });
+        const emails = await res.json();
+        const primaryEmails = emails.filter((item) => item.primary);
+
+        if (primaryEmails.length > 0) {
+          userData.email = primaryEmails[0].email;
+        }
+      }
+
       const { userId, incompleteUserDetails, role } = await users.addOrUpdate(userData);
 
       const token = authService.generateAuthToken({ userId });
@@ -232,6 +332,8 @@ const fetchDeviceDetails = async (req, res) => {
 module.exports = {
   githubAuthLogin,
   githubAuthCallback,
+  googleAuthLogin,
+  googleAuthCallback,
   signout,
   storeUserDeviceInfo,
   updateAuthStatus,

middlewares/passport.js

@@ -1,5 +1,6 @@
 const passport = require("passport");
 const GitHubStrategy = require("passport-github2").Strategy;
+const GoogleStrategy = require("passport-google-oauth20").Strategy;
 
 try {
   passport.use(
@@ -14,6 +15,18 @@ try {
       }
     )
   );
+  passport.use(
+    new GoogleStrategy(
+      {
+        clientID: config.get("googleOauth.clientId"),
+        clientSecret: config.get("googleOauth.clientSecret"),
+        callbackURL: `${config.get("services.rdsApi.baseUrl")}/auth/google/callback`,
+      },
+      (accessToken, refreshToken, profile, done) => {
+        return done(null, accessToken, profile);
+      }
+    )
+  );
 } catch (err) {
   logger.error("Error initialising passport:", err);
 }

models/users.js

@@ -117,15 +117,23 @@ const addOrUpdate = async (userData, userId = null) => {
     }
 
     // userId is null, Add or Update user
-    let user;
+    let user = null;
+
     if (userData.github_user_id) {
       user = await userModel.where("github_user_id", "==", userData.github_user_id).limit(1).get();
     }
-    if (!user || (user && user.empty)) {
+
+    if (userData.github_id && (!user || user.empty)) {
       user = await userModel.where("github_id", "==", userData.github_id).limit(1).get();
     }
+
+    if (userData.email && (!user || user.empty)) {
+      user = await userModel.where("email", "==", userData.email).limit(1).get();
+    }
+
     if (user && !user.empty && user.docs !== null) {
-      await userModel.doc(user.docs[0].id).set({ ...userData, updated_at: Date.now() }, { merge: true });
+      const { created_at: createdAt, ...updatedUserData } = userData;
+      await userModel.doc(user.docs[0].id).set({ ...updatedUserData, updated_at: Date.now() }, { merge: true });
 
       const logData = {
         type: logType.USER_DETAILS_UPDATED,
@@ -143,7 +151,6 @@ const addOrUpdate = async (userData, userId = null) => {
         role: Object.values(AUTHORITIES).find((role) => data.roles[role]) || AUTHORITIES.USER,
       };
     }
-
     // Add new user
     /*
        Adding default archived role enables us to query for only
@@ -367,7 +374,7 @@ const fetchUsers = async (usernames = []) => {
  * @param { Object }: Object with username and userId, any of the two can be used
  * @return {Promise<{userExists: boolean, user: <userModel>}|{userExists: boolean, user: <userModel>}>}
  */
-const fetchUser = async ({ userId = null, username = null, githubUsername = null, discordId = null }) => {
+const fetchUser = async ({ userId = null, username = null, githubUsername = null, discordId = null, email = null }) => {
   try {
     let userData, id;
     if (username) {
@@ -392,6 +399,12 @@ const fetchUser = async ({ userId = null, username = null, githubUsername = null
         id = doc.id;
         userData = doc.data();
       });
+    } else if (email) {
+      const user = await userModel.where("email", "==", email).limit(1).get();
+      user.forEach((doc) => {
+        id = doc.id;
+        userData = doc.data();
+      });
     }
 
     if (userData && userData.disabled_roles !== undefined) {

package.json

@@ -40,6 +40,7 @@
     "nodemailer-mock": "^2.0.6",
     "passport": "0.7.0",
     "passport-github2": "0.1.12",
+    "passport-google-oauth20": "^2.0.0",
     "rate-limiter-flexible": "5.0.3",
     "winston": "3.13.0"
   },

routes/auth.ts

@@ -9,6 +9,10 @@ router.get("/github/login", auth.githubAuthLogin);
 
 router.get("/github/callback", auth.githubAuthCallback);
 
+router.get("/google/login", auth.googleAuthLogin);
+
+router.get("/google/callback", auth.googleAuthCallback);
+
 router.get("/signout", auth.signout);
 
 router.get("/qr-code-auth", userDeviceInfoValidator.validateFetchingUserDocument, auth.fetchUserDeviceInfo);

test/config/test.js

@@ -30,6 +30,10 @@ module.exports = {
     identity_store_id: "test-identity-store-id",
   },
 
+  googleOauth: {
+    clientId: "cliendId",
+    clientSecret: "clientSecret",
+  },
   firestore: `{
     "type": "service_account",
     "project_id": "test-project-id-for-emulator",

test/fixtures/auth/githubUserInfo.js

@@ -43,7 +43,7 @@ module.exports = () => {
         company: null,
         blog: "",
         location: null,
-        email: null,
+        email: "[email protected]",
         hireable: null,
         bio: null,
         twitter_username: null,

test/fixtures/auth/googleUserInfo.js

@@ -0,0 +1,43 @@
+/**
+ * User info for Google auth response
+ * Multiple responses can be added to the array if required
+ *
+ * @return {Object}
+ */
+module.exports = () => {
+  return [
+    {
+      id: "1234567890",
+      displayName: "Google User",
+      emails: [{ value: "[email protected]", verified: true }],
+      photos: [
+        {
+          value: "https://lh3.googleusercontent.com/a-/test",
+        },
+      ],
+      provider: "google",
+      _raw: `{
+          '"sub": "1234567890",\n' +
+          '"picture": "https://lh3.googleusercontent.com/a-/test",\n' +
+          '"email": "[email protected]",\n' +
+          '"email_verified": true\n' +
+        }`,
+      _json: {
+        sub: "1234567890",
+        picture: "https://lh3.googleusercontent.com/a-/test",
+        email: "[email protected]",
+        email_verified: true,
+      },
+    },
+    {
+      email: "[email protected]",
+      roles: {
+        in_discord: true,
+        archived: false,
+      },
+      incompleteUserDetails: false,
+      updated_at: Date.now(),
+      created_at: Date.now(),
+    },
+  ];
+};

test/fixtures/user/user.js

@@ -94,7 +94,7 @@ module.exports = () => {
       github_id: "sagarbajpai",
       github_display_name: "Sagar Bajpai",
       phone: "1234567890",
-      email: "abc@gmail.com",
+      email: "abc1@gmail.com",
       status: "active",
       tokens: {
         githubAccessToken: "githubAccessToken",
@@ -146,7 +146,7 @@ module.exports = () => {
       github_display_name: "Ankita Bannore",
       isMember: true,
       phone: "1234567890",
-      email: "abc@gmail.com",
+      email: "abc12@gmail.com",
       tokens: {
         githubAccessToken: "githubAccessToken",
       },
@@ -195,7 +195,7 @@ module.exports = () => {
       github_id: "ankur1234",
       github_display_name: "ankur-xyz",
       phone: "1234567890",
-      email: "abc@gmail.com",
+      email: "abc123@gmail.com",
     },
     {
       username: "ritvik",
@@ -426,7 +426,7 @@ module.exports = () => {
       github_display_name: "vinayak-trivedi",
       discordJoinedAt: "2023-04-06T01:47:34.488000+00:00",
       phone: "1234567890",
-      email: "abc@gmail.com",
+      email: "abcd123@gmail.com",
       status: "active",
       tokens: {
         githubAccessToken: "githubAccessToken",