google sign in with oauth 2.0. no more console errors or warnings

2025-10-08 12:46:25 -04:00
parent 299522b3a6
commit 052781a0e6
8 changed files with 186 additions and 93 deletions
--- a/backend/middleware/validation.js
+++ b/backend/middleware/validation.js
@@ -146,11 +146,11 @@ const validateLogin = [

 // Google auth validation
 const validateGoogleAuth = [
-  body("idToken")
+  body("code")
    .notEmpty()
-    .withMessage("Google ID token is required")
-    .isLength({ max: 2048 })
-    .withMessage("Invalid token format"),
+    .withMessage("Authorization code is required")
+    .isLength({ max: 512 })
+    .withMessage("Invalid authorization code format"),

  handleValidationErrors,
 ];
--- a/backend/routes/auth.js
+++ b/backend/routes/auth.js
@@ -13,7 +13,11 @@ const { csrfProtection, getCSRFToken } = require("../middleware/csrf");
 const { loginLimiter, registerLimiter } = require("../middleware/rateLimiter");
 const router = express.Router();

-const googleClient = new OAuth2Client(process.env.GOOGLE_CLIENT_ID);
+const googleClient = new OAuth2Client(
+  process.env.GOOGLE_CLIENT_ID,
+  process.env.GOOGLE_CLIENT_SECRET,
+  process.env.GOOGLE_REDIRECT_URI || "http://localhost:3000/auth/google/callback"
+);

 // Get CSRF token endpoint
 router.get("/csrf-token", (req, res) => {
@@ -214,15 +218,21 @@ router.post(
  validateGoogleAuth,
  async (req, res) => {
    try {
-      const { idToken } = req.body;
+      const { code } = req.body;

-      if (!idToken) {
-        return res.status(400).json({ error: "ID token is required" });
+      if (!code) {
+        return res.status(400).json({ error: "Authorization code is required" });
      }

-      // Verify the Google ID token
+      // Exchange authorization code for tokens
+      const { tokens } = await googleClient.getToken({
+        code,
+        redirect_uri: process.env.GOOGLE_REDIRECT_URI || "http://localhost:3000/auth/google/callback",
+      });
+
+      // Verify the ID token from the token response
      const ticket = await googleClient.verifyIdToken({
-        idToken,
+        idToken: tokens.id_token,
        audience: process.env.GOOGLE_CLIENT_ID,
      });

@@ -315,26 +325,21 @@ router.post(
        // Don't send token in response body for security
      });
    } catch (error) {
-      if (error.message && error.message.includes("Token used too late")) {
+      if (error.message && error.message.includes("invalid_grant")) {
        return res
          .status(401)
-          .json({ error: "Google token has expired. Please try again." });
+          .json({ error: "Invalid or expired authorization code. Please try again." });
      }
-      if (error.message && error.message.includes("Invalid token")) {
-        return res
-          .status(401)
-          .json({ error: "Invalid Google token. Please try again." });
-      }
-      if (error.message && error.message.includes("Wrong number of segments")) {
+      if (error.message && error.message.includes("redirect_uri_mismatch")) {
        return res
          .status(400)
-          .json({ error: "Malformed Google token. Please try again." });
+          .json({ error: "Redirect URI mismatch. Please contact support." });
      }
      const reqLogger = logger.withRequestId(req.id);
-      reqLogger.error("Google auth error", {
+      reqLogger.error("Google OAuth error", {
        error: error.message,
        stack: error.stack,
-        tokenInfo: logger.sanitize({ idToken: req.body.idToken })
+        codePresent: !!req.body.code
      });
      res
        .status(500)